Resource Access Management (RAM) roles allow one Alibaba Cloud account to delegate access to its ApsaraMQ for RocketMQ resources to another account, without sharing long-term credentials. When two organizations need to collaborate on messaging workloads -- for example, when one organization owns the RocketMQ instances while another needs to publish and subscribe to messages -- a RAM role provides a secure, revocable delegation mechanism.
This topic walks through three steps: creating a RAM role in the resource-owning account, setting up RAM users in the accessing account, and accessing the resources through SDKs, the console, or API operations.
What you will set up
After you complete these steps, you will have:
A RAM role in the resource-owning account (Enterprise A) that grants access to specific ApsaraMQ for RocketMQ resources
A trust policy on that role that allows the accessing account (Enterprise B) to assume it
RAM users in Enterprise B's account with the AliyunSTSAssumeRoleAccess policy, which enables them to assume the role and access Enterprise A's resources
Prerequisites
Before you begin, make sure that you have:
Two Alibaba Cloud accounts (one for each enterprise)
ApsaraMQ for RocketMQ activated on Enterprise A's account
Sufficient permissions to manage RAM roles, policies, and users in both accounts
Step 1: Create a RAM role in Enterprise A's account
All operations in this step use Enterprise A's Alibaba Cloud account.
Log on to the RAM console.
Create a RAM role for a trusted Alibaba Cloud account. Specify Enterprise B's account as the trusted account. For detailed instructions, see Create a RAM role for a trusted Alibaba Cloud account.
Optional: Create a custom policy to restrict the role's permissions to specific instances, topics, or groups. ApsaraMQ for RocketMQ supports fine-grained access control at three levels:
| Level | Description |
|---|---|
| Instance | Control access to specific RocketMQ instances |
| Topic | Control access to specific topics within an instance |
| Group | Control access to specific consumer groups within an instance |
For more information, see Custom policies for ApsaraMQ for RocketMQ. For general instructions on creating custom policies, see Create custom policies.
Attach a system policy or custom policy to the RAM role. A newly created RAM role has no permissions. Attach the appropriate policy to grant the role access to ApsaraMQ for RocketMQ resources. For more information, see Grant permissions to a RAM role.
Step 2: Set up RAM users in Enterprise B's account
All operations in this step use Enterprise B's Alibaba Cloud account.
Log on to the RAM console.
Create a RAM user for each employee or application that needs cross-account access. For more information, see Create a RAM user.
Attach the AliyunSTSAssumeRoleAccess policy to each RAM user. This policy allows the RAM user to call the Security Token Service (STS) AssumeRole operation, which is required to assume the RAM role that Enterprise A created. For more information, see Grant permissions to a RAM user.
Step 3: Access Enterprise A's resources
After the RAM role and user permissions are configured, Enterprise B's RAM users can access Enterprise A's ApsaraMQ for RocketMQ resources through SDKs, the console, or API operations.
Access resources through SDKs
Enterprise B's RAM users can send and receive messages on Enterprise A's ApsaraMQ for RocketMQ resources through SDKs. Choose one of the following authentication methods:
| Method | Minimum SDK version | When to use |
|---|---|---|
| STS temporary security token | Java SDK 1.7.8.Final | Applications running outside ECS, or when you need fine-grained credential control |
| ECS instance RAM role | Java SDK 1.8.7.3.Final | Applications running on ECS instances with the RAM role attached |
Method 1: STS temporary security token (recommended for non-ECS environments)
This method requires the ApsaraMQ for RocketMQ SDK for Java 1.7.8.Final or later.
Use a temporary security token issued by STS to authenticate SDK requests. This method requires the RAM user's AccessKey pair and a temporary security token. Refresh the token before it expires.
For more information about obtaining a temporary security token, see AssumeRole. For more information about obtaining an AccessKey pair, see Create an AccessKey pair.
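The initialization and refresh steps of this method combined into one working flow, as an added example that is not part of the original documentation: Enterprise B's RAM user calls STS AssumeRole with the Alibaba Cloud STS SDK for Java (aliyun-java-sdk-sts), starts the producer with the returned temporary credentials, and swaps in a new token through updateCredential before the current one expires. The role ARN, region ID, session name and the 10-minute refresh margin are assumed placeholders.

```java
import java.time.Instant;
import java.util.Properties;
import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

public class StsCredentialRefresher {
    // Assumed placeholders: the ARN of the role Enterprise A created, and the region of the STS endpoint.
    private static final String ROLE_ARN = "acs:ram::<enterprise-a-account-id>:role/<your-ram-role-name>";
    private static final String REGION_ID = "<your-region-id>";
    private static final long REFRESH_MARGIN_SECONDS = 600; // refresh 10 minutes before expiry
    private final DefaultAcsClient stsClient;
    private final Producer producer;
    private Instant expiration;

    public StsCredentialRefresher(String ramUserAk, String ramUserSk, String namesrvAddr) throws ClientException {
        // STS requests are signed with the long-term AccessKey pair of Enterprise B's RAM user (AliyunSTSAssumeRoleAccess).
        this.stsClient = new DefaultAcsClient(DefaultProfile.getProfile(REGION_ID, ramUserAk, ramUserSk));
        Properties props = assumeRole();
        props.put(PropertyKeyConst.NAMESRV_ADDR, namesrvAddr);
        this.producer = ONSFactory.createProducer(props);
        this.producer.start();
    }

    // Assumes the role, records the token expiry, and returns the SDK credential properties.
    private Properties assumeRole() throws ClientException {
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleArn(ROLE_ARN);
        request.setRoleSessionName("enterprise-b-producer"); // identifies this workload in Enterprise A's audit logs
        request.setDurationSeconds(3600L);                    // keep the token short-lived
        AssumeRoleResponse.Credentials c = stsClient.getAcsResponse(request).getCredentials();
        this.expiration = Instant.parse(c.getExpiration());   // STS returns an ISO 8601 UTC timestamp
        Properties p = new Properties();
        p.put(PropertyKeyConst.AccessKey, c.getAccessKeyId());
        p.put(PropertyKeyConst.SecretKey, c.getAccessKeySecret());
        p.put(PropertyKeyConst.SecurityToken, c.getSecurityToken());
        return p;
    }

    // Call this from a scheduler; it swaps in a new token while the current one is still valid.
    public void refreshIfNeeded() throws ClientException {
        if (Instant.now().plusSeconds(REFRESH_MARGIN_SECONDS).isAfter(expiration)) {
            producer.updateCredential(assumeRole());
        }
    }
}
```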
Initialize the client with an STS token
Specify the AccessKey pair and temporary security token when you initialize the ApsaraMQ for RocketMQ client:
```java
import java.util.Properties;
import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;

Properties properties = new Properties();
// Make sure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID,
// ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN are configured.
// The AccessKey ID of the RAM user.
properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
// The AccessKey secret of the RAM user.
properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// The temporary security token obtained from STS.
properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
// The endpoint of your ApsaraMQ for RocketMQ instance.
properties.put(PropertyKeyConst.NAMESRV_ADDR, "<your-namesrv-endpoint>");
// ... other properties ...
Producer client = ONSFactory.createProducer(properties);
client.start();
```
Refresh an expired token
Call updateCredential to refresh the credentials without restarting the client:
```java
// client is the Producer created and started in the previous snippet.
Properties properties = new Properties();
// Make sure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID,
// ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN are configured.
// The updated AccessKey ID.
properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
// The updated AccessKey secret.
properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// The new temporary security token.
properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
client.updateCredential(properties);
```
Method 2: ECS instance RAM role (recommended for ECS-hosted applications)
This method requires the ApsaraMQ for RocketMQ SDK for Java 1.8.7.3.Final or later.
If your application runs on an Elastic Compute Service (ECS) instance, attach the RAM role directly to the instance. The SDK retrieves temporary credentials automatically, so no AccessKey pair or security token is needed in your code.
Before using this method, attach the RAM role to the ECS instance where your application is deployed. For more information, see Attach an instance RAM role to an ECS instance.
```java
Properties properties = new Properties();
// The name of the RAM role attached to the ECS instance.
properties.put(PropertyKeyConst.RAM_ROLE_NAME, "<your-ram-role-name>");
properties.put(PropertyKeyConst.NAMESRV_ADDR, "<your-namesrv-endpoint>"); // instance endpoint, as in Method 1
Producer client = ONSFactory.createProducer(properties);
client.start();
```
Access resources through the console
Enterprise B's RAM users can switch to Enterprise A's RAM role in the console to manage ApsaraMQ for RocketMQ resources.
Open the RAM User Logon page.
In the Username field, enter the logon name of the RAM user and click Next. Enter the password and click Log On.
Note: The logon name format is <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. If no account alias is set, the Alibaba Cloud account ID is used as <$AccountAlias>.
In the upper-right corner, hover over the profile icon and click Switch Identity.
On the Switch Role page, enter Enterprise A's account alias, domain name, or Alibaba Cloud account ID in the Enterprise Alias / Domain / Account UID field. Enter the RAM role name in the Role Name field and click Submit.
Manage Enterprise A's ApsaraMQ for RocketMQ resources from the console.
Access resources through API operations
Enterprise B's RAM users can access Enterprise A's resources by calling ApsaraMQ for RocketMQ API operations directly. For more information, see Make API requests.