
Introduction to Resource Access Management

Last Updated:Sep 06, 2023

With Resource Access Management (RAM), you can split permissions, grant each sub-account only the permissions it needs, and avoid the security risk of exposing the AccessKey of the Alibaba Cloud account (master account).

The following are typical scenarios that call for Resource Access Management (RAM).

Use RAM to delegate permissions to separate user accounts

A project (Project-X) of Enterprise A has registered an Alibaba Cloud account and purchased a variety of Alibaba Cloud products, such as ECS instances, RDS instances, SLB instances, and OSS storage.

Multiple employees on the project need to operate these cloud resources. Because their responsibilities differ, the permissions they need also differ. Enterprise A wants to meet the following requirements:

  • For reasons of security and trust, Enterprise A does not want to hand the AccessKey of the Alibaba Cloud account to employees directly; it wants to create an independent account for each employee instead.

  • A user account can operate only the resources it has been authorized for. Enterprise A can revoke a user account's permissions, or delete the user account it created, at any time.

  • User accounts need no independent metering or billing; all expenses are borne by Enterprise A.

Given these requirements, the authorization management function of RAM can be used to delegate permissions to users while keeping resource management unified.

Use RAM roles to access resources across accounts

Cloud account A and cloud account B belong to different enterprises. A has purchased a variety of cloud resources to run its business, such as ECS instances, RDS instances, SLB instances, and OSS storage space.

  • Enterprise A wants to focus on its business system and delegate cloud resource operation and maintenance, monitoring, management, and similar tasks to Enterprise B.

  • Enterprise B can further assign its access to A's resources to one or more of B's employees, and B can finely control which operations its employees may perform on those resources.

  • If the operation and maintenance contract between A and B ends, A can revoke B's authorization at any time.

For these requirements, RAM roles can be used to implement cross-account authorization and resource access control.
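The two scenarios above both come down to policy documents: a permission policy attached to a RAM user (Project-X employees) and a trust policy on a role that names another account's principals (Enterprise B). The following is an added example, not code from the page or from Alibaba Cloud; it assumes the RAM policy syntax documented by Alibaba Cloud (Version "1", Statement entries with Effect/Action/Resource, and trust policies with a Principal/RAM list of `acs:ram::<account-id>:root` ARNs), uses a placeholder account ID, and adds a small least-privilege check plus a revoke helper for the "A ends the contract with B" case.

```python
"""Added example (not from the page): RAM policy documents for the two
scenarios above and a minimal least-privilege check.

Assumptions: policy syntax follows Alibaba Cloud RAM's documented format;
ACCOUNT_B_ID and the role/user names are placeholders constructed for the demo.
"""
import json

ACCOUNT_B_ID = "<account-B-id>"  # placeholder, not a real account ID

# Scenario 1: a permission policy for a Project-X employee who only needs to
# read ECS and RDS state. Attached to that employee's RAM user, it replaces
# handing out the master account's AccessKey.
PROJECT_X_READONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:Describe*", "rds:Describe*"],
            "Resource": "*",
        }
    ],
}

# Scenario 2: the trust policy on a role in account A that lets RAM
# principals in account B assume the role.
CROSS_ACCOUNT_TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{ACCOUNT_B_ID}:root"]},
        }
    ],
}


def _as_list(value):
    """RAM allows Action/Resource/Principal entries as a string or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; empty means the policy passed.

    An Allow statement with Action "*" on Resource "*" grants the same blast
    radius as the master account's AccessKey, which is exactly what RAM is
    meant to avoid, so it is reported.
    """
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Allow * on * grants full account access")
    return findings


def remove_principal(trust_policy, principal_arn):
    """Return a copy of a trust policy with one principal revoked.

    This is the policy-level form of 'A revokes B's authorization at any
    time'. Statements left with no principal are dropped entirely.
    """
    out = {"Version": trust_policy["Version"], "Statement": []}
    for st in trust_policy["Statement"]:
        remaining = [p for p in _as_list(st.get("Principal", {}).get("RAM", []))
                     if p != principal_arn]
        if not remaining:
            continue
        new_st = dict(st)
        new_st["Principal"] = {"RAM": remaining}
        out["Statement"].append(new_st)
    return out


def to_json(policy):
    """Serialize a policy document the way it would be pasted into the console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in [("Project-X read-only", PROJECT_X_READONLY_POLICY),
                      ("cross-account trust", CROSS_ACCOUNT_TRUST_POLICY)]:
        print(f"== {name} ==\n{to_json(pol)}\nfindings: {lint_policy(pol)}\n")
    print("after revoking B:", to_json(remove_principal(
        CROSS_ACCOUNT_TRUST_POLICY, f"acs:ram::{ACCOUNT_B_ID}:root")))
```

The lint is deliberately narrow: it only catches the "everything on everything" statement, which is the shape a permission policy takes when someone recreates master-account power inside a sub-account. Revoking the cross-account grant is modelled as editing the trust policy rather than deleting the role, so the role and its permission policies in account A stay in place for the next contractor.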

Use RAM service roles to give applications dynamic access to cloud services

If you have purchased ECS instances and plan to deploy enterprise applications on them, and those applications need an AccessKey to call the APIs of other cloud services, there are two common approaches:

  • Embed the AccessKey directly in the code.

  • Store the AccessKey in the application's configuration file.

Both approaches bring two problems:

  • Confidentiality: if the AccessKey is stored on the ECS instance in plaintext, it can leak through snapshots and images created from the instance, and through any instances created from those images.

  • Operation and maintenance burden: because the AccessKey lives inside the instance, replacing it (for example, for periodic rotation or to switch user identities) requires updating and redeploying every instance and image, which increases the complexity of instance and image management.

By combining the access control capabilities of ECS and RAM, you can assign a RAM role with appropriate permissions to each ECS instance (that is, the runtime environment of your application). The application then calls cloud service APIs using the dynamic token it obtains for that role identity, so no long-lived AccessKey is stored on the instance.
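The following is an added example of the service-role flow, not code from the page or from Alibaba Cloud. It assumes the ECS metadata endpoint Alibaba Cloud documents for instance RAM roles (`http://100.100.100.200/latest/meta-data/ram/security-credentials/<role-name>`, returning a JSON document with AccessKeyId, AccessKeySecret, SecurityToken, Expiration and Code), which the page itself does not show; the role name, the sample credential document and the `FakeMetadata` stand-in are constructed so the provider can be exercised offline. The point it demonstrates is the contrast with an embedded key: credentials are fetched at run time, cached, and refreshed before they expire, so rotation never touches the image.

```python
"""Added example (not from the page): a credential provider that reads an ECS
instance RAM role's dynamic token instead of an AccessKey baked into the image.

Assumptions: the metadata endpoint and response fields follow Alibaba Cloud's
documented instance-role metadata; SAMPLE_DOC, the role name and FakeMetadata
are constructed for offline use.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed endpoint (documented by Alibaba Cloud, not shown on this page).
METADATA_BASE = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=15)  # refresh this long before Expiration

# Constructed sample of the metadata response; the values are not real credentials.
SAMPLE_DOC = json.dumps({
    "AccessKeyId": "STS.EXAMPLE-KEY-ID",
    "AccessKeySecret": "example-secret",
    "SecurityToken": "example-token",
    "Expiration": "2023-09-06T12:00:00Z",
    "LastUpdated": "2023-09-06T06:00:00Z",
    "Code": "Success",
})


def parse_time(s):
    """Parse the UTC timestamp format used in the Expiration field."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_from_metadata(role_name, timeout=2):
    """Real fetch; only works on an ECS instance with the role attached."""
    with urllib.request.urlopen(METADATA_BASE + role_name, timeout=timeout) as resp:
        return resp.read().decode()


def parse_credentials(doc):
    """Validate the metadata document and return the temporary credentials."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={data.get('Code')!r}")
    for key in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
        if key not in data:
            raise ValueError(f"credential document missing {key}")
    return {
        "access_key_id": data["AccessKeyId"],
        "access_key_secret": data["AccessKeySecret"],
        "security_token": data["SecurityToken"],
        "expiration": parse_time(data["Expiration"]),
    }


class InstanceRoleCredentials:
    """Caches the role's token and re-fetches it shortly before it expires.

    `fetcher` and `now` are injectable so the logic can run off-instance.
    """

    def __init__(self, role_name, fetcher=fetch_from_metadata):
        self.role_name = role_name
        self.fetcher = fetcher
        self.now = lambda: datetime.now(timezone.utc)
        self._creds = None

    def needs_refresh(self):
        return self._creds is None or self.now() >= self._creds["expiration"] - REFRESH_MARGIN

    def get(self):
        if self.needs_refresh():
            self._creds = parse_credentials(self.fetcher(self.role_name))
        return self._creds


class FakeMetadata:
    """Constructed stand-in for the metadata service; counts how often it is hit."""

    def __init__(self, doc=SAMPLE_DOC):
        self.doc = doc
        self.calls = 0

    def __call__(self, role_name):
        self.calls += 1
        return self.doc


if __name__ == "__main__":
    provider = InstanceRoleCredentials("ecs-app-role", fetcher=FakeMetadata())
    provider.now = lambda: parse_time("2023-09-06T06:00:00Z")
    creds = provider.get()
    print("token expires at", creds["expiration"], "fetches:", provider.fetcher.calls)
```

Rotation is then a property of the role, not of the deployment: the metadata service hands out a fresh token and the provider picks it up on the next call after the refresh margin, with nothing to redeploy and nothing sensitive captured in a snapshot.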
