ApsaraMQ for Kafka:Grant permissions across Alibaba Cloud accounts

Last Updated:Mar 04, 2025

You can use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. This way, an enterprise can access the ApsaraMQ for Kafka resources of another enterprise.

Background Information

Enterprise A activated ApsaraMQ for Kafka and requires Enterprise B to manage the ApsaraMQ for Kafka resources of Enterprise A, such as instances, topics, and groups. The following items describe the detailed requirements of Enterprise A:

  • Enterprise A wants to focus on its business systems and act only as the owner of ApsaraMQ for Kafka resources. Enterprise A can authorize Enterprise B to maintain, monitor, and manage ApsaraMQ for Kafka resources.

  • Each time an employee joins or leaves Enterprise B, Enterprise A does not need to change permission settings. Enterprise B can grant its RAM users fine-grained permissions on the cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.

  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role. This RAM role will be assigned to the Alibaba Cloud account of Enterprise B.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. In the RAM Role Name field, enter a RAM role name. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account of Enterprise B. Then, click OK.

    Note
    • The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).

    • You can view the account ID on the Security Settings page of the Account Management console.

Step 2: Enterprise A grants permissions to the RAM role

Grant the RAM role the permissions that are required for Enterprise B to access the ApsaraMQ for Kafka resources of Enterprise A.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.

    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Policy section of the Grant Permission panel, enter the policy that you want to add in the search box and click the search icon to search for it. In the search result, select the policy and add it to the Selected Policy list on the right. Then, click Grant permissions.

    Note

    For information about the policies that you can attach to authorize RAM roles and RAM users to access ApsaraMQ for Kafka, see RAM policies.

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.

    • Using permanent AccessKey to access

      If the RAM user represents a program, you can select Using permanent AccessKey to access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select this access mode, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important
      • An AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

      • An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.

  6. Click OK.

  7. Complete security verification as prompted.

Step 4: Enterprise B grants permissions to the RAM user

Use the Alibaba Cloud account of Enterprise B to attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Policy section of the Grant Permission panel, enter the policy that you want to add in the search box and click the search icon to search for it. In the search result, select the policy and add it to the Selected Policy list on the right. Then, click Grant permissions.

What to do next

The RAM user of Enterprise B can use the following methods to access the ApsaraMQ for Kafka resources of Enterprise A:

  • ApsaraMQ for Kafka console

    1. Open the RAM User Logon page in a browser.

    2. On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Log On.

      Note

      The name of the RAM user is in the <$username>@<$AccountAlias> format or the <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> specifies the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.

    3. In the upper-right corner of the RAM user center page, move the pointer over the profile picture and click Switch Identity.

    4. On the Switch Role page, enter the enterprise alias or default domain name of Enterprise A and the RAM role name. Then, click Submit.

      Note
      • To view the enterprise alias, use the Alibaba Cloud account of Enterprise A to log on to the Expenses and Costs console. Move the pointer over the profile picture in the upper-right corner. The enterprise alias is displayed.

      • To view the default domain name, use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.

  • API operation

    1. Call the AssumeRole operation to obtain the AccessKey ID, AccessKey secret, and Security Token Service (STS) token. For more information, see AssumeRole.

    2. Use the obtained AccessKey ID, AccessKey secret, and STS token to call a specific API operation to access the corresponding ApsaraMQ for Kafka resources.
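The two-sided authorization that Steps 1, 2 and 4 set up, and that the AssumeRole call above relies on, modelled as an added example (not code from this page or from Alibaba Cloud). The account IDs, role name and RAM user name are constructed placeholders, and can_assume is a simplified model of RAM's evaluation: it checks only that the caller's own account grants sts:AssumeRole and that the role's trust policy lists the caller's account.

```python
import json

ACCOUNT_A = "111111111111111"  # constructed placeholder: Enterprise A, resource owner
ACCOUNT_B = "222222222222222"  # constructed placeholder: Enterprise B, operator
ROLE_NAME = "KafkaOpsRole"     # constructed placeholder role name


def trust_policy(trusted_account_ids):
    """Step 1: trust policy of the RAM role in account A. Only principals from the
    listed accounts may call sts:AssumeRole on it; an empty list means revoked."""
    principals = [f"acs:ram::{acct}:root" for acct in trusted_account_ids]
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"RAM": principals}}]}


# Step 4: what the AliyunSTSAssumeRoleAccess system policy grants the RAM user in account B.
ASSUME_ROLE_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}


def role_arn(owner_account_id, role_name):
    """RoleArn value that the AssumeRole API expects for the role created in Step 1."""
    return f"acs:ram::{owner_account_id}:role/{role_name}"


def _actions(statement):
    act = statement["Action"]
    return [act] if isinstance(act, str) else list(act)


def can_assume(caller_arn, caller_policies, role_trust_policy):
    """Both sides must agree: the caller's own account grants sts:AssumeRole (Step 4)
    and the role's trust policy lists the caller's account (Step 1)."""
    caller_account = caller_arn.split(":")[3]  # acs:ram::<account>:user/<name>
    own_side = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _actions(s)
                   for p in caller_policies for s in p["Statement"])
    trusted = any(s["Effect"] == "Allow" and "sts:AssumeRole" in _actions(s)
                  and f"acs:ram::{caller_account}:root" in s["Principal"].get("RAM", [])
                  for s in role_trust_policy["Statement"])
    return own_side and trusted


if __name__ == "__main__":
    trust = trust_policy([ACCOUNT_B])
    operator = f"acs:ram::{ACCOUNT_B}:user/kafka-operator"  # constructed RAM user in B
    print(json.dumps(trust, indent=2))
    print("allowed:", can_assume(operator, [ASSUME_ROLE_ACCESS], trust))
    print("after revocation:", can_assume(operator, [ASSUME_ROLE_ACCESS], trust_policy([])))
```

Removing Enterprise B's account from the trust policy is the revocation described in the Background Information section; Enterprise B's own policy on its RAM user is then no longer sufficient.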