ApsaraMQ for RabbitMQ: Granting permissions across Alibaba Cloud accounts

Last Updated: Mar 11, 2026

When multiple Alibaba Cloud accounts need to share ApsaraMQ for RabbitMQ resources, creating separate RAM users in each account becomes difficult to manage and audit. A Resource Access Management (RAM) role lets one account (Account A, the resource owner) delegate access to another account (Account B, the accessor) through the Security Token Service (STS) AssumeRole mechanism. Account A controls what permissions to grant and can revoke access at any time by removing the trust relationship.

How cross-account access works

Account A creates a RAM role that trusts Account B. Account B's RAM users then assume that role to operate on Account A's ApsaraMQ for RabbitMQ resources, including instances, topics, and consumer groups.

The setup follows four steps:

Step   Account                      Action
1      Account A (resource owner)   Create a RAM role that trusts Account B
2      Account A                    Attach ApsaraMQ for RabbitMQ permissions to the RAM role
3      Account B (accessor)         Create a RAM user
4      Account B                    Grant the RAM user permission to assume roles (STS)

After you complete these steps, Account B's RAM user can access Account A's ApsaraMQ for RabbitMQ resources through the console or the API.

This approach provides the following advantages:

  • Account A focuses on its business systems and delegates resource management to Account B.

  • When employees join or leave Account B, Account A does not need to update permissions. Account B manages fine-grained access for its own RAM users.

  • RAM user credentials can be assigned to either employees or applications.

  • Account A can revoke all access from Account B at any time by removing the RAM role trust relationship.

Prerequisites

Before you begin, make sure that you have:

  • Two Alibaba Cloud accounts (Account A and Account B)

  • ApsaraMQ for RabbitMQ activated on Account A

  • Account B's Alibaba Cloud account ID, available on the Security Settings page or the Basic Information page in Account Center

Step 1: Create a RAM role (Account A)

Create a RAM role in Account A that trusts Account B's Alibaba Cloud account.

  1. Log on to the RAM console as a RAM administrator using Account A's credentials.

  2. In the navigation pane, choose Identity Management > Roles.

  3. On the Roles page, click Create Role.

    Create Role button

  4. On the Create Role page, set Trusted Entity Type to Alibaba Cloud Account. The trusted account options are:

    • Current Alibaba Cloud Account: All RAM users and RAM roles under your own account can assume this role.

    • Other Alibaba Cloud Account: All RAM users and RAM roles from another Alibaba Cloud account can assume this role. Select this option for cross-account access. For more information, see Access resources across Alibaba Cloud accounts. The account ID is available on the Security Settings page.

    Create Role page

  5. Enter a RAM Role Name, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, enter Account B's Alibaba Cloud account ID, and click OK.

Note

The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).

Step 2: Attach permissions to the RAM role (Account A)

Grant the RAM role the ApsaraMQ for RabbitMQ permissions that Account B needs.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Policy section of the Grant Permission panel, search for the target policy, select it from the results, and add it to the Selected Policy list. Click Grant permissions.

Note

For the full list of ApsaraMQ for RabbitMQ policies, see RAM policies.

Step 3: Create a RAM user (Account B)

Create a RAM user in Account B that will assume the cross-account role.

Console

  1. Log on to the RAM console using Account B's Alibaba Cloud account or as a RAM administrator (for example, with the AliyunRAMFullAccess policy).

  2. In the left-side navigation pane, choose Identity > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section, configure the following fields:

    Note

    Click Add User to create multiple RAM users at the same time.

    Field          Required   Description
    Logon Name     Yes        Letters, digits, periods (.), hyphens (-), and underscores (_). Up to 64 characters.
    Display Name   No         Up to 128 characters.
    Tag            No         Click the edit icon to add a tag key and value for categorizing RAM users.
  5. In the Access Mode section, select one of the following:

    • Console access: For human users such as employees, select Console Access and configure the console logon settings.

    • Programmatic access: For applications or systems, select Using permanent AccessKey to access. The system automatically creates an AccessKey ID and an AccessKey secret.

    Important

    As a security best practice, select only one access mode per user. This creates a clear separation between human users who need console access and applications that need programmatic access.

    Important

    The AccessKey secret is displayed only once upon creation and cannot be retrieved later. Copy and save it to a secure location immediately, or click Download CSV File to download the credentials. If an AccessKey pair is leaked, the security of all resources in your account is at risk. For more information, see Create an AccessKey pair. An AccessKey pair is a long-term credential. To reduce the risk of credential leakage, use STS tokens as temporary credentials when possible. For more information, see Best practices for using an access credential to call API operations.

API

Create a RAM user for console access

  1. Call GetDefaultDomain to obtain the default logon suffix for your account. The format is <AccountAlias>.onaliyun.com.

  2. Call CreateUser with the following parameters:

    • UserPrincipalName: <username>@<AccountAlias>.onaliyun.com. <username> is the RAM user name, and <AccountAlias>.onaliyun.com is the default logon suffix.

    • DisplayName: Display name for the RAM user. Can differ from <username>.

  3. Call CreateLoginProfile to enable console access for the user:

    • UserPrincipalName: The logon name from the previous step.

    • Password: Must meet the password complexity requirements. Call GetPasswordPolicy to query the current policy.

    • MFABindRequired: Set to true to require MFA.

    • Status: Keep the default value Active.

Create a RAM user for programmatic access

  1. Call GetDefaultDomain to obtain the default logon suffix in the format <AccountAlias>.onaliyun.com.

  2. Call CreateUser with the following parameters:

    • UserPrincipalName: <username>@<AccountAlias>.onaliyun.com.

    • DisplayName: Display name for the RAM user.

  3. Call CreateAccessKey with the UserPrincipalName from the previous step.

    Important

    The CreateAccessKey API operation returns an AccessKey ID and an AccessKey secret. This is your only opportunity to view and save the secret. Copy and save it to a secure location immediately. If an AccessKey pair is leaked, the security of all resources in your account is at risk. For more information, see Create an AccessKey pair.

Step 4: Grant the RAM user STS permissions (Account B)

Attach the AliyunSTSAssumeRoleAccess policy to the RAM user so that it can assume the cross-account role.

  1. Log on to the RAM console as a RAM administrator using Account B's credentials.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user and click Add Permissions in the Actions column.

  4. In the Policy section of the Grant Permission panel, search for AliyunSTSAssumeRoleAccess, select the policy, and add it to the Selected Policy list. Click Grant permissions.
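The policy documents behind Steps 1 and 4, as an added Python example that is not part of this documentation: it builds the trust policy Account A attaches to the role, a custom policy that scopes Account B's RAM user to assuming that one role (a narrower alternative to the AliyunSTSAssumeRoleAccess system policy), and an audit check that flags a trust policy naming a wildcard or an unexpected account. The account IDs and the role name are constructed placeholders.

```python
import json

# Constructed placeholder IDs and role name (not real Alibaba Cloud values).
ACCOUNT_A_ID = "111111111111111"  # resource owner
ACCOUNT_B_ID = "222222222222222"  # accessor
ROLE_NAME = "rabbitmq-cross-account-role"


def role_arn(owner_account_id, role_name):
    """ARN of a RAM role in the owner's account: acs:ram::<account-id>:role/<name>."""
    return f"acs:ram::{owner_account_id}:role/{role_name}"


def trust_policy(accessor_account_id):
    """Step 1: trust policy on Account A's role; only Account B may call sts:AssumeRole."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{accessor_account_id}:root"]},
    }]}


def assume_role_policy(owner_account_id, role_name):
    """Step 4 alternative: let Account B's RAM user assume only this one role."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn(owner_account_id, role_name),
    }]}


def audit_trust_policy(policy, allowed_account_ids):
    """Flag Allow statements whose RAM principals are wildcards or outside the allowed set."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("RAM", [])
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            if "*" in p:
                findings.append(f"wildcard principal: {p}")
            elif p.split(":")[3] not in allowed_account_ids:
                findings.append(f"unexpected trusted account: {p.split(':')[3]}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_B_ID), indent=2))
    print(json.dumps(assume_role_policy(ACCOUNT_A_ID, ROLE_NAME), indent=2))
    print(audit_trust_policy(trust_policy(ACCOUNT_B_ID), {ACCOUNT_B_ID}))
```

Run the audit against the trust policy actually attached to the role whenever it changes; an empty findings list means only Account B can assume it.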

Access Account A's resources

After you complete the setup, Account B's RAM user can access Account A's ApsaraMQ for RabbitMQ resources through either the console or the API.

Console

  1. Open the RAM User Logon page.

  2. Enter the RAM user name, click Next, enter the password, and click Log On.

    Note

    The RAM user name format is <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no alias is set, the Alibaba Cloud account ID is used.

  3. On the homepage of the console, move the pointer over the profile picture in the upper-right corner and click Switch Role.

  4. On the Switch Role page, enter Account A's enterprise alias or default domain name in the Enterprise Alias/Default Domain Name field, enter the role name in the Role Name field, and click Submit.

    Note

    To find the enterprise alias, log on to the Expenses and Costs console with Account A's credentials and hover over the profile picture in the upper-right corner. To find the default domain name, log on to the RAM console with Account A's credentials, go to the Settings page, and click the Advanced tab.

API

  1. Call AssumeRole to obtain temporary credentials: an AccessKey ID, an AccessKey secret, and an STS token.

  2. Use these temporary credentials to call ApsaraMQ for RabbitMQ API operations and access Account A's resources.
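Handling the temporary credentials that AssumeRole returns, as an added Python example that is not part of this documentation: it parses the Credentials object of a constructed sample response and caches it, refreshing shortly before the Expiration time so callers never present an expired STS token. The assume_role callable stands in for the real API call, and every value in the sample is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an AssumeRole response body (all values are placeholders).
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "Arn": "acs:ram::111111111111111:role/rabbitmq-cross-account-role/app-session",
        "AssumedRoleId": "ROLEID-PLACEHOLDER:app-session",
    },
    "Credentials": {
        "AccessKeyId": "STS.PLACEHOLDER-AK-ID",
        "AccessKeySecret": "PLACEHOLDER-AK-SECRET",
        "SecurityToken": "PLACEHOLDER-STS-TOKEN",
        "Expiration": "2026-03-11T10:00:00Z",  # UTC, ISO 8601
    },
}


def parse_credentials(body):
    """Extract the temporary AccessKey pair, STS token and expiry from an AssumeRole response."""
    c = body["Credentials"]
    exp = datetime.strptime(c["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"access_key_id": c["AccessKeyId"], "access_key_secret": c["AccessKeySecret"],
            "security_token": c["SecurityToken"], "expiration": exp}


class StsCredentialCache:
    """Reuses one AssumeRole result until refresh_margin before Expiration, then calls again."""

    def __init__(self, assume_role, refresh_margin=timedelta(minutes=5)):
        self._assume_role = assume_role  # callable returning an AssumeRole response body
        self._margin = refresh_margin
        self._creds = None
        self.refresh_count = 0  # exposed so callers can verify refresh behaviour

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._creds is None or now >= self._creds["expiration"] - self._margin:
            self._creds = parse_credentials(self._assume_role())
            self.refresh_count += 1
        return self._creds
```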