
Application Real-Time Monitoring Service:Use a RAM role to access resources across Alibaba Cloud accounts

Last Updated:Jan 19, 2024

You can use the Alibaba Cloud account of Enterprise A to create a RAM role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or the RAM user that belongs to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.

Background information

If Enterprise A has purchased a variety of cloud resources to carry out business and needs to authorize Enterprise B to carry out some of that business on its behalf, you can use a RAM role for this purpose. A RAM role has no logon password or AccessKey pair of its own; it can be used only after a trusted entity assumes it. To meet the needs of Enterprise A, follow this procedure:

  1. Enterprise A creates a RAM role
  2. Enterprise A adds permissions to the RAM role
  3. Enterprise B creates a RAM user
  4. Enterprise B adds AliyunSTSAssumeRoleAccess permissions to a RAM user
  5. The RAM user of Enterprise B accesses the resources of Enterprise A through the console or API

Application Real-Time Monitoring Service (ARMS) provides two system policies to grant full permissions or read-only permissions. You can select a system policy based on your business requirements.

  • AliyunARMSFullAccess: grants full permissions to RAM users on ARMS. RAM users can view, edit, or delete instances of all sub-services.

    Note

    After you attach the AliyunARMSFullAccess policy to a RAM user, you do not need to attach the AliyunARMSReadOnlyAccess policy to the RAM user.

  • AliyunARMSReadOnlyAccess: grants read-only permissions to RAM users on ARMS. RAM users can view the instance information of each sub-service, and cannot modify or delete the information.

    Important

    To grant read-only permissions on all ARMS features for a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to the resource group and also grant the ReadTraceApp permission on it. Otherwise, ARMS cannot display the application list that belongs to the authorized resource group.

Step 1: Create a RAM role with the account of Enterprise A

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

  5. Configure parameters for the RAM role.

    1. Specify RAM Role Name.

    2. Specify Note.

    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account.

      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.

      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.

      Important

  6. Click OK.

  7. Click Close.

Step 2: Grant permissions to the RAM role with the account of Enterprise A

The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role to which you want to grant permissions, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM role.

    1. Set the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select policies.

      Note

      You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.
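Step 1 (selecting Other Alibaba Cloud Account and entering the ID of Enterprise B) produces a trust policy on the role, and Step 2 attaches the permission policies. The following is an added example, not code from the Alibaba Cloud documentation or SDK: it builds the trust policy document in the shape the RAM console generates (Version "1", a statement allowing sts:AssumeRole for Principal.RAM entries of the form acs:ram::<AccountID>:root) and audits an existing trust policy so that only the intended account can assume the role. The 16-digit account-ID check and the account IDs used are assumptions and constructed placeholders.

```python
"""Build and audit the trust policy of a cross-account RAM role (added example)."""
import re

# Alibaba Cloud account IDs are 16-digit numeric strings (assumption used for validation).
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")
# Principal ARNs that RAM accepts: the whole account (root) or one RAM user in it.
PRINCIPAL_ARN_RE = re.compile(r"^acs:ram::(\d{16}):(root|user/.+)$")

# Constructed placeholder IDs for Enterprise A (resource owner) and Enterprise B (trusted).
ENTERPRISE_A_ID = "1111111111111111"
ENTERPRISE_B_ID = "2222222222222222"


def build_trust_policy(trusted_account_ids):
    """Return the trust policy that lets only the given accounts assume the role."""
    for account_id in trusted_account_ids:
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"invalid Alibaba Cloud account ID: {account_id!r}")
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [f"acs:ram::{aid}:root" for aid in trusted_account_ids]
                },
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, allowed_account_ids):
    """Return findings for every principal that may assume the role but is not allow-listed.

    A wildcard principal or an unexpected account ID means RAM users outside
    Enterprise B could assume the role, which defeats the point of Step 1.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any account may assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unrecognised principal: {principal!r}")
            continue
        ram_principals = principal.get("RAM", [])
        if isinstance(ram_principals, str):
            ram_principals = [ram_principals]
        for arn in ram_principals:
            if arn == "*":
                findings.append("wildcard RAM principal: any account may assume the role")
                continue
            match = PRINCIPAL_ARN_RE.match(arn)
            if not match:
                findings.append(f"unrecognised principal ARN: {arn}")
            elif match.group(1) not in allowed_account_ids:
                findings.append(f"unexpected trusted account: {match.group(1)}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy([ENTERPRISE_B_ID])
    print(policy)
    print("findings:", audit_trust_policy(policy, {ENTERPRISE_B_ID}))
```

Running the audit over the role's current trust policy (for example on a schedule, or before Step 2 grants AliyunARMSFullAccess) catches a role that was accidentally left trusting the wrong account or every account; the permission policies attached in Step 2 are only as safe as the trust policy that decides who can assume the role.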

Step 3: Create a RAM user with the account of Enterprise B

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important

      An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

  6. Click OK.

  7. Complete security verification as prompted.

Step 4: Grant permissions to the RAM user with the account of Enterprise B

Enterprise B must attach the AliyunSTSAssumeRoleAccess permission policy to the RAM user so that the RAM user can assume the RAM role created by Enterprise A.

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select policies.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies:

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.

What to do next

After the preceding operations are completed, the RAM user of Enterprise B can log on to the console or call API operations to access the cloud resources of Enterprise A. To access the cloud resources of Enterprise A, perform the following steps:

Log on to the console

  1. Log on to the Alibaba Cloud Management Console as a RAM user.

  2. On the RAM User Logon page, enter the username of the RAM user and click Next.

    • Logon name 1: default domain name. The format of the logon name of the RAM user is <UserName>@<AccountAlias>.onaliyun.com, such as username@company-alias.onaliyun.com.

      Note

      <UserName> indicates the username of the RAM user. <AccountAlias>.onaliyun.com indicates the default domain name. For more information, see Terms and View and modify the default domain name.

    • Logon name 2: the account alias. The format of the logon name of the RAM user is <UserName>@<AccountAlias>, such as username@company-alias.

      Note

      <UserName> indicates the username of the RAM user. <AccountAlias> indicates the account alias. For more information, see Terms and View and modify the default domain name.

    • Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is <UserName>@<DomainAlias>, such as username@example.com.

      Note

      <UserName> indicates the username of the RAM user. <DomainAlias> indicates the domain alias. For more information, see Terms and Create and verify a domain alias.

  3. Enter the logon password and click Log On.

  4. Optional. If MFA is enabled for the RAM user, enter the verification code that is provided by the virtual MFA device, or complete the Universal 2nd Factor (U2F) authentication as prompted.

    For more information, see MFA and Bind an MFA device to a RAM user.

Call API operations

To access the cloud resources of Enterprise A by calling API operations as the RAM user of Enterprise B, the RAM user first assumes the RAM role created by Enterprise A and then specifies the temporary AccessKeyId, AccessKeySecret, and SecurityToken that the role assumption returns in the code. For more information about how to obtain a temporary security token by using Security Token Service (STS), see AssumeRole.
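The temporary credentials returned by AssumeRole expire, so code that calls Enterprise A's APIs has to refresh them before they lapse and must never write them to long-lived configuration. The following is an added example, not code from the Alibaba Cloud documentation or SDK: a small credential cache that takes the AssumeRole call as an injected function (so it runs offline here), reads the Credentials object in the documented response shape (AccessKeyId, AccessKeySecret, SecurityToken and an ISO-8601 UTC Expiration), and refreshes a few minutes ahead of expiry. The role ARN format acs:ram::<AccountID>:role/<RoleName> is the RAM convention; the account ID, role name, session name and every credential value below are constructed placeholders, and fake_assume_role_factory stands in for the real STS call.

```python
"""Cache and refresh STS temporary credentials obtained through AssumeRole (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed placeholder values for Enterprise A's account and the role it created in Step 1.
ENTERPRISE_A_ID = "1111111111111111"
ROLE_NAME = "arms-readonly-for-enterprise-b"
STS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def role_arn(account_id, name):
    """ARN of the RAM role that Enterprise B's RAM user assumes (RAM ARN convention)."""
    return f"acs:ram::{account_id}:role/{name}"


def parse_expiration(value):
    """STS returns e.g. '2024-01-19T09:00:00Z'; convert it to a timezone-aware datetime."""
    return datetime.strptime(value, STS_TIME_FORMAT).replace(tzinfo=timezone.utc)


class StsCredentialCache:
    """Holds one set of temporary credentials and refreshes them ahead of expiry."""

    def __init__(self, assume_role, refresh_margin=timedelta(minutes=5), now=None):
        # assume_role(role_arn, session_name) -> AssumeRole response dict (injected, hypothetical)
        self._assume_role = assume_role
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self._expires_at = None
        self.refresh_count = 0

    def _refresh(self, arn, session_name):
        resp = self._assume_role(arn, session_name)
        creds = resp["Credentials"]
        # Keep only the three values the SDK client needs; the session name stays in
        # Enterprise A's ActionTrail records as the caller identity.
        self._creds = {
            "AccessKeyId": creds["AccessKeyId"],
            "AccessKeySecret": creds["AccessKeySecret"],
            "SecurityToken": creds["SecurityToken"],
        }
        self._expires_at = parse_expiration(creds["Expiration"])
        self.refresh_count += 1

    def get(self, arn, session_name):
        """Return credentials, calling STS only when none are cached or they are about to expire."""
        if self._creds is None or self._now() + self._margin >= self._expires_at:
            self._refresh(arn, session_name)
        return dict(self._creds)


def fake_assume_role_factory(clock, lifetime=timedelta(hours=1)):
    """Stand-in for the STS AssumeRole call that returns a constructed response."""
    counter = {"n": 0}

    def fake(arn, session_name):
        counter["n"] += 1
        return {
            "RequestId": "constructed-request-id",
            "AssumedRoleUser": {"Arn": f"{arn}/{session_name}", "AssumedRoleId": "constructed-id"},
            "Credentials": {
                "AccessKeyId": f"STS.constructed{counter['n']}",
                "AccessKeySecret": "constructed-secret",
                "SecurityToken": "constructed-token",
                "Expiration": (clock() + lifetime).strftime(STS_TIME_FORMAT),
            },
        }

    return fake


def demo():
    """Advance a simulated clock and report (first key, key after 30 min, key after 56 min, refreshes)."""
    state = {"now": datetime(2024, 1, 19, 8, 0, tzinfo=timezone.utc)}
    clock = lambda: state["now"]
    cache = StsCredentialCache(fake_assume_role_factory(clock), now=clock)
    arn = role_arn(ENTERPRISE_A_ID, ROLE_NAME)
    first = cache.get(arn, "enterprise-b-app")["AccessKeyId"]
    state["now"] += timedelta(minutes=30)          # still valid for 30 more minutes
    same = cache.get(arn, "enterprise-b-app")["AccessKeyId"]
    state["now"] += timedelta(minutes=26)          # within the 5-minute refresh margin
    later = cache.get(arn, "enterprise-b-app")["AccessKeyId"]
    return first, same, later, cache.refresh_count


if __name__ == "__main__":
    print(demo())
```

In production the injected function is the SDK's AssumeRole request signed with the RAM user's own AccessKey pair from Step 3; the cache ensures every API call to Enterprise A's resources uses a current token and that a single refresh failure is visible rather than silently producing expired-credential errors.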