This topic describes how to use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. Two enterprises (Enterprise A and Enterprise B) are used as examples. To authorize Enterprise B to access specified resources of Enterprise A, Enterprise A can create and assign a RAM role to Enterprise B. Then, Enterprise B can assume the RAM role and access the specified resources.

Prerequisites

An account alias is configured for your Alibaba Cloud account. For more information, see View and modify the default domain name.

Background information

Enterprise A has purchased multiple types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A.

Enterprise A has the following requirements:

  • Enterprise A serves only as a cloud resource owner. Enterprise A can authorize Enterprise B to maintain, monitor, and manage specified cloud resources of Enterprise A.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to change permissions. Enterprise B can grant its RAM users fine-grained permissions on cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.

Solution

In this example, Enterprise A needs to authorize employees of Enterprise B to manage ECS resources of Enterprise A. Enterprise A has an Alibaba Cloud account named Account A and Enterprise B has an Alibaba Cloud account named Account B.

  • The ID of Account A is 123456789012**** and the account alias is company-a.
  • The ID of Account B is 134567890123**** and the account alias is company-b.
  1. Enterprise A uses Account A to create a RAM role, grants the required permissions to the RAM role, and then authorizes Account B to assume this role.

    For more information, see Grant permissions across Alibaba Cloud accounts.

  2. If an employee of Enterprise B needs to use a RAM user to assume this role, Enterprise B can use Account B to grant the required permissions to the RAM user. Then, the RAM user assumes the RAM role to access the resources of Account A.

    For more information, see Access resources across Alibaba Cloud accounts.

  3. If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Account B. Then, the RAM users of Account B no longer have the permissions of the RAM role.

    For more information, see Revoke permissions across Alibaba Cloud accounts.

Grant permissions across Alibaba Cloud accounts

  1. Enterprise A uses Account A to create a RAM role that is named ecs-admin. Alibaba Cloud Account is selected as the trusted entity type.
    Note When the RAM role is created, Other Alibaba Cloud Account is selected and 134567890123**** is specified as the trusted Alibaba Cloud account. This ensures that RAM users that belong to Account B can assume the RAM role.

    For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    After the RAM role is created, Enterprise A can view information about the RAM role on the basic information page.

    • In this example, the Alibaba Cloud Resource Name (ARN) of the RAM role is acs:ram::123456789012****:role/ecs-admin.
    • The following policy is attached to the RAM role:
      Note This policy indicates that RAM users of Account B can assume the RAM role. 
      {
"Statement": [
{
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
   "RAM": [
     "acs:ram::134567890123****:root"
   ]
 }
}
],
"Version": "1"
}
  2. Enterprise A uses Account A to attach the AliyunECSFullAccess policy to the RAM role ecs-admin.

    For more information, see Grant permissions to a RAM role.

  3. Enterprise B uses Account B to create a RAM user named Alice.

    For more information, see Create a RAM user.

  4. Enterprise B uses Account B to set the logon password of the RAM user to 123456**** and attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This allows the RAM user to assume the RAM role.

    For more information, see Grant permissions to a RAM user.

Access resources across Alibaba Cloud accounts

After Enterprise A uses Account A to grant the required permissions to Account B, the RAM user Alice of Account B can access ECS resources of Account A by assuming the RAM role. An employee of Enterprise B can perform the following steps to assume the RAM role as a RAM user:

  1. Log on to the RAM console as the RAM user named Alice.
    Note On the logon page, you must enter the account alias company-b, username Alice, and password 123456****.

    For more information, see Log on to the console as a RAM user.

  2. Move the pointer over the profile picture and click Switch Identity.
    Note On the page that appears, you must enter the account alias company-a and role name ecs-admin.

    For more information, see Assume a RAM role.

Revoke permissions across Alibaba Cloud accounts

Enterprise A can use Account A to revoke the permissions to assume the RAM role ecs-admin from Account B. Enterprise A can perform the following steps to revoke the permissions to assume the RAM role:

  1. Log on to the RAM console by using Account A.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the Role Name column of the page that appears, click the RAM role ecs-admin.
  4. On the Trust Policy Management tab, click Edit Trust Policy. In the panel that appears, delete "acs:ram::134567890123****:root".
    Note Enterprise A can also use Account A to delete the RAM role ecs-admin. This revokes the permissions of the RAM role from Account B. Before the RAM role is deleted, the policies attached to the RAM role must be detached. For more information, see Revoke permissions from a RAM role.