You can use Enterprise A's Alibaba Cloud account to create a RAM role, grant permissions to the role, and then allow Enterprise B's Alibaba Cloud account to assume it. This enables Enterprise B's Alibaba Cloud account or its RAM users to access Enterprise A's Alibaba Cloud resources.
Background
Enterprise A uses the EventBridge service and wants to delegate some tasks to Enterprise B.
The requirements are as follows:
Enterprise A wants to remain the resource owner, while delegating tasks like event publishing to Enterprise B.
Enterprise A wants to avoid making permission changes when employees join or leave Enterprise B. Enterprise B should be able to manage access for its own RAM users (employees or applications) and define fine-grained permissions for Enterprise A's resources.
Enterprise A must be able to revoke Enterprise B's access at any time, for example, if their contract ends.
Procedure
Log on to the RAM console with Enterprise A's Alibaba Cloud account and create a RAM role for Enterprise B's Alibaba Cloud account.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Optional: Create a custom policy for the RAM role.
For more information, see Create a custom policy.
EventBridge supports resource-level permissions. For more information, see Policies and examples.
A new RAM role has no permissions. Enterprise A must grant permissions to it by attaching a system policy or a custom policy. Follow the principle of least privilege: prefer a custom policy that allows only the operations Enterprise B needs (for example, publishing events) and, because EventBridge supports resource-level permissions, scope the Resource element to the specific event buses instead of using "*". Whatever the RAM user's permissions are in Enterprise B's account, it acts with only the role's permissions while it assumes the role. To revoke Enterprise B's access at any time, delete the role or remove Enterprise B's account from the role's trust policy.
For more information, see Manage permissions for a RAM role.
Use Enterprise B's Alibaba Cloud account to log on to the RAM console and create a RAM user.
For more information, see Create a RAM user.
Grant the AliyunSTSAssumeRoleAccess policy to Enterprise B's RAM user. For more information, see Grant permissions to a RAM user.
Enterprise B must grant the AliyunSTSAssumeRoleAccess permission to its RAM user. This allows the RAM user to assume the RAM role created by Enterprise A. Note that AliyunSTSAssumeRoleAccess allows sts:AssumeRole on any role whose trust policy admits Enterprise B's account. If the RAM user should be able to assume only this one role, attach a custom policy instead that allows sts:AssumeRole with the Resource element set to the ARN of the role in Enterprise A's account. Enterprise B's RAM user can now access Enterprise A's resources through the console or via API calls.
For detailed instructions, see the Next steps section of this topic.
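The following is an added example that is not part of the Alibaba Cloud documentation. It writes out the three policy documents the procedure above asks for (the role's trust policy in Enterprise A, the role's permission policy scoped to one event bus, and the policy Enterprise B attaches to its RAM user) and checks the three requirements from the Background section against them. The account IDs, role name, event bus name and the eventbridge:PutEvents and eventbridge:GetEventBus action names are placeholders chosen for the example, and evaluate() is a deliberately small approximation of RAM policy evaluation (explicit Deny wins, any matching Allow grants, otherwise implicit deny), not RAM's own engine.

```python
"""Policy documents for the cross-account EventBridge delegation scenario.

Added example, not code from the Alibaba Cloud documentation. Account IDs,
role name and event bus name are constructed placeholders; evaluate() is an
assumed approximation of RAM's Allow/Deny semantics, not the real engine.
"""
import fnmatch
import json

ENTERPRISE_A_ID = "111111111111"   # placeholder: the resource owner
ENTERPRISE_B_ID = "222222222222"   # placeholder: the delegated publisher
ROLE_NAME = "eventbridge-publisher-for-b"
EVENT_BUS = "orders-bus"
ROLE_ARN = f"acs:ram::{ENTERPRISE_A_ID}:role/{ROLE_NAME}"

# Step 1: trust policy on the role in Enterprise A's account. Only Enterprise
# B's Alibaba Cloud account (and, through it, B's RAM users) may assume it.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{ENTERPRISE_B_ID}:root"]},
    }],
}

# Step 2: permission policy attached to the role. Resource-level scoping to a
# single event bus instead of "Resource": "*". The action and resource formats
# follow EventBridge's documented pattern and are assumed for this example.
PERMISSION_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eventbridge:PutEvents", "eventbridge:GetEventBus"],
        "Resource": [f"acs:eventbridge:*:{ENTERPRISE_A_ID}:eventbus/{EVENT_BUS}"],
    }],
}

# Step 3: what Enterprise B attaches to its RAM user. AliyunSTSAssumeRoleAccess
# allows sts:AssumeRole on Resource "*"; this custom equivalent pins the user
# to the one role in Enterprise A.
USER_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_assume_role(trust_policy, caller_account_id):
    """True if an Allow statement names the caller's account as a RAM principal."""
    principal = f"acs:ram::{caller_account_id}:root"
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if principal in _as_list(stmt.get("Principal", {}).get("RAM", [])):
            return True
    return False


def evaluate(policy, action, resource):
    """Approximate RAM evaluation: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def revoke_account(trust_policy, account_id):
    """Return a copy of the trust policy with the account removed: Enterprise A's
    way to cut Enterprise B off without touching any policy in B's account."""
    principal = f"acs:ram::{account_id}:root"
    revoked = json.loads(json.dumps(trust_policy))   # deep copy, input untouched
    for stmt in revoked["Statement"]:
        ram = _as_list(stmt.get("Principal", {}).get("RAM", []))
        stmt.setdefault("Principal", {})["RAM"] = [p for p in ram if p != principal]
    # Drop statements left with no principal at all.
    revoked["Statement"] = [s for s in revoked["Statement"] if s["Principal"]["RAM"]]
    return revoked


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(PERMISSION_POLICY, indent=2))
```

The point of checking these documents locally is the asymmetry the requirements describe: Enterprise B controls who among its RAM users may call sts:AssumeRole, but the trust policy and the permission policy both live in Enterprise A's account, so Enterprise A alone decides which account may assume the role and what the role may do, and can withdraw either at any time.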
More information
Next steps
An Enterprise B RAM user can now access Enterprise A's Alibaba Cloud resources by logging on to the console or by calling an API.
Log on to the console to access Enterprise A's resources
Open the RAM user logon portal in your browser.
On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Logon.
Note: The logon name of a RAM user must be in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is set, the ID of the Alibaba Cloud account is used by default.
In the Alibaba Cloud console, move the pointer over your profile picture in the upper-right corner and click Switch Role.
On the Switch Role page, enter the Enterprise Alias or Default Domain for Enterprise A's account and the Role Name. Then, click Switch.
You can now perform operations on Enterprise A's Alibaba Cloud resources.
Make API calls to access Enterprise A's resources
To access Enterprise A's resources via API calls, Enterprise B's RAM user first calls the STS AssumeRole operation, signed with its own AccessKey pair, and passes the ARN of the RAM role in Enterprise A's account. STS returns temporary credentials: an AccessKeyId, an AccessKeySecret, and a SecurityToken. Your code must include all three in every subsequent API call to Enterprise A's resources; the SecurityToken is a temporary security token, and the credentials stop working when the session duration expires, after which you call AssumeRole again. To learn how to obtain a temporary security token from STS, see AssumeRole.
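The two-step credential flow, as an added example that is not code from the Alibaba Cloud documentation: it builds and signs the STS AssumeRole request with the RPC-style request signature (HMAC-SHA1 over the sorted, percent-encoded query string, with AccessKeySecret plus a trailing "&" as the key) using only the Python standard library, so every signing step is visible, then maps the returned credentials to the environment variables an SDK-based EventBridge client reads. The account ID, role name, session name and AccessKey pair are constructed placeholders, and the ALIBABA_CLOUD_* variable names are assumed to match the Alibaba Cloud SDK credential chain.

```python
"""sts:AssumeRole from Enterprise B's RAM user, then hand the temporary
credentials to an EventBridge client.

Added example, not code from the Alibaba Cloud documentation. Placeholder
account ID, role name, session name and AccessKey pair; the ALIBABA_CLOUD_*
environment variable names are assumed to be what the SDK credential chain reads.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"
STS_API_VERSION = "2015-04-01"


def percent_encode(value):
    """RFC 3986 encoding as the signature expects: space -> %20, '*' -> %2A, '~' kept."""
    return (urllib.parse.quote(str(value), safe="")
            .replace("+", "%20").replace("*", "%2A").replace("%7E", "~"))


def canonical_query(params):
    """Parameters sorted by name, each name and value percent-encoded."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(params, method="GET"):
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical_query(params))}"


def sign(params, access_key_secret, method="GET"):
    key = (access_key_secret + "&").encode()   # the trailing '&' is part of the scheme
    mac = hmac.new(key, string_to_sign(params, method).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_assume_role_url(access_key_id, access_key_secret, role_arn, session_name,
                          duration_seconds=3600, nonce=None, timestamp=None):
    """Signed GET URL for sts:AssumeRole. The RAM user's own AccessKey signs this
    call; the role's permissions, not the user's, apply to what STS returns."""
    params = {
        "Format": "JSON",
        "Version": STS_API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        # Appears in Enterprise A's audit trail: identify the actual caller in B.
        "RoleSessionName": session_name,
        "DurationSeconds": str(duration_seconds),
    }
    params["Signature"] = sign(params, access_key_secret)
    return STS_ENDPOINT + "?" + canonical_query(params)


def assume_role(access_key_id, access_key_secret, role_arn, session_name, duration_seconds=3600):
    """Network call to STS. Returns the Credentials object: AccessKeyId,
    AccessKeySecret, SecurityToken and Expiration."""
    url = build_assume_role_url(access_key_id, access_key_secret, role_arn, session_name, duration_seconds)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["Credentials"]


def credentials_env(credentials):
    """Map STS credentials to the variables an SDK-based EventBridge client reads
    (names assumed). All three are needed: the AccessKey pair alone is rejected
    without its SecurityToken."""
    return {
        "ALIBABA_CLOUD_ACCESS_KEY_ID": credentials["AccessKeyId"],
        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": credentials["AccessKeySecret"],
        "ALIBABA_CLOUD_SECURITY_TOKEN": credentials["SecurityToken"],
    }


if __name__ == "__main__":
    # Placeholder inputs; with a real RAM user key, assume_role() on this URL
    # returns credentials that expire after DurationSeconds.
    print(build_assume_role_url("LTAI-placeholder", "placeholder-secret",
                                "acs:ram::111111111111:role/eventbridge-publisher-for-b",
                                "alice-at-enterprise-b"))
```

Two operational points this makes concrete: the RoleSessionName is what Enterprise A sees in its logs, so Enterprise B should set it to something that identifies the calling employee or application rather than a constant, and the temporary credentials should be refreshed by calling AssumeRole again before Expiration rather than stored long-term, which is what makes revoking the role's trust take effect within one session duration.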