EventBridge allows an Alibaba Cloud account to grant permissions on resources to Resource Access Management (RAM) users. This prevents risks of exposing the AccessKey pair of the Alibaba Cloud account. Only authorized RAM users are allowed to manage resources in the EventBridge console and publish events by using SDKs and API operations.
Enterprise A has purchased the EventBridge service and employees of Enterprise A need to manage resources related to this service, such as event rules and event buses. Employees with different duties require different permissions.
The following section introduces specific scenarios:
- For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A prefers to create different RAM users for the employees and grant different permissions to the RAM users.
- A RAM user can use resources only under authorization. Resource usage and costs are not separately calculated for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
- Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.
In this scenario, the Alibaba Cloud account of Enterprise A can grant fine-grained permissions on resources to employees as needed.
- Create a RAM user by using the Alibaba Cloud account of Enterprise A.
For more information, see Create a RAM user.
- Optional. Create custom policies for the new RAM user by using the Alibaba Cloud account of Enterprise A.
- Grant permissions to the RAM user by using the Alibaba Cloud account of Enterprise
For more information, see Grant permissions to a RAM user.
What to do next
- Log on to the EventBridge console.
- Open the RAM user logon portal in your browser.
- On the RAM User Logon page, enter the RAM user name and then click Next. Enter the password of the RAM user and then click Login.
Note The RAM user name is in the format of
<$AccountAlias>is the account alias. If an account alias is not set, the ID of the Alibaba Cloud account is used by default.
- On the homepage of the console, click an authorized service to access the console of this service.
- Call an API operation by using the AccessKey pair of the RAM user.
Use the AccessKey ID and AccessKey secret of the RAM user in the code.