EventBridge allows an Alibaba Cloud account to grant permissions on resources to Resource Access Management (RAM) users. This avoids the risk of exposing the AccessKey pair of the Alibaba Cloud account. Only authorized RAM users are allowed to manage resources in the EventBridge console and publish events by using SDKs and API operations.

Scenarios

Enterprise A has purchased the EventBridge service and employees of Enterprise A need to manage resources related to this service, such as event rules and event buses. Employees with different duties require different permissions.

The following list describes the specific requirements in this scenario:

  • For security reasons, Enterprise A does not want to disclose the AccessKey pair of its Alibaba Cloud account to employees. Instead, Enterprise A prefers to create different RAM users for the employees and grant different permissions to the RAM users.
  • A RAM user can use resources only after it is authorized. Resource usage and costs are not calculated separately for the RAM user. All expenses are billed to the Alibaba Cloud account of Enterprise A.
  • Enterprise A can revoke the permissions granted to a RAM user and delete a RAM user at any time.

In this scenario, the Alibaba Cloud account of Enterprise A can grant fine-grained permissions on resources to employees as needed.

Method 1: Grant permissions to a RAM user on the Users page

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified. You can also specify another RAM user.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

Method 2: Grant permissions to a RAM user on the Grants page

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. On the Grant Permission page, grant permissions to a RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which permissions are to be granted.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

References

What is RAM?

What to do next

After you create a RAM user by using an Alibaba Cloud account, you can distribute the user name and password of the RAM user, or its AccessKey pair, to other employees. These employees can then log on to the console or call an API operation of the service as the RAM user by performing the following steps:
  • Log on to the EventBridge console.
    1. Open the RAM user logon portal in your browser.
    2. On the RAM User Logon page, enter the RAM user name and then click Next. Enter the password of the RAM user and then click Login.
      Note The RAM user name is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not set, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, click an authorized service to access the console of this service.
  • Call an API operation by using the AccessKey pair of the RAM user.

    Use the AccessKey ID and AccessKey secret of the RAM user, not those of the Alibaba Cloud account, in the code.
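The following helpers, added here as an example and not part of Alibaba Cloud's documentation or SDKs, turn two rules stated above into code: the limit of five policies per Add Permissions operation, and the `<username>@<alias>` logon name that falls back to the account ID when no alias is set. The policy-document builder uses the RAM policy language version "1"; the action and resource strings in the sample usage are assumptions about EventBridge's RAM naming and are not taken from this page.

```python
"""Added example (not Alibaba Cloud's own code): plan a RAM grant for EventBridge."""
import json
from typing import Dict, Iterable, List, Optional

MAX_POLICIES_PER_GRANT = 5  # per-operation limit stated in the console notes above


def build_custom_policy(actions: Iterable[str], resources: Iterable[str]) -> Dict:
    """Return a RAM custom policy document ("Version": "1" is RAM's policy
    language version). Deduplicates and sorts so two documents compare equal."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow",
                       "Action": sorted(set(actions)),
                       "Resource": sorted(set(resources))}],
    }


def batch_policies(policy_names: Iterable[str]) -> List[List[str]]:
    """Split policies into Add Permissions operations of at most five each,
    dropping duplicates and keeping the caller's order."""
    unique: List[str] = []
    for name in policy_names:
        if name not in unique:
            unique.append(name)
    return [unique[i:i + MAX_POLICIES_PER_GRANT]
            for i in range(0, len(unique), MAX_POLICIES_PER_GRANT)]


def ram_logon_name(username: str, account_alias: Optional[str], account_id: str) -> str:
    """Logon name in the <username>@<alias> form given above; when no alias is
    set, the Alibaba Cloud account ID is used in its place."""
    if not username or "@" in username:
        raise ValueError("username must be non-empty and must not contain '@'")
    return f"{username}@{account_alias or account_id}"


if __name__ == "__main__":
    # Constructed sample values; the action and resource strings are assumptions
    # about EventBridge's RAM naming, not taken from this page.
    policy = build_custom_policy(["eventbridge:PutEvents"],
                                 ["acs:eventbridge:*:*:eventbus/default"])
    print(json.dumps(policy, indent=2))
    print(batch_policies(["policy-a", "policy-b", "policy-c",
                          "policy-d", "policy-e", "policy-f", "policy-a"]))
    print(ram_logon_name("alice", None, "123456789012"))  # alice@123456789012
```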