You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to the RAM role, and then assign the RAM role to a RAM user of Enterprise B. This way, the RAM user of Enterprise B can access Express Connect resources that belong to Enterprise A.

Scenario

If Enterprise A purchases a variety of cloud resources for business use and wants to entrust some tasks to Enterprise B, Enterprise A can create a RAM role to grant permissions to Enterprise B. A RAM role is a virtual entity without a specific logon password or an AccessKey pair. A RAM role can be used only after the RAM role is assumed by a trusted entity. To meet the business requirements of Enterprise A, perform the following steps:

  1. Create a RAM role with the account of Enterprise A. For more information, see Step 1: Create a RAM role with the account of Enterprise A.
  2. Grant permissions to the RAM role with the account of Enterprise A. For more information, see Step 2: Grant permissions to the RAM role with the account of Enterprise A.
  3. Create a RAM user with the account of Enterprise B. For more information, see Step 3: Create a RAM user with the account of Enterprise B.
  4. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user with the account of Enterprise B. For more information, see Step 4: Grant permissions to the RAM user with the account of Enterprise B.
  5. Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user. For more information, see Step 5: Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user.

The following system policies of Express Connect can be attached to a RAM role:

  • AliyunExpressConnectFullAccess: allows the RAM user that assumes the RAM role to manage Express Connect.
  • AliyunExpressConnectReadOnlyAccess: grants the RAM user that assumes the RAM role read-only permissions on Express Connect.

Limits

By default, Express Connect resources cannot be accessed across accounts due to security and compliance requirements. If you want to access Express Connect resources of another Alibaba Cloud account, contact your account manager.

Step 1: Create a RAM role with the account of Enterprise A

Log on to the RAM console and create a RAM role with the Alibaba Cloud account of Enterprise A.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Configure the RAM role.
    1. Specify RAM Role Name.
    2. Specify Note.
    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account. In this example, Other Alibaba Cloud Account is selected, and the ID of the Alibaba Cloud account of Enterprise B is entered.
      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of that Alibaba Cloud account. This option is used for cross-account authorization.
        Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
  6. Click OK. Then, click Close.

Step 2: Grant permissions to the RAM role with the account of Enterprise A

The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role created in Step 1 and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role created in Step 1.
    1. Select the authorization scope. In this example, Alibaba Cloud Account is selected.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
    3. Select a policy. In this example, the AliyunExpressConnectFullAccess system policy is selected.
      You can select AliyunExpressConnectFullAccess or AliyunExpressConnectReadOnlyAccess for Express Connect based on your business requirements. If the system policies for Express Connect cannot meet your business requirements, you can create custom policies. For more information about how to create custom policies, see Create a custom policy.
  5. Click OK. Then, click Complete.

Step 3: Create a RAM user with the account of Enterprise B

Log on to the RAM console and create a RAM user with the Alibaba Cloud account of Enterprise B.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the employee who uses the RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after the employee leaves the organization.
  6. Click OK.

Step 4: Grant permissions to the RAM user with the account of Enterprise B

Enterprise B must attach the AliyunSTSAssumeRoleAccess policy to the RAM user created in Step 3. This way, the RAM user can assume the RAM role created in Step 1.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user created in Step 3 and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope. In this example, Alibaba Cloud Account is selected.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal. In this example, the RAM user created in Step 3 is specified.
    3. Select a policy. In this example, AliyunSTSAssumeRoleAccess is selected.
  5. Click OK. Then, click Complete.

Step 5: Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user

After the preceding steps are completed, the RAM user of Enterprise B can perform the following steps to access the Express Connect resources of Enterprise A by using the console or calling API operations.

Log on to the console to access the cloud resources of Enterprise A

  1. Log on to the Alibaba Cloud console as the RAM user of Enterprise B.
  2. Move the pointer over the profile picture and click Switch Identity.
    Note Enter the alias of the Alibaba Cloud account of Enterprise A and the name of the RAM role created in Step 1. For more information, see Assume a RAM role.
  3. Log on to the Express Connect console. Then, you can access the cloud resources of Enterprise A.

Call API operations to access the cloud resources of Enterprise A

To access the cloud resources of Enterprise A by calling API operations as the RAM user, you must specify in your code the temporary AccessKeyId, AccessKeySecret, and SecurityToken that STS returns when the RAM user assumes the RAM role. The SecurityToken is a temporary security token and must be sent together with the temporary AccessKey pair. For more information about how to obtain a temporary security token by using Security Token Service (STS), see AssumeRole.
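The API flow of this step, as an added example that is not part of the original documentation and not Alibaba Cloud's SDK code: it signs an STS AssumeRole call with the AccessKey pair of the Enterprise B RAM user, extracts the temporary credentials, and then signs an Express Connect request (served by the VPC API) with the SecurityToken attached. The RPC signature v1 scheme is implemented with the standard library so the signing logic is visible; the API versions, the DescribeVirtualBorderRouters action, the RoleArn format and every credential value are assumptions or placeholders.

```python
import base64, hashlib, hmac, json, urllib.parse, urllib.request, uuid
from datetime import datetime, timezone

def percent_encode(value) -> str:
    # Signature v1 uses RFC 3986 encoding: space -> %20, '*' -> %2A, '~' stays literal.
    return urllib.parse.quote(str(value), safe="~")

def string_to_sign(params: dict, method: str = "GET") -> str:
    # Sort by parameter name, then encode the whole canonical query string once more.
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"

def sign_request(params: dict, ak_id: str, ak_secret: str, token: str = None,
                 timestamp: str = None, nonce: str = None) -> dict:
    p = dict(params, Format="JSON", AccessKeyId=ak_id, SignatureMethod="HMAC-SHA1",
             SignatureVersion="1.0", SignatureNonce=nonce or str(uuid.uuid4()),
             Timestamp=timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    if token:  # temporary credentials from AssumeRole are only valid together with their SecurityToken
        p["SecurityToken"] = token
    key = (ak_secret + "&").encode()  # v1 appends '&' to the secret before keying HMAC-SHA1
    p["Signature"] = base64.b64encode(hmac.new(key, string_to_sign(p).encode(), hashlib.sha1).digest()).decode()
    return p

def assume_role_params(role_arn: str, session_name: str, duration_seconds: int = 3600) -> dict:
    # RoleSessionName is recorded with the assumed-role identity, so choose a value that identifies the caller.
    return {"Action": "AssumeRole", "Version": "2015-04-01", "RoleArn": role_arn,
            "RoleSessionName": session_name, "DurationSeconds": str(duration_seconds)}

def express_connect_params(action: str, region_id: str) -> dict:
    # Express Connect operations are served by the VPC API (version assumed: 2016-04-28).
    return {"Action": action, "Version": "2016-04-28", "RegionId": region_id}

def temporary_credentials(assume_role_body: dict) -> tuple:
    # Shape of the AssumeRole response body: {"Credentials": {AccessKeyId, AccessKeySecret, SecurityToken, Expiration}}
    c = assume_role_body["Credentials"]
    return c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"]

def call(endpoint: str, signed: dict) -> dict:
    with urllib.request.urlopen(f"https://{endpoint}/?{urllib.parse.urlencode(signed)}") as r:
        return json.load(r)

if __name__ == "__main__":
    # Placeholders, not real values: Enterprise B's RAM user keys and Enterprise A's RAM role ARN.
    ak_id, ak_secret = "<EnterpriseB-RAM-user-AccessKeyId>", "<EnterpriseB-RAM-user-AccessKeySecret>"
    role_arn = "acs:ram::<EnterpriseA-account-ID>:role/<RAM-role-name-from-Step-1>"
    sts = call("sts.aliyuncs.com", sign_request(assume_role_params(role_arn, "entB-ops-alice"), ak_id, ak_secret))
    tmp_id, tmp_secret, tmp_token = temporary_credentials(sts)  # short-lived; re-assume when Expiration passes
    vbr = express_connect_params("DescribeVirtualBorderRouters", "cn-hangzhou")
    print(call("vpc.aliyuncs.com", sign_request(vbr, tmp_id, tmp_secret, tmp_token)))
```

The long-lived AccessKey pair of the RAM user is only ever sent to STS; every Express Connect call carries the temporary credentials plus SecurityToken, so a leaked token expires on its own.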