You can use the Alibaba Cloud account of Enterprise A to create a Resource Access Management (RAM) role, grant permissions to the RAM role, and trust the Alibaba Cloud account of Enterprise B. A RAM user of Enterprise B can then assume the RAM role and access Express Connect resources that belong to Enterprise A, without Enterprise A sharing any long-term credentials.
Scenario
If Enterprise A purchases a variety of cloud resources for business use and wants to entrust some tasks to Enterprise B, Enterprise A can create a RAM role to grant permissions to Enterprise B. A RAM role is a virtual identity that has no logon password or AccessKey pair. A RAM role can be used only after a trusted entity assumes it and obtains temporary credentials for it. To meet the business requirements of Enterprise A, perform the following steps:
- Create a RAM role with the account of Enterprise A. For more information, see Step 1: Create a RAM role with the account of Enterprise A.
- Grant permissions to the RAM role with the account of Enterprise A. For more information, see Step 2: Grant permissions to the RAM role with the account of Enterprise A.
- Create a RAM user with the account of Enterprise B. For more information, see Step 3: Create a RAM user with the account of Enterprise B.
- Attach the AliyunSTSAssumeRoleAccess policy to the RAM user with the account of Enterprise B. For more information, see Step 4: Grant permissions to the RAM user with the account of Enterprise B.
- Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user. For more information, see Step 5: Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user.
The following system policies of Express Connect can be attached to the RAM role. Whoever assumes the role receives these permissions, so attach the least privileged policy that the entrusted task requires:
- AliyunExpressConnectFullAccess: grants full management permissions on Express Connect.
- AliyunExpressConnectReadOnlyAccess: grants read-only permissions on Express Connect.
Limits
By default, Express Connect resources cannot be accessed across accounts due to security and compliance requirements. If you want to access Express Connect resources of another Alibaba Cloud account, contact your account manager.
Step 1: Create a RAM role with the account of Enterprise A
Log on to the RAM console and create a RAM role with the Alibaba Cloud account of Enterprise A.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click RAM Roles.
- On the RAM Roles page, click Create RAM Role.
- In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
- Configure the RAM role: enter a role name, select Other Alibaba Cloud Account as the trusted account, and enter the ID of the Alibaba Cloud account of Enterprise B. This writes a trust policy that allows only principals in the Enterprise B account to call sts:AssumeRole on the role. Trust only an account ID you have verified with Enterprise B; never use a wildcard principal.
- Click OK. Then, click Close.
Step 2: Grant permissions to the RAM role with the account of Enterprise A
The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, find the RAM role created in Step 1 and click Add Permissions in the Actions column.
- In the Add Permissions panel, attach the Express Connect system policy that the entrusted task requires: AliyunExpressConnectReadOnlyAccess if Enterprise B only needs to view resources, or AliyunExpressConnectFullAccess if Enterprise B must manage them.
- Click OK. Then, click Complete.
Step 3: Create a RAM user with the account of Enterprise B
Log on to the RAM console and create a RAM user with the Alibaba Cloud account of Enterprise B. Enable console logon for the RAM user if it will use the Express Connect console, and create an AccessKey pair for it if it will call API operations in Step 5.
Step 4: Grant permissions to the RAM user with the account of Enterprise B
Enterprise B must attach the AliyunSTSAssumeRoleAccess policy to the RAM user created in Step 3. This way, the RAM user can assume the RAM role created in Step 1.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, find the RAM user created in Step 3 and click Add Permissions in the Actions column.
- In the Add Permissions panel, attach the AliyunSTSAssumeRoleAccess system policy to the RAM user. This policy only allows the RAM user to call sts:AssumeRole; it does not by itself grant any permissions on Express Connect.
- Click OK. Then, click Complete.
Step 5: Access the resources of Enterprise A by using the Express Connect console or calling API operations as the RAM user
After the preceding steps are completed, the RAM user of Enterprise B can perform the following steps to access the Express Connect resources of Enterprise A by using the console or calling API operations.
Log on to the console to access the cloud resources of Enterprise A: log on to the Alibaba Cloud Management Console as the RAM user of Enterprise B, then switch to the RAM role by entering the Alibaba Cloud account of Enterprise A and the name of the RAM role created in Step 1. After the switch, the console shows the Express Connect resources of Enterprise A with the permissions granted in Step 2.
Call API operations to access the cloud resources of Enterprise A
To access the cloud resources of Enterprise A by calling API operations as the RAM user, first call the STS AssumeRole operation with the AccessKey pair of the RAM user of Enterprise B and specify the ARN of the RAM role created in Step 1. Security Token Service (STS) returns temporary credentials: an AccessKeyId, an AccessKeySecret, and a SecurityToken. Sign the Express Connect API requests with these temporary credentials, not with the long-term AccessKey pair of the RAM user, and pass the SecurityToken with each request. The temporary credentials expire at the end of the session duration, after which AssumeRole must be called again. For more information, see AssumeRole.
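The following Python example ties Step 1 and Step 5 together: it builds the trust policy that the RAM role of Enterprise A needs, checks that the policy trusts a specific account rather than a wildcard, signs the STS AssumeRole request with the RAM user's own AccessKey pair, and then signs an Express Connect request with the temporary credentials. It is an added example, not code from the original page or an Alibaba Cloud SDK. The signing follows the documented Alibaba Cloud RPC signature method (HMAC-SHA1 over the sorted, percent-encoded parameters), which the SDKs perform for you. All account IDs, AccessKeys, the role name, the STS response, and the vpc:Describe* action namespace used in the session policy are placeholders or assumptions, and nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import uuid
from datetime import datetime, timezone

# Placeholder account IDs and role name; none of these are real.
ENTERPRISE_A_ACCOUNT_ID = "1111111111111111"   # owns the Express Connect resources and the RAM role
ENTERPRISE_B_ACCOUNT_ID = "2222222222222222"   # owns the RAM user that assumes the role
ROLE_NAME = "ExpressConnectReadOnlyForB"       # assumed role name


def trust_policy(trusted_account_id: str) -> dict:
    """Step 1: trust policy for the RAM role in Enterprise A (Trusted Entity Type: Alibaba Cloud Account).
    Only principals in the trusted account may call sts:AssumeRole on the role."""
    return {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]}}]}


def check_trust_policy(policy: dict) -> bool:
    """Accept only principals of the form acs:ram::<account-id>:root.
    A '*' principal would let any Alibaba Cloud account assume the role."""
    for statement in policy["Statement"]:
        for principal in statement["Principal"].get("RAM", []):
            parts = principal.split(":")
            if len(parts) != 5 or parts[:2] != ["acs", "ram"] or not parts[3].isdigit() or parts[4] != "root":
                return False
    return True


def _percent_encode(value) -> str:
    # RPC signature encoding: RFC 3986 unreserved set, '+' -> %20, '*' -> %2A, '~' left as is.
    return urllib.parse.quote(str(value), safe="").replace("+", "%20").replace("*", "%2A").replace("%7E", "~")


def _string_to_sign(params: dict, method: str) -> str:
    # Parameters sorted by name, Signature excluded, then METHOD&%2F&<encoded canonical query string>.
    canonical = "&".join(f"{_percent_encode(k)}={_percent_encode(v)}"
                         for k, v in sorted(params.items()) if k != "Signature")
    return f"{method}&{_percent_encode('/')}&{_percent_encode(canonical)}"


def _hmac_sha1_b64(secret: str, message: str) -> str:
    # The signing key is the AccessKeySecret followed by '&'.
    return base64.b64encode(hmac.new((secret + "&").encode(), message.encode(), hashlib.sha1).digest()).decode()


def sign_rpc_request(params: dict, access_key_id: str, access_key_secret: str, method: str = "GET") -> dict:
    """Add the common parameters and the Signature of an Alibaba Cloud RPC-style API request."""
    signed = dict(params)
    signed.update({"Format": "JSON", "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1",
                   "SignatureVersion": "1.0", "SignatureNonce": str(uuid.uuid4()),
                   "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    signed["Signature"] = _hmac_sha1_b64(access_key_secret, _string_to_sign(signed, method))
    return signed


def verify_rpc_signature(signed: dict, access_key_secret: str, method: str = "GET") -> bool:
    """What the API endpoint does: recompute the signature over every parameter except Signature."""
    expected = _hmac_sha1_b64(access_key_secret, _string_to_sign(signed, method))
    return hmac.compare_digest(expected, signed.get("Signature", ""))


def assume_role_request(user_ak_id: str, user_ak_secret: str, session_name: str,
                        session_policy=None, duration_seconds: int = 3600) -> dict:
    """Step 5: STS AssumeRole (API version 2015-04-01, endpoint sts.aliyuncs.com), signed with the
    RAM user's own AccessKey pair. RoleArn names the role created in Enterprise A."""
    params = {"Action": "AssumeRole", "Version": "2015-04-01",
              "RoleArn": f"acs:ram::{ENTERPRISE_A_ACCOUNT_ID}:role/{ROLE_NAME}",
              "RoleSessionName": session_name, "DurationSeconds": str(duration_seconds)}
    if session_policy is not None:
        # Optional session policy: it can only narrow what the role's attached policies already allow.
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    return sign_rpc_request(params, user_ak_id, user_ak_secret)


def express_connect_request(sts_credentials: dict, action: str = "DescribePhysicalConnections",
                            region_id: str = "cn-hangzhou") -> dict:
    """Express Connect call (VPC API version 2016-04-28) with the temporary credentials from AssumeRole.
    The temporary AccessKey pair signs the request and SecurityToken is a signed parameter;
    the RAM user's long-term AccessKey pair is not used here."""
    params = {"Action": action, "Version": "2016-04-28", "RegionId": region_id,
              "SecurityToken": sts_credentials["SecurityToken"]}
    return sign_rpc_request(params, sts_credentials["AccessKeyId"], sts_credentials["AccessKeySecret"])


if __name__ == "__main__":
    policy = trust_policy(ENTERPRISE_B_ACCOUNT_ID)
    print("Trust policy for Step 1 (valid):", check_trust_policy(policy), json.dumps(policy))
    # Session policy restricting this session to read-only calls (assumed vpc:* action namespace).
    read_only = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["vpc:Describe*"], "Resource": "*"}]}
    req = assume_role_request("user-ak-id-placeholder", "user-ak-secret-placeholder", "b-ops-session", read_only)
    print("AssumeRole query string:", urllib.parse.urlencode(req))
    # Constructed stand-in for the Credentials object STS returns; a real call goes to https://sts.aliyuncs.com/.
    fake_sts = {"AccessKeyId": "STS.placeholder", "AccessKeySecret": "sts-secret-placeholder",
                "SecurityToken": "token-placeholder", "Expiration": "2030-01-01T00:00:00Z"}
    print("Express Connect query string:", urllib.parse.urlencode(express_connect_request(fake_sts)))
```

Two points worth checking in your own code: the AssumeRole request is the only one signed with the RAM user's AccessKey pair, and every request made afterwards must carry the SecurityToken as a signed parameter, otherwise the temporary AccessKey pair is rejected. The optional session policy is a cheap extra least-privilege control for Enterprise B: it can cut a read-only session out of a role that also allows management actions, but it can never widen what Step 2 granted.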