This topic describes how to use the Resource Access Management (RAM) console or an SDK to grant permissions across Alibaba Cloud accounts by using a Security Token Service (STS) token. The authorized Alibaba Cloud accounts can view resources in Function Compute.
Scenarios
- Enterprise A can focus on its business systems and act only as the owner of Function Compute. In addition, Enterprise A can authorize Enterprise B to manage specified resources, such as creating services and functions.
- Enterprise A does not need to change permissions when an employee joins or leaves Enterprise B. Enterprise B can grant its RAM users fine-grained permissions on resources of Enterprise A.
- Enterprise A can revoke the permissions that are granted to Enterprise B when the cooperation between Enterprise A and Enterprise B ends.
Use the RAM console
- The ID of Account A is 123456789012****, and the account alias is company-a.
- The ID of Account B is 134567890123****, and the account alias is company-b.
Step 1: Create a RAM role by using Account A
Use Account A to create a RAM role, grant the required permissions to the RAM role, and then authorize Account B to assume this role. You must enter Account B in the Other Alibaba Cloud Account field.
- Use Account A to log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Roles page, click Create Role.
- In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.
- Configure the RAM role.
- Specify RAM Role Name.
- Optional: Specify Note.
- Enter the ID of Account B in the Other Alibaba Cloud Account field. Note: You can view the ID of an Alibaba Cloud account on the Security Settings page.
- Click OK.
- Click Close.
- Use Account A to attach the AliyunFCReadOnlyAccess policy to the created RAM role. For more information about how to grant permissions to a RAM role, see Grant permissions to a RAM role.
- In this example, the ARN of the RAM role is acs:ram::123456789012****:role/fc-admin.
- The following script shows the trust policy of the RAM role. Note: This policy indicates that only RAM users that belong to Account B can assume the RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::134567890123****:root"
        ]
      }
    }
  ],
  "Version": "1"
}
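The trust policy above is the only thing that decides who may call sts:AssumeRole on the role, so it is worth checking mechanically rather than by eye. The following is an added example and not code from the Alibaba Cloud documentation: it takes a trust policy object and a list of account IDs you intend to trust, and reports any Allow statement for AssumeRole whose principal is a wildcard, a non-RAM principal type, or a RAM ARN from a different account. The policy object is the one shown above; the function names and the finding strings are assumptions.

```javascript
// Added example (not from the Alibaba Cloud documentation): audit a RAM role's
// trust policy so that only the intended partner account can assume the role.

// Constructed sample: the trust policy from Step 1, as a JavaScript object.
const TRUST_POLICY = {
  Statement: [
    {
      Action: 'sts:AssumeRole',
      Effect: 'Allow',
      Principal: { RAM: ['acs:ram::134567890123****:root'] },
    },
  ],
  Version: '1',
};

// Extract the account ID from a RAM principal ARN such as
// "acs:ram::134567890123****:root" or "acs:ram::134567890123****:user/alice".
// Returns null for anything that does not look like a RAM principal ARN.
function principalAccountId(arn) {
  const m = /^acs:ram::([^:]+):(root|user\/.+)$/.exec(String(arn));
  return m ? m[1] : null;
}

// Return a list of findings; an empty list means every Allow statement for
// sts:AssumeRole trusts only RAM principals from `allowedAccounts`.
function auditTrustPolicy(policy, allowedAccounts) {
  const findings = [];
  const allowed = new Set(allowedAccounts);
  const statements = Array.isArray(policy.Statement) ? policy.Statement : [];
  if (statements.length === 0) findings.push('policy has no statements');

  for (const st of statements) {
    if (st.Effect !== 'Allow') continue; // Deny statements only narrow access.
    const actions = [].concat(st.Action || []);
    const grantsAssume = actions.some(
      (a) => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*'
    );
    if (!grantsAssume) continue;

    const principal = st.Principal || {};
    if (principal === '*' || principal.RAM === '*') {
      findings.push('wildcard principal: any Alibaba Cloud account could assume the role');
      continue;
    }
    for (const type of Object.keys(principal)) {
      if (type !== 'RAM') {
        findings.push(`principal type "${type}" is not a RAM account; review it separately`);
        continue;
      }
      for (const arn of [].concat(principal.RAM)) {
        const account = principalAccountId(arn);
        if (account === null) {
          findings.push(`unrecognised principal ARN "${arn}"`);
        } else if (!allowed.has(account)) {
          findings.push(`unexpected account ${account} is trusted via "${arn}"`);
        }
      }
    }
  }
  return findings;
}

// Stand-alone run: the sample policy audited against the intended partner account.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditTrustPolicy(TRUST_POLICY, ['134567890123****']));
}
```

Run it against the policy fetched for each cross-account role as part of an access review; an empty result for the expected account ID, and a non-empty one for any other, is the behaviour to rely on.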
Step 2: Use Account B to create RAM users
- Use Account B to create RAM users for employees of Enterprise B. For more information about how to create a RAM user, see Create a RAM user.
- Use Account B to attach the AliyunSTSAssumeRoleAccess policy to the RAM users. Then, the RAM users can assume the RAM role. For more information about how to grant permissions to a RAM user, see Grant permissions to the RAM user.
Step 3: Switch the logon identity
If a RAM user that belongs to Account B needs to access resources of Account A, Account B can be used to grant the required permissions to the RAM user. The RAM user that belongs to Account B assumes the RAM role in Account A to access the resources of Account A. Procedure:
- Use the RAM user that belongs to Account B to log on to the RAM console. For information about how to log on to the console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user.
- Move the pointer over the profile picture in the upper-right corner of the console and click Switch Identity.
- Enter the enterprise alias (account alias), default domain name, or ID of the Alibaba Cloud account to which the RAM role belongs. For more information, see View and modify the default domain name.
- Enter the name of the RAM role. For more information, see View the information about a RAM role.
For more information, see Assume a RAM role.
(Optional) Revoke the granted permissions
Enterprise A can revoke the permissions granted to Account B when the cooperation between Enterprise A and Enterprise B ends. Then, all RAM users that belong to Account B no longer have the permissions of the RAM role. Procedure:
- Use Account A to log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user that you want to delete and click Delete in the Actions column.
- In the Delete User dialog box, read the impact of deletion, enter the username of the RAM user, and then click Move to Recycle Bin.
Use an SDK
You can use STS to authorize temporary access to Function Compute. STS is a web service that provides STS tokens for cloud computing users. The following example shows how Account B obtains the permissions to view all services in Account A.
Before you start
Create a function
Procedure
- Use Account A to create a RAM role and select Account B as the trusted account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
- Use Account B to create RAM users and authorize the RAM users to assume the RAM role. For more information, see Create a RAM user and Grant permissions to the RAM user.
- In the function of Account B, enter the following sample code to obtain a temporary access credential. For more information, see STS SDK overview and AssumeRole.
const Core = require('@alicloud/pop-core');

// Build an Alibaba Cloud client that is used to initiate requests.
/*
  The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M.
  We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources under your account may be compromised. In this example, the AccessKey pair is stored in environment variables to implement identity verification.
  Configure the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables before you run the sample code.
  The ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are automatically configured after you configure the execution permissions in the runtime of Function Compute.
*/
var client = new Core({
  accessKeyId: process.env['ALIBABA_CLOUD_ACCESS_KEY_ID'],
  accessKeySecret: process.env['ALIBABA_CLOUD_ACCESS_KEY_SECRET'],
  endpoint: 'https://sts.aliyuncs.com',
  apiVersion: '2015-04-01'
});

// Configure the parameters.
var params = {
  "RegionId": "cn-hangzhou",
  "RoleArn": "<RoleARN>",
  "RoleSessionName": "<RoleSessionName>"
};

var requestOption = {
  method: 'POST'
};

// Initiate the request and obtain responses.
client.request('AssumeRole', params, requestOption).then((result) => {
  console.log(JSON.stringify(result));
}, (ex) => {
  console.log(ex);
});
# coding=utf-8
import json
import os

from aliyunsdkcore import client as AliyunSDK
from aliyunsdksts.request.v20150401 import AssumeRoleRequest


def main():
    # Enter the temporary key and temporary token.
    # The AccessKey pair of an Alibaba Cloud account can be used to access all API operations. Using these credentials to perform operations in Function Compute is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M.
    # We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources under your account may be compromised. In this example, the AccessKey pair is stored in environment variables to implement identity verification.
    # Configure the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables in your local environment before you run the sample code.
    # In the runtime of Function Compute, the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are automatically configured after you configure the execution permissions.
    AccessKeySecret = os.getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET')
    AccessKeyId = os.getenv('ALIBABA_CLOUD_ACCESS_KEY_ID')
    regionId = 'cn-hangzhou'
    sts_client = AliyunSDK.AcsClient(AccessKeyId, AccessKeySecret, regionId)

    # Build the AssumeRole request for the RAM role created by Account A.
    request = AssumeRoleRequest.AssumeRoleRequest()
    request.set_RoleArn("<RoleARN>")
    request.set_RoleSessionName('fc-python-sdk')

    # Send the request and print only the temporary credentials from the response.
    response = sts_client.do_action_with_exception(request)
    response_json = json.loads(response)
    result = json.dumps(response_json['Credentials'])
    print(result)


if __name__ == "__main__":
    main()
The following sample code shows the expected output:
{
  "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025602A",
  "AssumedRoleUser": {
    "Arn": "acs:ram::****:role/wss/wss",
    "AssumedRoleId": "***********:wss"
  },
  "Credentials": {
    "SecurityToken": "*************",
    "AccessKeyId": "STS.*************",
    "AccessKeySecret": "*************",
    "Expiration": "2021-05-28T11:23:19Z"
  }
}
Note: For answers to commonly asked questions when you obtain the STS token, see FAQ about RAM roles and STS tokens.
- Modify the function code of Account B to authorize the RAM user that belongs to Account B to view all services in Function Compute within Account A. Sample code:
const FC = require('@alicloud/fc2');

// Build a client.
// Use the obtained temporary key.
/*
  The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M.
  We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources under your account may be compromised. In this example, the AccessKey pair is stored in environment variables to implement identity verification.
  Configure the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN environment variables in your local environment before you run the sample code.
  The ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN environment variables are automatically configured after you configure the execution permissions in the runtime of Function Compute.
*/
const client = new FC('<accountID>', {
  region: '<yourRegionID>',
  accessKeyID: process.env['ALIBABA_CLOUD_ACCESS_KEY_ID'],
  securityToken: process.env['ALIBABA_CLOUD_SECURITY_TOKEN'],
  accessKeySecret: process.env['ALIBABA_CLOUD_ACCESS_KEY_SECRET'],
});

// Query services.
client.listServices().then(res => {
  console.log(JSON.stringify(res, null, ' '));
}).catch(ex => console.log(ex));
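In practice the AssumeRole call from step 3 and the Function Compute client from step 4 live in the same function, and the temporary credentials carry an Expiration that the code has to respect. The following is an added example and not code from the Alibaba Cloud documentation or its SDKs: it wraps an injected assumeRole callable (in a real function, the client.request('AssumeRole', ...) call above), validates the Credentials block and Expiration of the result, reuses the credentials until shortly before they expire, and maps them to the option names the @alicloud/fc2 constructor above takes. The sample result is constructed from the masked output shown earlier; the function names, the 300-second refresh margin and the injectable clock are assumptions.

```javascript
// Added example (not from the Alibaba Cloud documentation or its SDKs).

// Constructed sample: an AssumeRole result in the shape shown on this page,
// with masked values as in the documentation.
const SAMPLE_RESPONSE = {
  RequestId: '964E0EC5-575B-4FF5-8FD0-D4BD8025602A',
  AssumedRoleUser: { Arn: 'acs:ram::****:role/wss/wss', AssumedRoleId: '***********:wss' },
  Credentials: {
    SecurityToken: '*************',
    AccessKeyId: 'STS.*************',
    AccessKeySecret: '*************',
    Expiration: '2021-05-28T11:23:19Z',
  },
};

// Validate an AssumeRole result and return its Credentials block together with
// the parsed Expiration (ms since epoch). Throws on a malformed or already
// expired result so that a bad response is never cached.
function parseAssumeRoleResult(result, nowMs) {
  const creds = result && result.Credentials;
  if (!creds || !creds.AccessKeyId || !creds.AccessKeySecret || !creds.SecurityToken) {
    throw new Error('AssumeRole result is missing the Credentials block');
  }
  const expiresAtMs = Date.parse(creds.Expiration);
  if (Number.isNaN(expiresAtMs)) {
    throw new Error(`unparseable Expiration: ${creds.Expiration}`);
  }
  if (expiresAtMs <= nowMs) {
    throw new Error('AssumeRole returned credentials that are already expired');
  }
  return { credentials: creds, expiresAtMs };
}

// True when the cached credentials are within `marginSec` of their Expiration.
function shouldRefresh(expiresAtMs, nowMs, marginSec) {
  return nowMs >= expiresAtMs - marginSec * 1000;
}

// Map the Credentials block to the option names used by the @alicloud/fc2
// constructor in the sample above (accessKeyID, accessKeySecret, securityToken).
function toFcOptions(credentials, region) {
  return {
    region,
    accessKeyID: credentials.AccessKeyId,
    accessKeySecret: credentials.AccessKeySecret,
    securityToken: credentials.SecurityToken,
  };
}

// Build a provider around an async `assumeRole()` that returns the raw
// AssumeRole result. `now` is injectable so the refresh logic runs offline.
function createStsCredentialProvider(assumeRole, { refreshMarginSec = 300, now = Date.now } = {}) {
  let cached = null;        // last validated Credentials block
  let expiresAtMs = 0;      // its parsed Expiration
  let assumeRoleCalls = 0;  // how often STS was actually called

  async function getCredentials() {
    if (cached && !shouldRefresh(expiresAtMs, now(), refreshMarginSec)) {
      return cached;
    }
    assumeRoleCalls += 1;
    const parsed = parseAssumeRoleResult(await assumeRole(), now());
    cached = parsed.credentials;
    expiresAtMs = parsed.expiresAtMs;
    return cached;
  }

  return { getCredentials, assumeRoleCalls: () => assumeRoleCalls };
}

// Stand-alone run against the constructed response; in a function, replace
// fakeAssumeRole with the real STS call and drop the fixed clock.
if (typeof require !== 'undefined' && require.main === module) {
  const fakeAssumeRole = async () => SAMPLE_RESPONSE;
  const provider = createStsCredentialProvider(fakeAssumeRole, {
    now: () => Date.parse('2021-05-28T10:00:00Z'),
  });
  provider.getCredentials().then((creds) => {
    console.log(toFcOptions(creds, 'cn-hangzhou'));
  });
}
```

The provider is what a function handler should call before constructing the FC client on each invocation: it keeps one STS round trip per credential lifetime instead of one per request, and it refuses to hand out credentials that are already past their Expiration.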
Important: Make sure that the RAM role created by Account A, whose permissions the temporary credentials carry, has the permission to query services.