This topic describes how to log on to Hologres by using role-based single sign-on (SSO).
Background information
Alibaba Cloud allows enterprise users to manage and use cloud resources in the Alibaba Cloud Management Console. Enterprise users can use their Alibaba Cloud accounts and passwords to log on to the console. However, as the regulatory requirements for enterprise security become increasingly strict, some enterprises prefer to use role-based SSO to log on to Alibaba Cloud. For more information, see Overview of role-based SSO.
Access methods supported by Hologres
- Log on to Hologres by using an Alibaba Cloud account or as a RAM user.
You can log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account and password or as a RAM user, and then access Hologres. In this case, the account becomes a member of a Hologres instance and has permissions to use Hologres features.
- Log on to Hologres by using role-based SSO.
You can also log on to Alibaba Cloud and access Hologres by using role-based SSO. For more information, see SAML response for role-based SSO. In this case, the RAM role becomes a member of a Hologres instance. The user that assumes this RAM role has the same permissions as an Alibaba Cloud account or a RAM user. For information about RAM roles, see RAM role overview.
In Hologres, a RAM role has the same status as an Alibaba Cloud account or a RAM user and is treated as an ordinary account. Therefore, the superuser grants permissions, such as the SELECT, INSERT, and UPDATE permissions, to the RAM role itself, not to the Alibaba Cloud account or RAM user that assumes the role. The RAM role can then use Hologres based on the granted permissions.
Introduction to role-based SSO
Access to Hologres by using role-based SSO is implemented on top of Security Token Service (STS), which is provided by Alibaba Cloud. STS is a cloud service that issues short-term access credentials for Alibaba Cloud accounts or RAM users. You can use STS to issue an access credential with a custom validity period and custom access permissions to a user that is managed by your on-premises account system. The user can then use the short-term STS credential to connect directly to Hologres and use the authorized resources.
- STS tokens reduce the risk of disclosing the AccessKey ID and AccessKey secret of your Alibaba Cloud account. You only need to issue a temporary access credential to users.
- STS tokens allow you to control access to resources flexibly and impose time limits. You do not need to manually revoke permissions, because a temporary access credential automatically becomes invalid when it expires.
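The two bullets above describe the client-side consequence of short-term credentials: a program that connects to Hologres with an STS credential must track the credential's expiration, refresh it (by calling AssumeRole again) before it lapses, and never write the secret or token to logs. The following Python is an added example written for this page, not Alibaba Cloud, Hologres, or SDK code. It assumes the credential fields mirror the Credentials object that STS AssumeRole returns (AccessKeyId, AccessKeySecret, SecurityToken, and a UTC Expiration timestamp); the sample values are constructed placeholders, the `assume_role` callable is a hypothetical hook you would wire to the real STS SDK, and the actual Hologres connection step is left out.

```python
"""Lifecycle handling for a short-term STS credential (added example).

Assumed: credential fields mirror the STS AssumeRole Credentials object.
The sample values below are constructed placeholders, not real keys.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample of what AssumeRole returns under "Credentials".
SAMPLE_STS_CREDENTIAL = {
    "AccessKeyId": "STS.EXAMPLE_ACCESS_KEY_ID",
    "AccessKeySecret": "EXAMPLE_SECRET_not_a_real_key",
    "SecurityToken": "EXAMPLE_SECURITY_TOKEN",
    "Expiration": "2024-01-01T01:00:00Z",
}


def utc(iso: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form STS uses into an aware UTC datetime."""
    if not iso.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z'")
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class StsCredential:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware UTC

    @classmethod
    def from_response(cls, cred: dict) -> "StsCredential":
        return cls(
            cred["AccessKeyId"],
            cred["AccessKeySecret"],
            cred["SecurityToken"],
            utc(cred["Expiration"]),
        )

    def seconds_remaining(self, now: datetime) -> float:
        return (self.expiration - now).total_seconds()

    def is_usable(self, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
        """True while at least `margin` of validity is left, so a query started
        now is not cut off by expiration mid-flight."""
        return self.seconds_remaining(now) > margin.total_seconds()


class CredentialProvider:
    """Caches one STS credential and calls `assume_role` (hypothetical hook to the
    real STS SDK) again only when the cached credential is about to expire."""

    def __init__(self, assume_role: Callable[[], dict],
                 margin: timedelta = timedelta(minutes=5)):
        self._assume_role = assume_role
        self._margin = margin
        self._cached: Optional[StsCredential] = None
        self.refresh_count = 0  # how many AssumeRole calls were actually made

    def get(self, now: Optional[datetime] = None) -> StsCredential:
        now = now or datetime.now(timezone.utc)
        if self._cached is None or not self._cached.is_usable(now, self._margin):
            self._cached = StsCredential.from_response(self._assume_role())
            self.refresh_count += 1
        return self._cached


def redact(cred: StsCredential) -> str:
    """Log-safe view: the AccessKey ID and expiry are fine to log, the secret
    and security token never are."""
    return (f"StsCredential(access_key_id={cred.access_key_id!r}, "
            f"expires={cred.expiration.isoformat()})")


if __name__ == "__main__":
    provider = CredentialProvider(lambda: SAMPLE_STS_CREDENTIAL)
    print(redact(provider.get(utc("2024-01-01T00:00:00Z"))))
```

The five-minute margin is a design choice: refreshing slightly early costs one extra AssumeRole call, whereas a credential that expires during a long Hologres query fails the query and forces a retry with a fresh credential.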
Step 1: Create a RAM role
Create the RAM role in the RAM console. The value of the Trusted entity type parameter depends on who assumes the role:
- If you want an Alibaba Cloud account or a RAM user to assume the RAM role by switching the identity in the Alibaba Cloud Management Console, set the Trusted entity type parameter to Alibaba Cloud Account. For more information, see Assign a RAM role to a RAM user and grant permissions.
- If you want an on-premises identity provider (IdP) to assume the RAM role, set the Trusted entity type parameter to IdP. For more information, see Assign a RAM role to an IdP and grant permissions.
Assign a RAM role to a RAM user and grant permissions
If you want a RAM user to assume a RAM role by switching the identity in the Alibaba Cloud Management Console, log on to the RAM console and create a RAM role. In the Create RAM Role panel, set the Trusted entity type parameter to Alibaba Cloud Account.
Assign a RAM role to an IdP and grant permissions
If you want an on-premises IdP to log on to Alibaba Cloud to assume a RAM role, log on to the RAM console and create a RAM role. In the Create RAM Role panel, set the Trusted entity type parameter to IdP.
Step 2: Add the RAM role to a Hologres instance and authorize the role
Before the RAM role can use Hologres based on the granted permissions, the role must obtain the required development permissions on the Hologres instance. By default, the RAM role does not have the permissions to view or manage instances in the Hologres console. Therefore, you must first use your Alibaba Cloud account to grant the required permissions to the RAM role. For more information, see Grant permissions on Hologres to RAM users. After you add the RAM role to a Hologres instance, you can use one of the following methods to authorize the RAM role:
Step 3: Log on to Alibaba Cloud and use Hologres
After you complete the authorization, a user can assume the RAM role and use Hologres.
- Access Alibaba Cloud by using the console or by using a program, assume the RAM role, and then log on to the Alibaba Cloud Management Console by using role-based SSO.
- Go to the Hologres console to manage and monitor instances.
- In the Hologres console, click Log on to Hologres Database to go to HoloWeb, which supports Hologres schema design and data development. For more information, see HoloWeb quick start.