
IoT Platform:Authorize a RAM user of another account to use server-side subscription

Last Updated: Oct 20, 2023

You can use a Resource Access Management (RAM) role to authorize a RAM user of another Alibaba Cloud account to use the server-side subscription feature of IoT Platform. For example, Enterprise A uses its Alibaba Cloud account to create a RAM role, grants permissions to this role, and then allows the Alibaba Cloud account of Enterprise B to assume this role. This way, the Alibaba Cloud account of Enterprise B and its RAM users can access the server-side subscription resources of Enterprise A.

Background information

Security Token Service (STS) allows you to manage temporary credentials that are used to access your Alibaba Cloud resources. RAM allows you to create and manage two kinds of identities for Alibaba Cloud accounts: RAM users and RAM roles.

A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity, such as a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the trusted entity can obtain and use an STS token of the RAM role to access the resources on which the RAM role has permissions.

For more information about the features and benefits of STS, see What is STS?

Scenario

Enterprise A uses its Alibaba Cloud account to activate IoT Platform and wants to authorize the Alibaba Cloud account of Enterprise B to access the server-side subscription resources.

Solution

Enterprise A must authorize employees of Enterprise B to access the server-side subscription resources of IoT Platform. In this topic, Account A indicates the Alibaba Cloud account of Enterprise A and Account B indicates the Alibaba Cloud account of Enterprise B. To authorize Account B to access resources that belong to Account A, perform the following steps:

  1. Step 1: Create a RAM role and grant permissions to the RAM role

    Enterprise A uses Account A to create a RAM role, attaches the policy related to server-side subscription to the RAM role, and then allows the RAM user that belongs to Account B to assume this role.

  2. Step 2: Receive AMQP server-side subscription messages across accounts

    After the required permissions are granted to the RAM role, the RAM user that belongs to Account B assumes the RAM role of Account A to obtain the permissions of the role.

Step 1: Create a RAM role and grant permissions to the RAM role

  1. Create a RAM role for a trusted Alibaba Cloud account: Enterprise A uses Account A to log on to the RAM console and creates a RAM role for Account B of Enterprise B.

    In the Configure Role step of the Create Role wizard, select Other Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter and enter the ID of Account B.

  2. Create a custom policy on the JSON tab: Enterprise A uses Account A to create a custom policy.

    To grant the permission to use server-side subscription, set the Action parameter to iot:sub. The following code shows the policy content:

    {
      "Statement": [
        {
          "Action": "iot:sub",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

  3. Grant permissions to the RAM role: Enterprise A uses Account A to attach the custom policy that was created in the previous step to the RAM role.

  4. Create a RAM user: Enterprise B uses Account B to log on to the RAM console and creates a RAM user.

  5. Grant permissions to the RAM user: Enterprise B uses Account B to grant the AliyunSTSAssumeRoleAccess permission to the RAM user that was created in the previous step. This permission allows the RAM user of Account B to assume the RAM role of Account A.

Step 2: Receive AMQP server-side subscription messages across accounts

  1. Configure an AMQP server-side subscription: Enterprise A uses Account A to log on to the IoT Platform console and configures an Advanced Message Queuing Protocol (AMQP) server-side subscription.

  2. Configure an AMQP client to receive server-side subscription messages: Enterprise B connects an AMQP client to IoT Platform as the RAM user that was created in Step 1, which has assumed the RAM role of Account A, to receive device messages of Enterprise A through the server-side subscription feature.
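The assume-role call that Step 2 relies on, as an added stdlib-only example (not code from this page or from the Alibaba Cloud SDK): the RAM user of Account B signs an STS AssumeRole request for the role in Account A with the RPC-style HMAC-SHA1 scheme, and the caller extracts the temporary credentials from the response while refusing an already-expired token. The account ID, role name, keys and sample response are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

STS_ENDPOINT = "https://sts.aliyuncs.com/"

def percent_encode(value):
    # RPC-style signing wants RFC 3986 encoding: space -> %20, '*' -> %2A, '~' kept.
    return quote(str(value), safe="-_.~")

def canonical_query(params):
    # Parameters sorted by name, each key and value percent-encoded.
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()))

def string_to_sign(params, method="GET"):
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical_query(params))}"

def sign(params, access_key_secret, method="GET"):
    # HMAC-SHA1 keyed with the RAM user's secret plus a trailing '&', base64-encoded.
    key = (access_key_secret + "&").encode()
    mac = hmac.new(key, string_to_sign(params, method).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def assume_role_url(ak_id, ak_secret, role_arn, session_name,
                    duration=3600, timestamp=None, nonce=None):
    # Account B's RAM user asks STS for temporary credentials of Account A's role.
    # role_arn has the form acs:ram::<AccountA-ID>:role/<RoleName> (placeholder values in tests).
    params = {
        "Action": "AssumeRole", "Version": "2015-04-01", "Format": "JSON",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "DurationSeconds": str(duration), "AccessKeyId": ak_id,
        "SignatureMethod": "HMAC-SHA1", "SignatureVersion": "1.0",
        "SignatureNonce": nonce or uuid.uuid4().hex,
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params["Signature"] = sign(params, ak_secret)   # signature is computed over all other params
    return STS_ENDPOINT + "?" + canonical_query(params)

def temporary_credentials(response_json, now_iso=None):
    # Pull the STS token out of the AssumeRole response; refuse one that has expired.
    creds = json.loads(response_json)["Credentials"]
    now_iso = now_iso or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if creds["Expiration"] <= now_iso:   # same fixed-width UTC format, so string order is time order
        raise ValueError("STS token already expired; assume the role again")
    return creds["AccessKeyId"], creds["AccessKeySecret"], creds["SecurityToken"]
```

The returned AccessKeyId, AccessKeySecret and SecurityToken are what the AMQP client of Enterprise B authenticates with, and they expire after DurationSeconds, so the client must re-assume the role before the Expiration time.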