Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Security Token Service (STS) allows you to manage temporary credentials for your Apsara Stack resources. RAM allows you to create and manage the following identities for Alibaba Cloud accounts: RAM users and RAM roles. A RAM role does not have permanent identity credentials. A RAM role can be used to access Apsara Stack resources only by using an STS token. When an STS token is issued, you can specify a validity period and access permissions for the STS token.
RAM and STS allow you to grant permissions without exposing the AccessKey pair of your Alibaba Cloud account. The leakage of the AccessKey pair poses high security risks. Users who obtain the AccessKey pair of an Alibaba Cloud account can manage all resources of the account and steal important information.
RAM is an access control service that is used to manage long-term permissions. The owner of an Alibaba Cloud account can create multiple RAM users and grant different permissions to the RAM users. The AccessKey pairs of RAM users must be kept confidential. However, if the AccessKey pair of a RAM user is leaked, only limited information is potentially exposed. RAM users are valid for an extended period of time.
STS allows you to grant temporary permissions. You can use STS to obtain temporary AccessKey pairs and tokens. The temporary AccessKey pairs and tokens can be sent to temporary users for accessing specific resources. Permissions that are obtained by using STS are strictly restricted and have validity periods. Therefore, STS minimizes the impacts of information leakage.
For more information about how to use RAM and STS, see Examples.
Before you use RAM and STS, we recommend that you have a basic understanding of the relevant terms. For more information, see Terms for access control.
The relationship between RAM users and RAM roles is similar to the relationship between individuals and their identities. An individual can have multiple identities specific to different scenarios. For example, a person is an employee at work but a father at home. When an individual assumes an identity, the individual has the permissions of the identity. A RAM role is not an entity but an identity. A RAM role alone cannot perform operations. You must assign the RAM role to a user, who then assumes the role to use its permissions. A RAM role can be assigned to multiple users.
To prevent the security risks that are caused by the leakage of the AccessKey pair of an Alibaba Cloud account, the Alibaba Cloud account administrator creates two RAM users: User A and User B. An independent AccessKey pair is generated for each RAM user. User A has the read permissions and User B has the write permissions. The administrator can revoke the permissions from the RAM users at any time in the RAM console.
To meet business requirements, you want to grant users temporary permissions to access the IoT Platform API. In this case, instead of disclosing the AccessKey pair of User A, we recommend that you create a RAM role, Role C, and grant Role C the permissions to access the IoT Platform API. Note that Role C cannot be used directly because no AccessKey pair is available. Role C is only a virtual entity that has the permissions to access the IoT Platform API.
You must call the AssumeRole operation of STS to obtain temporary identity credentials that are required to access the IoT Platform API. When you call the AssumeRole operation, you must set the RoleArn parameter to the Alibaba Cloud Resource Name (ARN) of Role C. If the call succeeds, STS returns the temporary AccessKey ID, AccessKey secret, and token as temporary identity credentials. The validity period of these credentials can be specified when you call the AssumeRole operation. After you deliver these credentials to users, the users can obtain the temporary permissions to access the IoT Platform API.
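The AssumeRole step described above, as an added, offline model that is not code from the original documentation and does not use the Alibaba Cloud SDK: it validates the RoleArn, RoleSessionName and DurationSeconds parameters before the call, then parses a constructed AssumeRole response into a credential object that knows when it expires. The ARN shape `acs:ram::<account-id>:role/<role-name>`, the 900-second minimum and 3600-second default maximum for DurationSeconds, the 2-64 character session name length, and the response field names are assumptions taken from the public Alibaba Cloud STS API; verify them against your Apsara Stack version.

```python
"""Offline model of the STS AssumeRole flow for Role C (added example, no SDK, no network)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: RAM role ARNs look like "acs:ram::<account-id>:role/<role-name>".
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9._-]+$")
# Assumption: DurationSeconds ranges from 900 s to the role's maximum session
# duration (3600 s by default). Shorter sessions limit the damage of a leaked token.
MIN_DURATION = 900
DEFAULT_MAX_DURATION = 3600


def parse_utc(timestamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the Expiration field."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assume_role_params(role_arn, session_name, duration_seconds=DEFAULT_MAX_DURATION,
                             max_session_duration=DEFAULT_MAX_DURATION):
    """Validate caller input and return the request parameters for the AssumeRole operation."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"RoleArn is not a RAM role ARN: {role_arn!r}")
    if not 2 <= len(session_name) <= 64:  # assumption: RoleSessionName is 2-64 characters
        raise ValueError("RoleSessionName must be 2-64 characters")
    if not MIN_DURATION <= duration_seconds <= max_session_duration:
        raise ValueError(f"DurationSeconds must be between {MIN_DURATION} and {max_session_duration}")
    return {
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        # The session name is recorded with the assumed identity, so name the actual caller.
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


@dataclass(frozen=True)
class TemporaryCredentials:
    """The three values STS returns, plus the expiry that governs when to refresh them."""
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    def seconds_remaining(self, now):
        return max(0, int((self.expiration - now).total_seconds()))

    def is_usable(self, now, safety_margin=60):
        """Refresh a little early so a request does not fail with an expired token mid-flight."""
        return self.seconds_remaining(now) > safety_margin


def parse_assume_role_response(body):
    """Extract the temporary credentials from an AssumeRole JSON response body."""
    creds = json.loads(body)["Credentials"]
    return TemporaryCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=creds["SecurityToken"],
        expiration=parse_utc(creds["Expiration"]),
    )


# Constructed sample response; the values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "Arn": "acs:ram::123456789012:role/role-c/iot-api-session",
        "AssumedRoleId": "EXAMPLE-ASSUMED-ROLE-ID",
    },
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLESECRET",
        "SecurityToken": "EXAMPLETOKEN",
        "Expiration": "2030-01-01T01:00:00Z",
    },
})


if __name__ == "__main__":
    params = build_assume_role_params("acs:ram::123456789012:role/role-c", "iot-api-session", 900)
    print("AssumeRole parameters:", params)
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    now = parse_utc("2030-01-01T00:30:00Z")
    print("AccessKey ID:", creds.access_key_id, "remaining:", creds.seconds_remaining(now), "s")
```

In a real deployment the dictionary returned by `build_assume_role_params` is what you pass to the STS AssumeRole operation through the SDK, signed with the long-term AccessKey pair of the RAM user that is trusted to assume Role C; only the parsed temporary credentials are handed to the party that needs to call the IoT Platform API.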
Why is the use of RAM and STS so complicated?
The terms and usage of RAM and STS are somewhat complicated, but in return they guarantee account security and flexible access control.
RAM allows you to create RAM users and RAM roles to separate the entities that perform operations from the virtual entities that define a set of permissions. A user who needs multiple permissions, such as the read and write permissions, may use only one permission at a time. In this case, you can create two RAM roles and grant one role the read permissions and the other role the write permissions. Then, you can create a RAM user and assign the two roles to the RAM user. When the RAM user needs the read permissions, the RAM user assumes the RAM role that has the read permissions. When the RAM user needs the write permissions, the RAM user assumes the RAM role that has the write permissions. This reduces the risks of excessive permissions. In addition, you can assign a RAM role to other Alibaba Cloud accounts and RAM users to facilitate collaboration.
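The read-role and write-role separation described above, as an added example that is not part of the original documentation: two constructed RAM policy documents and a deliberately simplified evaluator (Deny beats Allow, default deny, wildcard action matching) that shows a session holding only the read role cannot perform write actions. This is not RAM's actual policy engine, and the `iot:` action names are assumptions for illustration; check the IoT Platform RAM action list for your version.

```python
"""Least-privilege check for the two-role setup (added example; constructed policies)."""
import fnmatch
import json

# Constructed policy documents in RAM policy syntax. Action names are assumptions.
READ_ROLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Query*", "iot:List*", "iot:Get*"], "Resource": "*"},
    ],
})
WRITE_ROLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Create*", "iot:Update*", "iot:Delete*"], "Resource": "*"},
        # An explicit Deny wins over any Allow, so a wildcard grant can still be fenced off.
        {"Effect": "Deny", "Action": "iot:DeleteProduct", "Resource": "*"},
    ],
})
ROLES = {"read-role": READ_ROLE_POLICY, "write-role": WRITE_ROLE_POLICY}


def _as_list(value):
    """RAM lets Action and Resource be either a single string or a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json, action, resource="*"):
    """Simplified evaluation of one policy document: Deny beats Allow; nothing matched means deny."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def roles_permitting(action, roles=ROLES):
    """Names of the roles whose policy permits the action; with proper separation, at most one."""
    return [name for name, policy in roles.items() if is_allowed(policy, action)]


if __name__ == "__main__":
    for action in ("iot:QueryDevice", "iot:CreateDevice", "iot:DeleteProduct"):
        print(f"{action:20s} permitted by: {roles_permitting(action) or 'no role'}")
```

Running the block over a list of the actions an application actually calls is a cheap way to confirm, before the roles are attached to a RAM user, that no action is reachable from both roles and that nothing outside the intended set is reachable at all.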
You can use STS to implement access control in a more flexible manner. For example, you can configure the validity period for credentials. If long-term credentials are required, use RAM users instead.