You can use the Alibaba Cloud account of Enterprise A to create a RAM role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or the RAM user that belongs to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.

Background information

Enterprise A has purchased Message Queue for Apache RocketMQ and wants to grant specific permissions to Enterprise B.

Enterprise A has the following requirements:

  • Enterprise A wants to focus on its business systems by authorizing Enterprise B to perform operations on the resources owned by Enterprise A. The operations include publishing and subscribing to messages.
  • No permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can grant permissions on different resources of Enterprise A to different RAM users of Enterprise B to realize fine-grained access control. These RAM users can be employees or applications.
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions that are granted to Enterprise B.

Solution

In this example, Enterprise A needs to authorize employees of Enterprise B to manage Message Queue for Apache RocketMQ resources of Enterprise A. For example, Enterprise A has Alibaba Cloud account A and Enterprise B has Alibaba Cloud account B. To grant permissions on resources of Enterprise A to Enterprise B, perform the following steps:
  1. Step 1: Create a RAM role and grant permissions to the role

    Use Alibaba Cloud account A to create a RAM role, grant permissions to the RAM role based on the business scope and requirements, and then authorize the RAM users of Alibaba Cloud account B to assume the RAM role.

  2. Step 2: Access resources across Alibaba Cloud accounts
    After the RAM role authorization is complete, the RAM users of Alibaba Cloud account B can obtain the permissions of the RAM role by assuming the RAM role. The RAM users can access the resources of Alibaba Cloud account A by using one of the following methods:
    • Access resources by using SDKs
    • Access resources in the console
    • Access resources by calling API operations

Step 1: Create a RAM role and grant permissions to the role

  1. Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and then create a RAM role for the Alibaba Cloud account of Enterprise B.
  2. Optional:Create a custom policy for the RAM role by using the Alibaba Cloud account of Enterprise A.

    For more information, see Create a custom policy.

    Message Queue for Apache RocketMQ allows you to configure permissions for instances, topics, and groups. For more information, see Policies and examples.

  3. The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role. Enterprise A can attach a system policy or a custom policy to the RAM role.
    For more information, see Grant permissions to a RAM role.
  4. Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and then create a RAM user.
  5. Enterprise B attaches the AliyunSTSAssumeRoleAccess permission policy to the RAM user.

    For more information, see Grant permissions to a RAM user.

    Enterprise B must attach the AliyunSTSAssumeRoleAccess permission policy to a RAM user of Alibaba Cloud account B. This way, the RAM user can assume the RAM role that is created by Enterprise A.

Step 2: Access resources across Alibaba Cloud accounts

  • Access resources by using SDKs
    RAM users of Enterprise B can access the Message Queue for Apache RocketMQ resources of Enterprise A and publish and subscribe to messages by using SDKs. To access resources by using SDKs, you can use one of the following two methods to configure the SDK code:
    • Configure the SDK code by using a token that is generated by Security Token Service (STS): When you configure the SDK code by using a token that is generated by STS, you must provide the AccessKey ID and AccessKey secret of the RAM user and the temporary security token that is generated by STS for the RAM user. The temporary security token must be updated on a regular basis. For more information about how to obtain a temporary security token by using STS, see AssumeRole.
      Notice This method is applicable only to Message Queue for Apache RocketMQ SDK for Java V 1.7.8. Final or later.
      Example of configuring the SDK code by using a token that is generated by STS
      • When you initialize the Message Queue for Apache RocketMQ client, specify the AccessKey ID, AccessKey secret, and security token as shown in the following code:
        Properties properties = new Properties();
// The AccessKey ID of the RAM user. 
properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
// The AccessKey secret of the RAM user. 
properties.put(PropertyKeyConst.SecretKey, "XXX");
// The security token that is generated by STS for the RAM user. 
properties.put(PropertyKeyConst.SecurityToken, "XXX");
// Other attributes. 
properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
......
Producer client = ONSFactory.createProducer(properties);
client.start();
      • If the security token expires, call the updateCredential method to dynamically update the token. 
        Properties properties = new Properties();
// The AccessKey ID of the RAM user. 
properties.put(PropertyKeyConst.AccessKey,"STS.XXX");
// The AccessKey secret of the RAM user. 
properties.put(PropertyKeyConst.SecretKey, "XXX");
// The security token that is generated by STS for the RAM user. 
properties.put(PropertyKeyConst.SecurityToken, "XXX");
client.updateCredential(properties);
    • Configure the SDK code by using the RAM role that is assigned to your Elastic Compute Service (ECS) instance: If a RAM role is assigned to your ECS instance, you do not need to provide the AccessKey ID, AccessKey secret, or security token of the RAM user in the SDK code. You only need to enter the name of the RAM role. This simplifies code configuration. However, you must assign the RAM role to the ECS instance where your application is deployed to grant the permissions of the RAM role to the ECS instance. For more information, see Bind an instance RAM role.
      Notice This method is applicable only to Message Queue for Apache RocketMQ SDK for Java 1.8.7.3. Final or later.
      Example of configuring the SDK code by using the RAM role that is assigned to your ECS instance
      Properties properties = new Properties();
// The name of the RAM role that you create and assign to the ECS instance. 
properties.put(PropertyKeyConst.RAM_ROLE_NAME,"XXX");
  • Access resources in the console
    RAM users of Enterprise B can log on to the console to access Message Queue for Apache RocketMQ resources of Enterprise A by performing the following steps.
    1. Open the RAM Account Login page in your browser.
    2. On the RAM Account Login page, enter the logon name of the RAM user, and then click Next. Enter the password, and then click Log On.
      Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not specified, the ID of the Alibaba Cloud account is used by default.
    3. In the upper-right corner of the homepage of the console, move the pointer over the profile icon and click Switch Identity.
    4. On the Switch Role page, enter the alias, domain name, or Alibaba Cloud account ID of Enterprise A. Enter a role name, and then click Submit.
    5. Manage the Message Queue for Apache RocketMQ resources of Enterprise A.
  • Access resources by calling API operations

    RAM users of Enterprise B can access the resources of Enterprise A by calling the API operations provided by Message Queue for Apache RocketMQ. For more information about how to call an API operation, see Make API requests.

References