Create a Resource Access Management (RAM) role in Company A's Alibaba Cloud account, grant permissions to the role, and configure it to be assumed by Company B's Alibaba Cloud account or RAM users. This allows users from Company B to access Company A's Alibaba Cloud resources.
Background
Company A uses Message Queue for Apache RocketMQ and wants to delegate certain operational tasks to Company B.
Requirements:
Company A wants to remain the resource owner but delegate console-based tasks, such as querying resources and monitoring, to Company B.
Company A wants to avoid managing permissions when Company B's employees join or leave. Company B must be able to control which of its own RAM users (employees or applications) can access Company A's resources and define their specific permissions.
Company A must be able to revoke Company B's access at any time, for example, if their contract ends.
Solution
To meet these requirements, Company A grants permissions to Company B's employees to access Message Queue for Apache RocketMQ resources. Assume that Company A and Company B each have an Alibaba Cloud account. This guide outlines the procedure for configuring cross-account access:
Step 1: Create and authorize a RAM role
In Company A's account, you create a RAM role, attach the necessary policies, and configure a trust policy that allows RAM users in Company B's account to assume the role.
Step 2: Access resources across accounts
After the RAM role is configured, RAM users in Company B's account can assume the role to gain temporary permissions. They can then access resources in Company A's account in one of the following ways:
Using an SDK
Using the console
Using API calls
Step 1: Create and authorize a RAM role
Using Company A's Alibaba Cloud account, log on to the RAM console and create a RAM role for Company B's Alibaba Cloud account.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Optional: In Company A's account, create a custom policy for the RAM role.
For more information, see Create a custom policy.
Currently, Message Queue for Apache RocketMQ supports instance-level, topic-level, and group-level permissions. For more information, see Custom policies for Message Queue for Apache RocketMQ.
By default, a new RAM role has no permissions. Company A must grant permissions to the role by attaching a system policy or a custom policy.
For more information, see Grant permissions to a RAM user.
Using Company B's Alibaba Cloud account, log on to the RAM console and create a RAM user.
For more information, see Create a RAM user.
In Company B's account, grant the AliyunSTSAssumeRoleAccess permission to the RAM user.
For more information, see Grant permissions to a RAM user.
Note: You must grant the AliyunSTSAssumeRoleAccess permission to the RAM user in Company B's account. This allows that user to assume the RAM role created in Company A's account.
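The steps above are performed in the RAM console. As an added example (not code from this page or from Alibaba Cloud), the following Java program automates Step 1 from Company A's account with the RAM Java SDK (aliyun-java-sdk-ram, assumed), so the trust policy that scopes the role to Company B's account is visible in full. The account UID, role name and region are placeholders, and the system policy name AliyunMQReadOnlyAccess is an assumption chosen to match the "query and monitor" requirement; confirm the policy name in the RAM console before use. The revoke method shows how Company A cuts the delegation off when the contract ends.

```java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.ram.model.v20150501.AttachPolicyToRoleRequest;
import com.aliyuncs.ram.model.v20150501.CreateRoleRequest;
import com.aliyuncs.ram.model.v20150501.CreateRoleResponse;
import com.aliyuncs.ram.model.v20150501.DeleteRoleRequest;
import com.aliyuncs.ram.model.v20150501.DetachPolicyFromRoleRequest;

/** Runs with Company A's credentials: creates the role Company B will assume. */
public class CrossAccountRoleSetup {
    // Placeholder: the Alibaba Cloud account ID (UID) of Company B.
    static final String COMPANY_B_UID = "<CompanyB-UID>";
    // Placeholder: the name of the role Company B's RAM users will switch to.
    static final String ROLE_NAME = "CompanyB-RocketMQ-Monitor";
    // Assumed system policy name; read-only access matches the delegation scope.
    static final String POLICY_NAME = "AliyunMQReadOnlyAccess";
    static final String POLICY_TYPE = "System";

    /** Trust policy: only RAM identities in Company B's account may assume this role. */
    static String trustPolicyFor(String trustedAccountId) {
        return "{\n"
             + "  \"Statement\": [{\n"
             + "    \"Action\": \"sts:AssumeRole\",\n"
             + "    \"Effect\": \"Allow\",\n"
             + "    \"Principal\": { \"RAM\": [\"acs:ram::" + trustedAccountId + ":root\"] }\n"
             + "  }],\n"
             + "  \"Version\": \"1\"\n"
             + "}";
    }

    static IAcsClient ramClient() {
        // Company A's AccessKey pair, read from the environment rather than hardcoded.
        return new DefaultAcsClient(DefaultProfile.getProfile("cn-hangzhou",
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")));
    }

    /** Creates the role with the trust policy and attaches the permission policy. Returns the role ARN. */
    static String createDelegatedRole(IAcsClient ram) throws ClientException {
        CreateRoleRequest create = new CreateRoleRequest();
        create.setRoleName(ROLE_NAME);
        create.setDescription("Delegated RocketMQ query/monitor access for Company B");
        create.setAssumeRolePolicyDocument(trustPolicyFor(COMPANY_B_UID));
        CreateRoleResponse created = ram.getAcsResponse(create);

        // A new role has no permissions until a policy is attached.
        AttachPolicyToRoleRequest attach = new AttachPolicyToRoleRequest();
        attach.setPolicyType(POLICY_TYPE);
        attach.setPolicyName(POLICY_NAME);
        attach.setRoleName(ROLE_NAME);
        ram.getAcsResponse(attach);
        return created.getRole().getArn();
    }

    /** Revocation: detach the policy, then delete the role so AssumeRole from Company B stops. */
    static void revoke(IAcsClient ram) throws ClientException {
        DetachPolicyFromRoleRequest detach = new DetachPolicyFromRoleRequest();
        detach.setPolicyType(POLICY_TYPE);
        detach.setPolicyName(POLICY_NAME);
        detach.setRoleName(ROLE_NAME);
        ram.getAcsResponse(detach);
        DeleteRoleRequest del = new DeleteRoleRequest();
        del.setRoleName(ROLE_NAME);
        ram.getAcsResponse(del);
    }

    public static void main(String[] args) throws ClientException {
        IAcsClient ram = ramClient();
        String arn = createDelegatedRole(ram);
        // Company B needs this ARN for the AssumeRole call in Step 2.
        System.out.println("Role ARN to hand to Company B: " + arn);
    }
}
```

Two points worth checking against the requirements: the Principal uses the `:root` form of Company B's account, so which of Company B's RAM users can actually assume the role is decided entirely on Company B's side by who holds AliyunSTSAssumeRoleAccess, which is what the "join or leave" requirement asks for; and the role name and trust policy are the only two things Company A has to change to narrow or withdraw the delegation.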
Step 2: Access resources across accounts
Accessing resources using an SDK
RAM users in Company B's account can use an SDK to access Message Queue for Apache RocketMQ resources in Company A's account. Choose one of the following two configuration methods:
Configure an STS token: This method requires providing the RAM user's AccessKey ID, AccessKey secret, and a temporary security token from Security Token Service (STS). The temporary security token expires and must be refreshed. For more information about how to obtain a temporary security token, see AssumeRole.
Important: The STS token method is supported only by the Java SDK for Message Queue for Apache RocketMQ 1.7.8.Final and later.
To obtain an AccessKey ID and AccessKey secret, see Create an AccessKey pair.
Example: STS token configuration
When you initialize the client for Message Queue for Apache RocketMQ, specify the obtained AccessKey ID, AccessKey secret, and temporary security token in the following properties:
import java.util.Properties;
import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;

Properties properties = new Properties();
// Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN environment variables are set.
// The AccessKey ID obtained from STS.
properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
// The AccessKey secret obtained from STS.
properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// The temporary security token.
properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
// Other properties.
properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
......
Producer client = ONSFactory.createProducer(properties);
client.start();

When the temporary security token expires, call the updateCredential method to update it.

Properties properties = new Properties();
// Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN environment variables are set.
// The AccessKey ID obtained from STS.
properties.put(PropertyKeyConst.AccessKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
// The AccessKey secret obtained from STS.
properties.put(PropertyKeyConst.SecretKey, System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// The temporary security token.
properties.put(PropertyKeyConst.SecurityToken, System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
client.updateCredential(properties);
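The snippets above assume the STS token is already in the environment and leave the expiry handling to the caller. As an added example (not code from this page or from Alibaba Cloud), the following class shows the complete flow from Company B's side: the RAM user's own AccessKey pair calls STS AssumeRole (aliyun-java-sdk-sts, assumed) against the role ARN Company A handed over, the returned temporary credentials go into the RocketMQ client, and a scheduler re-assumes the role and calls updateCredential before the token expires. The role ARN, region, NameServer address and session name are placeholders.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

/** Runs under Company B's RAM user, which must hold AliyunSTSAssumeRoleAccess. */
public class CrossAccountProducer {
    // Placeholder: ARN of the role Company A created in Step 1.
    static final String ROLE_ARN = "acs:ram::<CompanyA-UID>:role/<RoleName>";
    // Session name appears in Company A's audit records; make it identify the caller.
    static final String SESSION_NAME = "companyB-ops-session";
    // Token lifetime requested from STS (seconds).
    static final long DURATION_SECONDS = 3600L;
    // Refresh this long before expiry so the client never sends with a dead token.
    static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private final IAcsClient sts;
    private final Producer producer;
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();

    public CrossAccountProducer(String nameServerAddr) throws ClientException {
        // Long-lived AccessKey pair of Company B's RAM user, never Company A's keys.
        this.sts = new DefaultAcsClient(DefaultProfile.getProfile("cn-hangzhou",
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")));

        AssumeRoleResponse.Credentials creds = assumeRole();
        Properties props = credentialProperties(creds);
        props.put(PropertyKeyConst.NAMESRV_ADDR, nameServerAddr);
        this.producer = ONSFactory.createProducer(props);
        this.producer.start();
        scheduleRefresh(creds);
    }

    /** Exchanges Company B's user credentials for temporary credentials of Company A's role. */
    private AssumeRoleResponse.Credentials assumeRole() throws ClientException {
        AssumeRoleRequest req = new AssumeRoleRequest();
        req.setRoleArn(ROLE_ARN);
        req.setRoleSessionName(SESSION_NAME);
        req.setDurationSeconds(DURATION_SECONDS);
        AssumeRoleResponse resp = sts.getAcsResponse(req);
        return resp.getCredentials();
    }

    /** Same three properties the page uses, filled from the STS response instead of the environment. */
    private static Properties credentialProperties(AssumeRoleResponse.Credentials c) {
        Properties p = new Properties();
        p.put(PropertyKeyConst.AccessKey, c.getAccessKeyId());
        p.put(PropertyKeyConst.SecretKey, c.getAccessKeySecret());
        p.put(PropertyKeyConst.SecurityToken, c.getSecurityToken());
        return p;
    }

    /** Re-assumes the role shortly before the current token expires and pushes it into the client. */
    private void scheduleRefresh(AssumeRoleResponse.Credentials c) {
        // Expiration is an ISO-8601 UTC timestamp such as 2024-01-01T12:00:00Z.
        Instant expiry = Instant.parse(c.getExpiration());
        long delayMs = Math.max(0L,
                Duration.between(Instant.now(), expiry).minus(REFRESH_MARGIN).toMillis());
        scheduler.schedule(() -> {
            try {
                AssumeRoleResponse.Credentials fresh = assumeRole();
                producer.updateCredential(credentialProperties(fresh));
                scheduleRefresh(fresh);
            } catch (ClientException e) {
                // A failure here is how Company B notices that Company A revoked the role.
                System.err.println("AssumeRole failed, delegation may have been revoked: " + e.getErrMsg());
            }
        }, delayMs, TimeUnit.MILLISECONDS);
    }

    public Producer producer() { return producer; }

    public void shutdown() {
        scheduler.shutdownNow();
        producer.shutdown();
    }
}
```

The design keeps only Company B's own AccessKey pair on the host; Company A's role credentials exist solely as short-lived STS tokens in memory, and the scheduled refresh is the piece the page's "must be refreshed" remark leaves to the reader.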
Configure an ECS instance RAM role: If your application runs on an Elastic Compute Service (ECS) instance, you can use this method. This method avoids hardcoding credentials in your SDK. Instead, you provide only the RAM role name. However, you must first attach this RAM role to the application's ECS instance. For more information, see Attach an instance RAM role.
Important: The ECS instance RAM role method is supported only by the Java SDK for Message Queue for Apache RocketMQ 1.8.7.3.Final and later.
Example: ECS instance RAM role configuration
Properties properties = new Properties();
// The name of the RAM role that you created and attached to the ECS instance.
properties.put(PropertyKeyConst.RAM_ROLE_NAME, "XXX");
Accessing resources from the console
RAM users in Company B's account can follow these steps to access Company A's Message Queue for Apache RocketMQ resources from the console:
In a browser, open the RAM User Logon page.
On the RAM User Logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Log On.
Note: The logon name is in the format <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the alias of the Alibaba Cloud account. If an alias is not set, the ID of the Alibaba Cloud account is used by default.
After logging on to the Alibaba Cloud console, hover over the profile picture in the upper-right corner and click Switch Identity.
On the Switch Role page, enter the Enterprise Alias, Default Domain, or Account UID for Company A's account. Then, enter the Role Name and click Submit.
You can now manage the Message Queue for Apache RocketMQ resources in Company A's account.
Accessing resources using API calls
RAM users in Company B's account can access resources in Company A's account by making API calls to Message Queue for Apache RocketMQ. For more information about how to make API calls, see Make API requests.