You can use the Alibaba Cloud account of Enterprise A to create a RAM role, grant permissions to this role, and then assign this role to Enterprise B. This way, the Alibaba Cloud account of Enterprise B or the RAM user that belongs to the Alibaba Cloud account of Enterprise B can access the Alibaba Cloud resources of Enterprise A.
Background information
Enterprise A has purchased Message Queue for Apache RocketMQ and wants to grant specific permissions to Enterprise B.
Enterprise A has the following requirements:
- Enterprise A wants to focus on its business systems by authorizing Enterprise B to perform operations on the resources owned by Enterprise A. The operations include publishing and subscribing to messages.
- No permission changes are required when an employee joins or leaves Enterprise B. Enterprise B can grant permissions on different resources of Enterprise A to different RAM users of Enterprise B to realize fine-grained access control. These RAM users can be employees or applications.
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions that are granted to Enterprise B.
Solution
- Step 1: Create a RAM role and grant permissions to the role
Use Alibaba Cloud account A to create a RAM role, grant permissions to the RAM role based on the business scope and requirements, and then authorize the RAM users of Alibaba Cloud account B to assume the RAM role.
- Step 2: Access resources across Alibaba Cloud accounts
After the RAM role authorization is complete, the RAM users of Alibaba Cloud account B can obtain the permissions of the RAM role by assuming the RAM role. The RAM users can access the resources of Alibaba Cloud account A by using one of the following methods:
- Access resources by using SDKs
- Access resources in the console
- Access resources by calling API operations
Step 1: Create a RAM role and grant permissions to the role
Step 2: Access resources across Alibaba Cloud accounts
- Access resources by using SDKs
RAM users of Enterprise B can access the Message Queue for Apache RocketMQ resources of Enterprise A and publish and subscribe to messages by using SDKs. To access resources by using SDKs, you can use one of the following two methods to configure the SDK code:
- Configure the SDK code by using a token that is generated by Security Token Service (STS): When you configure the SDK code by using a token that is generated by STS, you must provide the AccessKey ID and AccessKey secret of the RAM user and the temporary security token that is generated by STS for the RAM user. The temporary security token must be updated on a regular basis. For more information about how to obtain a temporary security token by using STS, see AssumeRole.
Notice This method is applicable only to Message Queue for Apache RocketMQ SDK for Java V1.7.8.Final or later.
Example of configuring the SDK code by using a token that is generated by STS
- When you initialize the Message Queue for Apache RocketMQ client, specify the AccessKey ID, AccessKey secret, and security token as shown in the following code:
```java
import java.util.Properties;

import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;

Properties properties = new Properties();
// The temporary AccessKey ID that STS generates for the RAM user. It begins with "STS.".
properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
// The temporary AccessKey secret that STS generates for the RAM user.
properties.put(PropertyKeyConst.SecretKey, "XXX");
// The security token that is generated by STS for the RAM user.
properties.put(PropertyKeyConst.SecurityToken, "XXX");
// Other attributes, such as the name server address.
properties.put(PropertyKeyConst.NAMESRV_ADDR, "XXX");
// ......
Producer client = ONSFactory.createProducer(properties);
client.start();
```
- If the security token expires, call the updateCredential method to dynamically update the token. The temporary AccessKey pair and the token must all come from the same fresh STS response, because a security token is only valid together with the AccessKey pair that was issued with it.
```java
// "client" is the producer that was created and started in the previous snippet.
Properties properties = new Properties();
// The new temporary AccessKey ID that STS generates for the RAM user.
properties.put(PropertyKeyConst.AccessKey, "STS.XXX");
// The new temporary AccessKey secret that STS generates for the RAM user.
properties.put(PropertyKeyConst.SecretKey, "XXX");
// The new security token that is generated by STS for the RAM user.
properties.put(PropertyKeyConst.SecurityToken, "XXX");
// Replace the credentials of the running client without restarting it.
client.updateCredential(properties);
```
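The two snippets above show the property names but leave out where the STS values come from and when to refresh them. The following class is an added example, not code from the Message Queue for Apache RocketMQ SDK or from this page: it calls AssumeRole with the long-lived AccessKey pair of a RAM user in Enterprise B, maps the temporary credentials from the response onto the ONS properties, and then pushes a new token into the running client on a schedule that is shorter than the token lifetime. The role ARN, region ID, session name, refresh interval and all credential placeholders are assumptions to be replaced; the Alibaba Cloud Java core SDK and STS SDK classes are used as published.

```java
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import com.aliyun.openservices.ons.api.Admin;
import com.aliyun.openservices.ons.api.ONSFactory;
import com.aliyun.openservices.ons.api.Producer;
import com.aliyun.openservices.ons.api.PropertyKeyConst;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

/**
 * Keeps an ONS client supplied with a fresh STS token obtained by a RAM user of
 * Enterprise B assuming the RAM role that Enterprise A created. Example code,
 * not part of the SDK; every constant below is a placeholder or assumption.
 */
public class StsCredentialRefresher {
    // Long-lived AccessKey pair of the RAM user in Enterprise B (placeholders).
    private static final String RAM_USER_AK = "<RAM user AccessKey ID>";
    private static final String RAM_USER_SK = "<RAM user AccessKey secret>";
    // ARN of the RAM role in Enterprise A's account (placeholder).
    private static final String ROLE_ARN = "acs:ram::<account-A-id>:role/<role-name>";
    private static final String REGION_ID = "cn-hangzhou"; // assumption
    // Ask STS for a 1-hour token and refresh it after 40 minutes, so a failed
    // refresh can be retried before the current token actually expires.
    private static final long TOKEN_DURATION_SECONDS = 3600L;
    private static final long REFRESH_INTERVAL_SECONDS = 2400L;

    private final IAcsClient stsClient;

    public StsCredentialRefresher() {
        DefaultProfile profile = DefaultProfile.getProfile(REGION_ID, RAM_USER_AK, RAM_USER_SK);
        this.stsClient = new DefaultAcsClient(profile);
    }

    /** Calls AssumeRole and maps the temporary credentials onto ONS properties. */
    public Properties assumeRoleCredentials() throws ClientException {
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleArn(ROLE_ARN);
        // The session name is recorded in ActionTrail, so make it identify the caller.
        request.setRoleSessionName("enterprise-b-rocketmq-producer");
        request.setDurationSeconds(TOKEN_DURATION_SECONDS);
        AssumeRoleResponse.Credentials creds = stsClient.getAcsResponse(request).getCredentials();

        Properties credentialProps = new Properties();
        // All three values come from the same response: the temporary AccessKey ID
        // (begins with "STS."), its secret, and the security token.
        credentialProps.put(PropertyKeyConst.AccessKey, creds.getAccessKeyId());
        credentialProps.put(PropertyKeyConst.SecretKey, creds.getAccessKeySecret());
        credentialProps.put(PropertyKeyConst.SecurityToken, creds.getSecurityToken());
        return credentialProps;
    }

    /** Refreshes the token on a fixed schedule and hands it to the running client. */
    public ScheduledExecutorService scheduleRefresh(Admin client) {
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        scheduler.scheduleAtFixedRate(() -> {
            try {
                client.updateCredential(assumeRoleCredentials());
            } catch (ClientException e) {
                // Keep the current token; it remains valid until the next attempt.
                System.err.println("AssumeRole failed, will retry: " + e.getErrMsg());
            }
        }, REFRESH_INTERVAL_SECONDS, REFRESH_INTERVAL_SECONDS, TimeUnit.SECONDS);
        return scheduler;
    }

    public static void main(String[] args) throws ClientException {
        StsCredentialRefresher refresher = new StsCredentialRefresher();

        // Initial credentials for client creation, plus the other attributes.
        Properties properties = refresher.assumeRoleCredentials();
        properties.put(PropertyKeyConst.NAMESRV_ADDR, "<name server address>"); // placeholder
        Producer producer = ONSFactory.createProducer(properties);
        producer.start();

        // Producer extends Admin, which declares updateCredential(Properties).
        refresher.scheduleRefresh(producer);
    }
}
```

Refreshing before expiry rather than on failure matters because a producer that keeps sending with an expired token fails every publish until the next refresh; if Enterprise A deletes the role or its trust policy, AssumeRole starts failing and the existing token simply runs out, which is how the revocation requirement above takes effect for SDK clients.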
- Configure the SDK code by using the RAM role that is assigned to your Elastic Compute Service (ECS) instance: If a RAM role is assigned to your ECS instance, you do not need to provide the AccessKey ID, AccessKey secret, or security token of the RAM user in the SDK code. You only need to enter the name of the RAM role. This simplifies code configuration. However, you must assign the RAM role to the ECS instance where your application is deployed to grant the permissions of the RAM role to the ECS instance. For more information, see Bind an instance RAM role.
Notice This method is applicable only to Message Queue for Apache RocketMQ SDK for Java 1.8.7.3.Final or later.
Example of configuring the SDK code by using the RAM role that is assigned to your ECS instance
```java
Properties properties = new Properties();
// The name of the RAM role that you create and assign to the ECS instance.
// The SDK obtains and refreshes the temporary credentials itself, so no
// AccessKey ID, AccessKey secret, or security token is set here.
properties.put(PropertyKeyConst.RAM_ROLE_NAME, "XXX");
```
- Access resources in the console
RAM users of Enterprise B can log on to the console to access Message Queue for Apache RocketMQ resources of Enterprise A by performing the following steps.
- Open the RAM Account Login page in your browser.
- On the RAM Account Login page, enter the logon name of the RAM user, and then click Next. Enter the password, and then click Log On.
Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not specified, the ID of the Alibaba Cloud account is used by default.
- In the upper-right corner of the homepage of the console, move the pointer over the profile icon and click Switch Identity.
- On the Switch Role page, enter the alias, domain name, or Alibaba Cloud account ID of Enterprise A. Enter a role name, and then click Submit.
- Manage the Message Queue for Apache RocketMQ resources of Enterprise A.
- Access resources by calling API operations
RAM users of Enterprise B can access the resources of Enterprise A by calling the API operations provided by Message Queue for Apache RocketMQ. For more information about how to call an API operation, see Make API requests.