You can use a RAM role to grant permissions across Alibaba Cloud accounts. This way, an enterprise can access the Message Queue for RabbitMQ instance of another enterprise.

Background information

Enterprise A has activated Message Queue for RabbitMQ and requires Enterprise B to manage the Message Queue for RabbitMQ resources of Enterprise A, such as instances, topics, and consumer groups. The following items describe the detailed requirements of Enterprise A:
  • Enterprise A can focus on its business systems and act only as the owner of Message Queue for RabbitMQ. Enterprise A can authorize Enterprise B to maintain, monitor, and manage Message Queue for RabbitMQ.
  • If an employee joins or leaves Enterprise B, Enterprise A does not need to make modifications to the granted permissions. Enterprise B can grant its RAM users fine-grained permissions on the cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.
  • If the agreement between Enterprise A and Enterprise B is terminated, Enterprise A can revoke the authorization from Enterprise B.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role. This RAM role will be assigned to the Alibaba Cloud account of Enterprise B.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. In the RAM Role Name field, enter a RAM role name. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account of Enterprise B. Then, click OK.
    Note
    • The RAM role name can be up to 64 characters in length and can contain letters, digits, and hyphens (-).
    • You can view the ID of the Alibaba Cloud account on the Basic Information page in the Account Center.

Step 2: Enterprise A grants permissions to the RAM role

Grant the RAM role the permissions that you want to grant to Enterprise B to access the Message Queue for RabbitMQ resources of Enterprise A.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, select System Policy or Custom Policy. Enter the keyword of the policy that you want to attach to the RAM role in the search box, click the displayed policy to add it to the Selected list, and then click OK.
    Note For information about the policies that you can use to authorize RAM roles and RAM users to access Message Queue for RabbitMQ, see RAM policies.
  5. In the Add Permissions panel, check the authorization information and click Complete.

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the employee who uses the RAM user cannot use an AccessKey pair to access Alibaba Cloud resources after the employee leaves the organization.
  6. Click OK.

Step 4: Enterprise B grants permissions to the RAM user

Attach the AliyunSTSAssumeRoleAccess permission policy to the RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, click System Policy. Enter AliyunSTSAssumeRoleAccess in the search box, click the displayed policy to add it to the Selected list, and then click OK.
  5. In the Add Permissions panel, check the authorization information and click Complete.

What to do next

The RAM user of Enterprise B can access the Message Queue for RabbitMQ resources of Enterprise A by using the following methods:

  • Use the console
    1. Open the RAM User Logon page in a browser.
    2. On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Log On.
      Note The name of the RAM user is in <$username>@<$AccountAlias> format or <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the alias of the RAM user. If you do not specify an alias, the ID of the Alibaba Cloud account is used by default.
    3. On the homepage of the console, move the pointer over the profile picture in the upper-right corner and click Switch Role.
    4. On the Switch Role page, specify the Enterprise Alias/Default Domain Name parameter for Enterprise A, specify the Role Name parameter, and then click Submit.
      Note
      • To view the enterprise alias, use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center. Move the pointer over the profile picture in the upper-right corner. The enterprise alias is displayed.
      • To view the default domain name, use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
  • Use the API
    1. Call the AssumeRole operation to obtain the AccessKey ID, AccessKey secret, and Security Token Service (STS) token. For more information, see AssumeRole.
    2. Use the obtained AccessKey ID, AccessKey secret, and STS token to call a specific API operation to access the corresponding Message Queue for RabbitMQ resources.
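The following added example (not part of this page or of the Alibaba Cloud SDK) shows, in Python, the policy documents behind Steps 1 and 4 and the handling of the AssumeRole result from the API method above. It assumes the standard RAM trust-policy shape (Principal.RAM with an acs:ram::<account-id>:root entry), the role ARN form acs:ram::<account-id>:role/<role-name>, and a constructed sample STS response; the account IDs and role name are placeholders, and the scoped-down policy is offered as a tighter alternative to AliyunSTSAssumeRoleAccess, not as a step the page prescribes.

```python
import json
from datetime import datetime, timezone

# Constructed placeholder identifiers (not real accounts or roles)
ENTERPRISE_A_ACCOUNT = "1000000000000001"
ENTERPRISE_B_ACCOUNT = "2000000000000002"
ROLE_ARN = f"acs:ram::{ENTERPRISE_A_ACCOUNT}:role/rabbitmq-ops-role"

def trust_policy(trusted_account_id):
    """Trust policy the console writes for the role in Step 1: only the named
    Alibaba Cloud account (Enterprise B) may call sts:AssumeRole on it."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]}}]}

def assume_role_policy(role_arn):
    """Custom policy for Enterprise B's RAM user (Step 4). The system policy
    AliyunSTSAssumeRoleAccess uses Resource "*"; this variant (an assumption,
    not a page step) lets the user assume only the role Enterprise A created."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def trusted_accounts(policy):
    """Audit helper: list the account IDs a trust policy allows to assume the
    role; a wildcard principal is rejected because any account could assume it."""
    accounts = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        for principal in stmt.get("Principal", {}).get("RAM", []):
            if principal == "*":
                raise ValueError("trust policy allows any account to assume the role")
            accounts.append(principal.split(":")[3])  # acs:ram::<id>:root
    return accounts

def parse_sts_credentials(response_text, now=None):
    """Extract the temporary AccessKey pair and STS token from an AssumeRole
    response and refuse credentials whose Expiration has already passed."""
    creds = json.loads(response_text)["Credentials"]
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("STS token expired; call AssumeRole again")
    return creds["AccessKeyId"], creds["AccessKeySecret"], creds["SecurityToken"], expires

# Constructed sample response, shaped like the STS AssumeRole JSON body
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {"Arn": ROLE_ARN + "/ops-session", "AssumedRoleId": "PLACEHOLDER"},
    "Credentials": {"AccessKeyId": "STS.EXAMPLE", "AccessKeySecret": "EXAMPLE-SECRET",
                    "SecurityToken": "EXAMPLE-TOKEN", "Expiration": "2030-01-01T00:00:00Z"}})
```

The credentials returned by parse_sts_credentials are the three values the API method uses for subsequent Message Queue for RabbitMQ calls; when the expiration check fails, the caller should assume the role again rather than retry with the stale token.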