You can use a RAM role to grant permissions across Alibaba Cloud accounts. This way, an enterprise can access the Message Queue for RabbitMQ instance of another enterprise.
Background information
- Enterprise A can focus on its business systems and act only as the owner of Message Queue for RabbitMQ. Enterprise A can authorize Enterprise B to maintain, monitor, and manage Message Queue for RabbitMQ.
- If an employee joins or leaves Enterprise B, Enterprise A does not need to make modifications to the granted permissions. Enterprise B can grant its RAM users fine-grained permissions on the cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.
- If the agreement between Enterprise A and Enterprise B is terminated, Enterprise A can revoke the authorization from Enterprise B.
Step 1: Enterprise A creates a RAM role
Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role. This RAM role will be assigned to the Alibaba Cloud account of Enterprise B.
Step 2: Enterprise A grants permissions to the RAM role
Grant the RAM role the permissions that you want to grant to Enterprise B to access the Message Queue for RabbitMQ resources of Enterprise A.
Step 3: Enterprise B creates a RAM user
Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.
Step 4: Enterprise B grants permissions to the RAM user
Attach the AliyunSTSAssumeRoleAccess permission policy to the RAM user.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Select Policy section of the Add Permissions panel, click System Policy. Enter AliyunSTSAssumeRoleAccess in the search box, click the displayed policy to add it to the Selected list, and then click OK.
- In the Add Permissions panel, check the authorization information and click Complete.
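The console clicks in Steps 1 through 4 hide the two JSON documents that actually implement the delegation: the trust policy on Enterprise A's RAM role (Step 1), which decides who may assume it, and the permission policy attached to that role (Step 2), which decides what the assumed role may do. The following Python is an added example, not code from the Alibaba Cloud documentation or SDK. It builds both documents, lints them for the mistakes that turn a narrowly delegated role into an open door (a wildcard principal, an unexpected account, a broad action or resource), and shows the revocation from the background section as the trust-policy edit it really is. The account IDs, role name, instance ID and the `amqp:` action names and resource layout are constructed placeholders and assumptions, not values from the page.

```python
"""Added example (not from the Alibaba Cloud documentation or SDK): build and lint
the trust policy and permission policy behind a cross-account RAM role."""
import json

ENTERPRISE_A_ACCOUNT_ID = "111111111111111111"  # constructed placeholder
ENTERPRISE_B_ACCOUNT_ID = "222222222222222222"  # constructed placeholder
ROLE_NAME = "rabbitmq-ops-for-enterprise-b"     # constructed placeholder
INSTANCE_ID = "amqp-cn-constructed"             # constructed placeholder


def _as_list(value):
    """RAM policies allow a bare string where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy(trusted_account_ids):
    """Step 1: trust policy letting only the listed Alibaba Cloud accounts
    (Enterprise B) call sts:AssumeRole on the role."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{aid}:root" for aid in trusted_account_ids]},
        }],
    }


def permission_policy(instance_id, actions):
    """Step 2: permission policy scoped to one Message Queue for RabbitMQ
    instance.  The 'amqp' action prefix and resource layout are assumptions."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": f"acs:amqp:*:{ENTERPRISE_A_ACCOUNT_ID}:/instances/{instance_id}",
        }],
    }


def trusted_accounts(policy):
    """Account IDs (or raw principals the parser does not recognise) that may
    assume the role under this trust policy."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("RAM")):
            parts = arn.split(":")  # expected shape: acs:ram::<account-id>:root
            if len(parts) == 5 and parts[:2] == ["acs", "ram"] and parts[4] == "root":
                accounts.add(parts[3])
            else:
                accounts.add(arn)  # keep anything odd visible to the linter
    return accounts


def lint_trust_policy(policy, expected_account_ids):
    """Findings for a trust policy; empty means it trusts exactly the expected
    accounts and grants nothing but sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
        extra_types = set(stmt.get("Principal", {})) - {"RAM"}
        if extra_types:
            findings.append(f"non-RAM principal types: {sorted(extra_types)}")
    for account in trusted_accounts(policy):
        if account == "*":
            findings.append("wildcard principal: any Alibaba Cloud account may assume the role")
        elif account not in expected_account_ids:
            findings.append(f"unexpected trusted principal: {account}")
    return findings


def lint_permission_policy(policy):
    """Findings for the role's permission policy: broad actions or resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"broad action: {action}")
        for resource in _as_list(stmt.get("Resource", "*")):
            if resource == "*":
                findings.append("resource '*' covers every instance in the account")
    return findings


def revoke(policy, account_id):
    """Ending the agreement: drop Enterprise B's account from the trust policy
    so it can no longer assume the role.  Returns a new document."""
    revoked = json.loads(json.dumps(policy))  # deep copy, leave the input alone
    target = f"acs:ram::{account_id}:root"
    for stmt in revoked.get("Statement", []):
        ram = stmt.get("Principal", {}).get("RAM")
        if ram is not None:
            stmt["Principal"]["RAM"] = [a for a in _as_list(ram) if a != target]
    return revoked


if __name__ == "__main__":
    tp = trust_policy([ENTERPRISE_B_ACCOUNT_ID])
    pp = permission_policy(INSTANCE_ID, ["amqp:ListInstances", "amqp:ListVirtualHosts"])
    print(json.dumps(tp, indent=2))
    print("trust findings:", lint_trust_policy(tp, {ENTERPRISE_B_ACCOUNT_ID}))
    print("permission findings:", lint_permission_policy(pp))
    print("trusted after revoke:", trusted_accounts(revoke(tp, ENTERPRISE_B_ACCOUNT_ID)))
```

The linter is deliberately strict about the principal ARN shape: anything it cannot parse as `acs:ram::<account-id>:root` is surfaced as an unexpected principal rather than silently accepted, which is the safer failure mode for a document that grants another company access to your account.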
What to do next
The RAM user of Enterprise B can access the Message Queue for RabbitMQ resources of Enterprise A by using the following methods:
- Use the console
  - Open the RAM User Logon page in a browser.
  - On the RAM User Logon page, enter the name of the RAM user, click Next, enter the password, and then click Log On.
    Note: The name of the RAM user is in the <$username>@<$AccountAlias> format or the <$username>@<$AccountAlias>.onaliyun.com format. <$AccountAlias> is the alias of the RAM user. If you do not specify an alias, the ID of the Alibaba Cloud account is used by default.
  - On the homepage of the console, move the pointer over the profile picture in the upper-right corner and click Switch Role.
  - On the Switch Role page, specify the Enterprise Alias/Default Domain Name parameter for Enterprise A, specify the Role Name parameter, and then click Submit.
    Note:
    - To view the enterprise alias, use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center. Move the pointer over the profile picture in the upper-right corner. The enterprise alias is displayed.
    - To view the default domain name, use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
- API
  - Call the AssumeRole operation to obtain the AccessKey ID, AccessKey secret, and Security Token Service (STS) token. For more information, see AssumeRole.
  - Use the obtained AccessKey ID, AccessKey secret, and STS token to call a specific API operation to access the corresponding Message Queue for RabbitMQ resources.
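The two API steps above are where delegated access becomes credentials in a program, and the parts worth getting right are not the HTTP call but what surrounds it: naming the session so Enterprise A's audit trail shows who acted, carrying the STS token on every subsequent request, refreshing before the temporary credentials expire, and never writing the secret or token to a log. The following Python is an added example, not code from the documentation or the official SDK. It builds the AssumeRole request parameters, parses a response in the documented shape (an `AssumedRoleUser` object and a `Credentials` object with `AccessKeyId`, `AccessKeySecret`, `SecurityToken` and `Expiration`), and derives the parameters a later API call needs. The sample response body and every account ID, role name, key and token in it are constructed placeholders; signing and sending the request are left to the official SDK.

```python
"""Added example (not from the Alibaba Cloud documentation or SDK): handle the
temporary credentials that AssumeRole returns to Enterprise B's RAM user."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lower bound AssumeRole accepts for DurationSeconds; the upper bound is a
# property of the role itself, so it is not checked here.
MIN_DURATION_SECONDS = 900


def role_arn(account_id, role_name):
    """ARN of the RAM role in Enterprise A's account: the RoleArn parameter."""
    return f"acs:ram::{account_id}:role/{role_name}"


def assume_role_params(account_id, role_name, session_name, duration_seconds=3600):
    """Parameters for the AssumeRole operation.  RoleSessionName is recorded in
    Enterprise A's audit trail, so name it after the person or application."""
    if duration_seconds < MIN_DURATION_SECONDS:
        raise ValueError(f"DurationSeconds must be at least {MIN_DURATION_SECONDS}")
    if not session_name:
        raise ValueError("RoleSessionName is required")
    return {
        "Action": "AssumeRole",
        "RoleArn": role_arn(account_id, role_name),
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


def parse_time(iso_z):
    """AssumeRole reports Expiration as a UTC timestamp such as 2015-04-09T11:52:19Z."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime
    assumed_role_arn: str

    @classmethod
    def from_response(cls, body):
        """Parse the JSON body of an AssumeRole response."""
        doc = json.loads(body)
        c = doc["Credentials"]
        return cls(c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"],
                   parse_time(c["Expiration"]), doc["AssumedRoleUser"]["Arn"])

    def expires_within(self, seconds, now=None):
        """True when the credentials should be refreshed before the next call."""
        now = now or datetime.now(timezone.utc)
        return self.expiration - now <= timedelta(seconds=seconds)

    def api_call_params(self, action, now=None, refresh_margin=300):
        """Parameters for a later API call.  The STS AccessKey ID identifies the
        request, the secret is used by the SDK to compute the signature, and the
        SecurityToken must be sent as well or the call is rejected."""
        if self.expires_within(refresh_margin, now):
            raise RuntimeError("STS credentials about to expire; call AssumeRole again")
        return {"Action": action,
                "AccessKeyId": self.access_key_id,
                "SecurityToken": self.security_token}

    def describe(self):
        """Log-safe summary: who assumed the role and when it expires, never the
        secret or the token."""
        return (f"{self.assumed_role_arn} via {self.access_key_id[:8]}..., "
                f"expires {self.expiration.isoformat()}")


# Constructed sample response in the documented shape; not a real API reply.
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "AssumedRoleId": "000000000000000000:ops-alice",
        "Arn": "acs:ram::111111111111111111:role/rabbitmq-ops-for-enterprise-b/ops-alice",
    },
    "Credentials": {
        "AccessKeyId": "STS.constructedKeyId",
        "AccessKeySecret": "constructedSecretDoNotLog",
        "SecurityToken": "constructedTokenDoNotLog",
        "Expiration": "2024-01-01T01:00:00Z",
    },
})

if __name__ == "__main__":
    print(assume_role_params("111111111111111111", "rabbitmq-ops-for-enterprise-b", "ops-alice"))
    creds = StsCredentials.from_response(SAMPLE_RESPONSE)
    print(creds.describe())
    print(creds.api_call_params("ListInstances", now=parse_time("2024-01-01T00:00:00Z")))
```

The refresh margin matters in practice: a long-running job that caches the credentials will fail partway through when they expire, so the usual pattern is to check `expires_within` before each batch and call AssumeRole again rather than trying to extend the existing token.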