You can use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. This way, an enterprise can access Message Queue for RabbitMQ of another enterprise.
Background information
- Enterprise A wants to focus on its business systems and act only as the owner of Message Queue for RabbitMQ. Enterprise A can authorize Enterprise B to maintain, monitor, and manage Message Queue for RabbitMQ.
- When an employee joins or leaves Enterprise B, no permission change is required. Enterprise B can grant fine-grained permissions on cloud resources of Enterprise A to its RAM users (employees or applications).
- If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Step 1: Enterprise A creates a RAM role
Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role for the Alibaba Cloud account of Enterprise B.
Step 2: Enterprise A grants permissions to the RAM role
Grant the RAM role the permissions to access Message Queue for RabbitMQ of Enterprise A.
Step 3: Enterprise B creates a RAM user
Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.
Step 4: Enterprise B grants permissions to the RAM user
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
- In the Add Permissions panel, view the authorization information and click OK.
- In the Add Permissions panel, click Complete.
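The policy documents behind Steps 1 to 4, as an added example that is not part of the original page or of any Alibaba Cloud SDK. Account IDs and the role name are constructed placeholders. It builds the trust policy Enterprise A attaches to the role (Step 1), a permission policy for the role (Step 2), and, as a tighter alternative to the AliyunSTSAssumeRoleAccess system policy in Step 4, a custom policy that lets Enterprise B's RAM user assume only that one role. An audit helper flags trust policies that trust more than the intended account. The "amqp" action prefix for Message Queue for RabbitMQ is an assumption; the trust-policy and sts:AssumeRole syntax is the standard RAM form.

```python
"""RAM policy documents for the cross-account setup (constructed example)."""
import json

# Constructed placeholder identifiers; substitute the real values.
ENTERPRISE_A_ACCOUNT_ID = "111111111111"   # owns the RabbitMQ instance
ENTERPRISE_B_ACCOUNT_ID = "222222222222"   # operates it on A's behalf
ROLE_NAME = "rabbitmq-operator"            # hypothetical role name
ROLE_ARN = f"acs:ram::{ENTERPRISE_A_ACCOUNT_ID}:role/{ROLE_NAME}"


def trust_policy(trusted_account_id: str) -> dict:
    """Step 1: trust policy on the role in Enterprise A's account.

    Only the Alibaba Cloud account of Enterprise B may call sts:AssumeRole;
    no wildcard principal, so no other account can assume the role.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
    }


def permission_policy() -> dict:
    """Step 2: permissions the role carries inside Enterprise A.

    Assumption: 'amqp' is the RAM action prefix for Message Queue for
    RabbitMQ. Replace 'amqp:*' with the specific actions B needs and
    narrow Resource to the instances B should manage.
    """
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "amqp:*", "Resource": "*"}],
    }


def assume_role_policy(role_arn: str) -> dict:
    """Step 4, tightened: the RAM user may assume only this role.

    AliyunSTSAssumeRoleAccess allows assuming any role B is trusted by; a
    custom policy with an explicit Resource limits the blast radius of a
    leaked RAM-user AccessKey to the one role in A's account.
    """
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def audit_trust_policy(policy: dict, trusted_accounts: set) -> list:
    """Flag Allow statements that trust more than the expected accounts."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings += [f"unexpected action: {a}" for a in actions if a != "sts:AssumeRole"]
        for kind, members in stmt.get("Principal", {}).items():
            members = [members] if isinstance(members, str) else members
            for member in members:
                if "*" in member:
                    findings.append(f"wildcard principal: {kind}={member}")
                elif kind == "RAM":
                    # acs:ram::<account-id>:root -> the account id is field 3
                    parts = member.split(":")
                    account = parts[3] if len(parts) > 3 else ""
                    if account not in trusted_accounts:
                        findings.append(f"untrusted account: {member}")
    return findings


def render(policy: dict) -> str:
    """JSON text as pasted into the RAM console's policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = trust_policy(ENTERPRISE_B_ACCOUNT_ID)
    print(render(policy))
    print("findings:", audit_trust_policy(policy, {ENTERPRISE_B_ACCOUNT_ID}))
    print(render(assume_role_policy(ROLE_ARN)))
```

Run the audit against the role's trust policy whenever it is changed; Step 5 in the Background information (revoking Enterprise B) is then a matter of removing B's account from the trust policy, which the audit will report as an untrusted principal if it is ever re-added by mistake.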
What to do next
The RAM user of Enterprise B can access Message Queue for RabbitMQ of Enterprise A by using the following methods:
- Console
- Open the RAM Account Login page in your browser.
- On the RAM Account Login page, specify Username and click Next. Then, specify Password and click Login.
Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.
- On the RAM user center page, move the pointer over the profile picture in the upper-right corner and click Switch Identity.
- On the Switch Role page, enter the enterprise alias or default domain name of Enterprise A and the RAM role name, and click Submit.
Note
- Enterprise alias: Use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center, move the pointer over the profile picture in the upper-right corner, and view the enterprise alias.
- Default domain name: Use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
- API operation
- Call the AssumeRole API operation to obtain the AccessKey ID, AccessKey secret, and a temporary security token. For more information, see AssumeRole.
- Use the obtained AccessKey ID, AccessKey secret, and temporary security token in code to access Message Queue for RabbitMQ.
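The API path above (call AssumeRole, then use the temporary credentials), as an added example that is not part of the original page or of the Alibaba Cloud SDK. It assumes the Python packages aliyun-python-sdk-core and aliyun-python-sdk-sts are installed and that Enterprise B's RAM-user AccessKey pair is supplied in the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET (names chosen here, not prescribed by the page). The response fields used (Credentials.AccessKeyId, AccessKeySecret, SecurityToken, Expiration) are those returned by the STS AssumeRole operation; the sample response embedded for offline use is constructed and contains no real credentials. The refresh logic shows the point the page leaves implicit: the token is temporary, so code must rotate it before expiry.

```python
"""Obtain STS temporary credentials for Enterprise A's role and track their expiry."""
import json
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_utc(text: str) -> datetime:
    """Parse the ISO 8601 UTC timestamp format STS uses, e.g. 2030-01-01T01:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class TemporaryCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    def seconds_remaining(self, now: datetime = None) -> float:
        now = now or datetime.now(timezone.utc)
        return (self.expiration - now).total_seconds()

    def needs_refresh(self, now: datetime = None, margin_seconds: int = 300) -> bool:
        """Rotate well before expiry so long-lived AMQP connections are not cut off."""
        return self.seconds_remaining(now) < margin_seconds


def parse_assume_role_response(body) -> TemporaryCredentials:
    """Extract the credential triple from the JSON body returned by AssumeRole."""
    creds = json.loads(body)["Credentials"]
    return TemporaryCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=creds["SecurityToken"],
        expiration=parse_utc(creds["Expiration"]),
    )


def assume_role(role_arn: str, session_name: str, duration_seconds: int = 3600,
                region_id: str = "cn-hangzhou") -> TemporaryCredentials:
    """Call STS AssumeRole with Enterprise B's RAM-user AccessKey pair.

    The SDK import is deferred so the parsing helpers work without the SDK.
    session_name is recorded on Enterprise A's side, so use one that
    identifies the calling person or application for audit.
    """
    from aliyunsdkcore.client import AcsClient
    from aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest

    client = AcsClient(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                       os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"], region_id)
    request = AssumeRoleRequest()
    request.set_RoleArn(role_arn)
    request.set_RoleSessionName(session_name)
    request.set_DurationSeconds(duration_seconds)
    return parse_assume_role_response(client.do_action_with_exception(request))


# Constructed sample response (placeholder values, not real credentials).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "Arn": "acs:ram::111111111111:role/rabbitmq-operator/ops-session",
        "AssumedRoleId": "PLACEHOLDER-ASSUMED-ROLE-ID",
    },
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLESECRET",
        "SecurityToken": "EXAMPLETOKEN",
        "Expiration": "2030-01-01T01:00:00Z",
    },
})


if __name__ == "__main__":
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    now = parse_utc("2030-01-01T00:00:00Z")
    print("expires in", creds.seconds_remaining(now), "s; refresh:", creds.needs_refresh(now))
    # Live call (needs the SDK and B's AccessKey pair in the environment):
    # creds = assume_role("acs:ram::111111111111:role/rabbitmq-operator", "ops-session")
    # Pass creds.access_key_id, creds.access_key_secret and creds.security_token
    # to the Message Queue for RabbitMQ client; all three are required.
```

Two operational points follow from the code: the AccessKey pair that leaves the process is the short-lived STS one, so Enterprise B's long-term RAM-user key never needs to be placed in the RabbitMQ client configuration, and a client that ignores `needs_refresh()` will start failing authentication at `expiration` with no other warning.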