You can use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. This way, an enterprise can access Message Queue for RabbitMQ of another enterprise.

Background information

Enterprise A has activated Message Queue for RabbitMQ. Enterprise A requires Enterprise B to manage Message Queue for RabbitMQ resources, such as instances, queues, vhosts, and exchanges. Enterprise A has the following requirements:
  • Enterprise A wants to focus on its business systems and act only as the owner of Message Queue for RabbitMQ. Enterprise A can authorize Enterprise B to maintain, monitor, and manage Message Queue for RabbitMQ.
  • When an employee joins or leaves Enterprise B, no permission change is required. Enterprise B can grant fine-grained permissions on cloud resources of Enterprise A to its RAM users (employees or applications).
  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.

Step 1: Enterprise A creates a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console, and create a RAM role whose trusted entity is the Alibaba Cloud account of Enterprise B.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. In the RAM Role Name field, enter a RAM role name. In the Select Trusted Alibaba Cloud Account section, select Other Alibaba Cloud Account, and enter the ID of the Alibaba Cloud account of Enterprise B. Then, click OK.
    Note
    • A RAM role name cannot exceed 64 characters in length and can contain only letters, digits, and hyphens (-).
    • You can view the account ID on the Security Settings page.

Step 2: Enterprise A grants permissions to the RAM role

Grant the RAM role the permissions to access Message Queue for RabbitMQ of Enterprise A.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Select Policy section of the Add Permissions panel, click System Policy or Custom Policy. Enter the keyword of the policy that you want to add in the search box, click the displayed policy to add it to the Selected list, and then click OK.
    Note For more information about the policies that can be assigned to access Message Queue for RabbitMQ, see RAM policies.
  5. In the Add Permissions panel, view the authorization information and click Complete.

Step 3: Enterprise B creates a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access or Programmatic Access.
    • Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note We recommend that you select only one access mode for the RAM user to ensure the security of your Alibaba Cloud account. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 4: Enterprise B grants permissions to the RAM user

Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to whom you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, view the authorization information and click OK.
  5. In the Add Permissions panel, click Complete.

What to do next

The RAM user of Enterprise B can access Message Queue for RabbitMQ of Enterprise A by using the following methods:

  • Console
    1. Open the RAM Account Login page in your browser.
    2. On the RAM Account Login page, specify Username and click Next. Then, specify Password and click Login.
      Note The logon name of the RAM user is in the format of <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If no account alias is specified, the ID of the Alibaba Cloud account is used.
    3. On the RAM user center page, move the pointer over the profile picture in the upper-right corner and click Switch Identity.
    4. On the Switch Role page, enter the enterprise alias or default domain name of Enterprise A and the RAM role name, and click Submit.
      Note
      • Enterprise alias: Use the Alibaba Cloud account of Enterprise A to log on to the Alibaba Cloud user center, move the pointer over the profile picture in the upper-right corner, and view the enterprise alias.
      • Default domain name: Use the Alibaba Cloud account of Enterprise A to log on to the RAM console. On the Settings page, click the Advanced tab to view the default domain name.
  • API operation
    1. Call the AssumeRole API operation to obtain a temporary AccessKey ID, AccessKey secret, and security token. For more information, see AssumeRole.
    2. Use the obtained AccessKey ID, AccessKey secret, and temporary security token in code to access Message Queue for RabbitMQ.
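The following Python example is added here and is not code from the Alibaba Cloud documentation. It shows what Step 1 produces on the Enterprise A side (the role ARN, the role-name rule from the note, and the trust policy that limits sts:AssumeRole to Enterprise B's account) and the AssumeRole call that Enterprise B's RAM user makes in the API method above, including a check that rejects expired temporary credentials. The SDK packages aliyun-python-sdk-core and aliyun-python-sdk-sts, and all account IDs and keys, are assumptions; the sample response is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Rule from the Step 1 note: letters, digits and hyphens, at most 64 characters.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


def build_role_arn(enterprise_a_account_id: str, role_name: str) -> str:
    """ARN of the RAM role that Enterprise A created in its own account."""
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError("role name: letters, digits and hyphens only, max 64 chars")
    return f"acs:ram::{enterprise_a_account_id}:role/{role_name}"


def trust_policy_for_account(enterprise_b_account_id: str) -> dict:
    """Trust policy the console attaches in Step 1: only identities of Enterprise B's
    account may assume the role. Removing this principal (or deleting the role)
    is how Enterprise A revokes access when the agreement ends."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"RAM": [f"acs:ram::{enterprise_b_account_id}:root"]},
        }],
    }


def parse_credentials(response_text) -> dict:
    """Extract the temporary credentials from an AssumeRole response; refuse expired ones."""
    creds = json.loads(response_text)["Credentials"]
    expiry = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if expiry.replace(tzinfo=timezone.utc) <= datetime.now(timezone.utc):
        raise ValueError("temporary credentials already expired")
    return {"access_key_id": creds["AccessKeyId"],
            "access_key_secret": creds["AccessKeySecret"],
            "security_token": creds["SecurityToken"],
            "expiration": creds["Expiration"]}


def assume_role(b_user_ak_id, b_user_ak_secret, region_id, role_arn, session_name, duration=3600):
    """Enterprise B's RAM user (Programmatic Access, Step 3; needs AliyunSTSAssumeRoleAccess,
    Step 4) calls STS with its own AccessKey pair; the result is the Step 1 role's credentials."""
    from aliyunsdkcore.client import AcsClient                     # assumed SDK package
    from aliyunsdksts.request.v20150401 import AssumeRoleRequest   # assumed SDK package
    client = AcsClient(b_user_ak_id, b_user_ak_secret, region_id)
    req = AssumeRoleRequest.AssumeRoleRequest()
    req.set_accept_format("json")
    req.set_RoleArn(role_arn)
    req.set_RoleSessionName(session_name)   # shows up in audit logs on Enterprise A's side
    req.set_DurationSeconds(duration)
    return parse_credentials(client.do_action_with_exception(req))
```

The three values returned by parse_credentials are what the second API step passes to the Message Queue for RabbitMQ client; the STS credentials stop working at Expiration and must be requested again.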