Use a RAM role to access resources across Alibaba Cloud accounts - Performance Testing

This topic describes how to use a RAM role to access resources across Alibaba Cloud accounts.

Prerequisites

PTS is activated. For more information, see Billing overview.

Background information

Enterprise A wants to authorize Enterprise B to use some of its cloud resources to perform business operations on its behalf. To facilitate this, Enterprise A can create a RAM role to allow Enterprise B to access and use the designated cloud resources on its behalf. A RAM role is a virtual user that does not have a fixed identity credential. A RAM role can be used only after it is assumed by a trusted entity. To use a RAM role to allow Enterprise B to access and use the designated cloud resources of Enterprise A, perform the following steps:

Step 1: Use the Alibaba Cloud account of Enterprise A to create a RAM role
Step 2: Use the Alibaba Cloud account of Enterprise A to grant permissions to the RAM role
Step 3: Use the Alibaba Cloud account of Enterprise B to create a RAM user
Step 4: Use the Alibaba Cloud account of Enterprise B to grant permissions to the RAM user
Step 5: Use the RAM user of Enterprise B to access the cloud resources of Enterprise A

Step 1: Use the Alibaba Cloud account of Enterprise A to create a RAM role

Use the Alibaba Cloud account of Enterprise A to log on to the RAM console and create a RAM role.

Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose Identities > Roles.
On the Create Role page that appears, choose Cloud Account as Principal Type and Other Account as Principal Name, enter the Alibaba Cloud account of Enterprise B, and click OK.
Note
- Current Alibaba Cloud Account: If you want all RAM users that belong to the current Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
- Other Alibaba Cloud Account: If you want all RAM users that belong to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant resources access permissions across Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.
  You can view the ID of your Alibaba Cloud account on the Security Settings page.
- If you want a specific RAM user instead of all RAM users that belong to an Alibaba Cloud account to assume the RAM role, you can use one of the following methods:
  Modify the trust policy of the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.
  Modify the role-assuming policy that is attached to the RAM user. For more information, see Can I specify the RAM role that a RAM user can assume? .
In the dialog box that appears, enter a role name and click OK.

Step 2: Use the Alibaba Cloud account of Enterprise A to grant permissions to the RAM role

The RAM role that is created in Step 1 does not have permissions. Therefore, Enterprise A must grant permissions to the RAM role.

Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.
In the Grant Permission panel, grant the AliyunPTSFullAccess permission to the RAM role. Click Grant permissions and then close the window.

Step 3: Use the Alibaba Cloud account of Enterprise B to create a RAM user

Use the Alibaba Cloud account of Enterprise B to log on to the RAM console and create a RAM user.

Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
- Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
- Display Name: The display name can be up to 128 characters in length.
- Tag: Click the icon and enter a tag key and a tag value. Adding tags helps you categorize and manage RAM users.
Note
You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
For enhanced security, we recommend creating separate users for individuals and for applications. Choose only one access mode accordingly to maintain this separation.
- Console access
  For users who are individuals, we recommend enabling Console Access. This allows them to sign in to the Alibaba Cloud Management Console with a username and password. If you select Console Access, you must configure the following parameters:
  - Set Logon Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet complexity requirements. For more information, see Configure a password policy for RAM users.
  - Password Reset: specifies whether the RAM user is required to reset the password at the next sign-in.
  - Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.
- Programmatic access
  For users that represent applications, enable Using permanent AccessKey to access for the RAM user. The system will generate a permanent AccessKey ID and AccessKey Secret for API calls. For more information, see Obtain an AccessKey pair.
  Important
  The AccessKey Secret is displayed only once when it is created and cannot be retrieved later. Therefore, you must save it in a secure location.
  An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.
Click OK.
Complete security verification as prompted.

Step 4: Use the Alibaba Cloud account of Enterprise B to grant permissions to the RAM user

Enterprise B must grant the AliyunSTSAssumeRoleAccess permission to the RAM user. This way, the RAM user can assume the RAM role created by Enterprise A.

Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user that you created, and click Add Permissions in the Actions column.
In the Grant Permission panel, grant the AliyunSTSAssumeRoleAccess permission to the RAM user. Click Grant permissions and then close the window.

Step 5: Use the RAM user of Enterprise B to access the Alibaba Cloud resources of Enterprise A

Log on to the Alibaba Cloud Management Console by using the RAM user of Enterprise B created in Step 3.
On the Alibaba Cloud Management Console homepage, move the pointer over the profile picture in the upper-right corner and then click Switch Role.
On the Switch Role page, enter the alias or default domain name of Enterprise A and the name of the RAM role of Enterprise A created in Step 1, and then click Submit.
Enterprise B can manage the Alibaba Cloud resources of Enterprise A.