You can grant permissions to a Resource Access Management (RAM) role that you created for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). This topic describes how to create a RAM role for a trusted Alibaba Cloud account and grant permissions to the RAM role to access Serverless App Engine (SAE) resources across accounts.
Scenario
Enterprise A has activated SAE and wants to authorize Enterprise B to manage part of its business. Requirements:
Enterprise A wants to focus on the business system and act only as the resource owner of SAE. Enterprise A wants to authorize Enterprise B to manage part of its business, such as application publishing, application management, auto scaling policy management, application one-click start and stop, and application monitoring.
If an employee joins or leaves Enterprise B, Enterprise A does not need to make modifications to the granted permissions. Enterprise B can grant its RAM users fine-grained permissions on the resources of Enterprise A.
If the contract between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Step 1: Enterprise A creates a RAM role
Enterprise A has an Alibaba Cloud account named Account A and Enterprise B has an Alibaba Cloud account named Account B.
The ID of Account A is
1234************, and the account alias iscompany-a.The ID of Account B is
2345************, and the account alias iscompany-b.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, configure the related parameters.
Set Principal Type to Cloud Account and Principal Name to Other Account. Then, enter the UID for Account B. Click OK.
Enter
sae-adminin the Role Name field and click OK.ImportantIf you want a specific RAM user instead of all RAM users that belong to an Alibaba Cloud account to assume the RAM role, use one of the following methods:
Modify the trust policy of the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.
Modify the role-assuming policy that is attached to the RAM user. For more information, see How to specify the RAM role that a RAM user can assume?
On the Basic Information page of the RAM role, you can view the RAM role name, creation time, and Alibaba Cloud Resource Name (ARN).
RAM role name: sae-admin.
ARN:
acs:ram::1234************:role/sae-admin.Trust policy:
NoteThis policy indicates that only RAM users that belong to Account B can assume the RAM role.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::2345************:root" ] } } ], "Version": "1" }
Step 2: Enterprise A grants permissions to the RAM role
Log on to the RAM console with Account A.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.
You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.
In the Grant Permission panel, grant permissions to the RAM role.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
NoteIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Configure the Principal parameter.
The principal is the RAM role to which you want to grant permissions. The current RAM role is automatically selected.
Configure the Policy parameter.
A policy is a set of access permissions. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
Step 3: Enterprise B creates a RAM user
Log on to the RAM console with Account B.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the
icon and enter a tag key and a tag value. Adding tags helps you categorize and manage RAM users.
NoteYou can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
For enhanced security, we recommend creating separate users for individuals and for applications. Choose only one access mode accordingly to maintain this separation.
Console access
For users who are individuals, we recommend enabling Console Access. This allows them to sign in to the Alibaba Cloud Management Console with a username and password. If you select Console Access, you must configure the following parameters:
Set Logon Password: Select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: Specify whether the RAM user is required to reset the password at the next sign-in.
Enable MFA: Specify whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.
Programmatic access
For users that represent applications, enable Using permanent AccessKey to access for the RAM user. The system will generate a permanent AccessKey ID and AccessKey Secret for API calls. For more information, see Obtain an AccessKey pair.
ImportantThe AccessKey Secret is displayed only once when it is created and cannot be retrieved later. Therefore, you must save it in a secure location.
An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.
Click OK.
Step 4: Enterprise B grants permissions to the RAM user
Log on to the RAM console with Account B.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Policy section, enter AliyunSTSAssumeRoleAccess in the search box, select the policy to add it to the Selected Policy list on the right, and then click Grant permissions.
Click Close.
Step 5: Access resources across Alibaba Cloud accounts
Security Token Service (STS) allows you to use temporary credentials to access your Alibaba Cloud resources. You can use STS to grant temporary access tokens with custom validity periods and access permissions to RAM entities such as RAM users and RAM roles. Authorized RAM entities can use the STS tokens to access Alibaba Cloud resources by using one of the following methods:
Method 1: Use the console to access resources
You can log on to the console as the RAM user of Enterprise B to access SAE resources of Enterprise A by performing the following steps:
Log on to the RAM console as the RAM user of Account B.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Move the pointer over the profile picture in the upper-right corner of the page and click Switch Role.
On the Switch Role page, enter the enterprise alias and RAM role name of Enterprise A. Then, click Submit.
After the logon, the RAM user of Enterprise B can manage the SAE resources of Enterprise A.
Method 2: Use an SDK to access resources
Obtain access credentials. The SDK for Java is used as an example here:
Configure the environment variables for code execution.
Variable name
Variable value
ALIBABA_CLOUD_ACCESS_KEY_ID
The AccessKey ID of the RAM user of Enterprise B
ALIBABA_CLOUD_ACCESS_KEY_SECRET
The AccessKey secret of the RAM user of Enterprise B.
Run the following code. For more information, see STS SDK for Java and AssumeRole.
package com.aliyun.sample; import com.aliyun.sts20150401.models.AssumeRoleResponse; import com.aliyun.tea.TeaException; import com.google.gson.Gson; public class Sample { /** * <b>description</b> : * <p> * Initialize your client with the credentials. * </p> * * @return Client * * @throws Exception */ public static com.aliyun.sts20150401.Client createClient() throws Exception { com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client(); com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config().setCredential(credential); // Specify the endpoint. For more information, visit https://api.aliyun.com/product/Sts. config.endpoint = "sts.cn-hangzhou.aliyuncs.com"; return new com.aliyun.sts20150401.Client(config); } public static void main(String[] args_) throws Exception { com.aliyun.sts20150401.Client client = Sample.createClient(); com.aliyun.sts20150401.models.AssumeRoleRequest assumeRoleRequest = new com.aliyun.sts20150401.models.AssumeRoleRequest(); com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions(); // Replace it with the actual RoleArn and customize the RoleSessionName. assumeRoleRequest.setRoleArn("acs:ram::1234************:role/sae-admin"); assumeRoleRequest.setRoleSessionName("Alice"); try { // Write your own code to display the response of the API operation if necessary. AssumeRoleResponse response = client.assumeRoleWithOptions(assumeRoleRequest, runtime); System.out.println(new Gson().toJson(response.body)); } catch (TeaException error) { // Handle exceptions with caution in actual business scenarios, and do not ignore exceptions in your project. In this example, exceptions are printed for demonstration. // Display the error message. System.out.println(error.getMessage()); // Display the URL for troubleshooting. System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); } catch (Exception _error) { TeaException error = new TeaException(_error.getMessage(), _error); // Handle exceptions with caution in actual business scenarios and do not ignore the exceptions in your project. In this example, exceptions are provided only for reference. // Display the error message. System.out.println(error.getMessage()); // Display the URL for troubleshooting. System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); } } }NoteYou can call the SAE API to perform operations by using HTTP request methods, SDKs, and OpenAPI Explorer. For more information, see List of operations by function.
The following sample code provides an example of the expected output:
{ "requestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025****", "assumedRoleUser": { "arn": "acs:ram::*************", "assumedRoleId": "*************" }, "credentials": { "securityToken": "*************", "accessKeyId": "STS.*************", "accessKeySecret": "*************", "expiration": "2021-05-28T11:23:19Z" } }
The AccessKey pair information in the output indicates that a new client is generated in the code of Account B. This indicates that the RAM user of Account B is granted the permissions to view all SAE namespaces in the China (Hangzhou) region of Account A.
Configure the environment variables for code execution.
Variable name
Variable value
ALIBABA_CLOUD_ACCESS_KEY_ID
# Obtain the credentials.accessKeyId from the results in the previous step.
ALIBABA_CLOUD_ACCESS_KEY_SECRET
# Obtain the credentials.accessKeySecret from the results in the previous step.
ALIBABA_CLOUD_SECURITY_TOKEN
# Obtain the credentials.securityToken from the results in the previous step.
Run the following code.
package com.aliyun.sample; import com.aliyun.sae20190506.models.DescribeNamespacesResponse; import com.aliyun.tea.*; import com.google.gson.Gson; public class Sample { /** * <b>description</b> : * <p> * Initialize your client with the credentials. * </p> * * @return Client * * @throws Exception */ public static com.aliyun.sae20190506.Client createClient() throws Exception { com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client(); com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config().setCredential(credential); // For more information about endpoints, see https://api.aliyun.com/product/sae. config.endpoint = "sae.cn-hangzhou.aliyuncs.com"; return new com.aliyun.sae20190506.Client(config); } public static void main(String[] args_) throws Exception { com.aliyun.sae20190506.Client client = Sample.createClient(); com.aliyun.sae20190506.models.DescribeNamespacesRequest describeNamespacesRequest = new com.aliyun.sae20190506.models.DescribeNamespacesRequest(); com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions(); java.util.Map<String, String> headers = new java.util.HashMap<>(); // Customize the following optional parameters as needed: describeNamespacesRequest.setCurrentPage(1); describeNamespacesRequest.setPageSize(10); try { DescribeNamespacesResponse response = client .describeNamespacesWithOptions(describeNamespacesRequest, headers, runtime); System.out.println(new Gson().toJson(response.body)); } catch (TeaException error) { // Handle exceptions with caution in actual business scenarios, and do not ignore exceptions in your project. In this example, exceptions are printed for demonstration. // Display the error message. System.out.println(error.getMessage()); // Display the URL for troubleshooting. System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); } catch (Exception _error) { TeaException error = new TeaException(_error.getMessage(), _error); // Handle exceptions with caution in actual business scenarios and do not ignore the exceptions in your project. In this example, exceptions are provided only for reference. // Display the error message. System.out.println(error.getMessage()); // Display the URL for troubleshooting. System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); } } }
Revoke permissions from a RAM role
If the contract between Enterprise A and Enterprise B ends, Enterprise A only needs to revoke the permissions from the RAM role of Enterprise B and delete the RAM role. This way, all RAM users of Account B can no longer access the resources of Account A.
Before you delete a RAM role, you must detach the policies from the RAM role. For more information, see Revoke permissions from a RAM role.
Log on to the RAM console with Account A.
In the left-side navigation pane, choose .
On the Roles page, find the RAM user that you want to delete and click Delete Role in the Actions column.
In the Delete Role dialog box, enter the name of the RAM role and click Delete Role.
If a policy is attached to the RAM role, the policy is detached when you delete the RAM role.
For a RAM role that fails to be deleted, you can click Role Deletion in the upper-right corner of the RAM role list to view the details.