
Serverless App Engine:Grant permissions to a RAM role

Last Updated:Aug 02, 2023

You can grant permissions to a Resource Access Management (RAM) role that you created for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). This topic describes how to create a RAM role for a trusted Alibaba Cloud account and grant permissions to the RAM role to access Serverless App Engine (SAE) resources across accounts.

Scenarios

Enterprise A has activated SAE and wants to authorize Enterprise B to manage part of its business. Requirements:

  • Enterprise A wants to focus on the business system and act only as the resource owner of SAE. Enterprise A wants to authorize Enterprise B to manage part of its business, such as application publishing, application management, auto scaling policy management, application one-click start and stop, and application monitoring.

  • Each time an employee joins or leaves Enterprise B, Enterprise A does not need to change permission settings. Enterprise B can grant its RAM users fine-grained permissions on the resources of Enterprise A.

  • If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.

Step 1: Enterprise A creates a RAM role

Enterprise A has an Alibaba Cloud account named Alibaba Cloud Account A and Enterprise B has an Alibaba Cloud account named Alibaba Cloud Account B.

  • The ID of Alibaba Cloud Account A is 123456789098****, and the account alias is company-a.

  • The ID of Alibaba Cloud Account B is 234567890987****, and the account alias is company-b.

  1. Log on to the RAM console with Alibaba Cloud Account A.

  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.
  5. Configure the RAM role.

    1. Configure the RAM Role Name parameter. Enter sae-admin.

    2. Optional: Specify the Note parameter.
    3. Select the trusted Alibaba Cloud account. Select Other Alibaba Cloud Account and enter the ID of Alibaba Cloud Account B.

      Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
  6. Click OK.

    If you are redirected to the Finish step, the RAM role is created. On the Basic Information page of the RAM role, you can view the RAM role name, creation time, and Alibaba Cloud Resource Name (ARN).

    • RAM role name: sae-admin.

    • ARN: acs:ram::123456789098****:role/sae-admin.

    • Trust policy:

      Note

      This policy indicates that only RAM users that belong to Alibaba Cloud Account B can assume the RAM role.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::234567890987****:root"
              ]
            }
          }
        ],
        "Version": "1"
      }
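The trust policy above is the control that decides who can assume sae-admin, so it is worth checking mechanically rather than by eye. The following Python script is an added example for this page and is not part of the Alibaba Cloud documentation or SDKs: it builds the trust policy for a given trusted account in the layout shown above, and audits a policy document so that only RAM identities of the expected account (Alibaba Cloud Account B) are allowed the sts:AssumeRole action. The DRIFTED_POLICY sample, the 999999999999**** account ID and the function names are constructed for the example.

```python
import json

# Constructed sample: the trust policy that Step 1 produces, with the trusted
# account ID masked exactly as the documentation shows it.
TRUST_POLICY = """{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::234567890987****:root"
        ]
      }
    }
  ],
  "Version": "1"
}"""

# Constructed sample of a policy that drifted from the intent: it also trusts
# a third account (fake ID) and a wildcard principal.
DRIFTED_POLICY = """{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {"RAM": ["acs:ram::234567890987****:root",
                            "acs:ram::999999999999****:root"]}
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": "*"
    }
  ],
  "Version": "1"
}"""


def build_trust_policy(trusted_account_id):
    """Return the trust policy that lets every RAM identity of
    trusted_account_id assume the role, in the layout of Step 1."""
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
            }
        ],
        "Version": "1",
    }


def principal_account(principal):
    """Account ID of an acs:ram::<account>:<entity> principal, or None."""
    parts = principal.split(":")
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "ram":
        return None
    return parts[3]


def audit_trust_policy(policy_json, trusted_accounts):
    """Return a list of findings; an empty list means only identities from
    the expected accounts are allowed to assume the role."""
    policy = json.loads(policy_json)
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"statement {n}: unexpected action {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {n}: wildcard principal")
            continue
        for kind, entries in principal.items():
            if kind != "RAM":
                # Service and Federated principals belong to the other role types
                findings.append(f"statement {n}: non-RAM principal type {kind}")
                continue
            if isinstance(entries, str):
                entries = [entries]
            for entry in entries:
                account = principal_account(entry)
                if account is None:
                    findings.append(f"statement {n}: malformed principal {entry}")
                elif account not in trusted_accounts:
                    findings.append(f"statement {n}: untrusted account {account}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("234567890987****"), indent=2))
    print(audit_trust_policy(TRUST_POLICY, {"234567890987****"}))
    print(audit_trust_policy(DRIFTED_POLICY, {"234567890987****"}))
```

Run the audit against the trust policy shown on the Basic Information page of the role whenever the agreement with Enterprise B changes; any finding means an account other than Alibaba Cloud Account B can obtain the role's permissions.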

Step 2: Enterprise A grants permissions to the RAM role

  1. Log on to the RAM console with Alibaba Cloud Account A.

  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role.
    1. Set the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

Step 3: Enterprise B creates a RAM user

  1. Log on to the RAM console with Alibaba Cloud Account B.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • (Optional) Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 4: Enterprise B grants permissions to the RAM user

  1. Log on to the RAM console with Alibaba Cloud Account B.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  4. In the Select Policy section of the Add Permissions panel, click System Policy. Enter AliyunSTSAssumeRoleAccess in the search box, click the policy that is displayed to add the policy to the Selected list.

  5. Click Complete.

Step 5: Access resources across Alibaba Cloud accounts

Security Token Service (STS) allows you to use temporary credentials to access your Alibaba Cloud resources. You can use STS to create temporary access tokens for RAM entities such as RAM users and RAM roles. You can also specify a custom validity period and configure the access permissions of the STS tokens. Authorized RAM entities can use the STS tokens to access Alibaba Cloud resources by using one of the following methods:

Method 1: Use the console to access resources

You can log on to the console as the RAM user of Enterprise B to access SAE resources of Enterprise A by performing the following steps:

  1. Log on to the RAM console as the RAM user of Alibaba Cloud Account B.

  2. Move the pointer over the profile picture in the upper-right corner of the page and click Switch Role.

  3. On the Switch Role page, enter the enterprise alias and RAM role name of Enterprise A. Then, click Submit.

    After the logon, the RAM user of Enterprise B can manage the SAE resources of Enterprise A.

Method 2: Use an SDK to access resources

  1. In this example, SAE SDK for Java is used to obtain an STS token.

    For more information, see STS SDK for Java and AssumeRole.

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.exceptions.ServerException;
    import com.aliyuncs.profile.DefaultProfile;
    import com.google.gson.Gson;
    import com.aliyuncs.sts.model.v20150401.*;

    public class AssumeRole {

        public static void main(String[] args) {
            // Construct an Alibaba Cloud client to initiate requests.
            // The ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables
            // must hold the AccessKey pair of the RAM user of Alibaba Cloud Account B (Step 3),
            // which was granted the AliyunSTSAssumeRoleAccess policy in Step 4.
            DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou",
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
            IAcsClient client = new DefaultAcsClient(profile);

            // Construct a request and configure request parameters. For more information about the parameters, see API Reference.
            AssumeRoleRequest request = new AssumeRoleRequest();
            request.setRegionId("cn-hangzhou");
            // The ARN of the RAM role created in Step 1, in the form acs:ram::123456789098****:role/sae-admin.
            request.setRoleArn("<RoleArn>");
            // The session name is recorded with the assumed-role identity, so choose one that identifies the caller.
            request.setRoleSessionName("<RoleSessionName>");

            // Initiate the request and obtain a response.
            try {
                AssumeRoleResponse response = client.getAcsResponse(request);
                // The response carries temporary credentials; print it only while testing.
                System.out.println(new Gson().toJson(response));
            } catch (ServerException e) {
                e.printStackTrace();
            } catch (ClientException e) {
                System.out.println("ErrCode:" + e.getErrCode());
                System.out.println("ErrMsg:" + e.getErrMsg());
                System.out.println("RequestId:" + e.getRequestId());
            }
        }
    }

    Note

    You can call the SAE API to perform operations by using HTTP request methods, SDKs, and OpenAPI Explorer. For more information, see List of operations by function and Request methods.

    The following is an example of the expected output:

    {
      "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025****",
      "AssumedRoleUser": {
        "Arn": "acs:ram::*************",
        "AssumedRoleId": "*************"
      },
      "Credentials": {
        "SecurityToken": "*************",
        "AccessKeyId": "STS.*************",
        "AccessKeySecret": "*************",
        "Expiration": "2021-05-28T11:23:19Z"
      }
    }
  2. Use the AccessKey pair and security token from the output to construct a new client in the code of Alibaba Cloud Account B. With this client, the RAM user of Alibaba Cloud Account B holds the permissions granted to the RAM role, such as the permission to view all SAE namespaces in the China (Hangzhou) region of Alibaba Cloud Account A.

    import com.aliyuncs.CommonRequest;
    import com.aliyuncs.CommonResponse;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.exceptions.ServerException;
    import com.aliyuncs.http.FormatType;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;

    public class CreateNamespace {
        public static void main(String[] args) {
            // Build the client from the temporary credentials returned by AssumeRole
            // (Credentials.AccessKeyId, Credentials.AccessKeySecret and Credentials.SecurityToken),
            // not from the long-term AccessKey pair of Alibaba Cloud Account B.
            // Here the three values are read from environment variables.
            DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou",
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"),
                    System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
            IAcsClient client = new DefaultAcsClient(profile);

            // Call the SAE API of Alibaba Cloud Account A through a common request.
            CommonRequest request = new CommonRequest();
            request.setMethod(MethodType.POST);
            request.setDomain("sae.cn-hangzhou.aliyuncs.com");
            request.setVersion("2019-05-06");
            request.setUriPattern("/pop/v1/paas/namespace");

            request.putHeadParameter("Content-Type", "application/json");
            String requestBody = "{}";
            request.setHttpContent(requestBody.getBytes(), "utf-8", FormatType.JSON);
            try {
                CommonResponse response = client.getCommonResponse(request);
                System.out.println(response.getData());
            } catch (ServerException e) {
                e.printStackTrace();
            } catch (ClientException e) {
                e.printStackTrace();
            }
        }
    }
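The expected output of AssumeRole shown above is only useful for the lifetime given by Credentials.Expiration, and the credential triple in it must be handled as a secret. The following Python script is an added example for this page, not code from the Alibaba Cloud documentation or SDKs: it parses a response in that shape, confirms the AccessKey ID is a temporary STS one (STS. prefix), decides whether the token is close enough to expiry that AssumeRole should be called again, produces a loggable view with the secret and token removed, and maps the triple to environment variables for a client that reads its credentials from the environment. The ASSUME_ROLE_RESPONSE sample contains obviously fake placeholder values, the refresh margin of five minutes is a choice made for the example, and ALIBABA_CLOUD_SECURITY_TOKEN as the variable name for the token is an assumption of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the AssumeRole output above; the ARN,
# IDs and secrets are fake placeholders, not real values.
ASSUME_ROLE_RESPONSE = """{
  "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025****",
  "AssumedRoleUser": {
    "Arn": "acs:ram::123456789098****:role/sae-admin/example-session",
    "AssumedRoleId": "example-assumed-role-id"
  },
  "Credentials": {
    "SecurityToken": "example-security-token-not-real",
    "AccessKeyId": "STS.exampleAccessKeyId",
    "AccessKeySecret": "exampleAccessKeySecret",
    "Expiration": "2021-05-28T11:23:19Z"
  }
}"""

STS_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(timestamp):
    """Parse a timestamp in the format STS uses into a UTC-aware datetime."""
    return datetime.strptime(timestamp, STS_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_sts_credentials(response_json):
    """Extract the temporary credential triple and its expiry from the response."""
    creds = json.loads(response_json)["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "access_key_secret": creds["AccessKeySecret"],
        "security_token": creds["SecurityToken"],
        "expiration": parse_utc(creds["Expiration"]),
    }


def is_temporary(creds):
    """STS AccessKey IDs carry the STS. prefix; a long-term AccessKey does not."""
    return creds["access_key_id"].startswith("STS.")


def seconds_remaining(creds, now):
    """Seconds until expiry; negative once the token has expired."""
    return (creds["expiration"] - now).total_seconds()


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True when the token is expired or expires within margin, so the caller
    should call AssumeRole again instead of reusing it."""
    return seconds_remaining(creds, now) < margin.total_seconds()


def redact_for_log(creds):
    """Loggable view: the secret and token never appear, the key ID is truncated."""
    return {
        "access_key_id": creds["access_key_id"][:8] + "***",
        "access_key_secret": "***",
        "security_token": "***",
        "expiration": creds["expiration"].isoformat(),
    }


def to_env(creds):
    """Environment variables for a client that reads credentials from the
    environment (the token variable name is an assumption of this example)."""
    return {
        "ALIBABA_CLOUD_ACCESS_KEY_ID": creds["access_key_id"],
        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": creds["access_key_secret"],
        "ALIBABA_CLOUD_SECURITY_TOKEN": creds["security_token"],
    }


if __name__ == "__main__":
    creds = parse_sts_credentials(ASSUME_ROLE_RESPONSE)
    now = datetime.now(timezone.utc)
    print("temporary:", is_temporary(creds))
    print("needs refresh:", needs_refresh(creds, now))
    print("loggable:", redact_for_log(creds))
```

A program that keeps a client for longer than the token lifetime should call needs_refresh before each batch of SAE calls and obtain a new token from AssumeRole when it returns True; the fixed-time tests below exercise both sides of that boundary with the sample's 2021 expiry.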

Revoke permissions from a RAM role

If the agreement between Enterprise A and Enterprise B ends, Enterprise A only needs to revoke the permissions from the RAM role of Enterprise B and delete the RAM role. This way, all RAM users of Alibaba Cloud Account B can no longer access the resources of Alibaba Cloud Account A.

Note

Before you delete a RAM role, you must detach the policies from the RAM role. For more information, see Revoke permissions from a RAM role.

  1. Log on to the RAM console with Alibaba Cloud Account A.

  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, find the RAM role that you want to delete. Click Delete in the Actions column.
  4. In the message that appears, click OK.