
Simple Log Service: Use a RAM role to access resources across Alibaba Cloud accounts

Last Updated: Apr 03, 2025

You can use a Resource Access Management (RAM) role to access resources across Alibaba Cloud accounts. This topic describes how to create and use a RAM role.

Solution overview

A RAM role is a virtual identity to which policies can be attached. A RAM role does not have permanent identity credentials, such as a logon password or an AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity. After a trusted entity assumes a RAM role, the trusted entity obtains a temporary Security Token Service (STS) token. Then, the trusted entity can use the STS token to access Alibaba Cloud resources as the RAM role until the token expires.

The following procedure shows how Enterprise B uses its RAM user to assume the RAM role of Enterprise A to access the resources of Enterprise A.

  1. Create a RAM role by using the Alibaba Cloud account of Enterprise A.

  2. Attach a policy to the RAM role.

  3. Create a RAM user by using the Alibaba Cloud account of Enterprise B.

  4. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

  5. Obtain a Security Token Service (STS) token of the RAM role to access the resources of Enterprise A.

Step 1: Create a RAM role by using the Alibaba Cloud account of Enterprise A

  1. Log on to the RAM console by using the Alibaba Cloud account of Enterprise A or a RAM user of Enterprise A who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.


  4. On the Create Role page, set the Principal Type parameter to Cloud Account and the Principal Name parameter to Other Account, enter the ID of the Alibaba Cloud account of Enterprise B, and then click OK. This makes the Alibaba Cloud account of Enterprise B the trusted entity of the role: only principals of that account can assume the role, and any RAM user of Enterprise B that holds the sts:AssumeRole permission can do so.

  5. In the Create Role dialog box, configure the Role Name parameter. Example: aliyunlogreadrole.

Step 2: Attach a policy to the RAM role

Note

After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. RAM provides the following system policies for Simple Log Service. We recommend that you grant only the required permissions to the RAM role based on the principle of least privilege.

  • AliyunLogFullAccess: This policy grants the permissions to manage all Simple Log Service resources.

  • AliyunLogReadOnlyAccess: This policy grants the read-only permissions on all Simple Log Service resources.

If system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create custom policies. For more information about sample policies, see Examples of using custom policies to grant permissions to a RAM user and Overview.

  1. Log on to the RAM console as a RAM administrator of Enterprise A.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.


    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Grant Permission panel, select the required policy and click Grant permissions. In this example, the AliyunLogReadOnlyAccess policy is selected.

  5. Click Close.

Step 3: Create a RAM user by using the Alibaba Cloud account of Enterprise B

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.

    • Using permanent AccessKey to access

      If the RAM user represents a program, select Using permanent AccessKey to access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. In this topic, the RAM user calls the STS API in Step 5, so it needs an AccessKey pair. If you select this access mode, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important
      • An AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

      • An AccessKey pair is a permanent credential for application access. If an AccessKey pair is leaked, every resource that the owning identity can access is exposed to potential risks. To limit this exposure, we recommend that you use Security Token Service (STS) tokens, which expire, wherever possible. In this topic, the AccessKey pair of the RAM user is used only to obtain STS tokens. For more information, see Best practices for using an access credential to call API operations.

  6. Click OK.

  7. Complete security verification as prompted.

Step 4: Attach a policy to the RAM user

Enterprise B must grant the sts:AssumeRole permission to the RAM user before the RAM user can assume the RAM role of Enterprise A. The AliyunSTSAssumeRoleAccess system policy grants this permission on all resources (Resource "*"), so the RAM user can assume any role whose trust policy admits the account of Enterprise B. If the RAM user should be able to assume only the role created in Step 1, attach a custom policy instead that allows sts:AssumeRole only on the ARN of that role, acs:ram::<Enterprise A account ID>:role/aliyunlogreadrole. The following steps use the system policy.

  1. Log on to the RAM console as a RAM administrator of Enterprise B.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Policy section of the Grant Permission page, search for and select the AliyunSTSAssumeRoleAccess system policy. Then, click Grant permissions.

  5. Click Close.
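The two policy documents that Step 1 and Step 4 configure through the console, as an added example that is not part of this topic or of any Alibaba Cloud SDK. It uses the documented RAM policy shape (Version "1", a Statement list) and ARN forms acs:ram::<account-id>:root, ...:user/<name> and ...:role/<name>; the account IDs, the user name and the role name are constructed placeholders. It also shows the narrower alternatives a practitioner can choose: trusting named RAM users of Enterprise B instead of the whole account, and granting sts:AssumeRole on one role ARN instead of the Resource "*" of AliyunSTSAssumeRoleAccess, with a small audit that flags either policy when it is wider than intended.

```python
"""Trust policy for the role in Enterprise A and the assume-role grant for the
RAM user in Enterprise B, with a small audit of both.

Added example, not from the Alibaba Cloud documentation or SDKs. Account IDs,
user name and role name are constructed placeholders.
"""
import json

ENTERPRISE_A = "1111111111111111"  # constructed: account that owns the role
ENTERPRISE_B = "2222222222222222"  # constructed: account whose RAM user assumes it
ROLE_ARN = f"acs:ram::{ENTERPRISE_A}:role/aliyunlogreadrole"

# Content of the system policy AliyunSTSAssumeRoleAccess: sts:AssumeRole on every
# resource, so the user may assume any role whose trust policy admits its account.
ALIYUN_STS_ASSUME_ROLE_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}


def _as_list(value):
    """Action, Resource and Principal.RAM may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy(trusted_account, trusted_users=None):
    """Trust policy the console writes for the role in Step 1.

    Without trusted_users the whole other account is trusted (...:root), which
    admits every RAM user in that account that holds the sts:AssumeRole
    permission. Naming users limits the trusted entity to those RAM users.
    """
    if trusted_users:
        principals = [f"acs:ram::{trusted_account}:user/{u}" for u in trusted_users]
    else:
        principals = [f"acs:ram::{trusted_account}:root"]
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"RAM": principals}}],
    }


def assume_role_grant(role_arn):
    """Custom policy for the RAM user in Step 4: same action as
    AliyunSTSAssumeRoleAccess, but limited to one role ARN."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": role_arn}],
    }


def _allows_assume_role(statement):
    actions = _as_list(statement.get("Action"))
    return statement.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def audit_trust_policy(policy, expected_accounts):
    """One finding per trusted principal whose account is not expected."""
    findings = []
    for st in policy.get("Statement", []):
        if not _allows_assume_role(st):
            continue
        for principal in _as_list(st.get("Principal", {}).get("RAM")):
            parts = principal.split(":")          # acs:ram::<account>:root|user/<name>
            account = parts[3] if len(parts) == 5 else ""
            if account not in expected_accounts:
                findings.append(f"trusts principal outside expected accounts: {principal}")
    return findings


def audit_assume_grant(policy, role_arn):
    """One finding per sts:AssumeRole grant that is wider than the single role."""
    findings = []
    for st in policy.get("Statement", []):
        if not _allows_assume_role(st):
            continue
        for resource in _as_list(st.get("Resource")):
            if resource != role_arn:
                findings.append(f"sts:AssumeRole allowed on {resource!r}, expected only {role_arn}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(ENTERPRISE_B, ["log-reader"]), indent=2))
    print(json.dumps(assume_role_grant(ROLE_ARN), indent=2))
    print(audit_assume_grant(ALIYUN_STS_ASSUME_ROLE_ACCESS, ROLE_ARN))
```

Paste the output of trust_policy() into the role's trust policy in the RAM console if you want to narrow the trusted entity to named RAM users, and the output of assume_role_grant() into a custom policy for Step 4 in place of AliyunSTSAssumeRoleAccess. The audit functions are meant to run over policies exported from both accounts; an empty list means the policy is no wider than the scenario needs.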

Step 5: Obtain an STS token of the RAM role

After the AliyunSTSAssumeRoleAccess policy is attached to the RAM user, the RAM user calls the AssumeRole operation of STS, signed with its own AccessKey pair, and passes the ARN of the role that is created in Step 1: Create a RAM role by using the Alibaba Cloud account of Enterprise A (acs:ram::<Enterprise A account ID>:role/aliyunlogreadrole) together with a RoleSessionName. STS returns a temporary AccessKey ID, AccessKey secret, and security token together with an expiration time. The token is valid for 3,600 seconds by default; set DurationSeconds to request a different validity period within the maximum session duration configured for the role. The RAM user then uses these temporary credentials to access the resources of Enterprise A as the RAM role.

Note
  • For more information about how to call the AssumeRole operation, see STS SDK for Java.

  • After a RAM user obtains the temporary AccessKey ID, AccessKey secret, and security token, the RAM user passes all three to Simple Log Service SDK to access the resources of Simple Log Service. The credentials stop working when the token expires, so call AssumeRole again before the expiration time to obtain a new set. For more information, see Overview of Simple Log Service SDK.
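Step 5 as an added example in Python that is not part of this topic or of any Alibaba Cloud SDK: it signs an STS AssumeRole request with only the standard library, as the RAM user of Enterprise B would, and then tracks the returned temporary credentials until they need refreshing. The request parameters, the HMAC-SHA1 RPC signature and the response fields follow the public STS API (Version 2015-04-01, endpoint sts.aliyuncs.com); the AccessKey pair, account ID, role name, session name and the sample response are constructed placeholders, and the optional session policy is shown as a way to scope the token down further.

```python
"""Sign an STS AssumeRole request as the RAM user of Enterprise B, send it, and
track the returned temporary credentials until they expire.

Added example, not from the Alibaba Cloud documentation or SDKs. All
credentials, IDs and the sample response below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.aliyuncs.com/"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _pct(value):
    """Percent-encoding as STS canonicalizes it: space -> %20, '*' -> %2A, '~' kept."""
    return urllib.parse.quote(str(value), safe="~")


def sign_assume_role_request(access_key_id, access_key_secret, role_arn, session_name,
                             duration_seconds=3600, session_policy=None,
                             timestamp=None, nonce=None):
    """Return the signed query string for GET https://sts.aliyuncs.com/?<query>.

    timestamp and nonce can be fixed by the caller to make the output
    reproducible (used by tests); normally leave them None.
    """
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "AccessKeyId": access_key_id,        # the RAM user's own AccessKey ID
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or uuid.uuid4().hex,
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime(TIME_FMT),
        "RoleArn": role_arn,
        "RoleSessionName": session_name,     # visible in Enterprise A's audit trail
        "DurationSeconds": str(duration_seconds),
    }
    if session_policy is not None:
        # Optional: the token receives the intersection of the role's policies
        # and this document, so the caller can scope itself down further.
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    # RPC signature: sorted, encoded parameters; "GET&%2F&" + encoded canonical string;
    # HMAC-SHA1 keyed with AccessKeySecret + "&"; Base64; then encoded as a parameter.
    canonical = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    string_to_sign = "GET&%2F&" + _pct(canonical)
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign.encode(), hashlib.sha1).digest()
    return canonical + "&Signature=" + _pct(base64.b64encode(digest).decode())


def assume_role(access_key_id, access_key_secret, role_arn, session_name, **kwargs):
    """Send the signed request (needs network access) and return the JSON body."""
    query = sign_assume_role_request(access_key_id, access_key_secret, role_arn,
                                     session_name, **kwargs)
    with urllib.request.urlopen(STS_ENDPOINT + "?" + query, timeout=10) as resp:
        return json.loads(resp.read().decode())


def parse_credentials(response):
    """Pick the three values the Simple Log Service SDK needs, plus the expiry."""
    creds = response["Credentials"]
    return {"access_key_id": creds["AccessKeyId"],
            "access_key_secret": creds["AccessKeySecret"],
            "security_token": creds["SecurityToken"],
            "expiration": creds["Expiration"]}


def seconds_remaining(creds, now=None):
    """Seconds until the STS token expires (negative once it has)."""
    expires = datetime.strptime(creds["expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
    current = (datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
               if now else datetime.now(timezone.utc))
    return (expires - current).total_seconds()


def needs_refresh(creds, now=None, skew=300):
    """Refresh before expiry rather than at it, so in-flight requests do not fail."""
    return seconds_remaining(creds, now) <= skew


# Constructed response in the shape STS returns; none of the values are real.
SAMPLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {"Arn": "acs:ram::1111111111111111:role/aliyunlogreadrole/log-audit",
                        "AssumedRoleId": "300000000000000000:log-audit"},
    "Credentials": {"AccessKeyId": "STS.EXAMPLEKEYID", "AccessKeySecret": "EXAMPLESECRET",
                    "SecurityToken": "EXAMPLETOKEN", "Expiration": "2025-04-03T01:00:00Z"},
}

if __name__ == "__main__":
    # Real call (needs the RAM user's AccessKey pair and network access):
    # body = assume_role("LTAI...", "...", "acs:ram::1111111111111111:role/aliyunlogreadrole", "log-audit")
    creds = parse_credentials(SAMPLE_RESPONSE)
    print(creds["access_key_id"], "expires in", seconds_remaining(creds, "2025-04-03T00:30:00Z"), "s")
```

Pass access_key_id, access_key_secret and security_token from parse_credentials() to the Simple Log Service SDK client, and call assume_role() again whenever needs_refresh() returns True; the five-minute skew keeps long-running log queries from failing on a token that expires mid-request. Only the AccessKey pair of the RAM user in Enterprise B ever needs to be stored; everything it is used for is a short-lived token.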