Identity as a Service: Cloud identity management

Last Updated:Jan 30, 2026

Managing multiple Alibaba Cloud accounts is difficult when each account is administered separately and its permissions are maintained on their own. The cloud identity management feature lets you manage Alibaba Cloud accounts and their Resource Access Management (RAM) roles from IDaaS, so that identities and access are administered in one place. This topic describes how to manage Alibaba Cloud accounts and cloud roles to achieve unified identity management.

Scope

This feature is available for the Enterprise Edition with the M2M extension enabled.

Add an Alibaba Cloud account

Log on to the IDaaS console, select an IDaaS instance, and in the Actions column, click Manage.

Add the current Alibaba Cloud account

Manage the Alibaba Cloud account that you are currently logged in to.

  1. Add your Alibaba Cloud account information

    1. Navigate to the Asset Management > Cloud Identity page.

    2. Click Add Alibaba Cloud Account.

      1. Account Type: Select the type of account to add.

      2. Application Identity Service Authorization: Click the Authorize button to grant IDaaS permission to call the RAM API in this account on your behalf.

        Note

        If the status of Application Identity Service Authorization does not update automatically after authorization, refresh the page and add the Alibaba Cloud account again.

      3. Identity Provider Name: Enter a name for the identity provider that will be created. IDaaS creates an identity provider in the RAM of the current Alibaba Cloud account with the issuer URL https://<portal_address>/api/v2/iauths_system/oauth2. You can find the <portal_address> in the User Portal column of the IDaaS console. You must ensure that the name and issuer URL do not conflict with existing identity providers in RAM. For more information about how to view existing identity providers in RAM, see Manage OIDC identity providers.

    3. Click Next.

  2. Configure the system role for the Alibaba Cloud account.

    1. In the RAM console of the target Alibaba Cloud account, follow the on-screen instructions to complete the following configurations:

      1. Create a custom policy. Copy the access policy script from the current page and create a policy in the RAM console. For more information, see Create a custom policy.

      2. Create a role. Use the role name provided on the page to create a RAM role. For more information, see Create a RAM role for a trusted identity provider.

      3. Grant permissions to the role. Associate the access policy with the RAM role. For more information, see Manage permissions of a RAM role.

    2. Click Start Detection. IDaaS checks the identity provider, policy, and role configuration. If the check reports an error, review and correct the configuration, then run the check again.

    3. Click Next to add the Alibaba Cloud account.

After you complete the configuration, the added Alibaba Cloud account appears on the Asset Management > Cloud Identity page. In the Actions column for the target Alibaba Cloud account, click Cloud Role Management to view the system role.

Add other Alibaba Cloud accounts

Manage an Alibaba Cloud account in IDaaS that you are not currently logged in to.

  1. Add the Alibaba Cloud account information.

    1. Navigate to the Asset Management > Cloud Identity page.

    2. Click Add Alibaba Cloud Account.

      1. Account Type: Select the type of account to add.

      2. Cloud Account Type: Select the type of Alibaba Cloud account.

      3. Alibaba Cloud Account UID: Enter the UID of the root account for the Alibaba Cloud account that you want to add.

      4. Identity Provider Name: Enter a name for the identity provider. You must create this identity provider in the RAM of the corresponding Alibaba Cloud account as instructed. The Issuer URL is https://<portal_address>/api/v2/iauths_system/oauth2. You can find the <portal_address> value in the User Portal column on the IDaaS console. Ensure that the name and Issuer URL do not conflict with any existing identity provider in RAM. For more information about how to view existing identity providers in RAM, see Manage OIDC IdPs.

    3. Click Next.

  2. Configure the system role for the Alibaba Cloud account.

    1. In the RAM console of the target Alibaba Cloud account, follow the on-screen instructions to complete the following configurations:

      1. Configure an identity provider. Enter the parameters provided on the page into the corresponding configuration items in RAM. For more information, see Manage OIDC IdPs.

      2. Create a custom policy. Copy the access policy script from the current page and create a policy in the RAM console. For more information, see Create a custom policy.

      3. Create a role. Use the role name provided on the page to create a RAM role. For more information, see Create a RAM role for a trusted identity provider.

      4. Grant permissions to the role. Associate the access policy with the RAM role. For more information, see Manage permissions of a RAM role.

    2. Click Start Detection. IDaaS checks the identity provider, policy, and role configuration. If the check reports an error, review and correct the configuration, then run the check again.

    3. Click Next to add the Alibaba Cloud account.

    Note

    If you exit the page before completing the configuration, navigate to the Asset Management > Cloud Identity page. Find the Alibaba Cloud account that you added. In the Actions column, click Cloud Role Management. Then, click Details and Configure System Role in order. Follow the on-screen instructions to complete the configuration.

After you complete the configuration, the added Alibaba Cloud account appears on the Asset Management > Cloud Identity page. In the Actions column for the target Alibaba Cloud account, click Cloud Role Management to view the system role.

Add a cloud role

Manage a cloud role of a target Alibaba Cloud account in IDaaS.

  1. On the Asset Management > Cloud Identity page, select a managed Alibaba Cloud account. If you have not added an account, you must first add an Alibaba Cloud account. In the Actions column, click Cloud Role Management.

  2. Click Add Cloud Role.

    1. Role Name: Select the RAM role that you want to manage in IDaaS.

    2. Trust Policy: Follow the on-screen instructions to set the trust policy of the role in the RAM console of the Alibaba Cloud account, so that the role trusts the IDaaS identity provider. For more information, see Create a RAM role for a trusted identity provider or Modify the trust policy of a RAM role.

  3. Click Confirm to add the cloud role.

After you complete the configuration, you can view the added cloud role on the Asset Management > Cloud Identity page. In the Actions column for the target Alibaba Cloud account, click Cloud Role Management to view the added cloud role.

Delete an Alibaba Cloud account

Stop managing an Alibaba Cloud account.

On the Asset Management > Cloud Identity page, find the target Alibaba Cloud account. In the Actions column, click Delete.

Note

Before you delete an Alibaba Cloud account, you must first delete all user-created cloud roles associated with that account.

Delete a cloud role

Stop managing a cloud role of a target Alibaba Cloud account.

  1. On the Asset Management > Cloud Identity page, select a managed Alibaba Cloud account. If you have not added an account, you must first add an Alibaba Cloud account. In the Actions column, click Cloud Role Management.

  2. In the cloud role list, find the target cloud role. In the Cloud Role Status column, click the switch to disable the cloud role.

    Important

    Disabling a cloud role prevents applications and users from using it. Before you proceed, confirm the potential business impact.

  3. In the cloud role list, find the target cloud role. In the Actions column, click Delete.

Going live

Principle of least privilege: Attach precisely scoped access policies to the RAM roles that IDaaS manages. Grant only the minimum permissions that the business task requires, and avoid over-broad grants such as the Action *:* on Resource *.
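The trust-policy step under "Add a cloud role" and the least-privilege guidance above are illustrated by the following added Python example, which is not part of the IDaaS documentation or product. It builds the trust policy that binds a cloud role to the IDaaS OIDC identity provider and checks RAM policies for the over-broad grants the guidance warns about. The account ID, identity provider name, portal host and client ID are placeholders, and the sample permission policies are constructed for the example (they are not the policy script IDaaS generates); only the issuer URL path follows the page.

```python
"""Added example for this page (not IDaaS code): generate the RAM trust
policy for a cloud role that trusts the IDaaS OIDC identity provider, and
check RAM policies for the over-broad grants the least-privilege guidance
warns about.

Assumptions, none of which come from the page: the account ID, identity
provider name, portal host and client ID are placeholders; the policy
shapes follow the RAM policy grammar (Version "1", Statement with
Effect/Action/Resource; Principal.Federated and oidc:* condition keys in
an OIDC trust policy).
"""
import json
from typing import Any, Dict, List

# Placeholder values (constructed for this example).
ACCOUNT_ID = "1234567890123456"
IDP_NAME = "idaas-corp"
# Same path the page gives for the issuer; the host is a placeholder.
ISSUER_URL = "https://idaas.example.com/api/v2/iauths_system/oauth2"


def _as_list(value: Any) -> List[str]:
    """RAM accepts a string or a list for Action, Resource and Federated."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(account_id: str, idp_name: str, issuer_url: str,
                       client_id: str = "") -> Dict[str, Any]:
    """Trust policy that allows sts:AssumeRole only for tokens issued by the
    named OIDC provider of this account. Pinning oidc:iss ties the role to
    the IDaaS issuer URL rather than to the provider name alone; oidc:aud
    additionally restricts which client the token was minted for."""
    conditions = {"oidc:iss": issuer_url}
    if client_id:
        conditions["oidc:aud"] = client_id
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "Federated": [f"acs:ram::{account_id}:oidc-provider/{idp_name}"]
            },
            "Condition": {"StringEquals": conditions},
        }],
    }


def lint_permission_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that grant every action, every action of one
    service, or a wildcard action on every resource."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action in ("*", "*:*"):
                findings.append(f"statement {i}: grants all actions ({action})")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: grants every {action.split(':')[0]} action")
            elif "*" in action and "*" in resources:
                findings.append(f"statement {i}: wildcard action {action} on Resource *")
    return findings


def lint_trust_policy(policy: Dict[str, Any], account_id: str,
                      expected_issuer: str) -> List[str]:
    """Check that every Allow statement trusts only an OIDC provider of this
    account and pins oidc:iss to the expected IDaaS issuer URL."""
    findings: List[str] = []
    prefix = f"acs:ram::{account_id}:oidc-provider/"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if set(principal) != {"Federated"}:
            findings.append(f"statement {i}: trusts non-federated principals {sorted(principal)}")
        for p in _as_list(principal.get("Federated")):
            if not p.startswith(prefix):
                findings.append(f"statement {i}: trusts foreign principal {p}")
        issuer = stmt.get("Condition", {}).get("StringEquals", {}).get("oidc:iss")
        if issuer != expected_issuer:
            findings.append(f"statement {i}: oidc:iss is {issuer!r}, expected {expected_issuer!r}")
    return findings


# Constructed sample permission policies (not the script IDaaS generates).
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:DescribeInstances", "ecs:StartInstance"],
     "Resource": f"acs:ecs:*:{ACCOUNT_ID}:instance/*"}]}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, IDP_NAME, ISSUER_URL), indent=2))
    print("broad :", lint_permission_policy(BROAD_POLICY))
    print("scoped:", lint_permission_policy(SCOPED_POLICY))
```

Run the linters against the policy script you paste into the RAM console and against the trust policy of each managed cloud role before clicking Start Detection; the detection step confirms that IDaaS can use the role, not that the role is scoped tightly, so the least-privilege check is yours to make.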