When your organization runs performance tests against resources owned by a different Alibaba Cloud account, sharing credentials between accounts creates security risks. RAM roles solve this by letting a user from one account temporarily assume an identity in another account -- with scoped permissions and no shared passwords or AccessKey pairs.
This guide walks through three phases: creating a RAM role in the resource-owning account (Account A), granting it PTS permissions, and configuring a RAM user in the accessing account (Account B) to assume that role.
How it works
A RAM role is a virtual identity with no permanent credentials. It can only be used when a trusted entity *assumes* it. Cross-account access works by establishing a trust relationship between two accounts:
Account A (resource owner) creates a RAM role and attaches PTS permissions to it. The role's trust policy designates Account B as a trusted entity.
Account B (resource accessor) has a RAM user with permission to assume roles via Security Token Service (STS). This RAM user assumes the role created by Account A to access PTS resources.
The setup has three phases:
Create a RAM role with PTS permissions in Account A -- Create a RAM role that trusts Account B, then attach the AliyunPTSFullAccess policy so the role can manage PTS resources.
Grant a RAM user role-assumption permissions in Account B -- Create a RAM user in Account B (or use an existing one) and grant it the AliyunSTSAssumeRoleAccess policy so it can assume RAM roles.
Assume the role to access Account A's resources -- Log in as the RAM user from Account B and switch to the RAM role to work with Account A's PTS resources.
Before you begin
Make sure you have:
Performance Testing Service (PTS) activated on Account A. For billing details, see Billing overview
Administrator access to the RAM consoles of both Alibaba Cloud accounts
The Alibaba Cloud account ID of Account B (find it on the Security Settings page)
Considerations
By default, all RAM users under Account B can assume the role. To restrict assumption to a specific RAM user, you can use one of the following methods:
Modify the role's trust policy. See Edit the trust policy of a RAM role.
Modify the role-assuming policy attached to the RAM user. See Can I specify the RAM role that a RAM user can assume?
The console-based role switch described in Phase 3 is suitable for interactive use. For automated performance testing scenarios, use the STS AssumeRole API to obtain temporary credentials programmatically. See Use a RAM role to grant permissions across Alibaba Cloud accounts.
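The two restriction methods listed above, as an added example (not part of the original guide and not Alibaba Cloud's own code): Python that audits a role's trust policy for account-wide principals, narrows it to one RAM user, and builds a custom role-assuming policy limited to one role. The account ID, the user name pts-tester, and all function names are constructed for illustration.

```python
import copy

ACCOUNT_B = "2222222222222222"  # constructed placeholder account ID

# Constructed trust policy: the whole of Account B is the trusted principal.
DEFAULT_TRUST = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{ACCOUNT_B}:root"]},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Classify every RAM principal that an Allow statement trusts."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("RAM", [])):
            parts = arn.split(":", 4)  # acs : ram : (empty) : account : resource
            if len(parts) != 5 or parts[:2] != ["acs", "ram"]:
                findings.append((arn, "unrecognized"))
            elif parts[4] == "root":
                findings.append((arn, "account-wide"))  # any RAM user in it
            else:
                findings.append((arn, "single-identity"))
    return findings

def restrict_to_user(policy, account_id, user_name):
    """Method 1: replace account-wide trust with one named RAM user."""
    narrowed = copy.deepcopy(policy)
    root = f"acs:ram::{account_id}:root"
    user = f"acs:ram::{account_id}:user/{user_name}"
    for stmt in _as_list(narrowed.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if "RAM" in principal:
            principal["RAM"] = [user if p == root else p
                                for p in _as_list(principal["RAM"])]
    return narrowed

def scoped_assume_policy(role_arn):
    """Method 2: custom policy for the RAM user, limited to one role ARN."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

if __name__ == "__main__":
    print(audit_trust_policy(DEFAULT_TRUST))
    print(audit_trust_policy(restrict_to_user(DEFAULT_TRUST, ACCOUNT_B, "pts-tester")))
```

For the second method, copy the role ARN from the role's details page in Account A's RAM console and attach the resulting custom policy to the RAM user in place of AliyunSTSAssumeRoleAccess.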
Phase 1: Create a RAM role with PTS permissions in Account A
Step 1: Create the RAM role
Log in to the RAM console with an Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
On the Create Role page, set Principal Type to Cloud Account.
Set Principal Name to Other Alibaba Cloud Account and enter the Alibaba Cloud account ID of Account B.
Note: Select Current Alibaba Cloud Account if you want RAM users within the same account to assume this role. Select Other Alibaba Cloud Account for cross-account access. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts.
You can view the ID of your Alibaba Cloud account on the Security Settings page.
Click OK.
Enter a role name (for example, PTSCrossAccountRole) and click OK.
Step 2: Attach PTS permissions to the RAM role
On the Roles page, find the role you created and click Grant Permission in the Actions column.
In the Grant Permission panel, search for and select AliyunPTSFullAccess.
Click Grant permissions, then close the panel.
Phase 2: Grant a RAM user role-assumption permissions in Account B
If Account B already has a RAM user, skip to Step 4: Grant the RAM user permission to assume roles.
Step 3: Create a RAM user
Log in to the RAM console with Account B's Alibaba Cloud account or a RAM user that has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, click Create User.

In the User Account Information section, configure the following fields:
Logon Name: Up to 64 characters. Supports letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: Up to 128 characters.
Tag: (Optional) Click the edit icon and enter a tag key and value to categorize the RAM user.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode. For enhanced security, create separate users for individuals and for applications, and choose only one access mode accordingly.
Console Access -- For users who log in to the Alibaba Cloud Management Console. If you select this mode, configure the following parameters:
Set Logon Password: Select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password that meets complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: Specifies whether the RAM user is required to reset the password at the next sign-in.
Enable MFA: Specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user. For more information, see Bind an MFA device to a RAM user.
Using permanent AccessKey to access -- For programmatic access. Generates an AccessKey ID and AccessKey Secret for API calls. For more information, see Obtain an AccessKey pair.
Important: The AccessKey Secret is displayed only at creation and cannot be retrieved later. Save it securely.
An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. For production workloads, use STS tokens instead of permanent AccessKey pairs. See Best practices for access credentials.
Click OK and complete the security verification.
Step 4: Grant the RAM user permission to assume roles
On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, search for and select AliyunSTSAssumeRoleAccess.
Click Grant permissions, then close the panel.
Phase 3: Assume the role to access Account A's resources
Log in to the Alibaba Cloud Management Console as Account B's RAM user.
Hover over the profile icon in the upper-right corner and click Switch Role.
Enter the following information and click Submit:
Account alias or default domain name: The alias or default domain name of Account A
Role name: The RAM role name created in Step 1 (for example, PTSCrossAccountRole)
After switching, navigate to the Performance Testing console to verify that Account A's PTS resources are accessible.
Related topics
Edit the trust policy of a RAM role -- Restrict which RAM users can assume the role
Specify the RAM role that a RAM user can assume -- Limit a RAM user to assuming specific roles
Use a RAM role to grant permissions across Alibaba Cloud accounts -- Detailed guide on cross-account role assumption