This topic describes how to use a Resource Access Management (RAM) role to grant permissions across Alibaba Cloud accounts. Two enterprises (Enterprise A and Enterprise B) are used as examples. To authorize Enterprise B to access specified resources of Enterprise A, Enterprise A can create and assign a RAM role to Enterprise B. Then, Enterprise B can assume the RAM role and access the specified resources.
Background information
Enterprise A has purchased multiple types of Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets. Enterprise A wants to authorize Enterprise B to access specified resources of Enterprise A.
Enterprise A has the following requirements:
Enterprise A serves only as a cloud resource owner. Enterprise A can authorize Enterprise B to maintain, monitor, and manage specified cloud resources of Enterprise A.
If an employee joins or leaves Enterprise B, Enterprise A does not need to change permissions. Enterprise B can grant its RAM users fine-grained permissions on cloud resources of Enterprise A. The RAM user credentials can be assigned to either employees or applications.
If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Solution
In this example, Enterprise A needs to authorize employees of Enterprise B to manage ECS resources of Enterprise A. Enterprise A has an Alibaba Cloud account named Account A and Enterprise B has an Alibaba Cloud account named Account B.
The ID of Account A is 123456789012**** and the account alias is company-a. The ID of Account B is 134567890123**** and the account alias is company-b.
For more information about how to configure an account alias, see View and modify the default domain name.
Enterprise A uses Account A to create a RAM role, grants the required permissions to the RAM role, and then authorizes Account B to assume this role.
For more information, see Grant permissions across Alibaba Cloud accounts.
If an employee of Enterprise B needs to use a RAM user to assume this role, Enterprise B can use Account B to grant the required permissions to the RAM user. Then, the RAM user assumes the RAM role to access the resources of Account A.
For more information, see Access resources across Alibaba Cloud accounts.
If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Account B. Then, the RAM users of Account B no longer have the permissions of the RAM role.
For more information, see Revoke permissions across Alibaba Cloud accounts.
Grant permissions across Alibaba Cloud accounts
Enterprise A uses Account A to create a RAM role that is named ecs-admin. Alibaba Cloud Account is selected as the trusted entity type.
Note: When the RAM role is created, Other Alibaba Cloud Account is selected and 134567890123**** is specified as the trusted Alibaba Cloud account. This ensures that RAM users that belong to Account B can assume the RAM role.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
After the RAM role is created, Enterprise A can view information about the RAM role on the basic information page.
In this example, the Alibaba Cloud Resource Name (ARN) of the RAM role is acs:ram::123456789012****:role/ecs-admin. The following trust policy is attached to the RAM role:
Note: This policy indicates that RAM users of Account B can assume the RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::134567890123****:root"
        ]
      }
    }
  ],
  "Version": "1"
}
Enterprise A uses Account A to attach the AliyunECSFullAccess policy to the RAM role ecs-admin. For more information, see Grant permissions to a RAM role.
Enterprise B uses Account B to create a RAM user named Alice. For more information, see Create a RAM user.
Enterprise B uses Account B to set the logon password of the RAM user to 123456**** and attaches the AliyunSTSAssumeRoleAccess policy to the RAM user. This allows the RAM user to assume the RAM role. For more information, see Grant permissions to a RAM user.
Access resources across Alibaba Cloud accounts
After Enterprise A uses Account A to grant the required permissions to Account B, the RAM user Alice of Account B can access ECS resources of Account A by assuming the RAM role. An employee of Enterprise B can perform the following steps to assume the RAM role as a RAM user:
Log on to the RAM console as the RAM user named Alice.
Note: On the logon page, you must enter the account alias company-b, the username Alice, and the password 123456****. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Move the pointer over the profile picture and click Switch Identity.
Note: On the page that appears, you must enter the account alias company-a and the role name ecs-admin. For more information, see Assume a RAM role.
Revoke permissions across Alibaba Cloud accounts
Enterprise A can use Account A to revoke the permissions to assume the RAM role ecs-admin from Account B. Enterprise A can perform the following steps to revoke the permissions to assume the RAM role:
Log on to the RAM console by using Account A.
In the left-side navigation pane, choose .
In the Role Name column of the page that appears, click the RAM role ecs-admin.
On the Trust Policy tab, click Edit Trust Policy. In the panel that appears, delete "acs:ram::134567890123****:root".
Note: Enterprise A can also use Account A to delete the RAM role ecs-admin. This revokes the permissions of the RAM role from Account B. Before the RAM role is deleted, the policies attached to the RAM role must be detached. For more information, see Revoke permissions from a RAM role.
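The trust-policy edits in the grant and revoke steps above, as an added Python example that is not part of the Alibaba Cloud documentation: it audits which account IDs a trust policy allows to assume the role and produces the policy that results from deleting Account B's root principal. It works only on the policy document (no SDK or console calls); the masked account IDs are the ones quoted on this page.

```python
import json
from typing import Any, Dict, List

# Trust policy quoted on the page: the root principal of Account B
# (134567890123****) may call sts:AssumeRole on the role ecs-admin.
ECS_ADMIN_TRUST_POLICY: Dict[str, Any] = {
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": ["acs:ram::134567890123****:root"]}}],
    "Version": "1",
}

def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Action may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def trusted_account_ids(policy: Dict[str, Any]) -> List[str]:
    """Account IDs whose root principal is allowed to assume the role.
    Useful when auditing which external accounts a role still trusts."""
    ids: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for arn in _as_list(stmt.get("Principal", {}).get("RAM", [])):
            parts = arn.split(":")  # acs:ram::<account-id>:root
            if len(parts) == 5 and parts[4] == "root":
                ids.append(parts[3])
    return ids

def revoke_trusted_account(policy: Dict[str, Any], account_id: str) -> Dict[str, Any]:
    """Copy of the trust policy without the account's root principal, the same
    change the Edit Trust Policy step makes. A statement left with no RAM
    principal is dropped rather than kept as an empty Allow statement."""
    new_policy = json.loads(json.dumps(policy))  # deep copy; input untouched
    target = f"acs:ram::{account_id}:root"
    kept = []
    for stmt in new_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if "RAM" not in principal:
            kept.append(stmt)  # other principal types are not affected
            continue
        remaining = [a for a in _as_list(principal["RAM"]) if a != target]
        if remaining:
            principal["RAM"] = remaining
            kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy
```

Running trusted_account_ids against the role's trust policies on a schedule is a cheap check that a terminated partner such as Enterprise B has actually been removed.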