You can grant permissions to a Resource Access Management (RAM) role that you created for a trusted Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP). This topic describes how to create a RAM role for a trusted Alibaba Cloud account and grant permissions to the RAM role to access Serverless App Engine (SAE) resources across accounts.
Scenarios
Enterprise A has activated SAE and wants to authorize Enterprise B to manage part of its business. Requirements:
Enterprise A wants to focus on the business system and act only as the resource owner of SAE. Enterprise A wants to authorize Enterprise B to manage part of its business, such as application publishing, application management, auto scaling policy management, application one-click start and stop, and application monitoring.
If an employee joins or leaves Enterprise B, Enterprise A does not need to make modifications to the granted permissions. Enterprise B can grant its RAM users fine-grained permissions on the resources of Enterprise A.
If the agreement between Enterprise A and Enterprise B ends, Enterprise A can revoke the permissions from Enterprise B.
Step 1: Enterprise A creates a RAM role
Enterprise A has an Alibaba Cloud account named Alibaba Cloud Account A and Enterprise B has an Alibaba Cloud account named Alibaba Cloud Account B.
The ID of Alibaba Cloud Account A is 123456789098****, and the account alias is company-a. The ID of Alibaba Cloud Account B is 234567890987****, and the account alias is company-b.
Log on to the RAM console with Alibaba Cloud Account A.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, configure the related parameters.
In the Select Role Type step, set Select Trusted Entity to Alibaba Cloud Account and click Next.
In the Configure Role step, set RAM Role Name to sae-admin, specify Note, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, and enter the ID of Alibaba Cloud Account B of Enterprise B.
Important: If you want a specific RAM user instead of all RAM users that belong to the trusted Alibaba Cloud account to assume the RAM role, you can use one of the following methods:
Modify the trust policy of the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.
Modify the role-assuming policy that is attached to the RAM user. For more information, see Can I specify the RAM role that a RAM user can assume?
After you complete the configurations, click OK.
If you are redirected to the Finish step, the RAM role is created. On the Basic Information page of the RAM role, you can view the RAM role name, creation time, and Alibaba Cloud Resource Name (ARN).
RAM role name: sae-admin.
ARN: acs:ram::123456789098****:role/sae-admin
Trust policy:
Note: This policy indicates that only RAM users that belong to Alibaba Cloud Account B can assume the RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::234567890987****:root"
        ]
      }
    }
  ],
  "Version": "1"
}
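An added example that is not part of the original topic: a small Python audit that reads a trust policy in the format above and reports every sts:AssumeRole principal that is a wildcard or belongs to an account other than the expected partner account, so Enterprise A can confirm that only Alibaba Cloud Account B can assume sae-admin. The two policy documents in it are constructed from the one above; the user/<name> ARN form is an assumption about how a single RAM user would be named.

```python
import json
import re
from typing import Iterable, List

# Constructed sample inputs (not copied from the console). The first is the
# trust policy above, which trusts every RAM user under Alibaba Cloud Account B;
# the second trusts any account and should never be attached to sae-admin.
TRUST_POLICY_ACCOUNT_B = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": ["acs:ram::234567890987****:root"]}}],
    "Version": "1",
})
TRUST_POLICY_ANY_ACCOUNT = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": ["*"]}}],
    "Version": "1",
})

# acs:ram::<account-id>:root trusts the whole account; the :user/<name> form
# (assumed here) would trust a single RAM user of that account.
_RAM_ARN = re.compile(r"^acs:ram::([^:]+):(root|user/.+)$")


def assume_role_principals(policy_json: str) -> List[str]:
    """Return every RAM principal that an Allow statement lets call sts:AssumeRole."""
    found: List[str] = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        ram = stmt.get("Principal", {}).get("RAM", [])
        found.extend([ram] if isinstance(ram, str) else ram)
    return found


def trust_policy_findings(policy_json: str, expected_accounts: Iterable[str]) -> List[str]:
    """List each principal that is a wildcard or outside the expected accounts.

    An empty result means only the expected partner accounts can assume the role.
    """
    expected = set(expected_accounts)
    findings: List[str] = []
    for arn in assume_role_principals(policy_json):
        match = _RAM_ARN.match(arn)
        if match is None or match.group(1) == "*":
            findings.append(f"wildcard or malformed principal: {arn}")
        elif match.group(1) not in expected:
            findings.append(f"principal outside expected accounts: {arn}")
    return findings
```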
Step 2: Enterprise A grants permissions to the RAM role
Log on to the RAM console with Alibaba Cloud Account A.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.
You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.
In the Grant Permission panel, grant permissions to the RAM role.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Configure the Principal parameter.
The principal is the RAM role to which you want to grant permissions. The current RAM role is automatically selected.
Configure the Policy parameter.
A policy is a set of access permissions. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
Note: The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close.
Step 3: Enterprise B creates a RAM user
Log on to the RAM console with Alibaba Cloud Account B.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.
OpenAPI Access
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.
Important: An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
Click OK.
Step 4: Enterprise B grants permissions to the RAM user
Log on to the RAM console with Alibaba Cloud Account B.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Policy section of the Grant Permission panel, enter AliyunSTSAssumeRoleAccess in the search box, select the policy to add it to the Selected Policy list on the right, and then click Grant permissions.
Click Close.
Step 5: Access resources across Alibaba Cloud accounts
Security Token Service (STS) allows you to use temporary credentials to access your Alibaba Cloud resources. You can use STS to create temporary access tokens for RAM entities such as RAM users and RAM roles. You can also specify a custom validity period and configure the access permissions of the STS tokens. Authorized RAM entities can use the STS tokens to access Alibaba Cloud resources by using one of the following methods:
Method 1: Use the console to access resources
You can log on to the console as the RAM user of Enterprise B to access SAE resources of Enterprise A by performing the following steps:
Log on to the RAM console as the RAM user of Alibaba Cloud Account B.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Move the pointer over the profile picture in the upper-right corner of the page and click Switch Role.
On the Switch Role page, enter the enterprise alias and RAM role name of Enterprise A. Then, click Submit.
After the logon, the RAM user of Enterprise B can manage the SAE resources of Enterprise A.
Method 2: Use an SDK to access resources
In this example, SAE SDK for Java is used to obtain an STS token.
For more information, see STS SDK for Java and AssumeRole.
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.profile.DefaultProfile;
import com.google.gson.Gson;
import java.util.*;
import com.aliyuncs.sts.model.v20150401.*;

public class AssumeRole {
    public static void main(String[] args) {
        // Construct an Alibaba Cloud client to initiate requests.
        // Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET
        // environment variables are configured for the runtime environment.
        DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou",
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        IAcsClient client = new DefaultAcsClient(profile);
        // Construct a request and configure request parameters.
        // For more information about the parameters, see API Reference.
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRegionId("cn-hangzhou");
        // The ARN of the RAM role created in Step 1, for example acs:ram::123456789098****:role/sae-admin.
        request.setRoleArn("<RoleArn>");
        request.setRoleSessionName("<RoleSessionName>");
        // Initiate the request and obtain a response.
        try {
            AssumeRoleResponse response = client.getAcsResponse(request);
            System.out.println(new Gson().toJson(response));
        } catch (ServerException e) {
            e.printStackTrace();
        } catch (ClientException e) {
            System.out.println("ErrCode:" + e.getErrCode());
            System.out.println("ErrMsg:" + e.getErrMsg());
            System.out.println("RequestId:" + e.getRequestId());
        }
    }
}
Note: You can call the SAE API to perform operations by using HTTP request methods, SDKs, and OpenAPI Explorer. For more information, see List of operations by function.
The following sample code provides an example of the expected output:
{
  "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025****",
  "AssumedRoleUser": {
    "Arn": "acs:ram::*************",
    "AssumedRoleId": "*************"
  },
  "Credentials": {
    "SecurityToken": "*************",
    "AccessKeyId": "STS.*************",
    "AccessKeySecret": "*************",
    "Expiration": "2021-05-28T11:23:19Z"
  }
}
The AccessKey pair and security token in the output are used to construct a new client in the code of Alibaba Cloud Account B. The following example shows that the RAM user of Alibaba Cloud Account B is granted the permissions to view all SAE namespaces in the China (Hangzhou) region of Alibaba Cloud Account A.
import com.aliyuncs.CommonRequest;
import com.aliyuncs.CommonResponse;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.http.FormatType;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;

public class CreateNamespace {
    public static void main(String[] args) {
        // Build the client from the temporary credentials returned by AssumeRole:
        // the STS AccessKey ID, AccessKey secret, and SecurityToken. An STS AccessKey
        // pair is rejected unless the SecurityToken is sent with it. Here the three
        // values are read from the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET,
        // and ALIBABA_CLOUD_SECURITY_TOKEN environment variables.
        DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou",
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"),
                System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
        IAcsClient client = new DefaultAcsClient(profile);
        // Call the SAE namespace API in the China (Hangzhou) region as a common request.
        CommonRequest request = new CommonRequest();
        request.setMethod(MethodType.POST);
        request.setDomain("sae.cn-hangzhou.aliyuncs.com");
        request.setVersion("2019-05-06");
        request.setUriPattern("/pop/v1/paas/namespace");
        request.putHeadParameter("Content-Type", "application/json");
        String requestBody = "{}";
        request.setHttpContent(requestBody.getBytes(), "utf-8", FormatType.JSON);
        try {
            CommonResponse response = client.getCommonResponse(request);
            System.out.println(response.getData());
        } catch (ServerException e) {
            e.printStackTrace();
        } catch (ClientException e) {
            e.printStackTrace();
        }
    }
}
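Handling the AssumeRole response in client code, as an added Python example that is not part of the original topic: it extracts the credential triple from output in the shape shown above, refuses an STS AccessKey ID that arrived without its SecurityToken (such a key is unusable on its own), and decides when the caller should call AssumeRole again before the Expiration is reached. The response values are constructed placeholders, and the five-minute refresh margin is a chosen default, not an SDK setting.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the AssumeRole output above; the credential
# values are placeholders, not real secrets.
ASSUME_ROLE_RESPONSE = json.dumps({
    "RequestId": "964E0EC5-575B-4FF5-8FD0-D4BD8025****",
    "AssumedRoleUser": {"Arn": "acs:ram::*************", "AssumedRoleId": "*************"},
    "Credentials": {"SecurityToken": "placeholder-security-token",
                    "AccessKeyId": "STS.placeholder-key-id",
                    "AccessKeySecret": "placeholder-key-secret",
                    "Expiration": "2021-05-28T11:23:19Z"},
})


def parse_utc(timestamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps STS returns into aware UTC datetimes."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime

    def needs_refresh(self, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
        """True when the token is expired or will expire within the safety margin."""
        return now + margin >= self.expiration


def parse_sts_credentials(response_json: str) -> StsCredentials:
    """Extract the temporary credential triple from an AssumeRole response.

    Raises ValueError when the token is missing: an AccessKey ID that starts
    with 'STS.' cannot be used without its SecurityToken, so a client built
    from only the AccessKey pair would be rejected.
    """
    creds = json.loads(response_json)["Credentials"]
    token = creds.get("SecurityToken", "")
    if creds["AccessKeyId"].startswith("STS.") and not token:
        raise ValueError("STS AccessKey ID returned without a SecurityToken")
    return StsCredentials(
        access_key_id=creds["AccessKeyId"],
        access_key_secret=creds["AccessKeySecret"],
        security_token=token,
        expiration=parse_utc(creds["Expiration"]),
    )
```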
Revoke permissions from a RAM role
If the agreement between Enterprise A and Enterprise B ends, Enterprise A only needs to revoke the permissions from the RAM role of Enterprise B and delete the RAM role. This way, all RAM users of Alibaba Cloud Account B can no longer access the resources of Alibaba Cloud Account A.
Before you delete a RAM role, you must detach the policies from the RAM role. For more information, see Revoke permissions from a RAM role.
Log on to the RAM console with Alibaba Cloud Account A.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to delete and click Delete Role in the Actions column.
In the Delete Role dialog box, enter the name of the RAM role and click Delete Role.
If a policy is attached to the RAM role, the policy is detached when you delete the RAM role.
For a RAM role that fails to be deleted, you can click Role Deletion in the upper-right corner of the RAM role list to view the details.