Enterprise A uses its Alibaba Cloud account to create a RAM role and then delegates this role to Enterprise B. This allows the Alibaba Cloud account or RAM users of Enterprise B to access the cloud resources of Enterprise A.
Background information
Enterprise A has purchased Container Application Service (AKS) for its business and wants to delegate some operations to Enterprise B.
The requirements are as follows:
Enterprise A wants to act as the resource owner and focus on its business systems. It wants to delegate tasks, such as message publishing and subscription, to Enterprise B.
Enterprise A wants to avoid changing permissions when the employees of Enterprise B change. Enterprise B can assign access to Enterprise A's resources to its own RAM users, which can be employees or applications. Enterprise B can also precisely control the permissions of its employees or applications.
Enterprise A must be able to revoke the authorization granted to Enterprise B at any time, for example when the contract ends.
Procedure
Log on to the RAM console using the Alibaba Cloud account of Enterprise A and create a RAM role whose trusted entity is the Alibaba Cloud account of Enterprise B.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
A newly created role has no permissions. You can grant permissions to the role by adding a system policy or a custom policy.
For more information, see Grant permissions to a RAM role.
Note: Currently, SOFAStack does not support fine-grained access policies for resources. Policies defined at the resource level will be supported in the future. For more information, see Access policies.
Log on to the RAM console using the Alibaba Cloud account of Enterprise B and create a RAM user.
For more information, see Create a RAM user.
Grant the AliyunSTSAssumeRoleAccess permission to the RAM user.
For more information, see Grant permissions to a RAM user.
Enterprise B must grant the AliyunSTSAssumeRoleAccess permission to the RAM user that belongs to its Alibaba Cloud account. This allows the RAM user to call the STS AssumeRole operation and assume the RAM role that was created by Enterprise A. AliyunSTSAssumeRoleAccess is a system policy that permits sts:AssumeRole on any role; the RAM user can still only assume roles whose trust policy names the Alibaba Cloud account of Enterprise B. If Enterprise B wants to limit a RAM user to one specific role, attach a custom policy whose Resource is the ARN of that role instead of the system policy.
The RAM user of Enterprise B can then access the resources of Enterprise A through the console or using an API.
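The preceding steps in one place, as an added example that is not part of the original page or of the SOFAStack product: it builds the trust policy Enterprise A attaches to the role (step 1), the scoped custom policy Enterprise B can attach to its RAM user instead of AliyunSTSAssumeRoleAccess (step 3), and an audit that reports whether the delegation is wider than intended or whether Enterprise B has been revoked. The account IDs and role name are constructed placeholders, and the content shown for AliyunSTSAssumeRoleAccess is an assumption about that system policy. Scoping sts:AssumeRole to a role ARN is a standard RAM capability and is unrelated to the SOFAStack resource-level limitation noted above.

```python
import json

# Constructed sample identifiers for this example only; they are not the
# account IDs or role name of any real tenant.
ENTERPRISE_A_ACCOUNT_ID = "1234567890123456"
ENTERPRISE_B_ACCOUNT_ID = "6543210987654321"
ROLE_NAME = "enterprise-b-ops"

# Assumed content of the AliyunSTSAssumeRoleAccess system policy:
# sts:AssumeRole on every role (Resource "*").
ALIYUN_STS_ASSUME_ROLE_ACCESS = {
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Resource": "*", "Effect": "Allow"}],
}


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of a RAM role; this is the RoleArn passed to STS AssumeRole."""
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy_for_account(trusted_account_id: str) -> dict:
    """Trust policy for the role Enterprise A creates (step 1): only the
    Alibaba Cloud account of the trusted enterprise may assume it."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{trusted_account_id}:root"]},
        }],
    }


def scoped_assume_role_policy(target_role_arn: str) -> dict:
    """Custom policy for Enterprise B's RAM user (step 3) that permits
    assuming one specific role rather than any role."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def revoke_account(trust_policy: dict, account_id: str) -> dict:
    """Trust policy with the given account removed from every statement; this
    is how Enterprise A cuts off Enterprise B without deleting the role."""
    principal = f"acs:ram::{account_id}:root"
    statements = []
    for stmt in trust_policy.get("Statement", []):
        ram = [p for p in _as_list(stmt.get("Principal", {}).get("RAM", [])) if p != principal]
        if ram:
            statements.append({**stmt, "Principal": {"RAM": ram}})
    return {"Version": trust_policy.get("Version", "1"), "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_targets(policy: dict) -> set:
    """Resources on which a permission policy grants sts:AssumeRole."""
    targets = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if {"sts:assumerole", "sts:*", "*"} & set(actions):
            targets.update(_as_list(stmt.get("Resource", [])))
    return targets


def trusted_principals(trust_policy: dict) -> list:
    """Principals that a role's trust policy allows to assume it."""
    principals = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            principals.extend(_as_list(stmt.get("Principal", {}).get("RAM", [])))
    return principals


def audit_delegation(trust_policy: dict, user_policy: dict,
                     expected_role_arn: str, trusted_account_id: str) -> list:
    """Findings a reviewer would raise before signing off the delegation."""
    findings = []
    targets = assume_role_targets(user_policy)
    if "*" in targets:
        findings.append("RAM user may call AssumeRole on any role that trusts its account")
    elif expected_role_arn not in targets:
        findings.append(f"RAM user is not permitted to assume {expected_role_arn}")
    if f"acs:ram::{trusted_account_id}:root" not in trusted_principals(trust_policy):
        findings.append(f"role does not trust account {trusted_account_id} (revoked or never granted)")
    return findings


if __name__ == "__main__":
    arn = role_arn(ENTERPRISE_A_ACCOUNT_ID, ROLE_NAME)
    trust = trust_policy_for_account(ENTERPRISE_B_ACCOUNT_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(scoped_assume_role_policy(arn), indent=2))
    print(audit_delegation(trust, ALIYUN_STS_ASSUME_ROLE_ACCESS, arn, ENTERPRISE_B_ACCOUNT_ID))
    print(audit_delegation(revoke_account(trust, ENTERPRISE_B_ACCOUNT_ID),
                           scoped_assume_role_policy(arn), arn, ENTERPRISE_B_ACCOUNT_ID))
```

The audit is deliberately two-sided: the permission side (what Enterprise B's user may assume) and the trust side (whom Enterprise A's role admits). Revocation, the requirement from the background section, is enforced entirely on the trust side, so Enterprise A does not depend on Enterprise B cleaning up its own RAM users.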
What to do next
After you complete the preceding steps, the RAM user of Enterprise B can log on to the console to access the cloud resources of Enterprise A or call an API.
Log on to the console to access the cloud resources of Enterprise A
In a browser, open the RAM user logon page.
On the RAM user logon page, enter the logon name of the RAM user, click Next, enter the password, and then click Log On.
Note: The format of a RAM user logon name is <$username>@<$AccountAlias> or <$username>@<$AccountAlias>.onaliyun.com. <$AccountAlias> is the account alias. If an account alias is not set, the Alibaba Cloud account ID is used by default.
On the User Center page, move the mouse pointer over the profile picture in the upper-right corner and click Switch Identity in the menu that appears.
On the Alibaba Cloud - Switch Role page, enter the enterprise alias or default domain name of Enterprise A and the role name. Then, click Switch.
You can now perform operations on the Alibaba Cloud resources of Enterprise A.
Access the cloud resources of Enterprise A as a RAM user of Enterprise B using an API
To use an API to access the cloud resources of Enterprise A as a RAM user of Enterprise B, the RAM user first calls the Security Token Service (STS) AssumeRole operation with its own AccessKey pair and the ARN of the role created by Enterprise A. STS returns a temporary credential set consisting of an AccessKeyId, an AccessKeySecret, and a SecurityToken. Your code must sign API calls to Enterprise A's resources with these temporary credentials, not with the RAM user's own AccessKey pair, and must obtain a new set before they expire. For more information about how to use STS to obtain a temporary security token, see AssumeRole.
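The API path described above, as an added example that is not code from the original page or from SOFAStack: it calls AssumeRole with the RAM user's own AccessKey pair, extracts the temporary credential set from the response, decides when that set must be refreshed, and builds a client that signs with the temporary credentials. The two network functions use the aliyun-python-sdk-core and aliyun-python-sdk-sts packages and are assumed to match those SDKs' interfaces; they are imported lazily so the offline parts run without them. The response shown is a constructed sample in the shape STS returns, with placeholder values.

```python
import json
from datetime import datetime, timezone


def utc(timestamp: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps STS uses, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assume_role(access_key_id: str, access_key_secret: str, target_role_arn: str,
                session_name: str, duration_seconds: int = 3600,
                region_id: str = "cn-hangzhou") -> dict:
    """Call STS AssumeRole with the RAM user's own AccessKey pair (Enterprise B).

    Assumes aliyun-python-sdk-sts is installed; returns the parsed JSON body.
    """
    from aliyunsdkcore.client import AcsClient
    from aliyunsdksts.request.v20150401 import AssumeRoleRequest

    client = AcsClient(access_key_id, access_key_secret, region_id)
    request = AssumeRoleRequest.AssumeRoleRequest()
    request.set_RoleArn(target_role_arn)
    # RoleSessionName is recorded on Enterprise A's side; use a value that
    # identifies the employee or application, not a generic string.
    request.set_RoleSessionName(session_name)
    request.set_DurationSeconds(duration_seconds)
    return json.loads(client.do_action_with_exception(request))


def credentials_from_response(response: dict) -> dict:
    """Pick the temporary credential set out of an AssumeRole response."""
    creds = response["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "AccessKeySecret": creds["AccessKeySecret"],
        "SecurityToken": creds["SecurityToken"],
        "Expiration": utc(creds["Expiration"]),
    }


def seconds_until_expiry(credentials: dict, now: datetime) -> int:
    return int((credentials["Expiration"] - now).total_seconds())


def needs_refresh(credentials: dict, now: datetime, margin_seconds: int = 300) -> bool:
    """Treat the set as expired a little before STS does, so a call that is
    in flight at the boundary does not fail with an expired-token error."""
    return seconds_until_expiry(credentials, now) <= margin_seconds


def client_for_enterprise_a(credentials: dict, region_id: str = "cn-hangzhou"):
    """Client that signs requests with the temporary credentials, i.e. as the
    assumed role, rather than with Enterprise B's own AccessKey pair.
    Assumes aliyun-python-sdk-core's StsTokenCredential interface."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.auth.credentials import StsTokenCredential

    sts_cred = StsTokenCredential(credentials["AccessKeyId"],
                                  credentials["AccessKeySecret"],
                                  credentials["SecurityToken"])
    return AcsClient(region_id=region_id, credential=sts_cred)


# Constructed sample AssumeRole response; all values are placeholders.
SAMPLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "AssumedRoleUser": {
        "AssumedRoleId": "000000000000000000:ops-alice",
        "Arn": "acs:ram::1234567890123456:role/enterprise-b-ops/ops-alice",
    },
    "Credentials": {
        "AccessKeyId": "STS.sample-access-key-id",
        "AccessKeySecret": "sample-access-key-secret",
        "SecurityToken": "sample-security-token",
        "Expiration": "2024-05-01T12:00:00Z",
    },
}


if __name__ == "__main__":
    creds = credentials_from_response(SAMPLE_RESPONSE)
    now = datetime.now(timezone.utc)
    print("seconds left:", seconds_until_expiry(creds, now),
          "refresh:", needs_refresh(creds, now))
```

In a real deployment the returned temporary credentials, not the RAM user's long-lived AccessKey pair, are what reach the process that talks to Enterprise A's resources; keep the long-lived pair only where AssumeRole is called, and refresh on the margin rather than on the exact expiry.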