阿里云跨企业自治授权

需求

前提:需要有两个阿里云主账号作为两家使用阿里云的企业,需要使用授权主账号授权给被授权主账号的ram子账号,然后登陆ram子账号通过切换身份方式登陆

被授权企业账号:pool****

授权企业账号:燎原*****

实验目的及过程:将“燎原*****”将北京一台RDS的可读以及监控权限授权给“pool****”,授权主账号通过创建角色的方式授权给被授权主账号创建的ram账号,通过被授权账号的ram子账号登陆并且换身份的方式访问主账号的RDS资源

实验步骤

主账号RDS资源:授权实例ID:rm-2ze89cbt619y6a056

阿里云跨企业自治授权

授权主账号在访问控制中创建角色:

阿里云跨企业自治授权
阿里云跨企业自治授权
阿里云跨企业自治授权

配置角色中选择其他云账号,输入被授权账号的主账号ID

阿里云跨企业自治授权

创建授权策略精确授权:

阿里云跨企业自治授权

创建权限策略(如:strategy_for_pool*****)

可以选择可视化编辑方式和脚本编辑方式:

添加资源类型、读写权限以及添加资源(北京RDS实例)

阿里云跨企业自治授权

脚本编辑方式(更灵活):

阿里云跨企业自治授权

自治服务授权配置模版:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeBinlogFiles",
        "rds:DescribeBackupTasks",
        "rds:DescribeBackups",
        "rds:DescribeCrossBackupMetaList",
        "rds:DescribeCrossRegionBackupDBInstance",
        "rds:DescribeCrossRegionBackups",
        "rds:DescribeDatabases",
        "rds:DescribeCrossRegionLogBackupFiles",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceByTags",
        "rds:DescribeAccounts",
        "rds:DescribeActionEventPolicy",
        "rds:DescribeAvailableClasses",
        "rds:DescribeAvailableCrossRegion",
        "rds:DescribeAvailableRecoveryTime",
        "rds:DescribeAvailableZones",
        "rds:DescribeBackupPolicy",
        "rds:DescribeDBInstanceDetail",
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeDBInstanceIpHostname",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceMonitor",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstancePerformance",
        "rds:DescribeDBInstanceProxyConfiguration",
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstancesAsCsv",
        "rds:DescribeDBInstancesByExpireTime",
        "rds:DescribeDBInstancesByPerformance",
        "rds:DescribeDBInstancesOverview",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:DescribeDBProxy",
        "rds:DescribeLocalAvailableRecoveryTime",
        "rds:DescribeInstanceCrossBackupPolicy",
        "rds:DescribeInstanceAutoRenewalAttribute",
        "rds:DescribeHostAccounts",
        "rds:DescribeHASwitchConfig",
        "rds:CheckAccountNameAvailable",
        "rds:CheckCloudResourceAuthorized",
        "rds:CheckCreateDdrDBInstance",
        "rds:CheckDBNameAvailable",
        "rds:CheckRecoveryConditions",
        "rds:CheckRegionSupportBackupEncryption",
        "rds:DescribeBackupDatabase",
        "rds:DescribeDBProxyEndpoint",
        "rds:DescribeDBProxyPerformance",
        "rds:DescribeDedicatedHostAttribute",
        "rds:DescribeDedicatedHostGroups",
        "rds:DescribeDedicatedHosts",
        "rds:DescribeDetachedBackups",
        "rds:DescribeDiagnosticReportList",
        "rds:DescribeDTCSecurityIpHostsForSQLServer",
        "rds:DescribeErrorLogs",
        "rds:DescribeEvents",
        "rds:DescribeLogBackupFiles",
        "rds:DescribeMetaList",
        "rds:DescribeMigrateTasks",
        "rds:DescribeModifyParameterLog",
        "rds:DescribeNextEventForSign",
        "rds:DescribeOssDownloads",
        "rds:DescribeParameterGroup",
        "rds:DescribeParameterGroups",
        "rds:DescribeParameters",
        "rds:DescribeProxyFunctionSupport",
        "rds:DescribeRdsResourceSettings",
        "rds:DescribeReadDBInstanceDelay",
        "rds:DescribeResourceUsage",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSlowLogs",
        "rds:DescribeSQLCollectorPolicy",
        "rds:DescribeSQLCollectorRetention",
        "rds:DescribeSQLLogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeSQLLogReports",
        "rds:DescribeTags",
        "rds:DescribeTasks",
        "rds:ListTagResources",
        "rds:RequestServiceOfCloudDBExpert",
        "rds:DescribeGadInstances",
        "hdm:Get*",
        "hdm:Describe*",
        "hdm:Query*"
      ],
      "Resource": "acs:rds:cn-beijing:1637691491324508:dbinstance/rm-2ze89cb**********"
    }
  ]
}

其中:
RDS读权限
"rds:Des"
自治服务读权限:
"hdm:Get
",
"hdm:Describe", "hdm:Query"

授权:

阿里云跨企业自治授权

被授权账号登陆主账号,创建一个RAM用户并授权STS

阿里云跨企业自治授权
阿里云跨企业自治授权
阿里云跨企业自治授权

获取登陆密码,授权RAM

阿里云跨企业自治授权
阿里云跨企业自治授权

登陆被授权账号RAM子账号,登陆后切换身份

阿里云跨企业自治授权

使用授权主账号的ID(或企业别名)登陆

阿里云跨企业自治授权

身份发生变化,使用rds-ram的用户扮演for-pool*****的角色访问到授权主账号授权的资源

阿里云跨企业自治授权

成功访问到资源

阿里云跨企业自治授权

发布者:LJH,转发请注明出处:https://www.ljh.cool/37003.html

(0)
上一篇 2023年4月20日 上午2:53
下一篇 2023年5月5日 上午12:08

相关推荐

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注