You can use roles through CAM APIs. This document describes how to use roles through APIs with a typical use case.
For example:
CompanyExampleA (ownerUin: 12345).
CompanyExampleB (ownerUin: 67890).
DevB, and wants to use DevB to do the work.
Company A takes the following steps as directed in Creating a role > Creating a role using API:
CompanyExampleB.
CreateRole API to create a role with the roleName as DevOpsRole, and grant the role the permissions allowing it to operate all Company A’s CVM resources in the Guangzhou region.
Company B takes the following steps as directed in Assigning role policies to sub-accounts:
DevB to assume the DevOpsRole role.
If company B (CompanyExampleB) wants to directly operate the resources of company A (CompanyExampleA), they can also request temporary credentials to perform operations.
DevOpsRole. Input parameters are as follows:
roleArn=qcs::cam::uin/12345:roleName/DevOpsRole,
roleSessionName=DevBAssumeTheRole,
durationSeconds=7200
If this API is called successfully, the response will be as follows:
{
"credentials": {
"sessionToken": "5e776c4216ff4d31a7c74fe194a978a3ff2a42864",
"tmpSecretId": "AKI***PCl",
"tmpSecretKey": "Vpx***MqD"
},
"expiredTime": 1506433269,
"expiration": "2018-09-26T13:41:09Z"
}
DevB can perform operations on company A’s resources within the scope of permissions during the validity period of the credentials.
DevB wants to call the DescribeInstances API to view the CVM list. DevB needs to replace the values of SecretId and SecretKey with the values of tmpSecretId and tmpSecretKey, and set the Token in Common Parameters to the value of sessionToken.
To stop authorizing company B, company A only needs to delete the DevOpsRole role.
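The credential handling described above, as an added example that is not part of the original page or of any Tencent Cloud SDK: it checks that the roleArn names the expected owner account, maps the response fields onto SecretId, SecretKey and Token, and refuses credentials that are expired or close to expiry. The function names, the role-name character set in the pattern and the 300-second margin are assumptions made for illustration.

```python
import json
import re
import time

# ARN layout as printed on the page; the role-name character set is an assumption.
ROLE_ARN_RE = re.compile(r"qcs::cam::uin/(\d+):roleName/([^/:\s]+)")

# Response body copied from the page (secrets are already masked there).
SAMPLE_RESPONSE = json.loads("""
{"credentials": {"sessionToken": "5e776c4216ff4d31a7c74fe194a978a3ff2a42864",
                 "tmpSecretId": "AKI***PCl", "tmpSecretKey": "Vpx***MqD"},
 "expiredTime": 1506433269, "expiration": "2018-09-26T13:41:09Z"}
""")

def parse_role_arn(role_arn, expected_uin):
    """Return the role name; reject ARNs that name an unexpected owner account."""
    m = ROLE_ARN_RE.fullmatch(role_arn)
    if m is None:
        raise ValueError("malformed roleArn")
    if m.group(1) != expected_uin:
        raise ValueError("roleArn points at a different account")
    return m.group(2)

def to_common_params(response, now=None, margin=300):
    """Map the temporary credentials onto SecretId, SecretKey and Token.

    Raises when the credentials are expired or expire within `margin`
    seconds (hypothetical safety window), so the caller requests new ones.
    """
    now = time.time() if now is None else now
    if response["expiredTime"] - now < margin:
        raise RuntimeError("temporary credentials expired or about to expire")
    creds = response["credentials"]
    return {"SecretId": creds["tmpSecretId"],
            "SecretKey": creds["tmpSecretKey"],
            "Token": creds["sessionToken"]}

def redact(params):
    """Log-safe copy: only the SecretId stays readable."""
    return {k: v if k == "SecretId" else "<redacted>" for k, v in params.items()}

if __name__ == "__main__":
    role = parse_role_arn("qcs::cam::uin/12345:roleName/DevOpsRole", "12345")
    issued_at = SAMPLE_RESPONSE["expiredTime"] - 7200  # durationSeconds=7200
    print(role, redact(to_common_params(SAMPLE_RESPONSE, now=issued_at)))
```

Passing `now` explicitly keeps the expiry check testable; in real use it defaults to the current time, so the page's sample response is rejected as expired.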