Using a Role

Last updated: 2021-03-26 15:57:47


    You can use roles through CAM APIs. This document describes how to use roles through APIs with a typical use case.


    For example:

    • Company A wants to outsource its OPS Engineer position to Company B. The person taking the position needs the access to all Company A's CVM resources located in the Guangzhou region.
    • Company A has an enterprise account, CompanyExampleA (ownerUin: 12345).
    • Company B has an enterprise account, CompanyExampleB (ownerUin: 67890).
    • Company B has a sub-account, DevB, and wants to use DevB to do the work.


    Company A takes the following steps as directed in Creating a role > Creating a role using API:

    1. Create a role, and set the role entity to Company B’s enterprise account, CompanyExampleB.
    2. Call the CreateRole API to create a role with the roleName as DevOpsRole, and grant the role the permissions allowing it to operate all Company A’s CVM resources in the Guangzhou region.

    Company B takes the following steps as directed in Assigning role policies to sub-accounts:

    1. Authorize the sub-account DevB to assume the DevOpsRole role.
    2. Call the AssumeRole API to apply for temporary credentials for the role DevOpsRole. Input parameters are as follows:

      If company B (CompanyExampleB) wants to directly operate the resources of company A (CompanyExampleA), they can also request temporary credentials to perform operations.

      If this API is called successfully, the response will be as follows:
       "credentials": {
           "sessionToken": "5e776c4216ff4d31a7c74fe194a978a3ff2a42864",
           "tmpSecretId": "AKI***PCl",
           "tmpSecretKey": "Vpx***MqD"
       "expiredTime": 1506433269,
       "expiration": "2018-09-26T13:41:09Z"
    3. DevB can perform operations on company A’s resources within the scope of permissions during the validity period of the credentials.
      For example, DevB wants to call the DescribeInstances API to view the CVM list. DevB needs to replace the values of SecretId and SecretKey with the values of tmpSecretId and tmpSecretKey , and set the Token in Common Parameters to the value of sessionToken.

      To stop authorizing company B, company A only needs to delete the DevOpsRole role.