1. Experiment
1.1 Knowledge points
This experiment uses the Alibaba Cloud Provider plug-in for Terraform and introduces the three most common ways of managing RAM accounts with Terraform. RAM (Resource Access Management) is the Alibaba Cloud service for managing user identities and resource access permissions. RAM lets you create and manage multiple identities under one Alibaba Cloud account and assign different permissions to each identity or to a group of identities, so that different users have different resource access permissions. The features of RAM are as follows:
Centralized control of RAM users and their keys: Manage each RAM user and their access keys, and bind multi-factor authentication (MFA) devices to users.
Centralized control of RAM user permissions: Control the permissions of each RAM user to access resources.
Centralized control of how RAM users reach resources: Ensure that RAM users can access specific Alibaba Cloud resources only through secure channels, at specified times and from specified network environments.
1.2 Experiment process
- Terraform Environment Preparation
- RAM User Management
1.3 Scene architecture diagram
1.4 Cloud resources required
1.5 Prerequisites
- If you are using your own Alibaba Cloud account instead of the account provided by this lab, choose the same Ubuntu 16.04 operating system for your ECS instance so that the experiment runs smoothly.
- Before starting the experiment, confirm that the previous experiment has been closed normally and exited.
2. Start the experiment environment
Click Start Lab in the upper right corner of the page to start the experiment.
After the experiment environment has started, the system has deployed the resources needed for the experiment in the background, for example the ECS instance, RDS instance, Server Load Balancer instance and OSS bucket. An account consisting of a username and password for logging on to the Alibaba Cloud Web console is also provided.
Once the environment is started and the related resources are deployed, the experiment starts a countdown. You have one hour to perform the experimental operations; when the countdown ends the experiment stops and the related resources are released. During the experiment, pay attention to the remaining time and plan accordingly. Next, use the username and password provided by the system to log on to the Alibaba Cloud Web console and view the related resources:
Go to the logon page of Alibaba Cloud console.
Fill in the sub-user account and click on Next.
Fill in the sub-user password and click on Login.
After successfully logging on to the console, you will see the following page.
3.1 Log on to ECS
Click Elastic Compute Service, as shown in the following figure.
You can see one running ECS instance in the Silicon Valley region.
Copy the Internet IP address of this ECS instance and log on to the ECS (Ubuntu) instance remotely. For details of remote login, refer to login.
The default account name and password of the ECS instance:
Account name: root
Password: nkYHG890..
Run the following command to update the apt installation source:
apt update
Run the following command to install the unpacking tool:
apt install -y unzip zip
Run the following command to download the Terraform installation package:
wget http://labex-ali-data.oss-us-west-1.aliyuncs.com/terraform/terraform_0.14.6_linux_amd64.zip
Run the following command to unpack the Terraform installation package to /usr/local/bin:
unzip terraform_0.14.6_linux_amd64.zip -d /usr/local/bin/
4. RAM User Management
4.1 Create AccessKey
As shown below, click AccessKey Management.
Click Create AccessKey. After the AccessKey has been created, the AccessKeyID and AccessKeySecret are displayed. The AccessKeySecret is displayed only once; click Download CSV File to save it.
4.2 Obtain the User ID of the Primary Account
Go to the Message Service console, as shown in the following figure.
Select the US (Silicon Valley) region; an automatically created message queue instance is listed there. The name of this instance is the UID of your current Alibaba Cloud account (the leading letter “U” is not part of the UID).
4.3 RAM Account Management
Enter the following command to create the “ram” directory and enter it.
mkdir -p ram && cd ram
Enter the command vim main.tf
to create the main.tf file. Copy the following content into the file, then save and exit. Replace YOUR-ACCESS-KEY and YOUR-ACCESS-KEY-SECRET with the AccessKeyID and AccessKeySecret obtained in step 4.1.
This configuration file defines a RAM account and a permission policy, and binds the RAM account to the permission policy.
provider "alicloud" {
  access_key = "YOUR-ACCESS-KEY"
  secret_key = "YOUR-ACCESS-KEY-SECRET"
  region     = "ap-southeast-1"
}

# Create a RAM user.
resource "alicloud_ram_user" "user" {
  name         = "LabEx-Ram"
  display_name = "LabEx-Ram-display"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

# Give the RAM user a console logon password.
resource "alicloud_ram_login_profile" "profile" {
  user_name               = alicloud_ram_user.user.name
  password                = "Aliyun-test"
  password_reset_required = false
}

# Create a custom permission policy: read-only ECS and VPC access in ap-southeast-1.
resource "alicloud_ram_policy" "policy" {
  policy_name     = "LabEx_policy"
  policy_document = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs:Describe*",
      "Resource": "acs:*:ap-southeast-1:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:List*",
      "Resource": "acs:*:ap-southeast-1:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "acs:*:ap-southeast-1:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
  description = "this is a policy test"
  force       = true
}

# Attach the policy to the RAM user.
resource "alicloud_ram_user_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy.name
  policy_type = alicloud_ram_policy.policy.type
  user_name   = alicloud_ram_user.user.name
}

# Output
output "ram_user_id" {
  description = "ram user id"
  value       = alicloud_ram_user.user.id
}
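The configuration above writes the AccessKey pair and the console password into main.tf as literal strings, so they end up in the file, in version control and in the shell history of anyone who pastes them. The following added example (written for this page, not part of the lab) keeps the same user but takes all three secrets from Terraform input variables marked sensitive (supported since Terraform 0.14, the version installed in step 3.1) and forces a password change and MFA binding at first logon. The variable names and the TF_VAR_ environment variables in the usage note are this example's own choices.

```hcl
# Added example: secrets supplied at run time instead of written into main.tf.
variable "access_key" {
  type      = string
  sensitive = true   # redacted in plan/apply output (Terraform >= 0.14)
}

variable "secret_key" {
  type      = string
  sensitive = true
}

variable "initial_password" {
  type      = string
  sensitive = true
}

provider "alicloud" {
  access_key = var.access_key
  secret_key = var.secret_key
  region     = "ap-southeast-1"
}

resource "alicloud_ram_user" "user" {
  name         = "LabEx-Ram"
  display_name = "LabEx-Ram-display"
  force        = true
}

# The console password also comes from a variable; the user must change it
# at first logon and bind an MFA device before the console can be used.
resource "alicloud_ram_login_profile" "profile" {
  user_name               = alicloud_ram_user.user.name
  password                = var.initial_password
  password_reset_required = true
  mfa_bind_required       = true
}
```

Supply the values from the environment before running terraform plan or apply, for example export TF_VAR_access_key=..., TF_VAR_secret_key=... and TF_VAR_initial_password=...; Terraform maps any TF_VAR_name variable onto the input variable called name. If access_key and secret_key are omitted from the provider block entirely, the alicloud provider reads ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY from the environment instead. Note that sensitive only hides the values from Terraform's console output; they are still stored in plain text in terraform.tfstate, so the state file needs the same protection as the keys themselves.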
Enter the following command to initialize the Terraform provider plug-in.
terraform init
Enter the following command to list the creation plan.
terraform plan
Run the following command to create the resources defined in the main.tf configuration file.
terraform apply
Go back to the Alibaba Cloud RAM console.
You can see that a new RAM account has been created. The other RAM account is the one you are currently using.
Click the new RAM account to view the details.
View the permission information.
If you want to log on to Alibaba Cloud with the new RAM account, follow the logon process below.
Because you are already logged on to Alibaba Cloud with a RAM account in this browser, it is better to switch to another browser or use incognito mode in the current browser to avoid session conflicts.
First, obtain the logon link of the RAM account.
Enter the name of the new RAM account and click Next.
Enter the password and click Log on.
Go back to the command line and run the following command to delete the RAM account information that you created before.
terraform destroy
4.4 RAM User Group Management
Run the following command to create a new “ram-group” directory and enter the directory.
mkdir -p ~/ram-group && cd ~/ram-group
Enter the command vim main.tf
to create the main.tf file. Copy the following content into the file, then save and exit. Replace YOUR-ACCESS-KEY and YOUR-ACCESS-KEY-SECRET with the AccessKeyID and AccessKeySecret obtained in step 4.1.
This configuration file defines two user groups, each with different permission policies and different RAM users.
provider "alicloud" {
  access_key = "YOUR-ACCESS-KEY"
  secret_key = "YOUR-ACCESS-KEY-SECRET"
  region     = "ap-southeast-1"
}

# Create two RAM groups.
resource "alicloud_ram_group" "develop" {
  name     = "develop_group"
  comments = "this is a develop group comments."
  force    = true
}

resource "alicloud_ram_group" "operation" {
  name     = "operation_group"
  comments = "this is a operation group comments."
  force    = true
}

# Create one RAM user for each group.
resource "alicloud_ram_user" "user1" {
  name         = "LabEx_user1"
  display_name = "LabEx_user1_display"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "develop_group"
  force        = true
}

resource "alicloud_ram_user" "user2" {
  name         = "LabEx_test2"
  display_name = "LabEx_user2_display"
  mobile       = "86-18688888889"
  email        = "hello.uuu@aaa.com"
  comments     = "operation_group"
  force        = true
}

# Add each user to its group.
resource "alicloud_ram_group_membership" "membership1" {
  group_name = alicloud_ram_group.develop.name
  user_names = [alicloud_ram_user.user1.name]
}

resource "alicloud_ram_group_membership" "membership2" {
  group_name = alicloud_ram_group.operation.name
  user_names = [alicloud_ram_user.user2.name]
}

# One policy per group; they differ only in the region they cover.
resource "alicloud_ram_policy" "policy_develop" {
  policy_name     = "policy_develop"
  policy_document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "ecs:*List*",
        "ecs:*Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:*:ap-southeast-1:*:*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a develop policy"
  force       = true
}

resource "alicloud_ram_policy" "policy_operation" {
  policy_name     = "policy_operation"
  policy_document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "ecs:*List*",
        "ecs:*Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:*:us-west-1:*:*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a operation policy"
  force       = true
}

# Attach each policy to its group; members inherit the group's policy.
resource "alicloud_ram_group_policy_attachment" "attach_develop" {
  policy_name = alicloud_ram_policy.policy_develop.name
  policy_type = alicloud_ram_policy.policy_develop.type
  group_name  = alicloud_ram_group.develop.name
}

resource "alicloud_ram_group_policy_attachment" "attach_operation" {
  policy_name = alicloud_ram_policy.policy_operation.name
  policy_type = alicloud_ram_policy.policy_operation.type
  group_name  = alicloud_ram_group.operation.name
}

# Output
output "operation_group_name" {
  description = "operation group name"
  value       = alicloud_ram_group.operation.name
}

output "develop_group_name" {
  description = "develop group name"
  value       = alicloud_ram_group.develop.name
}

output "ram_user1_id" {
  description = "ram user1 id"
  value       = alicloud_ram_user.user1.id
}

output "ram_user2_id" {
  description = "ram user2 id"
  value       = alicloud_ram_user.user2.id
}
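The group policies above restrict only the region; any member of develop_group can read ECS resources from anywhere, with or without MFA, and the "ecs:*List*" / "ecs:*Get*" wildcards match more actions than the Describe and List calls the lab needs. Section 1.1 lists network- and MFA-based restrictions as RAM features, and they are expressed as a Condition block in the policy document. The following added example (written for this page, not part of the lab) is an additional group policy for develop_group that grants read-only ECS access only from a given network range and only when the caller authenticated with MFA. It assumes it is placed in the same main.tf as the configuration above so that alicloud_ram_group.develop resolves; the 203.0.113.0/24 range is a constructed placeholder for a corporate egress network.

```hcl
# Added example: a group policy conditioned on source network and MFA.
resource "alicloud_ram_policy" "policy_develop_restricted" {
  policy_name     = "policy_develop_restricted"
  policy_document = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:Describe*",
        "ecs:List*"
      ],
      "Effect": "Allow",
      "Resource": "acs:ecs:ap-southeast-1:*:*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["203.0.113.0/24"]
        },
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ]
}
EOF
  description = "read-only ECS access, corporate network and MFA only"
  force       = true
}

# Attach it to the develop group; every member inherits the conditions.
resource "alicloud_ram_group_policy_attachment" "attach_develop_restricted" {
  policy_name = alicloud_ram_policy.policy_develop_restricted.name
  policy_type = alicloud_ram_policy.policy_develop_restricted.type
  group_name  = alicloud_ram_group.develop.name
}
```

acs:SourceIp and acs:MFAPresent are RAM condition keys; the Resource field here names the ecs service explicitly instead of the "acs:*:..." wildcard used in the lab, so the statement cannot accidentally match another service that shares the same region-scoped ARN shape. Because RAM denies by default, a request that fails either condition is simply not matched by this statement rather than being actively blocked, so it is safe to attach next to the lab's broader policy while testing and remove the broader one once the narrower policy is verified.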
Enter the following command to initialize the Terraform provider plug-in.
terraform init
Run the following command to view the creation plan.
terraform plan
Run the following command to create the resources defined in the main.tf configuration file.
terraform apply
The resources are created.
Go back to the Alibaba Cloud RAM console.
You can see that two new RAM users have been created.
Two new RAM user groups have also been created.
Each of the RAM users belongs to one of the two new RAM user groups.
Each RAM user group is bound to its own policy; the users in a group automatically inherit that group's policy.
Go back to the command line and run the following command to delete the RAM account information that you created before.
terraform destroy
4.5 RAM Role Management
A RAM role is similar to a RAM user: it is a virtual user that has no fixed authentication credentials of its own and must be assumed by a trusted entity user before it can be used.
The basic concepts of RAM roles
| Concept | Description |
| --- | --- |
| RAM role | A RAM role is a virtual user. It differs from entity users (Alibaba Cloud accounts, RAM users and cloud services) and from textbook roles. Entity user: has a fixed logon password or access key. Textbook role: a textbook (traditional) role is a set of permissions, similar to a permission policy in RAM; giving a user this role means giving the user a set of permissions to access authorized resources. RAM role: a RAM role has an identity of its own and can be granted a set of permission policies, but it has no fixed logon password or access key. A RAM role must be assumed by a trusted entity user. The entity user that assumes the RAM role obtains the security token of that role and can use the token to access authorized resources as the RAM role. |
| Role ARN | The role ARN is the global resource descriptor of a role and identifies one specific role. It follows the Alibaba Cloud ARN naming convention. For example, the ARN of the DevOps role under an Alibaba Cloud account is acs:ram::123456789012****:role/samplerole. After you create a role, click the role name to view its ARN on the Basic Information page. |
| Trusted entity | The trusted entity of a role is the entity user identity that is allowed to assume the role. You must specify a trusted entity when creating a role, and only that trusted entity can assume it. A trusted entity can be a trusted Alibaba Cloud account, a trusted Alibaba Cloud service, or an identity provider. |
| Policy | A role can be bound to a set of permission policies. A role that is not bound to any policy can exist, but it cannot access resources. |
| Assume role | Assuming a role is the way an entity user obtains a security token with the role identity. The entity user calls the STS API AssumeRole to obtain the role's security token, which can then be used to call cloud service APIs. |
| Switch role | Switching roles is the way an entity user changes from the current logon identity to a role identity in the console. After logging on to the console, the entity user can switch to a role it is authorized to assume and then operate cloud resources as that role. When the role identity is no longer needed, the user can switch back to the original logon identity. |
| Role token | A role token is a temporary access key for a role identity; the role itself has no fixed access key. When an entity user wants to use a role, it must obtain the role token by assuming the role and then use that token to call Alibaba Cloud service APIs. |
How to use a RAM role
Assume a role through an API: an entity user obtains a role token by calling AssumeRole and uses the role token to access cloud service APIs.
Assume a role in the console: identity switching is the way an entity user changes from the current logon identity to a RAM role in the console.
The following section describes how to assume a role in the console.
Enter the following command to create a new “role” directory and enter it.
mkdir -p ~/role && cd ~/role
Enter the command vim main.tf
to create the main.tf file. Copy the following content into the file, then save and exit. Replace YOUR-ACCESS-KEY and YOUR-ACCESS-KEY-SECRET with your own values, and replace YOUR-PRIMARY-ACCOUNT-UID with the UID of your current primary account, which is the UID obtained in step 4.2.
This configuration file defines a role and a permission policy, and binds the role to the policy. Note that the role name may already be in use in the account, which causes creation to fail; it is recommended that you change the name yourself.
provider "alicloud" {
  access_key = "YOUR-ACCESS-KEY"
  secret_key = "YOUR-ACCESS-KEY-SECRET"
  region     = "ap-southeast-1"
}

# Create a new RAM role. The document is the trust policy: it allows the
# primary account (and therefore its RAM users) to assume this role.
resource "alicloud_ram_role" "role" {
  name     = "LabExRole"
  document = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::YOUR-PRIMARY-ACCOUNT-UID:root"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a role test ."
  force       = true
}

# Permission policy granted to whoever assumes the role.
resource "alicloud_ram_policy" "policy" {
  policy_name     = "LabEx_policy"
  policy_document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

# Attach the policy to the role.
resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy.name
  policy_type = alicloud_ram_policy.policy.type
  role_name   = alicloud_ram_role.role.name
}

output "role_name" {
  description = "ram role name"
  value       = alicloud_ram_role.role.id
}
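Two things in the role configuration above are broader than a production role would be: the trust policy names the account root, so every RAM user in the account can assume the role, and the permission policy uses "Resource": "*", so the role can read every OSS bucket in the account. The following added example (written for this page, not part of the lab) shows the same role pattern tightened to one named RAM user and one bucket. It assumes the UID from step 4.2 and the LabEx-Ram user from step 4.3 are supplied as variables, and the bucket name example-bucket is a placeholder.

```hcl
# Added example: a role that only one named RAM user may assume, limited to one bucket.
variable "primary_account_uid" {
  type = string   # the UID obtained in step 4.2
}

variable "trusted_user_name" {
  type    = string
  default = "LabEx-Ram"   # assumption: the RAM user created in step 4.3
}

variable "bucket_name" {
  type    = string
  default = "example-bucket"   # placeholder bucket name
}

resource "alicloud_ram_role" "role_scoped" {
  name     = "LabExRoleScoped"
  document = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::${var.primary_account_uid}:user/${var.trusted_user_name}"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  description          = "assumable only by one RAM user"
  force                = true
  max_session_duration = 3600   # role tokens expire after one hour
}

# Read-only access to a single bucket and the objects in it.
resource "alicloud_ram_policy" "policy_scoped" {
  policy_name     = "LabEx_policy_scoped"
  policy_document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:${var.bucket_name}",
        "acs:oss:*:*:${var.bucket_name}/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "read-only access to one bucket"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "attach_scoped" {
  policy_name = alicloud_ram_policy.policy_scoped.name
  policy_type = alicloud_ram_policy.policy_scoped.type
  role_name   = alicloud_ram_role.role_scoped.name
}
```

Terraform interpolates ${var.…} inside the heredoc, so the trust policy and the OSS ARNs are built from the variables rather than edited by hand. The principal "acs:ram::UID:user/NAME" replaces the "acs:ram::UID:root" form used in the lab; a user outside that list receives an error from AssumeRole even if it is in the same account. The bucket is listed twice because ListObjects applies to the bucket ARN while GetObject applies to the object ARNs under it.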
Enter the following command to initialize the Terraform provider plug-in.
terraform init
Run the following command to view the creation plan.
terraform plan
Run the following command to create the resources defined in the main.tf configuration file.
terraform apply
After the resources are created, return to the Alibaba Cloud console.
View the permissions of the role. A user who switches to this role can use the permission policy bound to the role.
As shown in the following figure, you now switch the current RAM account to the “LabExRole” role.
Enter the account ID of the current Alibaba Cloud account and the role name.
You have switched to the role; you now operate with the permission policy bound to the role.
When you no longer need the role's permission policy, you can switch back to the original RAM user.
Return to the ECS command line and run the following command to delete resources.
terraform destroy
Reminder:
Before you leave this lab, remember to log out of your Alibaba RAM account before you click the ‘stop’ button of your lab. Otherwise you will encounter problems when opening a new lab session in the same browser.
5. Experiment summary
This experiment describes three common ways of using Terraform to manage RAM accounts. With RAM, you can create and manage RAM users (such as employees, systems or applications) and control their permissions on resources. RAM lets you avoid sharing the Alibaba Cloud account's own keys with other users and lets you assign the minimum permissions each user needs, which reduces the enterprise's information security risk.