Set up an Alibaba Cloud connector

Capabilities

Resource	Sync	Provision
Account
Users
Groups
Roles
Policies

Gather Alibaba Cloud credentials

The current Alibaba Cloud connector is read-only partial access sync. It syncs identity inventory and group membership grants, but does not yet sync policy attachment or role assumption grants.

Create or select an Alibaba Cloud RAM user for the connector. Do not use Alibaba Cloud account root AccessKeys.

Attach the Alibaba-managed AliyunRAMReadOnlyAccess policy, or attach a custom read-only policy that allows ram:GetAccountAlias, ram:ListUsers, ram:ListGroups, ram:ListUsersForGroup, ram:ListRoles, and ram:ListPolicies.

Create an AccessKey pair for that RAM user.

Copy the AccessKey ID.

Copy the AccessKey Secret.

Configuration fields

Field	Required	Description
`access-key-id`	Yes	AccessKey ID for an Alibaba Cloud RAM user with read-only RAM permissions.
`access-key-secret`	Yes	AccessKey Secret paired with the AccessKey ID.

Synced resource types

Account: account alias from RAM GetAccountAlias.
Users: active and frozen users from IMS ListUsers.
Groups: groups from IMS ListGroups.
Group membership grants: group members from IMS ListUsersForGroup.
Roles: roles from RAM ListRoles.
Policies: system and custom policies from RAM ListPolicies.

Special notes

Authentication uses Alibaba Cloud ACS3-HMAC-SHA256 request signing.
Use one connector instance per Alibaba Cloud account.
Policy attachment grants are not emitted in the current build.
Role assumption grants and role attached-policy grants are not emitted in the current build.
The connector keeps Alibaba RAM and IMS metadata snapshots in the repo for local validation.

Configure the Alibaba Cloud connector

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by C1.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for Alibaba Cloud and click Add.

Choose how to set up the new Alibaba Cloud connector.

Set the owner for this connector.

Click Next.

Find the Settings area of the page and click Edit.

Paste the Alibaba Cloud credentials into the relevant fields:

AccessKey ID: The RAM identity AccessKey ID.
AccessKey Secret: The paired AccessKey Secret.

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

Done. Your Alibaba Cloud connector is now pulling access data into C1.

Follow these instructions to run the Alibaba Cloud connector in your own environment.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for Baton and click Add.

Choose how to set up the new Alibaba Cloud connector, set the owner, and click Next.

In the Settings area, click Edit, then click Rotate to generate a new Client ID and Client Secret. Store these values securely for your deployment.

Configure C1 credentials and Alibaba Cloud credentials as environment variables:

BATON_CLIENT_ID=<C1 client ID>
BATON_CLIENT_SECRET=<C1 client secret>
BATON_HOST_ID=baton-alibaba-cloud
BATON_ACCESS_KEY_ID=<Alibaba Cloud RAM AccessKey ID>
BATON_ACCESS_KEY_SECRET=<Alibaba Cloud RAM AccessKey Secret>

Deploy the connector using the Public ECR image:

public.ecr.aws/conductorone/baton-alibaba-cloud:<version>

Use a version tag without the leading v, such as 0.0.3.

Done. Your Alibaba Cloud connector is now pulling access data into C1.

Set up an Airflow connector

Set up an Amazon EKS connector

⌘I

​Capabilities

​Gather Alibaba Cloud credentials

​Configuration fields

​Synced resource types

​Special notes

​Configure the Alibaba Cloud connector

Capabilities

Gather Alibaba Cloud credentials

Configuration fields

Synced resource types

Special notes

Configure the Alibaba Cloud connector