# Set up Account Access for BYOC on Alibaba Cloud

Before you can provision a BYOC [infrastructure pool](/cloud/clusters/streamnative-cluster-overview#infrastructure-pools), you will need to authorize the StreamNative Cloud control plane to access your cloud accounts. This enables StreamNative to provision and manage clusters within your Alibaba Cloud account.

This document describes how to grant such access to StreamNative Cloud for an Alibaba Cloud account.

## Access model in Alibaba Cloud

StreamNative uses Alibaba Cloud RAM features to keep the granted access minimal and precise, so that only the resources it needs are managed:

* **Bootstrap/Provisioning Role**: This role provisions and maintains the underlying infrastructure (VPCs, ACK clusters and their node groups, RAM resources, and so on) and is also used by StreamNative's SRE team for troubleshooting during incidents. It additionally serves automated management tasks and interacts with the ACK cluster to deploy and manage Pulsar clusters.
* **Support Role:** This role is used by the StreamNative SRE and Support team for troubleshooting during incidents.

Both roles use the same policy that allows StreamNative's cloud manager role to assume them within the customer's account. These roles are safeguarded using several Alibaba Cloud security features:

* An external ID is required for role assumption, which protects against the confused deputy problem when a third party accesses your Alibaba Cloud account (see [Use external IDs to prevent the confused deputy issue](https://www.alibabacloud.com/help/en/ram/use-cases/use-externalid-to-prevent-the-confused-deputy-problem)).
* Tag-based access control through the `Vendor: StreamNative` tag is used where applicable: resources are created with this tag, and access is limited to resources that carry it (see [Use tags to control access to resources](https://www.alibabacloud.com/help/en/resource-management/tag/user-guide/use-tags-to-control-access-to-resources-1)).
* All RAM policies are statically created by the customer (via the [StreamNative Vendor Access](https://github.com/streamnative/terraform-managed-cloud) Terraform module), so the scope of access is fixed and reviewable up front.
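To make the first two controls concrete, the following is an illustrative sketch, added here and not the module's own code, of the shape of the two policy documents involved: a trust policy that gates `sts:AssumeRole` on the external ID, and a permission statement scoped to resources tagged `Vendor: StreamNative`. The StreamNative account ID, the external ID and the `ecs:*` action list are placeholders; the real values and the exact actions come from the module.

```hcl
locals {
  # Trust policy (who may assume the role). The StringEquals condition on
  # sts:ExternalId means a caller in the StreamNative account can only assume
  # the role if it also presents the agreed external ID, which is what closes
  # the confused-deputy gap. Account ID and external ID are placeholders.
  trust_policy = jsonencode({
    Version = "1"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { RAM = ["acs:ram::<STREAMNATIVE_ACCOUNT_ID>:root"] }
      Condition = {
        StringEquals = { "sts:ExternalId" = "<EXTERNAL_ID>" }
      }
    }]
  })

  # Permission policy (what the role may do). The weak form would be
  # Action = ["ecs:*"], Resource = "*" with no condition. Adding the
  # acs:ResourceTag condition limits the statement to resources that carry
  # the Vendor=StreamNative tag, so untagged resources in the account are
  # outside the role's reach. The action list is a placeholder.
  tag_scoped_policy = jsonencode({
    Version = "1"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ecs:*"]
      Resource = "*"
      Condition = {
        StringEquals = { "acs:ResourceTag/Vendor" = "StreamNative" }
      }
    }]
  })
}
```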

## Provision Alibaba Cloud Access

StreamNative facilitates the setup of necessary policies and roles through a <Tooltip tip="A terraform module is a reusable block of Terraform code that is easily shared">Terraform</Tooltip> module. This module can be provisioned in a standalone Terraform project (as documented here), but can also be integrated into existing Terraform projects.

For full documentation of inputs and outputs of the Terraform module, see the [module's README on GitHub](https://github.com/streamnative/terraform-managed-cloud/tree/main/modules/alicloud).

### Prerequisites

* New to Terraform? Work through the [Terraform Alibaba Cloud Getting Started Tutorial](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) for a basic introduction.
* Install Terraform, version 1.3.0 or greater.
* Ensure you have created an organization through the StreamNative Cloud Console.

If you run into issues, please contact [StreamNative Support team](https://support.streamnative.io/hc/en-us/requests/new).

### Step 1: Create a new project and instantiate the module

Terraform works with Terraform code (in the form of `*.tf` files) and state files that represent the resources it currently manages. If you use Terraform locally, without a [remote state store](https://developer.hashicorp.com/terraform/language/state/remote), check these files into source control so that future updates can be applied against the same state. Create a new folder and add a file called `main.tf` with the following content, replacing the referenced variables.

```hcl theme={null}
provider "alicloud" {
  region = "ap-southeast-1"
}

module "vendor_access" {
  source           = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/vendor-access?ref=v3.23.0"
  organization_ids = ["<YOUR_SNCLOUD_ORG_ID>"]
}
```

* `<YOUR_SNCLOUD_ORG_ID>`: your StreamNative Cloud organization ID. This is typically an ID like `o-xxxxx` and can be found in your organization list or in the top header of the application. If you have multiple organizations, you can put multiple organization IDs in this list.

If you use `git` for source control, run `git init` to initialize this folder as a git repository.

### Step 2: Initialize the Terraform

While the Terraform code above is all that is needed, the module itself still has to be downloaded into this Terraform project.

To do so, run `terraform init`.

This will download the module and its required dependencies.

### Step 3: Create a shell with the correct Alibaba Cloud credentials

Terraform requires Alibaba Cloud credentials with sufficient permissions in the target account to create the resources that grant access. The permissions the module needs are all Alibaba Cloud RAM permissions, specifically to manage roles, policies, and attachments. The Alibaba Cloud managed policy `AliyunRAMFullAccess` is sufficient to perform these operations.

All of the [Terraform Alibaba Cloud credentials mechanisms](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) are compatible with the Terraform module.

If you are new to Terraform and Alibaba Cloud, the following steps will provide credentials in your shell:

1. Follow the steps to create an [access key and secret](https://www.alibabacloud.com/help/en/ram/user-guide/create-an-accesskey-pair) for your user.
2. Set the `ALIBABA_CLOUD_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_SECRET`, and `ALIBABA_CLOUD_REGION` environment variables from the generated credentials.

### Step 4: Run the Terraform

After initialization, and with credentials in the shell, the next step is to run the Terraform with `terraform apply`.

This creates a Terraform plan that shows all the resources to be created; review it, then confirm to let Terraform create them.

### Step 5: Annotate the account ID to be used by StreamNative

Once the apply completes, note the account ID of the Alibaba Cloud account in which you have granted access to StreamNative Cloud. You will use this account ID to create a Cloud Connection.

## Next steps

After granting access, you can set up a Cloud Connection to allow the StreamNative Cloud control plane to interact with your Alibaba Cloud account.
