Grant RAM permission for OOS

Last Updated: Sep 05, 2019

This topic describes how to grant Operation Orchestration Service (OOS) the permissions it requires to access other cloud products. For more information about how to grant a user the permissions required to access OOS, see Access control.

OOS uses the temporary tokens issued by Security Token Service (STS) to access the APIs of other cloud products. You must authorize the OOS account to use a Resource Access Management (RAM) role to access your resources.

    • If the RAM role is not specified in the template, OOS uses the default role OOSServiceRole.
    • If the RAM role is specified in the template, OOS uses the specified role.


Note: Temporary tokens are updated periodically.

Required permissions

OOS requires a different set of cloud product API permissions for each template that it executes. You can call the GenerateExecutionPolicy operation of OOS to obtain the set of permissions required to execute a specified template, and then grant the RAM role that minimum set of permissions. You can also grant the RAM role the full access permission for the related cloud products.
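The following added example (not part of the original documentation or of OOS itself) compares the policy attached to the OOS role with the minimum set of permissions for a template, and reports grants that go beyond it. It assumes that both inputs are RAM policy documents, that GenerateExecutionPolicy output has that shape, and that action names compare case-insensitively; the two sample policies and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample: minimum permissions for a template that starts and stops
# ECS instances (assumed shape of the GenerateExecutionPolicy result).
REQUIRED_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["ecs:DescribeInstances", "ecs:StartInstance", "ecs:StopInstance"]}]}
""")

# Constructed sample: a full-access style grant on ECS.
FULL_ACCESS_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
""")

def allowed_actions(policy):
    """Return the Action patterns of every Allow statement, lowercased.
    Deny statements and Resource scoping are not evaluated here."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns

def covers(pattern, action):
    """True if a granted pattern (which may contain '*') matches an action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def audit(required, attached):
    """Compare the role's attached policy with the minimum required set."""
    needed = allowed_actions(required)
    granted = allowed_actions(attached)
    # Required actions that no granted pattern covers: the template would fail.
    missing = sorted(a for a in needed if not any(covers(g, a) for g in granted))
    # Granted patterns that are not in the required set: broader than needed.
    excess = sorted(g for g in granted if g not in needed)
    return {"missing": missing, "excess": excess}

if __name__ == "__main__":
    print(audit(REQUIRED_POLICY, FULL_ACCESS_POLICY))
    print(audit(REQUIRED_POLICY, REQUIRED_POLICY))
```

An empty `missing` list with a non-empty `excess` list means the template can run but the role holds more than the minimum set.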

Create a RAM role for OOS

  1. Log on to the RAM console.

  2. Click RAM Roles in the left-side navigation pane. On the page that appears, click Create RAM Role.

  3. In the dialog box that appears, select Alibaba Cloud Service as the trusted entity type, and then click Next.

  4. Set RAM Role Name. The value must be the same as the RAM role specified in your OOS template. If the RAM role is not specified in the template, the default role OOSServiceRole is used.

  5. Select Operation Orchestration Service as the trusted service.

  6. Click OK.

Grant required permissions to the OOS-trusted role

  1. Log on to the RAM console.

  2. Click Add Permissions in the Quick Entries section.

  3. In the dialog box that appears, set Principal to OOSServiceRole, and then, in the Select Policy section, select the authorization policies that you need. For example, if you want to use an OOS template to create, release, start, or stop an Elastic Compute Service (ECS) instance, you can select the full access authorization policy of ECS.

  4. Click OK.
    The role is now authorized.