Grant permissions on stack group operations - Stack groups| Alibaba Cloud Documentation Center

ROS deploys stacks corresponding to stack instances in a stack group by assuming roles. Before you use a stack group, create the necessary RAM roles and grant required permissions to ROS.

Background information

Before you use a stack group, set permissions for the following accounts:

An administrator account
An administrator account is the Alibaba Cloud account in which you create stack groups.
A target account
A target account is the account into which you create stacks in your stack group.

To set account permissions, perform the following steps:

Set permissions in the console
- Set administrator account permissions in the console
- Set target account permissions in the console
Use ROS templates to set permissions

Set administrator account permissions in the console

Create a role named AliyunROSStackGroupAdministrationRole for the administrator account, and grant permissions specified in the AssumeRole-AliyunROSStackGroupExecutionRole policy.

Create a role named AliyunROSStackGroupAdministrationRole and grant permissions to ROS.
1. Log on to the RAM console with an Alibaba Cloud account.
2. In the left-side navigation pane, click RAM Roles.
3. On the RAM Roles page, click Create RAM Role.
4. In the Create RAM Role pane, select Alibaba Cloud Service for the Trusted entity type parameter and click Next.
5. Select Normal Service Role for the Role Type parameter.
6. Set RAM Role Name to AliyunROSStackGroupAdministrationRole and Select Trusted Service to Resource Orchestration Service.
7. Click OK.
Create a permission policy named AssumeRole-AliyunROSStackGroupExecutionRole.
1. In the left-side navigation pane, choosePermissions>Policies.
2. On the Policies page, click Create Policy.
3. Set Policy Name to AssumeRole-AliyunROSStackGroupExecutionRole and Configuration Mode to Script.
  In the Policy Document section, enter the following policy content to allow the AliyunROSStackGroupAdministrationRole role to assume the AliyunROSStackGroupExecutionRole role:
```
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
    }
  ],
  "Version": "1"
}
```
4. Click OK.
Grant the permissions in the AssumeRole-AliyunROSStackGroupExecutionRole policy statement to AliyunROSStackGroupAdministrationRole.
1. In the left-side navigation pane, click RAM Roles.
2. In the RAM Role Name column, click AliyunROSStackGroupAdministrationRole.
3. On the Basic Information page of AliyunROSStackGroupAdministrationRole, click Add Permissions.
4. In the Add Permissions pane, set Principal to AliyunROSStackGroupAdministrationRole and Custom Policy to AssumeRole-AliyunROSStackGroupExecutionRole.
5. Click OK.
6. Click Complete.

Set target account permissions in the console

Create a role named AliyunROSStackGroupExecutionRole for the target account, and grant permissions specified in the AdministratorAccess policy. This set of permissions is required when you use a stack group to create stacks in a target account.

Create a role named AliyunROSStackGroupExecutionRole.
1. Log on to the RAM console with an Alibaba Cloud account.
2. In the left-side navigation pane, click RAM Roles.
3. On the RAM Roles page, click Create RAM Role.
4. In the Create RAM Role pane, select Alibaba Cloud Account for the Trusted entity type parameter and click Next.
5. Set RAM Role Name to AliyunROSStackGroupExecutionRole and Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, and enter the administrator account ID.
6. Click OK.
Grant permissions specified in the AdministratorAccess policy to AliyunROSStackGroupExecutionRole.
1. In the left-side navigation pane, click RAM Roles.
2. In the RAM Role Name column, click AliyunROSStackGroupExecutionRole.
3. On the Basic Information page of AliyunROSStackGroupExecutionRole, click Add Permissions.
4. In the Add Permissions pane, set Principal to AliyunROSStackGroupExecutionRole and System Policy to AdministratorAccess.
5. Click OK.
6. Click Complete.

Use ROS templates to set permissions

You can use ROS templates to create execution roles for the administrator and target accounts, and grant operation permissions on stack groups and stacks.

Log on to the ROS console with an Alibaba Cloud account.
Use the AliyunROSStackGroupAdministrationRole template to create an administrator role and permissions for the administrator account.
Use the AliyunROSStackGroupExecutionRole template to create an execution role and permissions for the target account.