Resource Orchestration Service:Step 1: Grant self-managed permissions

Last Updated:Feb 01, 2024

Before you create a stack group that has self-managed permissions in Resource Orchestration Service (ROS), you must manually create Resource Access Management (RAM) roles within the administrator and execution accounts and establish a trust relationship between the accounts. Then, you can deploy stacks within the execution account.

Background information

Before you grant self-managed permissions, you must create RAM roles for the Alibaba Cloud accounts in the following table and grant permissions to the roles.

| Alibaba Cloud account | RAM role | Policy | Policy description |
|---|---|---|---|
| Administrator account | AliyunROSStackGroupAdministrationRole | Custom policy: AssumeRole-AliyunROSStackGroupExecutionRole | Allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role. |
| Execution account | AliyunROSStackGroupExecutionRole | System policy: AdministratorAccess | Allows the AliyunROSStackGroupExecutionRole RAM role to manage all Alibaba Cloud resources that belong to the execution account. |

Note

The administrator account and the execution account can be the same Alibaba Cloud account. For more information about administrator and execution accounts, see Overview.

When you use the administrator account to create a stack group in the ROS console after you grant the permissions to the roles, you can create stack instances in the stack group to deploy stacks within the execution account.

Method 1: Grant self-managed permissions in the RAM console

  1. Grant permissions to the execution account.

    1. Log on to the RAM console by using the execution account.

    2. Create the AliyunROSStackGroupExecutionRole RAM role for the execution account and specify the administrator account as the trusted entity of the role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, click Create Role.

      3. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Account and click Next.

      4. Configure information about the RAM role.

        1. In the RAM Role Name field, enter AliyunROSStackGroupExecutionRole.

        2. In the Note field, enter a description for the RAM role.

        3. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account and enter the ID of the administrator account in the field.

      5. Click OK.

      6. Click Close.

    3. Attach the AdministratorAccess policy to the AliyunROSStackGroupExecutionRole RAM role.

      1. On the Roles page, find the AliyunROSStackGroupExecutionRole RAM role and click Grant Permission in the Actions column.

      2. In the Grant Permission panel, the value of the Principal parameter is autopopulated. Set the Authorized Scope parameter to Alibaba Cloud Account.

      3. Set the Select Policy parameter to System Policy and click AdministratorAccess.

      4. Click OK.

      5. Click Complete.

  2. Grant permissions to the administrator account.

    1. Log on to the RAM console by using the administrator account.

    2. Create the AliyunROSStackGroupAdministrationRole RAM role for the administrator account and specify ROS as the trusted entity of the role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, click Create Role.

      3. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Service and click Next.

      4. Set the Role Type parameter to Normal Service Role.

      5. Configure information about the RAM role.

        1. In the RAM Role Name field, enter AliyunROSStackGroupAdministrationRole.

        2. In the Note field, enter a description for the RAM role.

        3. From the Select Trusted Service drop-down list, select Resource Orchestration Service.

      6. Click OK.

      7. Click Close.

    3. Create the AssumeRole-AliyunROSStackGroupExecutionRole custom policy.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Policy page, click the JSON tab, enter the following policy content in the code editor, and then click Next to edit policy information. In the Name field, enter AssumeRole-AliyunROSStackGroupExecutionRole.

        This policy allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role.

        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
            }
          ],
          "Version": "1"
        }
      4. Click OK.

    4. Attach the AssumeRole-AliyunROSStackGroupExecutionRole policy to the AliyunROSStackGroupAdministrationRole RAM role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, find the AliyunROSStackGroupAdministrationRole RAM role and click Grant Permission in the Actions column.

      3. In the Grant Permission panel, the value of the Principal parameter is autopopulated. Set the Authorized Scope parameter to Alibaba Cloud Account.

      4. Set the Select Policy parameter to Custom Policy and click AssumeRole-AliyunROSStackGroupExecutionRole.

      5. Click OK.
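As an added example that is not part of the original page, the Python below assembles the three policy documents the console steps above create (the two trust policies the role wizard generates but never shows, plus the custom AssumeRole policy) and audits a trust policy for principals beyond the one intended. The ROS service principal name ros.aliyuncs.com and the option of scoping the custom policy to explicit execution account IDs instead of the page's wildcard are assumptions; the account IDs in the usage are constructed.

```python
# Assumed service principal for ROS; the console's Trusted Service picker hides it.
ROS_SERVICE_PRINCIPAL = "ros.aliyuncs.com"
EXEC_ROLE = "AliyunROSStackGroupExecutionRole"

def _allow(**fields):
    # Wrap one Allow statement in the RAM policy envelope (Version "1").
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole"}
    stmt.update(fields)
    return {"Statement": [stmt], "Version": "1"}

def execution_role_trust_policy(admin_account_id):
    """Trust policy for the execution role (console step 'Other Alibaba Cloud
    Account'): only identities in the administrator account may assume it."""
    return _allow(Principal={"RAM": ["acs:ram::%s:root" % admin_account_id]})

def administration_role_trust_policy():
    """Trust policy for the administration role (console step 'Trusted Service')."""
    return _allow(Principal={"Service": [ROS_SERVICE_PRINCIPAL]})

def assume_execution_role_policy(execution_account_ids=None):
    """Custom policy from the page. Without an account list it uses the page's
    wildcard account ID; with one it is scoped to those execution accounts."""
    if execution_account_ids:
        resource = ["acs:ram::%s:role/%s" % (a, EXEC_ROLE) for a in execution_account_ids]
    else:
        resource = "acs:ram::*:role/%s" % EXEC_ROLE
    return _allow(Resource=resource)

def audit_trust_policy(policy, expected_principal):
    """List every Allow principal other than the one expected, so a role that
    trusts extra accounts or '*' is caught in review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        for kind in ("RAM", "Service"):
            for p in principal.get(kind, []):
                if p != expected_principal:
                    findings.append("unexpected %s principal: %s" % (kind, p))
    return findings

if __name__ == "__main__":
    # Constructed sample administrator account ID, not a real account.
    print(audit_trust_policy(execution_role_trust_policy("123456789012345678"),
                             "acs:ram::123456789012345678:root"))  # []
```

Because the execution role trusts the administrator account's root principal, any identity in that account that also holds sts:AssumeRole on the role resource can assume it; the custom policy is what limits that to AliyunROSStackGroupAdministrationRole.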

Method 2: Grant self-managed permissions by using a ROS template

You can use a ROS template to create RAM roles for the administrator and execution accounts, and grant the permissions on stack groups and stacks to the roles.

  1. Log on to the ROS console by using the administrator account. Then, use the AliyunROSStackGroupAdministrationRole template to create the RAM role and grant the required permissions to the role.

  2. Log on to the ROS console by using the execution account. Then, use the AliyunROSStackGroupExecutionRole template to create the RAM role and grant the required permissions to the role.