Resource Orchestration Service (ROS) deploys stacks corresponding to stack instances
in a stack group by assuming RAM roles. Before you use a stack group, you must create
RAM roles and grant them permissions.
Background information
You must create RAM roles for the Alibaba Cloud accounts listed in the following table
and grant them permissions.
Alibaba Cloud account | RAM role | Policy
--- | --- | ---
Administrator account (account A) | AliyunROSStackGroupAdministrationRole | The AssumeRole-AliyunROSStackGroupExecutionRole custom policy
Execution account (account B) | AliyunROSStackGroupExecutionRole | The AdministratorAccess system policy
After authorization is complete, you can log on to the ROS console by using the administrator
account, create a stack group, and then create stacks for the execution account in
the stack group.
Set permissions in the ROS console
- Set permissions for the execution account.
  - Log on to the RAM console by using the execution account.
  - Create the AliyunROSStackGroupExecutionRole RAM role for the execution account. The trusted entity of this role is the administrator account.
    - In the left-side navigation pane, click RAM Roles.
    - On the RAM Roles page, click Create RAM Role.
    - In the Create RAM Role panel, select Alibaba Cloud Account as the trusted entity type and click Next.
    - Set RAM Role Name to AliyunROSStackGroupExecutionRole and Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, and then enter the administrator account ID.
    - Click OK.
  - Grant the AdministratorAccess permission to AliyunROSStackGroupExecutionRole.
    - In the left-side navigation pane, click RAM Roles.
    - In the RAM Role Name column, click AliyunROSStackGroupExecutionRole.
    - On the Basic Information page of AliyunROSStackGroupExecutionRole, click Add Permissions.
    - In the Add Permissions panel, set Principal to AliyunROSStackGroupExecutionRole and System Policy to AdministratorAccess.
    - Click OK.
    - Click Complete.
- Set permissions for the administrator account.
  - Log on to the RAM console by using the administrator account.
  - Create the AliyunROSStackGroupAdministrationRole RAM role for the administrator account. The trusted entity of this role is ROS.
    - In the left-side navigation pane, click RAM Roles.
    - On the RAM Roles page, click Create RAM Role.
    - In the Create RAM Role panel, select Alibaba Cloud Service as the trusted entity type and click Next.
    - Set Role Type to Normal Service Role.
    - Set RAM Role Name to AliyunROSStackGroupAdministrationRole and Select Trusted Service to Resource Orchestration Service.
    - Click OK.
  - Create a custom policy named AssumeRole-AliyunROSStackGroupExecutionRole.
    - In the left-side navigation pane, choose .
    - On the Policies page, click Create Policy.
    - Set Policy Name to AssumeRole-AliyunROSStackGroupExecutionRole and Configuration Mode to Script. In the Policy Document section, enter the following policy content to allow the AliyunROSStackGroupAdministrationRole role to assume the AliyunROSStackGroupExecutionRole role:

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
          }
        ],
        "Version": "1"
      }

    - Click OK.
  - Grant permissions specified in the AssumeRole-AliyunROSStackGroupExecutionRole policy to the RAM role named AliyunROSStackGroupAdministrationRole.
    - In the left-side navigation pane, click RAM Roles.
    - In the RAM Role Name column, click AliyunROSStackGroupAdministrationRole.
    - On the Basic Information page of AliyunROSStackGroupAdministrationRole, click Add Permissions.
    - In the Add Permissions panel, set Principal to AliyunROSStackGroupAdministrationRole and Custom Policy to AssumeRole-AliyunROSStackGroupExecutionRole.
    - Click OK.
    - Click Complete.
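The two-hop trust chain built above (ROS assumes the administration role in account A, which assumes the execution role in account B) can be reviewed with a small policy check. The following script is an added example, not part of the Alibaba Cloud documentation; the trust-policy layout (Principal.RAM with acs:ram::<account>:root), the account ID and the weak variant are assumptions constructed for the demo.

```python
import json

ADMIN_ACCOUNT_ID = "1234567890123456"  # constructed placeholder for account A
EXEC_ROLE = "AliyunROSStackGroupExecutionRole"

def _as_list(v):
    return v if isinstance(v, list) else [v]

# Constructed trust policy of the execution role in account B (assumed RAM trust-policy format).
EXEC_TRUST_POLICY = json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"RAM": [f"acs:ram::{ADMIN_ACCOUNT_ID}:root"]}}], "Version": "1"})

# Constructed weak variant: the administrator account ID replaced by a wildcard.
WEAK_TRUST_POLICY = EXEC_TRUST_POLICY.replace(ADMIN_ACCOUNT_ID, "*")

# The custom policy from the procedure, attached to the administration role in account A.
ASSUME_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": f"acs:ram::*:role/{EXEC_ROLE}"}], "Version": "1"})

def check_execution_trust(trust_policy_json, admin_account_id):
    """Findings for the execution role's trust policy; empty means only account A may assume it."""
    findings, expected = [], f"acs:ram::{admin_account_id}:root"
    for st in json.loads(trust_policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        for p in _as_list(st.get("Principal", {}).get("RAM", [])):
            if "*" in p:
                findings.append(f"wildcard principal {p}: any account could assume the role")
            elif p != expected:
                findings.append(f"unexpected principal {p}")
    return findings

def check_assume_policy(policy_json, exec_role):
    """Findings for the administration role's policy; empty means it targets only the execution role."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        actions = set(_as_list(st.get("Action")))
        if st.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        for r in _as_list(st.get("Resource")):
            if not r.endswith(f":role/{exec_role}"):
                findings.append(f"resource {r} is broader than the execution role")
    return findings

if __name__ == "__main__":
    print(check_execution_trust(EXEC_TRUST_POLICY, ADMIN_ACCOUNT_ID))  # []
    print(check_execution_trust(WEAK_TRUST_POLICY, ADMIN_ACCOUNT_ID))  # one wildcard finding
    print(check_assume_policy(ASSUME_POLICY, EXEC_ROLE))  # []
```

The account wildcard in the procedure's Resource is intentional, because one administration role assumes the execution role in every account of the stack group; the effective scoping therefore lives in each execution role's trust policy, which is what the first check verifies.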
Set permissions by using ROS templates
Create RAM roles for the administrator and execution accounts by using ROS templates,
and grant them permissions to perform operations on stack groups and stacks.
- Log on to the ROS console by using the administrator account.
- Use the AliyunROSStackGroupAdministrationRole template to create a RAM role for the administrator account and grant permissions to the role.
- Use the AliyunROSStackGroupExecutionRole template to create a RAM role for the execution account and grant permissions to the role.