This topic describes how to authorize a Resource Access Management (RAM) user to use Logic Composer to orchestrate workflows on Alibaba Cloud resources.

Background

Logic Composer calls the API operations of other Alibaba Cloud services on your behalf when it runs a workflow. To allow this, you use your Alibaba Cloud account to create a RAM role that trusts Logic Composer and grants the permissions those API operations require. That Logic Composer is allowed to assume this RAM role does not mean that a RAM user who runs Logic Composer is allowed to hand the role to it: if any RAM user could attach any role to a workflow, the user could act through Logic Composer with permissions that were never granted to the user directly. You must therefore grant the RAM user the ram:PassRole permission for the target RAM role, scoped to Logic Composer, before the user can use that role through Logic Composer.

The following figure shows the procedure for authorizing a RAM user to use a RAM role of Logic Composer.

Notice You only need to perform step 1 through step 5. Subsequent steps are automatically performed by the authorized Alibaba Cloud services.

Procedure for authorizing a RAM user without the AliyunRAMFullAccess permission

1. Create a RAM role. On the RAM Roles page of the RAM console, you can view your existing RAM roles and create new ones as required. In this example, create a RAM role named AliyunLogicComposerDefaultRole and select Logic Composer as the trusted service, so that only Logic Composer can assume the role. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
2. Grant permissions to the created RAM role. On the Policies page of the RAM console, you can view your existing permission policies and create new ones as required. In this example, create a custom permission policy. For more information about how to create a custom permission policy, see Create a custom policy. The following is a sample permission policy. It allows the TagResources operation of every service and the oss:PutBucketTags operation on all resources; restrict the Action and Resource elements to the operations and resources that your workflows actually use.
{
  "Statement": [
    {
      "Action": [
        "*:TagResources",
        "oss:PutBucketTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Attach the created permission policy to the RAM role created in step 1. You can find the RAM role on the RAM Roles page of the RAM console. For more information about how to grant permissions to a RAM role, see Grant permissions to a RAM role. Note that the permission policy created and used in this example is a custom policy, not a system policy.

3. Use your Alibaba Cloud account to create a RAM user. For more information, see Create a RAM user. If a suitable RAM user already exists under your Alibaba Cloud account, skip this step. Then grant the RAM user the permissions required to use Logic Composer. For more information, see Grant permissions to a RAM user.

4. Allow the RAM user created or selected in step 3 to pass the RAM role AliyunLogicComposerDefaultRole created in step 1 to Logic Composer. Create another custom permission policy as described in step 2. The following sample policy grants ram:PassRole for this one role only, and only when the service that receives the role is Logic Composer (composer.aliyuncs.com):
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Resource": "acs:ram::<parent uid>:role/aliyunlogiccomposerdefaultrole",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "composer.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
Notice Set the Resource parameter to the Alibaba Cloud Resource Name (ARN) of the RAM role created in step 1, replacing <parent uid> with the ID of your Alibaba Cloud account. Keep the Condition element: it restricts the RAM user to passing this role to Logic Composer only, not to any other Alibaba Cloud service. Do not widen Resource to "*", because that would let the RAM user hand every role in the account, including more privileged ones, to Logic Composer.

5. Grant the permission policy to the RAM user. For more information, see Grant permissions to a RAM user.

6. After the previous steps are completed, you can log on to the Logic Composer console as the RAM user. When you configure a workflow in the Logic Composer console, you must specify the RAM role that Logic Composer assumes to call the required API operations. The RAM user can only pass roles covered by the ram:PassRole policy granted in step 5.

6.1 If the RAM user does not have the AliyunRAMReadOnlyAccess permission, the console cannot list the RAM roles in the account on the user's behalf. Specify the RAM role AliyunLogicComposerDefaultRole for Logic Composer by name.

6.2 If the RAM user has the AliyunRAMReadOnlyAccess permission, select the required RAM role from the list of roles.
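The following example is added here and is not code from the Alibaba Cloud page or from Logic Composer itself. It builds the three policy documents used in steps 1, 2 and 4 (the role's trust policy, the role's permission policy and the RAM user's PassRole policy) and then checks ram:PassRole requests against the PassRole policy with a small local model of RAM policy evaluation, so you can see what the Resource and Condition elements actually block before you attach the policy. The account ID is a placeholder; the trust policy uses the standard RAM service-role format with the same service identifier (composer.aliyuncs.com) that the page uses in its Condition; evaluate_pass_role() illustrates the evaluation rules (explicit Deny wins, Allow must match action, resource and every StringEquals condition) and is not RAM's evaluation engine.

```python
# Added example, not code from the Alibaba Cloud page or from Logic Composer.
# Assumptions: ACCOUNT_ID is a placeholder for your Alibaba Cloud account ID;
# the trust policy follows the standard RAM service-role format and reuses the
# service identifier composer.aliyuncs.com from the page's Condition;
# evaluate_pass_role() is a simplified local model of RAM policy evaluation.
import fnmatch
import json

ACCOUNT_ID = "123456789012345678"  # placeholder, replace with your own account ID
ROLE_NAME = "AliyunLogicComposerDefaultRole"
COMPOSER_SERVICE = "composer.aliyuncs.com"


def role_arn(account_id, role_name):
    """ARN of a RAM role. RAM writes the role name in lower case in the ARN,
    which is why the page shows .../role/aliyunlogiccomposerdefaultrole."""
    return "acs:ram::%s:role/%s" % (account_id, role_name.lower())


def trust_policy(service):
    """Step 1: the role's trust policy. Only the named service may assume it."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [service]},
        }],
        "Version": "1",
    }


def role_permission_policy(actions, resources="*"):
    """Step 2: what Logic Composer may do once it has assumed the role.
    Keep actions and resources limited to what the workflow actually calls."""
    return {
        "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": resources}],
        "Version": "1",
    }


def pass_role_policy(account_id, role_name, service):
    """Step 4: lets the RAM user hand exactly one role to exactly one service."""
    return {
        "Statement": [{
            "Action": "ram:PassRole",
            "Resource": role_arn(account_id, role_name),
            "Effect": "Allow",
            "Condition": {"StringEquals": {"acs:Service": service}},
        }],
        "Version": "1",
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_pass_role(policy, requested_role_arn, target_service):
    """Simplified RAM evaluation of a ram:PassRole request.
    An explicit Deny wins; otherwise some Allow statement must match the action,
    the resource (wildcards allowed) and every StringEquals condition.
    Returns True if the request is allowed, False otherwise."""
    context = {"acs:Service": target_service}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("ram:PassRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(requested_role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != value for key, value in conditions.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document(policy):
    """Serialised form as passed to RAM (CreateRole's AssumeRolePolicyDocument
    or CreatePolicy's PolicyDocument)."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    pass_policy = pass_role_policy(ACCOUNT_ID, ROLE_NAME, COMPOSER_SERVICE)
    print(policy_document(trust_policy(COMPOSER_SERVICE)))
    print(policy_document(role_permission_policy(["*:TagResources", "oss:PutBucketTags"])))
    print(policy_document(pass_policy))
    target = role_arn(ACCOUNT_ID, ROLE_NAME)
    # The user may pass the role to Logic Composer ...
    print(evaluate_pass_role(pass_policy, target, COMPOSER_SERVICE))  # True
    # ... but not to another service (fc.aliyuncs.com is only a counterexample here)
    print(evaluate_pass_role(pass_policy, target, "fc.aliyuncs.com"))  # False
    # ... and not a different role in the same account.
    print(evaluate_pass_role(pass_policy, role_arn(ACCOUNT_ID, "AdminRole"), COMPOSER_SERVICE))  # False
```

The serialised documents are what you would supply to the RAM API operations CreateRole, CreatePolicy, AttachPolicyToRole and AttachPolicyToUser, or paste into the console in steps 1, 2, 4 and 5. Running the check with Resource changed to "*" shows why the notice in step 4 matters: every role in the account, passed to any service, is then allowed.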

Procedure for authorizing a RAM user with the AliyunRAMFullAccess permission

1. A RAM user with the AliyunRAMFullAccess permission already has all RAM permissions, including ram:PassRole for every role in the account, so steps 1 through 5 above are not required. When you configure a workflow in the Logic Composer console as this user, specify the RAM role that Logic Composer assumes to call the required API operations, and attach the permission policies that the workflow needs to that RAM role. Because such a user can hand any role in the account to Logic Composer, grant AliyunRAMFullAccess only to RAM users who are trusted to administer RAM.