Best practices for permission management for a RAM user - Resource Orchestration Service

This topic describes how to use Resource Access Management (RAM) to manage permissions for a RAM user. This topic also describes how to manage RAM users, create resource groups, grant permissions, and configure access control. In this example, an e-commerce website project is used.

Prerequisites

If you need to use RAM to manage permissions for a RAM user, you can use the sample template that is provided by Resource Orchestration Service (ROS). You can use this template to build environments in which you can manage RAM users and grant permissions. To build the environments, go to the Manage Account Permissions with RAM page. Before you build the environments, make sure that the following operations are performed:

You are authorized to access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, Object Storage Service (OSS), and RAM.
The resource groups for development, production, and test environments are created. The IDs of the resource groups are obtained. For more information about how to create resource groups, see Create a resource group.

Step 1: Create a stack

Log on to the ROS console.
In the left-side navigation pane, click Solution Center.
On the page that appears, find the Manage Account Permissions with RAM template.
Click Create Stack.

In the Configure Template Parameters step, specify Stack Name and configure the following parameters.


Section	Parameter	Description	Example
RESOURCE	Development Resource Group ID	The ID of the resource group that you use in the development environment.	∗rg-aekzs3xmizs∗∗∗∗
	Production Resource Group ID	The ID of the resource group that you use in the production environment.	rg-aekzko7fsuj∗∗∗∗
	Test Resource Group ID	The ID of the resource group that you use in the test environment.	rg-aekzsvnra53∗∗∗∗
VPC	Develop Environment VPC CIDR Block	The CIDR block of the VPC that you use in the development environment.	172.16.0.0/12
	Production Environment VPC CIDR Block	The CIDR block of the VPC that you use in the production environment.	10.0.0.0/8
	Test Environment VPC CIDR Block	The CIDR block of the VPC that you use in the test environment.	192.168.0.0/16
	VSwitch Availability Zone	The zone ID of the vSwitch in the VPC.	Hangzhou Zone K
	Develop VSwitch CIDR Block	The CIDR block of the vSwitch that you use in the development environment. The value must be a subnet of the CIDR block of the VPC that you use in the development environment.	172.16.10.0/24
	Production VSwitch CIDR Block	The CIDR block of the vSwitch that you use in the production environment. The value must be a subnet of the CIDR block of the VPC that you use in the production environment.	10.0.10.0/24
	Test VSwitch CIDR Block	The CIDR block of the vSwitch that you use in the test environment. The value must be a subnet of the CIDR block of the VPC that you use in the test environment.	192.168.10.0/24
ECS	Instance Type	The instance type of the ECS instance. Select a valid instance type. For more information, see Overview of instance families.	ecs.c5.large
	Image	The ID of the image that you want to use for the ECS instance. By default, centos_7 is used. For more information, see Image overview.	centos_7
	System Disk Type	The type of the system disk that you want to use for the ECS instance. Valid values: cloud_efficiency: the ultra disk cloud_ssd: the standard SSD cloud_essd: the enhanced SSD (ESSD) cloud: the basic disk ephemeral_ssd: the local SSD For more information, see Disks.	cloud_efficiency
	System Disk Space	The size of the system disk. Valid values: 40 to 500. Unit: GB.	40
	Instance Password	The password that you use to log on to the ECS instance.	Test_12∗∗∗∗
RDS	Type And Version	The database type and version number of the ApsaraDB RDS database.	MySQL-5.7
	Specifications	The instance type of the ApsaraDB RDS instance. Select a valid instance type. For more information, see Primary ApsaraDB RDS instance types.	rds.mysql.s2.large
	Storage Space	The storage space of the ApsaraDB RDS instance. Valid values: 5 to 1000. The value must be in 5 GB increments. Unit: GB.	5
OSS	Access Control	The permissions to access objects in OSS buckets. Valid values: private: RAM verifies your identity for all your operations on the objects. public-read: RAM verifies your identity for your write operations on the objects. RAM does not verify your identity for your read operations on the objects. public-read-write: RAM does not verify your identity for your read and write operations on the objects.	private
	Storage Type	The storage class for OSS buckets. Valid values: Standard: the Standard storage class IA: the Infrequent Access (IA) storage class Archive: the Archive storage class	Standard
	Develop Bucket Name	The name of the OSS bucket that you use in the development environment.	ros-projects-dev
	Production Bucket Name	The name of the OSS bucket that you use in the production environment.	ros-projects-prod
	Test Bucket Name	The name of the OSS bucket that you use in the test environment.	ros-projects-test
	Code Release Bucket Name	The name of the OSS bucket that stores code to be released.	ros-projects-code
	Other Bucket Name	The name of the OSS bucket that you use for other purposes.	ros-projects-other
	Publish Directory	The name of the OSS directory that you use in the development environment.	release
	Production Directory	The name of the OSS directory that you use in the production environment.	prod
RAM	Operation User Group Name	The name of the user group that you use for O&M.	dev
	Develop User Group Name	The name of the user group that you use for development.	sa
	Test User Group Name	The name of the user group that you use for test.	test
	Development Environment User Group Name	The name of the user group that you use in the development environment.	app-dev
	Production Environment User Group Name	The name of the user group that you use in the production environment.	app-prod
	Test Environment User Group Name	The name of the user group that you use in the test environment.	app-test
	Development Permission User Name	The name of the RAM user that has development permissions.	sts_dev
	Production Permission User Name	The name of the RAM user that has production permissions.	sts_prod
	Test Permission User Name	The name of the RAM user that has test permissions.	sts_test

Click Create.
On the Stack Information tab, view the status of the stack. After the stack is created, you can obtain the AccessKey IDs and AccessKey secrets for the development, test, and production environments on the Output tab.

Step 2: View resources in the stack

In the left-side navigation pane, click Stacks.
On the Stacks page, click the stack that you created in Step 1.

Click the Resources tab to view the information about resources in the stack.

The following table describes the resources in this example.


Resource type	Quantity	Description	Specifications
ALIYUN::RAM::Group	6	Creates six RAM user groups. You can use the user groups to classify and grant permissions to RAM users that have the same responsibilities. This simplifies the management of RAM users and their permissions.	None.
ALIYUN::ECS::SecurityGroup	3	Creates three security groups to divide security domains in Alibaba Cloud.	None.
ALIYUN::RDS::DBInstance	1	Creates an ApsaraDB RDS instance to store data.	rds.mysql.s2.large: the general-purpose instance family with 2 cores and 4 GB memory. Storage space: 20 GB.
ALIYUN::ECS::VSwitch	3	Creates three vSwitches to manage instances in a zone.	None.
ALIYUN::OSS::Bucket	5	Creates five OSS buckets to store data for development, production, and test environments.	None.
ALIYUN::ECS::Instance	3	Creates three ECS instances to share business loads in development, production, and test environments.	Quantity: 3. Instance type: ecs.c5.large. Disk type: the ultra disk. System disk size: 40 GB. Public IP address: Public IP addresses are not assigned.
ALIYUN::RAM::Role	3	Creates three RAM roles to issue Security Token Service (STS) tokens that are valid within a temporary period. This way, you can securely grant access permissions to the roles.	None.
ALIYUN::RAM::User	3	Create three RAM users for the users or applications that frequently access Alibaba Cloud resources.	None.
ALIYUN::ECS::VPC	3	Creates three VPCs to ensure network security in Alibaba Cloud.	None.

Note For more information about the resource charges, see the pricing schedule on the official website or the product pricing documentation.