This topic describes how to use Resource Access Management (RAM) to manage permissions for a RAM user. This topic also describes how to manage RAM users, create resource groups, grant permissions, and configure access control. In this example, an e-commerce website project is used.
Prerequisites
If you want to use RAM to manage the permissions of a RAM user, you can use the sample template provided by Resource Orchestration Service (ROS) to build an environment in which you manage RAM users and grant permissions. To build the environment, go to the Manage Account Permissions with RAM page. Before you build the environment, make sure that the following conditions are met:
- You are authorized to access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, Object Storage Service (OSS), and RAM.
- The resource groups for development, production, and test environments are created. The IDs of the resource groups are obtained. For more information about how to create resource groups, see Create a resource group.
Step 1: Create a stack
- Log on to the ROS console.
- In the left-side navigation pane, click Solution Center.
- On the page that appears, find the Manage Account Permissions with RAM template.
- Click Create Stack.
- In the Configure Template Parameters step, specify Stack Name and configure the following parameters.
Section: RESOURCE
- Development Resource Group ID: the ID of the resource group that you use in the development environment. Example: rg-aekzs3xmizs∗∗∗∗
- Production Resource Group ID: the ID of the resource group that you use in the production environment. Example: rg-aekzko7fsuj∗∗∗∗
- Test Resource Group ID: the ID of the resource group that you use in the test environment. Example: rg-aekzsvnra53∗∗∗∗
Section: VPC
- Develop Environment VPC CIDR Block: the CIDR block of the VPC that you use in the development environment. Example: 172.16.0.0/12
- Production Environment VPC CIDR Block: the CIDR block of the VPC that you use in the production environment. Example: 10.0.0.0/8
- Test Environment VPC CIDR Block: the CIDR block of the VPC that you use in the test environment. Example: 192.168.0.0/16
Section: VSwitch
- Availability Zone: the zone ID of the vSwitch in the VPC. Example: Hangzhou Zone K
- Develop VSwitch CIDR Block: the CIDR block of the vSwitch that you use in the development environment. The value must be a subnet of the CIDR block of the development VPC. Example: 172.16.10.0/24
- Production VSwitch CIDR Block: the CIDR block of the vSwitch that you use in the production environment. The value must be a subnet of the CIDR block of the production VPC. Example: 10.0.10.0/24
- Test VSwitch CIDR Block: the CIDR block of the vSwitch that you use in the test environment. The value must be a subnet of the CIDR block of the test VPC. Example: 192.168.10.0/24
Section: ECS
- Instance Type: the instance type of the ECS instance. Select a valid instance type. For more information, see Overview of instance families. Example: ecs.c5.large
- Image: the ID of the image that you want to use for the ECS instance. By default, centos_7 is used. For more information, see Image overview. Example: centos_7
- System Disk Type: the type of the system disk that you want to use for the ECS instance. Valid values: cloud_efficiency (ultra disk), cloud_ssd (standard SSD), cloud_essd (enhanced SSD, ESSD), cloud (basic disk), and ephemeral_ssd (local SSD). For more information, see Disks. Example: cloud_efficiency
- System Disk Space: the size of the system disk. Valid values: 40 to 500. Unit: GB. Example: 40
- Instance Password: the password that you use to log on to the ECS instance. Example: Test_12∗∗∗∗
Section: RDS
- Type And Version: the database type and version number of the ApsaraDB RDS database. Example: MySQL-5.7
- Specifications: the instance type of the ApsaraDB RDS instance. Select a valid instance type. For more information, see Primary ApsaraDB RDS instance types. Example: rds.mysql.s2.large
- Storage Space: the storage space of the ApsaraDB RDS instance. Valid values: 5 to 1000, in 5 GB increments. Unit: GB. Example: 5
Section: OSS
- Access Control: the permissions to access objects in the OSS buckets. Valid values: private (RAM verifies your identity for all operations on the objects), public-read (RAM verifies your identity for write operations on the objects but not for read operations), and public-read-write (RAM does not verify your identity for read or write operations on the objects). Example: private
- Storage Type: the storage class of the OSS buckets. Valid values: Standard (the Standard storage class), IA (the Infrequent Access storage class), and Archive (the Archive storage class). Example: Standard
- Develop Bucket Name: the name of the OSS bucket that you use in the development environment. Example: ros-projects-dev
- Production Bucket Name: the name of the OSS bucket that you use in the production environment. Example: ros-projects-prod
- Test Bucket Name: the name of the OSS bucket that you use in the test environment. Example: ros-projects-test
- Code Release Bucket Name: the name of the OSS bucket that stores the code to be released. Example: ros-projects-code
- Other Bucket Name: the name of the OSS bucket that you use for other purposes. Example: ros-projects-other
- Publish Directory: the name of the OSS directory that you use in the development environment. Example: release
- Production Directory: the name of the OSS directory that you use in the production environment. Example: prod
Section: RAM
- Operation User Group Name: the name of the user group that you use for O&M. Example: dev
- Develop User Group Name: the name of the user group that you use for development. Example: sa
- Test User Group Name: the name of the user group that you use for testing. Example: test
- Development Environment User Group Name: the name of the user group that you use in the development environment. Example: app-dev
- Production Environment User Group Name: the name of the user group that you use in the production environment. Example: app-prod
- Test Environment User Group Name: the name of the user group that you use in the test environment. Example: app-test
- Development Permission User Name: the name of the RAM user that has development permissions. Example: sts_dev
- Production Permission User Name: the name of the RAM user that has production permissions. Example: sts_prod
- Test Permission User Name: the name of the RAM user that has test permissions. Example: sts_test
- Click Create.
- On the Stack Information tab, view the status of the stack. After the stack is created, you can obtain the AccessKey IDs and AccessKey secrets for the development, test, and production environments on the Output tab.
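The parameter table above carries several constraints that the console only reports after you submit the stack: each vSwitch CIDR block must be a subnet of its environment's VPC CIDR block, the system disk must be 40 to 500 GB, the RDS storage must be 5 to 1000 GB in 5 GB steps, and the OSS access control and storage class must be one of the listed values. The following validator is an added example, not code from Alibaba Cloud or from the ROS template; the dictionary keys (`develop_vpc_cidr`, `system_disk_space`, and so on) are names chosen here and are not the template's parameter names, and the OSS bucket naming rule it enforces is a general OSS rule assumed here rather than stated on this page. It also flags a non-private OSS access control as a warning, since those settings let unauthenticated callers read (or read and write) bucket objects.

```python
import ipaddress
import re

# Valid values as listed in the parameter table above.
SYSTEM_DISK_TYPES = {"cloud_efficiency", "cloud_ssd", "cloud_essd", "cloud", "ephemeral_ssd"}
OSS_ACLS = {"private", "public-read", "public-read-write"}
OSS_STORAGE_TYPES = {"Standard", "IA", "Archive"}
ENVIRONMENTS = ("develop", "production", "test")
BUCKET_KEYS = ("develop_bucket", "production_bucket", "test_bucket",
               "code_release_bucket", "other_bucket")

# Assumption (general OSS naming rule, not stated on this page): 3 to 63 characters,
# lowercase letters, digits and hyphens, no leading or trailing hyphen.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def vswitch_within_vpc(vswitch_cidr, vpc_cidr):
    """True if the vSwitch CIDR block lies inside the VPC CIDR block.

    strict=True rejects blocks with host bits set (for example 10.0.10.1/24).
    """
    return ipaddress.ip_network(vswitch_cidr, strict=True).subnet_of(
        ipaddress.ip_network(vpc_cidr, strict=True)
    )


def validate_parameters(params):
    """Check a parameter dict against the constraints from the table.

    Returns {"errors": [...], "warnings": [...]}. An empty "errors" list means
    none of the constraints checked here would reject the stack.
    """
    errors, warnings = [], []

    # Every vSwitch CIDR block must be a subnet of the matching VPC CIDR block.
    for env in ENVIRONMENTS:
        vpc = params.get(f"{env}_vpc_cidr", "")
        vsw = params.get(f"{env}_vswitch_cidr", "")
        try:
            if not vswitch_within_vpc(vsw, vpc):
                errors.append(f"{env}: vSwitch {vsw} is not a subnet of VPC {vpc}")
        except (ValueError, TypeError) as exc:
            errors.append(f"{env}: invalid CIDR block ({exc})")

    # ECS system disk: listed type, size 40 to 500 GB.
    if params.get("system_disk_type") not in SYSTEM_DISK_TYPES:
        errors.append(f"system_disk_type {params.get('system_disk_type')!r} is not valid")
    disk = params.get("system_disk_space")
    if not (isinstance(disk, int) and 40 <= disk <= 500):
        errors.append(f"system_disk_space {disk!r} must be an integer from 40 to 500 (GB)")

    # RDS storage: 5 to 1000 GB in 5 GB increments.
    storage = params.get("rds_storage_space")
    if not (isinstance(storage, int) and 5 <= storage <= 1000 and storage % 5 == 0):
        errors.append(f"rds_storage_space {storage!r} must be 5 to 1000 GB in 5 GB steps")

    # OSS access control: must be a listed value; anything but private is a risk worth surfacing.
    acl = params.get("oss_access_control")
    if acl not in OSS_ACLS:
        errors.append(f"oss_access_control {acl!r} is not valid")
    elif acl != "private":
        warnings.append(f"oss_access_control {acl!r} allows unauthenticated access to objects")
    if params.get("oss_storage_type") not in OSS_STORAGE_TYPES:
        errors.append(f"oss_storage_type {params.get('oss_storage_type')!r} is not valid")

    # Bucket names (assumed OSS naming rule, see above).
    for key in BUCKET_KEYS:
        name = params.get(key, "")
        if not BUCKET_NAME_RE.match(name):
            errors.append(f"{key} {name!r} is not a valid OSS bucket name")

    return {"errors": errors, "warnings": warnings}


# Constructed sample input: the example values from the parameter table.
PAGE_EXAMPLE = {
    "develop_vpc_cidr": "172.16.0.0/12", "develop_vswitch_cidr": "172.16.10.0/24",
    "production_vpc_cidr": "10.0.0.0/8", "production_vswitch_cidr": "10.0.10.0/24",
    "test_vpc_cidr": "192.168.0.0/16", "test_vswitch_cidr": "192.168.10.0/24",
    "system_disk_type": "cloud_efficiency", "system_disk_space": 40,
    "rds_storage_space": 5,
    "oss_access_control": "private", "oss_storage_type": "Standard",
    "develop_bucket": "ros-projects-dev", "production_bucket": "ros-projects-prod",
    "test_bucket": "ros-projects-test", "code_release_bucket": "ros-projects-code",
    "other_bucket": "ros-projects-other",
}

if __name__ == "__main__":
    result = validate_parameters(PAGE_EXAMPLE)
    print("errors:", result["errors"])
    print("warnings:", result["warnings"])
```

Run it before filling in the console form; with the table's example values it reports no errors and no warnings, and a mistyped vSwitch block or an out-of-range disk size shows up as a named error rather than a failed stack.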
Step 2: View resources in the stack
- In the left-side navigation pane, click Stacks.
- On the Stacks page, click the stack that you created in Step 1.
- Click the Resources tab to view the information about resources in the stack. The following table describes the resources in this example.
- ALIYUN::RAM::Group (quantity: 6): creates six RAM user groups. You can use the user groups to classify RAM users that share the same responsibilities and grant permissions to the group rather than to each user, which simplifies the management of RAM users and their permissions. Specifications: none.
- ALIYUN::ECS::SecurityGroup (quantity: 3): creates three security groups that divide the deployment into separate security domains in Alibaba Cloud. Specifications: none.
- ALIYUN::RDS::DBInstance (quantity: 1): creates an ApsaraDB RDS instance to store data. Specifications: rds.mysql.s2.large (the general-purpose instance family with 2 cores and 4 GB of memory); storage space: 20 GB.
- ALIYUN::ECS::VSwitch (quantity: 3): creates three vSwitches to manage instances within a zone. Specifications: none.
- ALIYUN::OSS::Bucket (quantity: 5): creates five OSS buckets to store data for the development, production, and test environments. Specifications: none.
- ALIYUN::ECS::Instance (quantity: 3): creates three ECS instances to carry the business load of the development, production, and test environments. Specifications: quantity: 3; instance type: ecs.c5.large; disk type: ultra disk; system disk size: 40 GB; public IP address: none assigned.
- ALIYUN::RAM::Role (quantity: 3): creates three RAM roles that issue Security Token Service (STS) tokens valid for a limited period, so that access permissions are granted through short-lived role credentials rather than long-lived keys. Specifications: none.
- ALIYUN::RAM::User (quantity: 3): creates three RAM users for the people or applications that frequently access Alibaba Cloud resources. Specifications: none.
- ALIYUN::ECS::VPC (quantity: 3): creates three VPCs to isolate the networks of the three environments in Alibaba Cloud. Specifications: none.
Note: For more information about the resource charges, see the pricing schedule on the official website or the product pricing documentation.