Compute Nest: Grant permissions on the PassRole action to a RAM user

Last Updated: Jun 06, 2025

When customers create fully managed service instances, Compute Nest uses the permissions of a Resource Access Management (RAM) role within the Alibaba Cloud account of the service provider to create resources. If service providers want to create fully managed services as a RAM user, they must grant permissions on the PassRole action to the RAM user. This topic describes how to grant permissions on the PassRole action to a RAM user.

Prerequisites

A RAM role with Compute Nest as the trusted entity is created. For more information, see Create a role with Compute Nest as a trusted service.

Procedure

  1. Log on to the RAM console by using the Alibaba Cloud account.

  2. Create a custom policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click JSON.

    4. On the JSON tab, enter the following content in the code editor:

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ram:PassRole"
            ],
            "Resource": [
              "*"
            ],
            "Condition": {
              "StringEquals": {
                "acs:Service": [
                  "supplier.computenest.aliyuncs.com"
                ]
              }
            }
          }
        ]
      }

    5. Click OK. In the dialog box that appears, configure the policy name and other basic information and click OK.

  3. After the policy is created, attach the policy to a RAM user or RAM user group.

    In this step, find and select the custom policy created in the previous step. For more information, see Grant permissions to RAM users and Grant permissions to a RAM user group.
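
Before attaching the policy, it can be checked offline. The following is an added example, not part of the original documentation or Alibaba Cloud tooling: it audits a policy document for `ram:PassRole` grants and reports whether the `acs:Service` condition from step 2 is present. The function names, finding labels, and the unscoped sample policy are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

EXPECTED_SERVICE = "supplier.computenest.aliyuncs.com"  # value from the policy above

# The policy from step 2 of this page.
PAGE_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ram:PassRole"], "Resource": ["*"],
  "Condition": {"StringEquals": {"acs:Service": ["supplier.computenest.aliyuncs.com"]}}}]}"""

# Constructed counter-example: the same grant with the Condition block left out.
UNSCOPED_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ram:PassRole"], "Resource": ["*"]}]}"""

def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_passrole(action):
    """True if an Action pattern (which may contain '*') covers ram:PassRole."""
    return fnmatchcase("ram:passrole", action.lower())

def audit_passrole(policy_json, allowed_services=(EXPECTED_SERVICE,)):
    """Return (statement_index, finding) pairs for Allow statements granting ram:PassRole."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(grants_passrole(a) for a in as_list(stmt.get("Action"))):
            continue
        # Simplification: only an exact "StringEquals" / "acs:Service" condition is recognised.
        services = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service"))
        if not services:
            findings.append((i, "no-service-condition"))  # role can be passed to any service
        elif any(s not in allowed_services for s in services):
            findings.append((i, "unexpected-service"))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((i, "wildcard-resource"))  # covers every role in the account
    return findings

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, audit_passrole(doc))
```

For the policy on this page the only finding is `wildcard-resource`: the RAM user can pass any role in the account, but only to the Compute Nest service named in the condition.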