All Products
Search

This Product

    CloudOps Orchestration Service:Grant RAM permissions to OOS

    Document Center

    CloudOps Orchestration Service:Grant RAM permissions to OOS

    Last Updated:Dec 28, 2023

    This topic describes how to authorize CloudOps Orchestration Service (OOS) to access other cloud services. You can also authorize a user to access OOS. For more information, see Access control.

    OOS uses temporary tokens that are issued by Security Token Service (STS) to access the APIs of other cloud services. To access your resources, assign a RAM role to the OOS account.

    • If no RAM role is specified in a template, OOS uses the default role OOSServiceRole.

    • If a RAM role is specified in a template, OOS uses the specified role.

    Note

    Temporary tokens are updated on a periodic basis.

    Required permissions for OOS

    The set of cloud service API-specific permissions varies based on the specified OOS template to be executed. You can call the GenerateExecutionPolicy operation of OOS to obtain a set of permissions that are required to execute a specified template. Then, grant the RAM role the required permissions to execute the template based on the principle of least privilege. You can also grant all the permissions to access the related cloud services to the RAM role.

    Create a RAM role for OOS

    For more information, see Create a RAM role for a trusted Alibaba Cloud service. To create a RAM role for OOS, perform the following steps:

    1. Log on to the Resource Access Management (RAM) console by using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select Alibaba Cloud Service as Select Trusted Entity and click Next.

    5. Select Normal Service Role as Role Type and enter a role name. If no RAM role is specified in a template, OOS uses the default role OOSServiceRole. Select Operation Orchestration Service from the Select Trusted Service drop-down list.

    6. Click OK.

    7. Click Close.

    Attach the required policy to the OOS-trusted role

    For more information, see Grant permissions to a RAM role. To attach the required policy to the OOS-trusted role, perform the following steps:

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.

    4. In the Add Permissions panel, grant permissions to the RAM role.

      1. Principal: Select the RAM role that you created, such as OOSServiceRole.

      2. Select Policy: Select one or more policies based on the permissions that are required to execute an OOS template. In this example, the AliyunECSFullAccess policy is attached to the OOSServiceRole role. This allows the role to execute ECS API-related tasks.

    5. Click OK.

    6. Click Complete.