
Logic Composer: Authorize RAM users to orchestrate workflows

Last Updated: Apr 01, 2025

This topic describes how to authorize a Resource Access Management (RAM) user to use Logic Composer to orchestrate workflows on Alibaba Cloud resources.

Background information

Logic Composer may need to call the APIs of various Alibaba Cloud services to orchestrate workflows. Using your Alibaba Cloud account, you can assign to Logic Composer a RAM role that has the permissions required to call those API operations, and Logic Composer is then permitted to use that RAM role. However, a RAM user who runs Logic Composer does not automatically have permission to use this RAM role. You must grant the RAM user the PassRole permission on the required RAM role. The RAM user can then have Logic Composer use the RAM role to access service resources.

The following figure shows the procedure for authorizing a RAM user to use a RAM role of Logic Composer.

Important

You need to only perform Steps 1 to 5. The subsequent steps are automatically performed by the authorized Alibaba Cloud services.

Procedure for authorizing a RAM user without the read and write permissions on RAM

1. Create a RAM role. In this example, a RAM role named AliyunLogicComposerDefaultRole is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

Important

In this example, the RAM Role Name parameter is set to AliyunLogicComposerDefaultRole and the Select Trusted Service parameter is set to Logic Composer.

2. Grant permissions to the created RAM role. You must create a custom policy. For more information about how to create a custom policy, see Create a custom policy. The following sample code provides an example of a policy. You must modify the permissions in the sample code based on your business requirements.

{
  "Statement": [
    {
      "Action": [
        "*:TagResources",
        "oss:PutBucketTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Attach the custom policy to the RAM role created in Step 1. For more information, see Grant permissions to a RAM user. In this example, the attached policy is the custom policy that you created.

3. Create a RAM user. If a RAM user exists within your Alibaba Cloud account, skip this step. For more information about how to create a RAM user, see Create a RAM user. Grant the RAM user the permissions to use Logic Composer. For more information, see Grant permissions to a RAM user.

4. Assign the AliyunLogicComposerDefaultRole RAM role created in Step 2 to the RAM user that you created or used in Step 3. In this step, you must first create a custom policy as instructed in Step 2. Sample policy:

{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Resource": "acs:ram::<parent uid>:role/aliyunlogiccomposerdefaultrole",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "composer.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

Important

Set the value of the Resource parameter to the Alibaba Cloud Resource Name (ARN) of the RAM role that you assign to the Alibaba Cloud service. The ARN of a RAM role is the globally unique resource identifier of the RAM role and follows the ARN naming conventions provided by Alibaba Cloud. For example, the ARN of the devops RAM role that belongs to an Alibaba Cloud account is acs:ram::123456789012****:role/samplerole. After you create a RAM role, you can click the name of the RAM role and view its ARN in the Basic Information section.

5. Grant the policy to the RAM user. For more information, see Grant permissions to a RAM user.

6. After the previous steps are complete, log on to the Logic Composer console as the RAM user, configure a workflow, and authorize Logic Composer to call the required API operations.

6.1 If the RAM user does not have the read-only permissions on RAM, assign the RAM role to Logic Composer.

6.2 If the RAM user has the read-only permissions on RAM, select a RAM role as required.
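The PassRole policy in Step 4 is the control that keeps a RAM user from handing an arbitrary role to an arbitrary service, so it is worth checking before it is attached. The following added example (not code from the Alibaba Cloud documentation) is a small linter for RAM policy JSON: it flags every Allow statement that grants ram:PassRole without naming a single role ARN or without pinning the acs:Service condition to composer.aliyuncs.com. The account ID and the loose policy are constructed for illustration.

```python
import json
import re

# Constructed sample policies: the tight PassRole policy from Step 4 beside a
# loose variant that lets the RAM user pass any role to any service.
ROLE_ARN = "acs:ram::123456789012****:role/aliyunlogiccomposerdefaultrole"  # constructed account ID
TIGHT_POLICY = json.dumps({
    "Statement": [{
        "Action": "ram:PassRole",
        "Resource": ROLE_ARN,
        "Effect": "Allow",
        "Condition": {"StringEquals": {"acs:Service": "composer.aliyuncs.com"}},
    }],
    "Version": "1",
})
LOOSE_POLICY = json.dumps({
    "Statement": [{"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
})

# A single RAM role ARN: acs:ram::<account id>:role/<role name>, no wildcards in the name.
ROLE_ARN_RE = re.compile(r"^acs:ram::[0-9*]+:role/[^/*]+$")


def _as_list(value):
    """RAM policies allow a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def pass_role_findings(policy_json, expected_service="composer.aliyuncs.com"):
    """Return one finding per weakness in every Allow statement that grants ram:PassRole.

    An empty list means each PassRole grant is limited to one role ARN and is
    restricted via the acs:Service condition to the expected trusted service.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"ram:passrole", "ram:*", "*"}:
            continue
        for res in _as_list(st.get("Resource", [])):
            if not ROLE_ARN_RE.match(res):
                findings.append(f"statement {i}: PassRole resource {res!r} is not a single role ARN")
        services = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("acs:Service", []))
        if services != [expected_service]:
            findings.append(f"statement {i}: acs:Service condition is {services!r}, expected [{expected_service!r}]")
    return findings
```

Run `pass_role_findings(LOOSE_POLICY)` to see both findings; replace `<parent uid>` in the Step 4 policy with your account ID before checking it, since the placeholder is not a valid ARN.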

Procedure for authorizing a RAM user with the read and write permissions on RAM

1. When you configure a workflow in the Logic Composer console, assign a RAM role to Logic Composer to call the required API operations. You can attach a policy to the RAM role as prompted.