All Products
Document Center

Operation Orchestration Service:Use encryption parameters for template executions

Last Updated:Sep 22, 2021

You can use the encryption parameter feature in the parameter warehouse of Operation Orchestration Service (OOS) to store sensitive data such as passwords and keys. This way, such data is no longer displayed in plaintext, and the stored data can also be directly used. This topic describes how to use encryption parameters in a template of OOS.


  1. Log on to the OOS console.

  2. In the left-side navigation pane, click Parameter Store. On the Encryption Parameters tab, create an encryption parameter. For more information, see the Create encryption parameters section of the Manage encryption parameters topic. In this example, an encryption parameter named InstancePassword is created, as shown in the following figure.instance-secret-password-01

  3. After the encryption parameter is created, create a template, or select an existing custom template or a public template. In this example, a template used to change the password of an instance is created. Use the following sample code:

    FormatVersion: OOS-2019-06-01
    Description: Bulky modify the password of an ECS instance.
        Type: String
        Description: The id of region.
        AssociationProperty: RegionId
        Default: '{{ ACS::RegionId }}'
        Type: Json
        AssociationProperty: Targets
          ResourceType: 'ALIYUN::ECS::Instance'
          RegionId: regionId
        Description: The password of the ECS instance.
        Type: String
        Description: Concurrency ratio of task execution.
        Type: Json
        AssociationProperty: RateControl
          Mode: Concurrency
          MaxErrors: 0
          Concurrency: 10
        Description: The RAM role to be assumed by OOS.
        Type: String
        Default: OOSServiceRole
    RamRole: '{{ OOSAssumeRole }}'
      - Name: getInstance
        Description: Views the ECS instances.
        Action: 'ACS::SelectTargets'
          ResourceType: 'ALIYUN::ECS::Instance'
          RegionId: '{{ regionId }}'
            - '{{ targets }}'
            Type: List
            ValueSelector: 'Instances.Instance[].InstanceId'
      - Name: resetPassword
        Action: 'ACS::ECS::ResetPassword'
        Description: Modify the password of an ECS instance.
          regionId: '{{ regionId }}'
          instanceId: '{{ ACS::TaskLoopItem }}'
          password: '{{ instancePassword }}'
          RateControl: '{{ rateControl }}'
          Items: '{{ getInstance.instanceIds }}'
            Type: String
            ValueSelector: instanceId
  4. After the template is created, find the template on the My Templates page and click Create Execution in the Actions column. In the Create wizard, configure the basic information and click Next: Parameter Settings.

  5. In the Parameter Settings step, enter a value in the instancePassword field. You can also click the Select Parameter icon next to the instancePassword field to select a parameter from the parameter warehouse, such as the encryption parameter created in Step 2, as shown in the following figure.

  6. After you click the Select Parameter icon, the Select Parameter dialog box appears. In the Select Parameter dialog box, set the Parameter Type parameter to Encryption Parameters, search for and select the encryption parameter that you created, and then click OK.

  7. After you set all the parameters as required, click Next: OK.

  8. In the OK step, confirm the parameter settings and click Create.

  9. On the execution details page that appears, view the execution of the current template. On the Basic Information tab, find the instancePassword parameter that uses the encryption parameter. The value of the instancePassword parameter is not displayed in plaintext.secret-instance-password-09

  10. On the execution details page, click the Logs tab. Find the logs of the call to the encryption parameter and view the original request. In the logs, the called encryption parameter is also encrypted. This indicates that you can use encryption parameters to encrypt sensitive data such as passwords.instance-secret-password-08

  11. After the template is executed, find the instance whose password is changed and use the preset password in the encryption parameter to log on to the instance. Verify that you can log on to the instance.