Before you create a stack group that is granted self-managed permissions, you must
create RAM roles within the administrator and execution accounts to establish a trust
relationship between the accounts. Then, stacks that correspond to the stack group
are automatically deployed within the execution account.
Background information
Before you grant self-managed permissions to the stack group, you must create RAM
roles for the Alibaba Cloud accounts in the following table and grant permissions
to the roles.
| Alibaba Cloud account | RAM role | Policy | Description |
| --- | --- | --- | --- |
| Administrator account (Account A) | AliyunROSStackGroupAdministrationRole | The AssumeRole-AliyunROSStackGroupExecutionRole custom policy | Allows the AliyunROSStackGroupAdministrationRole administrator role to assume the AliyunROSStackGroupExecutionRole execution role. |
| Execution account (Account B) | AliyunROSStackGroupExecutionRole | The AdministratorAccess system policy | Allows the AliyunROSStackGroupExecutionRole execution role to manage all Alibaba Cloud resources that belong to the execution account. |
Note: The administrator account and the execution account can be the same Alibaba Cloud
account. For more information about administrator and execution accounts, see Terms.
When you use the administrator account to create a stack group in the Resource Orchestration
Service (ROS) console after you grant the permissions to the roles, stacks that correspond
to the stack group are automatically deployed within the execution account.
Method 1: Grant self-managed permissions in the ROS console
- Grant permissions to the execution account.
  - Log on to the Resource Access Management (RAM) console with the execution account.
  - Create the AliyunROSStackGroupExecutionRole RAM role for the execution account and specify the administrator account as a trusted entity of the role.
    - In the left-side navigation pane, choose .
    - On the Roles page, click Create Role.
    - In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Account and click Next.
    - Enter AliyunROSStackGroupExecutionRole in the RAM Role Name field, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, and then enter the ID of the administrator account.
    - Click OK.
  - Attach the AdministratorAccess policy to the AliyunROSStackGroupExecutionRole execution role.
    - In the Configure Role step of the Create Role panel, click Add Permissions to RAM role.
    - By default, the Principal parameter is configured in the Add Permissions panel. Set Authorized Scope to Alibaba Cloud Account.
    - Set Select Policy to System Policy and click AdministratorAccess.
    - Click OK.
    - Click Complete.
- Grant permissions to the administrator account.
  - Log on to the RAM console with the administrator account.
  - Create the AliyunROSStackGroupAdministrationRole RAM role for the administrator account and specify ROS as a trusted entity of the role.
    - In the left-side navigation pane, choose .
    - On the Roles page, click Create Role.
    - In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Service and click Next.
    - Set Role Type to Normal Service Role.
    - Enter AliyunROSStackGroupAdministrationRole in the RAM Role Name field and select Resource Orchestration Service from the Select Trusted Service drop-down list.
    - Click OK.
    - Click Close.
  - Create the AssumeRole-AliyunROSStackGroupExecutionRole custom policy.
    - In the left-side navigation pane, choose .
    - On the policy management page, click Create Policy.
    - On the Create Custom Policy page, enter AssumeRole-AliyunROSStackGroupExecutionRole in the Policy Name field, set Configuration Mode to Script, and then enter the following script in the script editor. This policy allows the AliyunROSStackGroupAdministrationRole administrator role to assume the AliyunROSStackGroupExecutionRole execution role.

      ```json
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
          }
        ],
        "Version": "1"
      }
      ```

    - Click OK.
  - Attach the AssumeRole-AliyunROSStackGroupExecutionRole policy to the AliyunROSStackGroupAdministrationRole administrator role.
    - In the left-side navigation pane, choose .
    - On the Roles page, find the AliyunROSStackGroupAdministrationRole administrator role, and click Add Permissions in the Actions column.
    - By default, the Principal parameter is configured in the Add Permissions panel. Set Authorized Scope to Alibaba Cloud Account.
    - Set Select Policy to Custom Policy and click AssumeRole-AliyunROSStackGroupExecutionRole.
    - Click OK.
    - Click Complete.
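The two trust relationships that the console steps above set up (the execution role trusting the administrator account, the administrator role trusting ROS) plus the custom AssumeRole policy, written out as RAM policy documents and run through a small least-privilege check. This is an added example, not Alibaba Cloud's own tooling or template: the account ID is a constructed placeholder, the service principal name `ros.aliyuncs.com` and the `Principal` document layout are assumptions, and the custom policy is the one shown on the page.

```python
"""Build the policy documents behind a self-managed stack group and check
that each side of the trust relationship is scoped as tightly as intended."""
import json

ADMIN_ACCOUNT_ID = "123456789012345678"  # constructed placeholder for Account A
EXECUTION_ROLE = "AliyunROSStackGroupExecutionRole"
ADMIN_ROLE = "AliyunROSStackGroupAdministrationRole"
ROS_SERVICE_PRINCIPAL = "ros.aliyuncs.com"  # assumed ROS service principal


def execution_role_trust_policy(admin_account_id):
    """Trust policy of the execution role in Account B. Only the administrator
    account may assume it (console: Trusted Entity = Other Alibaba Cloud Account)."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [f"acs:ram::{admin_account_id}:root"]},
        }],
        "Version": "1",
    }


def admin_role_trust_policy():
    """Trust policy of the administrator role in Account A. Only the ROS service
    may assume it (console: Trusted Service = Resource Orchestration Service)."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [ROS_SERVICE_PRINCIPAL]},
        }],
        "Version": "1",
    }


def assume_execution_role_policy():
    """The AssumeRole-AliyunROSStackGroupExecutionRole custom policy from the page."""
    return {
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"acs:ram::*:role/{EXECUTION_ROLE}",
        }],
        "Version": "1",
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_principals, principal_key):
    """Findings for a trust policy: each Allow statement must grant only
    sts:AssumeRole and name exactly the expected principals, with no wildcard."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"trust policy grants more than sts:AssumeRole: {sorted(actions)}")
        principals = set(_as_list(stmt.get("Principal", {}).get(principal_key, [])))
        if any("*" in p for p in principals):
            findings.append("wildcard principal in trust policy")
        if principals != set(expected_principals):
            findings.append(f"trust principals {sorted(principals)} differ from expected")
    return findings


def check_assume_role_policy(doc, role_name):
    """Findings for the administrator role's permission policy: it must allow
    only sts:AssumeRole, and only on roles named role_name."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"policy grants more than sts:AssumeRole: {sorted(actions)}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or not res.endswith(f":role/{role_name}"):
                findings.append(f"resource not scoped to role {role_name}: {res}")
    return findings


def audit(admin_account_id=ADMIN_ACCOUNT_ID):
    """Run all three checks; an empty list per entry means the document is as expected."""
    return {
        "execution_role_trust": check_trust_policy(
            execution_role_trust_policy(admin_account_id),
            {f"acs:ram::{admin_account_id}:root"}, "RAM"),
        "admin_role_trust": check_trust_policy(
            admin_role_trust_policy(), {ROS_SERVICE_PRINCIPAL}, "Service"),
        "admin_assume_policy": check_assume_role_policy(
            assume_execution_role_policy(), EXECUTION_ROLE),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'OK' if not findings else findings}")
    print(json.dumps(execution_role_trust_policy(ADMIN_ACCOUNT_ID), indent=2))
```

Note that the custom policy uses `*` in the account position of its `Resource`, so the administrator role is permitted to attempt `sts:AssumeRole` against a role of that name in any account; what actually bounds the relationship is the execution role's trust policy, which names only the administrator account. When reviewing an existing setup, the execution account's trust policy is therefore the side worth checking first, which is what `check_trust_policy` does.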
Method 2: Grant self-managed permissions by using an ROS template
You can use an ROS template to create RAM roles for the administrator and execution
accounts, and grant permissions on stack groups and stacks to the roles.
- Log on to the ROS console with the administrator account.
- Use the AliyunROSStackGroupAdministrationRole template to create a RAM role for the administrator account and grant the permissions to the administrator role.
- Use the AliyunROSStackGroupExecutionRole template to create a RAM role for the execution account and grant the permissions to the execution role.