Before you create a stack group that is granted self-managed permissions, you must create RAM roles within the administrator and execution accounts to establish a trust relationship between the accounts. Then, stacks that correspond to the stack group are automatically deployed within the execution account.

Background information

Before you grant self-managed permissions to the stack group, you must create RAM roles for the Alibaba Cloud accounts in the following table and grant permissions to the roles.

Alibaba Cloud account | RAM role | Policy | Description
Administrator account (Account A) | AliyunROSStackGroupAdministrationRole | AssumeRole-AliyunROSStackGroupExecutionRole (custom policy) | Allows the AliyunROSStackGroupAdministrationRole administrator role to assume the AliyunROSStackGroupExecutionRole execution role.
Execution account (Account B) | AliyunROSStackGroupExecutionRole | AdministratorAccess (system policy) | Allows the AliyunROSStackGroupExecutionRole execution role to manage all Alibaba Cloud resources that belong to the execution account.

Note: The administrator account and the execution account can be the same Alibaba Cloud account. For more information about administrator and execution accounts, see Terms.

When you use the administrator account to create a stack group in the Resource Orchestration Service (ROS) console after you grant the permissions to the roles, stacks that correspond to the stack group are automatically deployed within the execution account.

Method 1: Grant self-managed permissions in the ROS console

  1. Grant permissions to the execution account.
    1. Log on to the Resource Access Management (RAM) console with the execution account.
    2. Create the AliyunROSStackGroupExecutionRole RAM role for the execution account and specify the administrator account as a trusted entity of the role.
      1. In the left-side navigation pane, choose Identities > Roles.
      2. On the Roles page, click Create Role.
      3. In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Account and click Next.
      4. Enter AliyunROSStackGroupExecutionRole in the RAM Role Name field, set Select Trusted Alibaba Cloud Account to Other Alibaba Cloud Account, and then enter the ID of the administrator account.
      5. Click OK.
    3. Attach the AdministratorAccess policy to the AliyunROSStackGroupExecutionRole execution role.
      1. In the Configure Role step of the Create Role panel, click Add Permissions to RAM role.
      2. By default, the Principal parameter is configured in the Add Permissions panel. Set Authorized Scope to Alibaba Cloud Account.
      3. Set Select Policy to System Policy and click AdministratorAccess.
      4. Click OK.
      5. Click Complete.
  2. Grant permissions to the administrator account.
    1. Log on to the RAM console with the administrator account.
    2. Create the AliyunROSStackGroupAdministrationRole RAM role for the administrator account and specify ROS as a trusted entity of the role.
      1. In the left-side navigation pane, choose Identities > Roles.
      2. On the Roles page, click Create Role.
      3. In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Service and click Next.
      4. Set Role Type to Normal Service Role.
      5. Enter AliyunROSStackGroupAdministrationRole in the RAM Role Name field and select Resource Orchestration Service from the Select Trusted Service drop-down list.
      6. Click OK.
      7. Click Close.
    3. Create the AssumeRole-AliyunROSStackGroupExecutionRole custom policy.
      1. In the left-side navigation pane, choose Permissions > Policies.
      2. On the policy management page, click Create Policy.
      3. On the Create Custom Policy page, enter AssumeRole-AliyunROSStackGroupExecutionRole in the Policy Name field, set Configuration Mode to Script, and then enter the following script in the script editor.
        This policy allows the AliyunROSStackGroupAdministrationRole administrator role to assume the AliyunROSStackGroupExecutionRole execution role.
        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
            }
          ],
          "Version": "1"
        }
      4. Click OK.
    4. Attach the AssumeRole-AliyunROSStackGroupExecutionRole policy to the AliyunROSStackGroupAdministrationRole administrator role.
      1. In the left-side navigation pane, choose Identities > Roles.
      2. On the Roles page, find the AliyunROSStackGroupAdministrationRole administrator role, and click Add Permissions in the Actions column.
      3. By default, the Principal parameter is configured in the Add Permissions panel. Set Authorized Scope to Alibaba Cloud Account.
      4. Set Select Policy to Custom Policy and click AssumeRole-AliyunROSStackGroupExecutionRole (the custom policy created in the previous step).
      5. Click OK.
      6. Click Complete.

Method 2: Grant self-managed permissions by using an ROS template

You can use an ROS template to create RAM roles for the administrator and execution accounts, and grant permissions on stack groups and stacks to the roles.

  1. Log on to the ROS console with the administrator account.
  2. Use the AliyunROSStackGroupAdministrationRole template to create a RAM role for the administrator account and grant the permissions to the administrator role.
  3. Use the AliyunROSStackGroupExecutionRole template to create a RAM role for the execution account and grant the permissions to the execution role.
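The following Python script is an added example and is not one of the ROS sample templates named above. It builds the two role definitions that the custom policy section and Method 2 describe (the administrator role trusted by the ROS service and carrying the AssumeRole-AliyunROSStackGroupExecutionRole policy, and the execution role trusted by the administrator account with AdministratorAccess attached) as ROS templates, then checks the three trust links before anything is deployed. Assumptions: the ALIYUN::RAM::Role and ALIYUN::RAM::AttachPolicyToRole property names (RoleName, AssumeRolePolicyDocument, Policies, PolicyName, PolicyType) and the ros.aliyuncs.com service principal are from my reading of the ROS and RAM documentation and should be verified against the current reference; the administrator account ID is a constructed placeholder.

```python
import json

# Constructed placeholder: replace with the real administrator account ID.
ADMIN_ACCOUNT_ID = "ADMIN_ACCOUNT_ID_PLACEHOLDER"
EXEC_ROLE = "AliyunROSStackGroupExecutionRole"
ADMIN_ROLE = "AliyunROSStackGroupAdministrationRole"
ASSUME_POLICY = "AssumeRole-AliyunROSStackGroupExecutionRole"


def execution_role_trust_policy(admin_account_id):
    """Trust policy for the execution role: only the administrator account may assume it."""
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"RAM": [f"acs:ram::{admin_account_id}:root"]}}],
            "Version": "1"}


def administration_role_trust_policy():
    """Trust policy for the administrator role: only the ROS service may assume it (assumed principal)."""
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": ["ros.aliyuncs.com"]}}],
            "Version": "1"}


def assume_execution_role_policy():
    """Permission policy from the page: lets the administrator role assume the execution role."""
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": f"acs:ram::*:role/{EXEC_ROLE}"}],
            "Version": "1"}


def build_templates(admin_account_id):
    """Return one ROS template per account as plain dicts (property names are assumptions)."""
    administrator = {
        "ROSTemplateFormatVersion": "2015-09-01",
        "Resources": {"AdministrationRole": {
            "Type": "ALIYUN::RAM::Role",
            "Properties": {
                "RoleName": ADMIN_ROLE,
                "AssumeRolePolicyDocument": administration_role_trust_policy(),
                # Inline custom policy attached to the role
                "Policies": [{"PolicyName": ASSUME_POLICY,
                              "PolicyDocument": assume_execution_role_policy()}]}}}}
    execution = {
        "ROSTemplateFormatVersion": "2015-09-01",
        "Resources": {
            "ExecutionRole": {
                "Type": "ALIYUN::RAM::Role",
                "Properties": {
                    "RoleName": EXEC_ROLE,
                    "AssumeRolePolicyDocument": execution_role_trust_policy(admin_account_id)}},
            "AttachAdministratorAccess": {
                "Type": "ALIYUN::RAM::AttachPolicyToRole",
                "DependsOn": "ExecutionRole",
                "Properties": {"PolicyName": "AdministratorAccess",
                               "PolicyType": "System",
                               "RoleName": EXEC_ROLE}}}}
    return {"administrator": administrator, "execution": execution}


def check_trust_chain(templates, admin_account_id):
    """Verify the three links ROS relies on; return a list of problems (empty when sound)."""
    problems = []
    admin_props = templates["administrator"]["Resources"]["AdministrationRole"]["Properties"]
    exec_props = templates["execution"]["Resources"]["ExecutionRole"]["Properties"]

    # Link 1: the ROS service must be allowed to assume the administrator role.
    admin_trust = admin_props["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]
    if "ros.aliyuncs.com" not in admin_trust.get("Service", []):
        problems.append("administrator role does not trust ros.aliyuncs.com")

    # Link 2: the administrator role must be granted sts:AssumeRole on the execution role by name.
    resources = [s["Resource"] for p in admin_props.get("Policies", [])
                 for s in p["PolicyDocument"]["Statement"]
                 if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRole"]
    if not any(r.endswith(f":role/{exec_props['RoleName']}") for r in resources):
        problems.append("administrator role cannot assume " + exec_props["RoleName"])

    # Link 3: the execution role must trust exactly the administrator account, never a wildcard.
    exec_trust = exec_props["AssumeRolePolicyDocument"]["Statement"][0]["Principal"].get("RAM", [])
    if exec_trust != [f"acs:ram::{admin_account_id}:root"]:
        problems.append("execution role trust policy does not name only the administrator account")
    return problems


if __name__ == "__main__":
    templates = build_templates(ADMIN_ACCOUNT_ID)
    print(json.dumps(templates, indent=2))
    print("problems:", check_trust_chain(templates, ADMIN_ACCOUNT_ID) or "none")
```

Run the script once with the real administrator account ID, deploy the "administrator" template in the administrator account and the "execution" template in the execution account. The third check is the one worth keeping around: an execution role whose trust policy lists a wildcard or a second account lets more than the intended administrator account assume a role that carries AdministratorAccess.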