This topic describes how to use Resource Access Management (RAM) to manage permissions for a RAM user. This topic also describes how to manage RAM users, create resource groups, grant permissions, and configure access control. In this example, an e-commerce website project is used.
Prerequisites
To use RAM to manage permissions for RAM users, you can start from the sample template that Resource Orchestration Service (ROS) provides. The template builds the environments in which you manage RAM users and grant permissions. To build the environments, go to the Use RAM to Manage Account Permissions page. Before you build the environments, make sure that the following operations are performed:
You are authorized to access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, Object Storage Service (OSS), and RAM.
The resource groups for development, production, and test environments are created. The IDs of the resource groups are obtained. For more information about how to create resource groups, see Create a resource group.
Step 1: Create a stack
Log on to the ROS console.
In the left-side navigation pane, choose Templates > Public Templates.
On the page that appears, find the Use RAM to Manage Account Permissions template.
Click Create Stack.
On the page that appears, configure the Stack Name parameter and the following parameters.
The parameters are listed by section in the form Parameter: Description. Example: value.
RESOURCE
Development Resource Group ID: The ID of the resource group that you use in the development environment. Example: rg-aekzs3xmizs****
Production Resource Group ID: The ID of the resource group that you use in the production environment. Example: rg-aekzko7fsuj****
Test Resource Group ID: The ID of the resource group that you use in the test environment. Example: rg-aekzsvnra53****
VPC
Develop Environment VPC CIDR Block: The CIDR block of the VPC that you use in the development environment. Example: 172.16.0.0/12
Production Environment VPC CIDR Block: The CIDR block of the VPC that you use in the production environment. Example: 10.0.0.0/8
Test Environment VPC CIDR Block: The CIDR block of the VPC that you use in the test environment. Example: 192.168.0.0/16
Choose CIDR blocks that do not overlap across the three environments, as in the examples, so that the VPCs can be connected later without address conflicts.
VSwitch Availability Zone: The zone ID of the vSwitch in the VPC. Example: Hangzhou Zone K
Develop VSwitch CIDR Block: The CIDR block of the vSwitch that you use in the development environment. The value must be a subnet of the CIDR block of the development VPC. Example: 172.16.10.0/24
Production VSwitch CIDR Block: The CIDR block of the vSwitch that you use in the production environment. The value must be a subnet of the CIDR block of the production VPC. Example: 10.0.10.0/24
Test VSwitch CIDR Block: The CIDR block of the vSwitch that you use in the test environment. The value must be a subnet of the CIDR block of the test VPC. Example: 192.168.10.0/24
ECS
Instance Type: The instance type of the ECS instance. Select a valid instance type. For more information, see Overview of instance families. Example: ecs.c5.large
Image: The ID of the image that you want to use for the ECS instance. Default: centos_7. For more information, see Overview. Example: centos_7
System Disk Type: The type of the system disk of the ECS instance. Valid values: cloud_efficiency (ultra disk), cloud_ssd (standard SSD), cloud_essd (Enterprise SSD, ESSD), cloud (basic disk), ephemeral_ssd (local SSD). For more information, see Disks. Example: cloud_efficiency
System Disk Space: The size of the system disk. Valid values: 40 to 500. Unit: GB. Example: 40
Instance Password: The password that you use to log on to the ECS instance. The value is stored as a stack parameter, so choose a strong password and rotate it once the environment is built. Example: Test_12****
RDS
Type And Version: The database engine and version of the ApsaraDB RDS instance. Example: MySQL-5.7
Specifications: The instance type of the ApsaraDB RDS instance. Select a valid instance type. For more information, see Primary ApsaraDB RDS instance types. Example: rds.mysql.s2.large
Storage Space: The storage space of the ApsaraDB RDS instance. Valid values: 5 to 1000, in 5 GB increments. Unit: GB. Example: 5
OSS
Access Control: The access control list (ACL) of the OSS buckets. Valid values:
private: Identity is verified for every read and write operation on the objects. Only the bucket owner and RAM identities that have been granted the required permissions can access the objects.
public-read: Identity is verified for write operations only. Anyone, including anonymous users, can read the objects.
public-read-write: Identity is verified for neither reads nor writes. Anyone can upload, overwrite, or delete objects. Do not use this value for the buckets in this example, which hold code and environment data.
Example: private
Storage Type: The storage class of the OSS buckets. Valid values: Standard (the Standard storage class), IA (the Infrequent Access storage class), Archive (the Archive storage class). Example: Standard
Bucket names are globally unique across OSS. If a name in the examples below is already taken, stack creation fails, so choose your own names.
Develop Bucket Name: The name of the OSS bucket that you use in the development environment. Example: ros-projects-dev
Production Bucket Name: The name of the OSS bucket that you use in the production environment. Example: ros-projects-prod
Test Bucket Name: The name of the OSS bucket that you use in the test environment. Example: ros-projects-test
Code Release Bucket Name: The name of the OSS bucket that stores code to be released. Example: ros-projects-code
Other Bucket Name: The name of the OSS bucket that you use for other purposes. Example: ros-projects-other
Publish Directory: The name of the OSS directory that you use in the development environment. Example: release
Production Directory: The name of the OSS directory that you use in the production environment. Example: prod
RAM
Operation User Group Name: The name of the user group that you use for O&M. Example: sa
Develop User Group Name: The name of the user group that you use for development. Example: dev
Test User Group Name: The name of the user group that you use for test. Example: test
Development Environment User Group Name: The name of the user group that you use in the development environment. Example: app-dev
Production Environment User Group Name: The name of the user group that you use in the production environment. Example: app-prod
Test Environment User Group Name: The name of the user group that you use in the test environment. Example: app-test
Development Permission User Name: The name of the RAM user that has development permissions. Example: sts_dev
Production Permission User Name: The name of the RAM user that has production permissions. Example: sts_prod
Test Permission User Name: The name of the RAM user that has test permissions. Example: sts_test
Click Create.
On the Stack Information tab, view the status of the stack. After the stack is created, the Outputs tab shows the AccessKey IDs and AccessKey secrets of the RAM users for the development, test, and production environments. These are long-term credentials, and anyone who can view the stack can read them: distribute them over a secure channel, keep them out of source code, and rotate them if they are exposed. The RAM roles in this stack exist to issue temporary STS tokens (see Step 2), so routine access should use those tokens rather than the AccessKey pair itself.
Step 2: View resources in the stack
In the left-side navigation pane, choose Deployment > Stacks.
On the Stacks page, click the ID of the created stack.
Click the Resources tab to view the information about resources in the stack.
The following list describes the resources in this example (resource type, quantity, description, and specification).
ALIYUN::RAM::Group (6): Creates six RAM user groups. Use them to classify RAM users that have the same responsibilities and to grant permissions at the group level, which simplifies the management of RAM users and their permissions. Specification: none.
ALIYUN::ECS::SecurityGroup (3): Creates three security groups, one per VPC, to divide security domains in Alibaba Cloud. Specification: none.
ALIYUN::RDS::DBInstance (1): Creates an ApsaraDB RDS instance to store data. Specification: rds.mysql.s2.large (general-purpose instance family, 2 cores and 4 GB memory); storage space 20 GB.
ALIYUN::ECS::VSwitch (3): Creates three vSwitches, one per VPC, in which the instances of a zone are placed. Specification: none.
ALIYUN::OSS::Bucket (5): Creates five OSS buckets: one each for the development, production, and test environments, one for code to be released, and one for other purposes. Specification: none.
ALIYUN::ECS::Instance (3): Creates three ECS instances to run the workloads of the development, production, and test environments. Specification: quantity 3; instance type ecs.c5.large; disk type ultra disk; system disk size 40 GB; no public IP addresses are assigned.
ALIYUN::RAM::Role (3): Creates three RAM roles, one per environment. A RAM user assumes its environment's role to obtain Security Token Service (STS) tokens that are valid only for a limited period, so permissions are granted through the role and short-lived credentials rather than through the user's long-term AccessKey pair. Specification: none.
ALIYUN::RAM::User (3): Creates three RAM users (sts_dev, sts_prod, and sts_test in this example) for the people or applications that access Alibaba Cloud resources regularly. Specification: none.
ALIYUN::ECS::VPC (3): Creates three VPCs, one per environment, so that development, production, and test traffic is isolated at the network layer. Specification: none.
Note: For more information about the pricing of these resources, go to the relevant console or see the pricing documentation of each resource.
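The RAM parameters of Step 1 and the RAM::Group, RAM::User and RAM::Role resources of Step 2 together implement one pattern: a RAM user per environment whose long-term AccessKey can do nothing but assume that environment's role, while the role's permissions are scoped to the environment's resource group. The following added example, which is not the page's public template or any Alibaba Cloud code, builds that part of a ROS template as JSON for two environments and checks the generated policies with a minimal RAM evaluator. The account ID is a constructed placeholder, the ALIYUN::RAM::* property names (GroupName, UserName, Groups, Policies, AssumeRolePolicyDocument, DependsOn, the AccessKeyId attribute) and the acs:ResourceGroupId condition key are assumptions to verify against the ROS and RAM references before use, and the evaluator covers only the wildcards and String conditions the example needs.

```python
"""Added example: per-environment RAM resources for a ROS template, plus a
minimal RAM policy evaluator to check the least-privilege intent.
Property names and the condition key are assumptions (see lead-in)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"        # constructed placeholder, not a real account ID
DEV_RG = "rg-aekzs3xmizs****"      # resource-group IDs as shown on the page
PROD_RG = "rg-aekzko7fsuj****"


def assume_role_policy(role_arn):
    """Policy for the RAM user: its long-term AccessKey may only assume one
    role. Every real permission lives on the role, so a leaked key is only
    worth the short-lived STS tokens it can still mint."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def env_permission_policy(rg_id):
    """Policy for the role: ECS/RDS/OSS access limited to resources in one
    resource group through the acs:ResourceGroupId condition key (assumed to
    be honoured by these services; check each API's condition-key support)."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "rds:*", "oss:*"], "Resource": "*",
         "Condition": {"StringEquals": {"acs:ResourceGroupId": rg_id}}}]}


def ros_rbac_resources(env, rg_id, user_name):
    """ROS resources for one environment: group, user, role and AccessKey."""
    role_name = f"{env}-role"
    role_arn = f"acs:ram::{ACCOUNT_ID}:role/{role_name}"
    return {
        f"{env}Group": {"Type": "ALIYUN::RAM::Group",
                        "Properties": {"GroupName": f"app-{env}"}},
        f"{env}User": {"Type": "ALIYUN::RAM::User", "DependsOn": f"{env}Group",
                       "Properties": {
                           "UserName": user_name,
                           "Groups": [f"app-{env}"],
                           "Policies": [{"PolicyName": f"{env}-assume-role",
                                         "PolicyDocument": assume_role_policy(role_arn)}]}},
        f"{env}Role": {"Type": "ALIYUN::RAM::Role", "Properties": {
            "RoleName": role_name,
            # Trust the whole account; which RAM user may actually assume the
            # role is decided by that user's own sts:AssumeRole policy above.
            "AssumeRolePolicyDocument": {"Version": "1", "Statement": [
                {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"RAM": [f"acs:ram::{ACCOUNT_ID}:root"]}}]},
            "Policies": [{"PolicyName": f"{env}-rg-scope",
                          "PolicyDocument": env_permission_policy(rg_id)}]}},
        f"{env}AccessKey": {"Type": "ALIYUN::RAM::AccessKey", "DependsOn": f"{env}User",
                            "Properties": {"UserName": user_name}},
    }


def _conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if (op == "StringEquals" and have != want) or \
               (op == "StringNotEquals" and have == want):
                return False
    return True


def is_allowed(policy, action, resource="*", ctx=None):
    """Minimal RAM evaluation: default deny, an explicit Deny beats any Allow,
    '*' wildcards in Action and Resource, String(Not)Equals conditions."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def build_template():
    """Assemble the RAM part of a ROS template for the dev and prod environments."""
    template = {"ROSTemplateFormatVersion": "2015-09-01", "Resources": {}, "Outputs": {}}
    for env, rg in (("dev", DEV_RG), ("prod", PROD_RG)):
        template["Resources"].update(ros_rbac_resources(env, rg, f"sts_{env}"))
        # Outputs are readable by anyone who can view the stack: treat them as secrets.
        template["Outputs"][f"{env}AccessKeyId"] = {
            "Value": {"Fn::GetAtt": [f"{env}AccessKey", "AccessKeyId"]}}
    return template


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))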
