All Products
Search

This Product

    Resource Orchestration Service:Use a stack role

    Document Center

    Resource Orchestration Service:Use a stack role

    Last Updated:Dec 28, 2023

    This topic describes how to create a stack role and use the stack role to create resources.

    Scenario

    A stack role is a Resource Access Management (RAM) role whose trusted entity is Resource Orchestration Service (ROS). If you want ROS to deploy resources by using an account that has specific permissions rather than the current account, you can select a stack role when you create a stack in ROS. This way, ROS assumes the role to deploy resources.

    If an enterprise wants to grant the least permissions that allow an employee to create resources of multiple cloud services, the enterprise can assign a stack role that has the permissions to the employee. When the employee creates a stack, the employee can select a stack role to create the resources by using ROS. This topic describes how to use a stack role. In this example, an Alibaba Cloud account is used to create a stack role, and the stack role is assumed by a RAM user to create virtual private cloud (VPC) resources.

    Procedure

    Step 1: Create a stack role

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Service and click Next.

    5. Set Role Type to Normal Service Role.

    6. Configure the RAM Role Name and Note parameters.

    7. From the Select Trusted Service drop-down list, select Resource Orchestration Service. Then, click OK.

    Step 2: Obtain the policy required by a template

    1. Define the template that you want to use to create the VPC resources.

      For more information about how to create a template, see View resource types. 

      ROSTemplateFormatVersion: '2015-09-01'
Resources:
  Vpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      CidrBlock: 192.168.0.0/24
      VpcName: TestVpc

    2. Obtain the policy that is required by the template.

      1. Access the GenerateTemplatePolic operation in OpenAPI Explorer.

      2. In the TemplateBody field, enter the defined template.

      3. Click Initiate Call to obtain the policy that is used to create the VPC resources. 

        {
  "Policy": {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "quotas:ListProductQuotas"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "vpc:AssociateVpcCidrBlock",
          "vpc:CreateVpc",
          "vpc:DeleteVpc",
          "vpc:DescribeVpcs",
          "vpc:ModifyVpcAttribute",
          "vpc:TagResources",
          "vpc:UnTagResources"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  },
  "RequestId": "607A8E4E-4423-5D2D-8392-E74C5DC42EC5"
}

    Step 3: Create a custom policy

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.

    4. On the Create Policy page, click the JSON tab.

    5. Enter the content of your custom policy and click Next to edit policy information.

      In this topic, replace the default policy content with the policy content that you obtained in Step 2: Obtain the policy required by a template and modify the policy content based on your business requirements.

    6. Configure the Name and Description parameters for the policy.

    7. Click OK.

    Step 4: Grant permissions to the stack role

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, find the RAM role that you created in Step 1: Create a stack role and click Input and Attach in the Actions column.

      By default, the authorization scope of precise access control is the current Alibaba Cloud account.

    3. In the Add Permissions panel, set Type to Custom Policy and enter the name of the custom policy that you created in Step 3: Create a custom policy in the Policy Name field.

      For more information about how to view the name of a policy, see View the basic information about a policy.

    4. Click OK.

    Step 5: Create a stack by using the stack role

    Prerequisites

    The following operations are performed: Use your Alibaba Cloud account to create a RAM user and grant the RAM user the AliyunROSFullAccess permission. The AliyunROSFullAccess permission allows the RAM user to manage ROS. For more information, see Create a RAM user and Grant permissions to a RAM user.

    Procedure

    1. Log on to the ROS console as the RAM user.

    2. In the left-side navigation pane, click Stacks.

    3. In the top navigation bar, select the region where you want to create a stack from the region drop-down list.

    4. On the Stacks page, click Create Stack and select Use ROS from the drop-down list.

    5. In the Select Template step, specify a template that you want to use based on your business requirements, and click Next.

      In this topic, enter the template that you defined to create VPC resources. For more information about how to specify a template, see the configurations in the Select Template step provided in the Create a stack topic.

    6. In the Configure Parameters step, specify the Stack Name parameter and configure parameters in the Configure Template Parameters section.

    7. In the Configure Stack Settings section, enter the name of the stack role that you created in Step 1: Create a stack role in the RAM Role field.

      For more information about how to configure other parameters, see Create a stack.

    8. In the Compliance Precheck step, complete compliance precheck and click Next.

      Note

      The compliance precheck feature is available only in the China (Hangzhou) region for specific resources. For more information, see Compliance precheck of ROS.

      1. In the Evaluate Rules section, add a compliance rule.

        You can add compliance rules based on the cloud resources in the ROS template.

      2. Click Evaluate.

        You can modify the template content based on the suggestions that are provided to remediate non-compliant or invalid resources to ensure the compliance of the resources.

    9. In the Check and Confirm step, click Create.

      After the stack is created, Created appears in the Status column of the stack.