This topic describes how to create a stack role and use it to create resources.
Scenarios
A stack role is a Resource Access Management (RAM) role that trusts Resource Orchestration Service (ROS). If you want ROS to deploy resources using an account with specific permissions instead of the current account, you can specify a stack role when you manage a stack. ROS then assumes the role to deploy the resources.
For example, an enterprise may want to allow an employee to create multiple cloud resources without granting excessive permissions to that employee. In this case, the enterprise can provide a stack role with the required permissions. The employee can then select the stack role when creating a stack to create the resources using ROS. This topic provides an example in which an Alibaba Cloud account creates a stack role, and a RAM user assumes that role to create VPC resources.
Procedure
Step 1: Create a stack role
Log on to the Resource Access Management (RAM) console using an Alibaba Cloud account.
In the navigation pane on the left, choose .
On the Roles page, click Create Role.
On the Create Role page, set Principal Type to Cloud Service.
Set Principal Name to Resource Orchestration Service, and click OK.
In the dialog box, enter a Role Name and click OK.
Step 2: Obtain the policy required by the template
Define a template to create VPC resources.
For more information, see View resource types.
```yaml
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  Vpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      CidrBlock: 192.168.0.0/24
      VpcName: TestVpc
```
Obtain the access policy.
In OpenAPI Explorer, go to the GenerateTemplatePolicy API operation.
For the TemplateBody parameter, enter the sample VPC template.
Click Initiate Call to obtain the access policy for creating VPC resources.
```json
{
  "Policy": {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "quotas:ListProductQuotas"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "vpc:AssociateVpcCidrBlock",
          "vpc:CreateVpc",
          "vpc:DeleteVpc",
          "vpc:DescribeVpcs",
          "vpc:ModifyVpcAttribute",
          "vpc:TagResources",
          "vpc:UnTagResources"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  },
  "RequestId": "607A8E4E-4423-5D2D-8392-E74C5DC42EC5"
}
```
Step 3: Create a custom permission policy
Log on to the Resource Access Management (RAM) console using an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the policy document, and then click OK.
Replace the content with the `Policy` section from the access policy that you obtained in Step 2: Obtain the policy required by the template.
Enter a Name and Note for the policy.
Click OK.
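The policy that GenerateTemplatePolicy returns in Step 2 is the least-privilege baseline for the stack role, so it is worth checking it before it is attached in Step 3 and Step 4. The following script is an added example, not part of this topic or of the ROS product: it takes a GenerateTemplatePolicy response (a constructed copy of the Step 2 output with a placeholder RequestId), extracts only the `Policy` section that the JSON tab expects, and flags any Allow statement that grants a wildcard action or an action outside the services the template actually needs (`vpc` and `quotas` for the VPC template). The function names and the service allow-list are assumptions made for the example.

```python
import json

# Constructed sample response in the shape returned by GenerateTemplatePolicy.
# The RequestId is a placeholder, not a real request identifier.
SAMPLE_RESPONSE = json.dumps({
    "Policy": {
        "Version": "1",
        "Statement": [
            {"Action": ["quotas:ListProductQuotas"],
             "Resource": "*", "Effect": "Allow"},
            {"Action": ["vpc:AssociateVpcCidrBlock", "vpc:CreateVpc",
                        "vpc:DeleteVpc", "vpc:DescribeVpcs",
                        "vpc:ModifyVpcAttribute", "vpc:TagResources",
                        "vpc:UnTagResources"],
             "Resource": "*", "Effect": "Allow"},
        ],
    },
    "RequestId": "REQUEST-ID-PLACEHOLDER",
})


def extract_policy_document(response_text: str) -> dict:
    """Return only the Policy section of the API response.

    That section, and not the whole response, is what Step 3 pastes into
    the JSON tab of the custom policy.
    """
    body = json.loads(response_text)
    policy = body["Policy"]
    if policy.get("Version") != "1" or not isinstance(policy.get("Statement"), list):
        raise ValueError("response does not contain a RAM policy document")
    return policy


def _as_list(value):
    # RAM accepts Action/Resource as a single string or a list; normalise.
    return value if isinstance(value, list) else [value]


def collect_actions(policy: dict) -> set:
    """Set of actions the policy allows, for a quick review of its scope."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt["Action"]))
    return actions


def lint_policy(policy: dict, allowed_services: set) -> list:
    """Findings to resolve before attaching the policy to the stack role.

    Flags wildcard actions ("*" or "service:*") and actions whose service
    prefix is not one the template needs. Resource "*" is not flagged here:
    the resources do not exist yet when the policy is generated.
    """
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
                continue
            service = action.split(":", 1)[0]
            if service not in allowed_services:
                findings.append(
                    f"statement {i}: action {action!r} is outside expected services"
                )
    return findings


def render_for_console(policy: dict) -> str:
    """Pretty-print the Policy section for pasting into the JSON tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = extract_policy_document(SAMPLE_RESPONSE)
    for finding in lint_policy(policy, {"vpc", "quotas"}):
        print("WARNING:", finding)
    print(render_for_console(policy))
```

Run it with the response you obtained from OpenAPI Explorer in place of the constructed sample; an empty findings list means the generated policy stays within the services the template declares, and the printed document is the text to enter in Step 3.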
Step 4: Grant permissions to the stack role
In the navigation pane on the left, choose .
On the Roles page, find the RAM role that you created in Step 1: Create a stack role and click Grant Permission in the Actions column.
The default authorization scope is the current Alibaba Cloud account.
In the Grant Permission panel, set the permission policy type to Custom Policy. Then, enter the Policy Name of the policy that you created in Step 3: Create a custom permission policy.
For more information, see View policy information.
Click OK.
Step 5: Use the stack role to create a stack
Prerequisites
Create a RAM user using an Alibaba Cloud account and grant the `AliyunROSFullAccess` permission to the RAM user. This permission allows the RAM user to manage ROS. For more information, see Create a RAM user and Grant permissions to a RAM user.
Procedure
Log on to the Resource Orchestration Service (ROS) console as the RAM user.
In the navigation pane on the left, click Stacks.
In the top navigation bar, select the region where you want to create the stack.
On the Stacks page, click Create Stack. In the Specify Template section, click Select an Existing Template.
Note: If you select Create a New Template or Infrastructure Composer, you are redirected to the corresponding page.
On the Select Template page, specify a template and then click Next.
For example, you can enter the template for creating VPC resources. For more information, see Configure a template.
On the Configure Parameters page, enter a Stack Name and Configure Template Parameters.
Note: The template parameters that you must configure vary based on the template. Follow the instructions in the console to enter the parameter values.
In the Configure Stack section, set RAM Role to the name of the role that you created in Step 1: Create a stack role.
For more information, see Create a stack.
On the Compliance Precheck (Optional) page, complete the compliance check and click Next.
Note: The compliance precheck feature is supported only for some resources. For more information, see Compliance precheck.
In the Detection Rules section, add detection rules.
You can select the rules to check based on the cloud resources in the ROS template.
Click Start Check.
If a resource is detected as Non-compliant, click Remediation Plan. Modify the cloud resource configuration or the ROS template content based on the Remediation Plan to ensure resource compliance.

On the Check and Confirm (Optional) page, click Create.
After the stack is created, Create Succeeded appears in the Status column.