This topic describes how to use Resource Access Management (RAM) to control the access of Alibaba Cloud accounts to CloudOps Orchestration Service (OOS). To implement access control, you must create RAM users or groups, and grant required permissions to the users or groups.
Scenarios
RAM is a resource access control service that is provided by Alibaba Cloud. The following section describes how you can use RAM to implement access control in OOS:
CloudOps Orchestration Service administrator: You can create a CloudOps Orchestration Service administrator group and grant full access permissions on CloudOps Orchestration Service to the administrator group. This way, a member of this group can create, modify, and execute templates.
Template developer: The template developer group requires the permissions to modify templates. You can attach a policy to the template developer group to grant the group members the permissions to call API operations such as CreateTemplate and UpdateTemplate.
Template execution: You can grant only the permission to execute OOS templates to some users. This way, these users can only execute OOS templates and cannot create or modify OOS templates.
Template authentication: You can restrict a template to be executed only by specified users or user groups.
Grant the PassRole permission to a RAM user
You can create an OOS-trusted RAM role to grant permissions to CloudOps Orchestration Service. For more information, see Grant RAM permissions to OOS. This way, CloudOps Orchestration Service has the permission to assume this RAM role. However, it does not mean that the RAM user that uses CloudOps Orchestration Service has the permission to pass this RAM role to the service. You must also grant the RAM user the PassRole permission on the RAM role. This way, the RAM user can have CloudOps Orchestration Service assume the RAM role on its behalf.
To authorize a RAM user to assume all RAM roles of CloudOps Orchestration Service, create the following policy and attach the policy to the RAM user:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
For security reasons, you may need to restrict the RAM user to passing only a specific RAM role, such as the default role OOSServiceRole. In this case, you can create the following policy and attach the policy to the RAM user:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram::{parent_uid}:role/OOSServiceRole"
    }
  ]
}
If a RAM role, such as the default role OOSServiceRole, is internally used in a template and does not need to be specified as an input parameter for template execution, you do not need to grant the PassRole permission to the RAM user for executing the template. However, you must grant the PassRole permission to the RAM user to create or modify the template.
If a RAM role is dynamically obtained by using an input parameter for template execution and the template does not specify the RAM role that is required, you do not need to grant the PassRole permission to the RAM user for creating or modifying a template. However, you must grant the PassRole permission to the RAM user to execute the template so that the RAM user can assume the specified RAM role.
In the preceding sample code, {parent_uid} indicates the ID of your Alibaba Cloud account.
Grant permissions to a RAM user
Step 1
Create a custom policy in the RAM console.
Log on to the RAM console.
In the left-side navigation pane, go to the Policies page. On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Then, edit the policy based on the following script.
Sample policy 1: grants a RAM user the permissions to execute templates but not modify templates.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:List*",
        "oos:Get*",
        "oos:StartExecution",
        "oos:CancelExecution",
        "oos:NotifyExecution"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Sample policy 2: grants a RAM user the permissions to create and modify templates but not execute templates.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:List*",
        "oos:Get*",
        "oos:CreateTemplate",
        "oos:UpdateTemplate",
        "oos:ValidateTemplateContent"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Sample policy 3: grants a RAM user the permissions of a CloudOps Orchestration Service administrator.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "oos:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
Click Next to edit policy information. Configure the basic information about the policy and click OK.
Step 2
Grant a RAM user relevant permissions in the RAM console.
In the left-side navigation pane, go to the Users page. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column. In the Policy section of the Grant Permission panel, select one or more system policies or custom policies.
Click Grant permissions.
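The following Python script is an added example, not code from this documentation or from Alibaba Cloud. It is a small RAM-style policy evaluator that loads the PassRole policies from the section above and sample policies 1 to 3 from Step 1, then checks the access outcomes the text describes: an execution-only user cannot create templates, a developer-only user cannot start executions, the conditional PassRole statement only applies when the role is passed to oos.aliyuncs.com, and the resource-scoped PassRole statement only covers OOSServiceRole. The account ID, region, template name and the second role name are constructed placeholders; wildcard matching and StringEquals are the only policy features implemented, so unsupported condition operators are treated as not satisfied (a conservative simplification of the real RAM evaluation logic).

```python
import re

# Constructed placeholder for the Alibaba Cloud account ID ({parent_uid} on the page).
PARENT_UID = "123456789012345678"

# Policies as they appear on the page (PassRole policies, then sample policies 1-3).
PASSROLE_ANY_ROLE_TO_OOS = {"Version": "1", "Statement": [
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}}]}
PASSROLE_OOSSERVICEROLE_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:PassRole",
     "Resource": f"acs:ram::{PARENT_UID}:role/OOSServiceRole"}]}
EXECUTE_ONLY = {"Version": "1", "Statement": [
    {"Action": ["oos:List*", "oos:Get*", "oos:StartExecution",
                "oos:CancelExecution", "oos:NotifyExecution"],
     "Resource": "*", "Effect": "Allow"}]}
DEVELOP_ONLY = {"Version": "1", "Statement": [
    {"Action": ["oos:List*", "oos:Get*", "oos:CreateTemplate",
                "oos:UpdateTemplate", "oos:ValidateTemplateContent"],
     "Resource": "*", "Effect": "Allow"}]}
ADMIN = {"Version": "1", "Statement": [
    {"Action": "oos:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}}]}


def _as_list(value):
    """Action, Resource and condition values may be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """Glob match where '*' matches any run of characters; case-insensitive (simplification)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _condition_holds(condition, context):
    """Only StringEquals is implemented; any other operator is treated as unsatisfied."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Explicit Deny wins; otherwise at least one matching Allow is needed (implicit deny)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_scenarios():
    """Evaluate the access outcomes described on the page; all names below are constructed."""
    template = f"acs:oos:cn-hangzhou:{PARENT_UID}:template/MyTemplate"
    default_role = f"acs:ram::{PARENT_UID}:role/OOSServiceRole"
    other_role = f"acs:ram::{PARENT_UID}:role/SomeOtherRole"
    to_oos = {"acs:Service": "oos.aliyuncs.com"}
    to_other_service = {"acs:Service": "ecs.aliyuncs.com"}
    return {
        "executor_can_start": is_allowed([EXECUTE_ONLY], "oos:StartExecution", template),
        "executor_cannot_create": is_allowed([EXECUTE_ONLY], "oos:CreateTemplate", template),
        "developer_can_update": is_allowed([DEVELOP_ONLY], "oos:UpdateTemplate", template),
        "developer_cannot_start": is_allowed([DEVELOP_ONLY], "oos:StartExecution", template),
        "admin_passrole_to_oos": is_allowed([ADMIN], "ram:PassRole", other_role, to_oos),
        "admin_passrole_to_other_service": is_allowed([ADMIN], "ram:PassRole", other_role, to_other_service),
        "any_role_passrole_needs_oos_context": is_allowed([PASSROLE_ANY_ROLE_TO_OOS], "ram:PassRole", default_role),
        "scoped_passrole_default_role": is_allowed([PASSROLE_OOSSERVICEROLE_ONLY], "ram:PassRole", default_role),
        "scoped_passrole_other_role": is_allowed([PASSROLE_OOSSERVICEROLE_ONLY], "ram:PassRole", other_role),
    }


if __name__ == "__main__":
    for name, result in check_scenarios().items():
        print(f"{name}: {'allow' if result else 'deny'}")
```

The evaluator is useful for reviewing a custom policy before attaching it: feeding it the action a template calls (for example oos:StartExecution with the role passed to oos.aliyuncs.com) shows whether the execution-only user, the developer group or the administrator group would actually be permitted, and the resource-scoped PassRole case shows why restricting Resource to OOSServiceRole is tighter than the "*" form with a service condition.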