
CloudOps Orchestration Service: Use OOS to manage ECS instances by group

Last Updated: Feb 17, 2025

To allow multiple users to access resources in your enterprise at the same time, you can create multiple Resource Access Management (RAM) users and grant permissions to the RAM users based on the principle of least privilege. This prevents multiple users from sharing the password or AccessKey pair of an Alibaba Cloud account and reduces security risks for your enterprise. This topic describes how to execute a CloudOps Orchestration Service (OOS) template as a RAM user.

Scenarios

A company purchased several Elastic Compute Service (ECS) instances. Two ECS instances are tagged with TagKey:TagValue and added to a group. Staff A needs to be assigned the RAM user subUser1ForOOS to execute Template T in OOS. Template T is used to run shell commands on ECS instances tagged with TagKey:TagValue. Staff A needs to be granted the permissions to read and execute Template T and the permissions to call the API operations, such as RunCommand, that are specified in Template T to manage ECS instances tagged with TagKey:TagValue.

Policy descriptions

To meet the preceding requirements, the policies must include the permissions on OOS resources and ECS resources.

  • OOS-related permissions: the permissions to execute and query templates.

  • ECS-related permissions: the permissions to call the API operations specified in Template T to manage ECS instances tagged with TagKey:TagValue.

Note

After you create the preceding policies, attach the policies to the RAM user assigned to Staff A or a user group that has the same duties as Staff A.

Procedure

Step 1: Add tags to the ECS instance

  1. In the left-side navigation pane, choose Instances & Images > Instances.

  2. In the top navigation bar, select the region where the ECS instance resides.

  3. Find the ECS instance and choose Instance Settings > Edit Tags in the Actions column.

  4. In the Configure Tags dialog box, set Tag Key and Tag Value, and click OK.

    In this example, Tag Key is set to TagKey and Tag Value is set to TagValue.


Step 2: Create a RAM user and grant permissions to the RAM user

  1. Log on to the RAM console and create a RAM user, such as subUser1ForOOS.

    The following table describes the key parameters. For more information, see Create a RAM user.

    Parameter           Description
    Logon Name          Enter the name of the RAM user. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name can be at most 64 characters in length.
    Access Mode         Select Console Access to access the Alibaba Cloud Management Console by using the password.
    Set Logon Password  Select Reset Custom Password and specify a custom password.

  2. Create a custom policy.

    Choose Permissions > Policies > Create Policy to create a custom policy for OOS and a custom policy for ECS. For more information, see Create a custom policy.

    Note

    You must replace $AliyunMasterAccountID, $TagKey, $TagValue, and $RegionID in the policy content with the ID of your Alibaba Cloud account, the tag key and value configured for the ECS instances, and the region ID.

    • Manage custom policies for OOS

      {
          "Statement": [
              {
                  "Action": [
                      "oos:StartExecution",
                      "oos:List*",
                      "oos:Get*"
                  ],
                  "Resource": [
                      "acs:oos:$RegionID:$AliyunMasterAccountID:template/*",
                      "acs:oos:$RegionID:$AliyunMasterAccountID:execution/*"
                  ],
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }
    • Manage custom policies for ECS

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:RebootInstance"
                  ],
                  "Resource": "acs:ecs:$RegionID:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeCloudAssistantStatus",
                      "ecs:InstallCloudAssistant"
                  ],
                  "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Action": "ecs:DescribeTagKeys",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "ecs:DescribeTags",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Effect": "Deny",
                  "Action": [
                      "ecs:DeleteTags",
                      "ecs:UntagResources",
                      "ecs:CreateTags",
                      "ecs:TagResources"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:RunCommand"
                  ],
                  "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Action": [
                      "ecs:RunCommand"
                  ],
                  "Resource": [
                      "acs:ecs:*:$AliyunMasterAccountID:command/*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ecs:DescribeInvocations",
                      "ecs:DescribeInvocationResults"
                  ],
                  "Resource": [
                      "*"
                  ],
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }
  3. Grant the required permissions to the RAM user.

    Choose Permissions > Grants > Grant Permission to attach OOS custom policies and ECS custom policies to the RAM user. For more information, see Grant permissions to a RAM user.
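The following Python script is an added example, not code from Alibaba Cloud or from this page. It is a deliberately simplified, RAM-style policy evaluator used to check that the OOS and ECS custom policies from Step 2 confine the RAM user to instances carrying TagKey:TagValue. It models only what those policies use (Action and Resource wildcards, a StringEquals condition on ecs:tag/<key>, an explicit Deny overriding any Allow, and an implicit deny when nothing matches); it is not the real RAM engine, the embedded policies are condensed copies of the ones above, and the account ID, region ID and instance ID are constructed sample values. The Deny statement on tag operations is the part worth checking: without it, a user allowed to create tags could tag any instance in the account and thereby bring it into the scope of their own RunCommand permission.

```python
# Added example, not Alibaba Cloud's own code: a simplified RAM-style policy
# evaluator to check that the OOS and ECS custom policies above confine the RAM
# user to tagged instances. It models only what those policies use (Action and
# Resource wildcards, StringEquals on ecs:tag/<key>, explicit Deny beating Allow,
# implicit deny otherwise) and is not the real RAM engine.
import fnmatch
import json
import re

# Sample values, constructed for this example (not real account data).
ACCOUNT_ID, REGION_ID = "123456789012345678", "cn-hangzhou"
TAG_KEY, TAG_VALUE = "TagKey", "TagValue"

# Condensed copies of the page's two custom policies, $placeholders intact.
OOS_POLICY_TEMPLATE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oos:StartExecution", "oos:List*", "oos:Get*"],
     "Resource": ["acs:oos:$RegionID:$AliyunMasterAccountID:template/*",
                  "acs:oos:$RegionID:$AliyunMasterAccountID:execution/*"]}]}
TAGGED = {"StringEquals": {"ecs:tag/$TagKey": ["$TagValue"]}}
ECS_POLICY_TEMPLATE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:DescribeInstances", "ecs:RebootInstance"],
     "Resource": "acs:ecs:$RegionID:$AliyunMasterAccountID:instance/*",
     "Condition": TAGGED},
    {"Effect": "Allow", "Action": ["ecs:RunCommand"],
     "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*", "Condition": TAGGED},
    {"Effect": "Allow", "Action": ["ecs:RunCommand"],
     "Resource": "acs:ecs:*:$AliyunMasterAccountID:command/*"},
    {"Effect": "Allow", "Action": ["ecs:DescribeTagKeys", "ecs:DescribeTags"],
     "Resource": "*"},
    # Explicit Deny on tag changes: otherwise the user could tag any instance
    # and pull it into the scope of their own RunCommand permission.
    {"Effect": "Deny", "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                                  "ecs:CreateTags", "ecs:TagResources"],
     "Resource": "*"}]}

PLACEHOLDER = re.compile(r"\$[A-Za-z]+")

def missing_placeholders(template, values):
    """Return the $placeholders in `template` that `values` does not cover."""
    return {p for p in PLACEHOLDER.findall(json.dumps(template)) if p[1:] not in values}

def render_policy(template, values):
    """Substitute $placeholders (values are plain IDs with no JSON-special chars)."""
    missing = missing_placeholders(template, values)
    if missing:
        raise ValueError(f"unreplaced placeholders: {sorted(missing)}")
    text = json.dumps(template)
    for name, value in values.items():
        text = text.replace("$" + name, value)
    return json.loads(text)

def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only StringEquals is modelled; `context` holds the target instance's tags
    # keyed the way RAM condition keys are written, e.g. {"ecs:tag/TagKey": "TagValue"}.
    return all(context.get(key) in expected
               for key, expected in condition.get("StringEquals", {}).items())

def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against a list of policies."""
    context, allowed = context or {}, False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny cannot be overridden by any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched

def demo():
    """Requests Staff A should, and should not, be able to make."""
    values = {"AliyunMasterAccountID": ACCOUNT_ID, "RegionID": REGION_ID,
              "TagKey": TAG_KEY, "TagValue": TAG_VALUE}
    policies = [render_policy(OOS_POLICY_TEMPLATE, values),
                render_policy(ECS_POLICY_TEMPLATE, values)]
    in_group = {f"ecs:tag/{TAG_KEY}": TAG_VALUE}
    outside = {f"ecs:tag/{TAG_KEY}": "SomeOtherGroup"}  # instance not in the group
    inst = f"acs:ecs:{REGION_ID}:{ACCOUNT_ID}:instance/i-example"
    tmpl = f"acs:oos:{REGION_ID}:{ACCOUNT_ID}:template/ACS-ECS-BulkyRunCommand"
    return {
        "run_on_group_member": evaluate(policies, "ecs:RunCommand", inst, in_group),
        "run_on_outsider": evaluate(policies, "ecs:RunCommand", inst, outside),
        "retag_outsider": evaluate(policies, "ecs:CreateTags", inst, outside),
        "start_execution": evaluate(policies, "oos:StartExecution", tmpl),
        "delete_template": evaluate(policies, "oos:DeleteTemplate", tmpl),
    }

if __name__ == "__main__":
    print(demo())
```

Running the script prints the verdicts for the five sample requests: RunCommand is allowed on a group member and denied on an instance with a different tag value, retagging is refused by the explicit Deny, StartExecution on the public template is allowed, and an action the OOS policy never grants (DeleteTemplate) falls through to the implicit deny. render_policy also refuses to produce a policy while any $placeholder from the Note above is still unreplaced, which is a cheap guard against pasting a template with literal $AliyunMasterAccountID into the console.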

Step 3: Execute the OOS template

  1. Log on to the CloudOps Orchestration Service console as the RAM user.

  2. In the left-side navigation pane, choose Automated Task > Public Template.

  3. On the Public Template page, search for the ACS-ECS-BulkyRunCommand template and click Create Execution.


  4. In the Basic Information step, confirm the template information and click Next Step: Parameter Settings.

  5. In the Parameter Settings step, set the parameters and click Next Step: OK.

    Set TargetInstance to Specify Instance Tags and specify the tag key and tag value.


  6. Confirm the settings and click Create.