CloudOps Orchestration Service:Configure permissions for using OOS to manage ECS instances by group

Last Updated: Sep 20, 2024

To allow multiple users to access resources in your enterprise at the same time, you can create multiple Resource Access Management (RAM) users and grant permissions to the RAM users based on the principle of least privilege. This prevents multiple users from sharing the password or AccessKey pair of an Alibaba Cloud account and reduces security risks for your enterprise. This topic describes how to execute a CloudOps Orchestration Service (OOS) template as a RAM user.

Scenario

An enterprise has purchased several Elastic Compute Service (ECS) instances. Among the ECS instances, two instances are tagged with TagKey:TagValue and added to a group. Staff A needs to be assigned the RAM user subUser1ForOOS to execute Template T in OOS. Template T is used to run shell commands on ECS instances tagged with TagKey:TagValue. Staff A needs to be granted the permissions to read and execute Template T and the permissions to call the API operations, such as RunCommand, that are specified in Template T to manage ECS instances tagged with TagKey:TagValue.

Solution

To meet the requirements of the preceding scenario, separately grant the permissions on OOS and ECS to the RAM user assigned to Staff A.

  • OOS: Create a policy in RAM to grant the permissions that are required to execute Template T and query executions.

  • ECS: Create a policy in RAM to grant the permissions that are required to call the API operations specified in Template T to manage ECS instances tagged with TagKey:TagValue.

After you create the preceding policies, attach the policies to the RAM user assigned to Staff A or a user group that has the same duties as Staff A.

Procedure

  1. Tag and group ECS instances.

  2. Create a RAM user.

  3. Create custom policies in RAM.

  4. Grant permissions to the RAM user.

  5. Execute an OOS template as the RAM user.

Tag and group ECS instances

  1. Log on to the ECS console.

  2. On the Instances page, select two ECS instances that you want to manage, click the More icon in the Actions column, and then choose Instance Settings > Edit Tags.

  3. In the Configure Tags dialog box, specify a tag key and a tag value. Then, click OK.

    In this example, the tag key is set to TagKey and the tag value is set to TagValue.

Create a RAM user

  1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrator permissions.

  2. In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User.

  3. On the Create User page, configure the Logon Name and Display Name parameters.

  4. In the Access Mode section, select Console Access. Set the Set Logon Password parameter to Reset Custom Password and enter a password for the RAM user. Click OK.

Create custom policies in RAM

  1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrator permissions.

  2. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy.

  3. Create the policies for OOS and ECS. The following sample code shows the policy content.

    Note

    You must replace $AliyunMasterAccountID, $TagKey, $TagValue, and $RegionID in the policy content with the ID of your Alibaba Cloud account, the tag key and value configured for the ECS instances, and the region ID.

    1. Policy for OOS:

      {
          "Statement": [
              {
                  "Action": [
                      "oos:StartExecution",
                      "oos:List*",
                      "oos:Get*"
                  ],
                  "Resource": [
                      "acs:oos:$RegionID:$AliyunMasterAccountID:template/*",
                      "acs:oos:$RegionID:$AliyunMasterAccountID:execution/*"
                  ],
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }

    2. Policy for ECS:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:RebootInstance"
                  ],
                  "Resource": "acs:ecs:$RegionID:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeCloudAssistantStatus",
                      "ecs:InstallCloudAssistant"
                  ],
                  "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Action": "ecs:DescribeTagKeys",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "ecs:DescribeTags",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Effect": "Deny",
                  "Action": [
                      "ecs:DeleteTags",
                      "ecs:UntagResources",
                      "ecs:CreateTags",
                      "ecs:TagResources"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:RunCommand"
                  ],
                  "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:tag/$TagKey": [
                              "$TagValue"
                          ]
                      }
                  }
              },
              {
                  "Action": [
                      "ecs:RunCommand"
                  ],
                  "Resource": [
                      "acs:ecs:*:$AliyunMasterAccountID:command/*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ecs:DescribeInvocations",
                      "ecs:DescribeInvocationResults"
                  ],
                  "Resource": [
                      "*"
                  ],
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }

  4. Configure the Name and Description parameters and click OK.
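The two policies above are templates with $ placeholders, and the ECS policy combines tag-scoped Allow statements with an unconditional Deny on tag-editing actions. The script below is an added example, not code from this page or from Alibaba Cloud: it fills in the placeholders (the account ID, instance IDs and execution ID are constructed sample values; cn-hangzhou is used only as an illustrative region), parses the results as JSON, and evaluates a few constructed requests with a simplified model of RAM's decision rule (an explicit Deny wins, otherwise any matching Allow wins, otherwise the request is implicitly denied). Only the StringEquals tag condition that the page's policy uses is modelled.

```python
import fnmatch
import json
from string import Template

# Constructed values for the page's placeholders (the account ID is made up).
SAMPLE_VALUES = {
    "AliyunMasterAccountID": "123456789012345678",
    "RegionID": "cn-hangzhou",
    "TagKey": "TagKey",
    "TagValue": "TagValue",
}

# The page's policies, written compactly but with the same statements.
OOS_POLICY_TEMPLATE = """{
 "Version": "1",
 "Statement": [
  {"Effect": "Allow", "Action": ["oos:StartExecution", "oos:List*", "oos:Get*"],
   "Resource": ["acs:oos:$RegionID:$AliyunMasterAccountID:template/*",
                "acs:oos:$RegionID:$AliyunMasterAccountID:execution/*"]}
 ]
}"""

ECS_POLICY_TEMPLATE = """{
 "Version": "1",
 "Statement": [
  {"Effect": "Allow", "Action": ["ecs:DescribeInstances", "ecs:RebootInstance"],
   "Resource": "acs:ecs:$RegionID:$AliyunMasterAccountID:instance/*",
   "Condition": {"StringEquals": {"ecs:tag/$TagKey": ["$TagValue"]}}},
  {"Effect": "Allow", "Action": ["ecs:DescribeCloudAssistantStatus", "ecs:InstallCloudAssistant"],
   "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
   "Condition": {"StringEquals": {"ecs:tag/$TagKey": ["$TagValue"]}}},
  {"Effect": "Allow", "Action": "ecs:DescribeTagKeys", "Resource": "*"},
  {"Effect": "Allow", "Action": "ecs:DescribeTags", "Resource": "*"},
  {"Effect": "Deny", "Action": ["ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": ["ecs:RunCommand"],
   "Resource": "acs:ecs:*:$AliyunMasterAccountID:instance/*",
   "Condition": {"StringEquals": {"ecs:tag/$TagKey": ["$TagValue"]}}},
  {"Effect": "Allow", "Action": ["ecs:RunCommand"], "Resource": ["acs:ecs:*:$AliyunMasterAccountID:command/*"]},
  {"Effect": "Allow", "Action": ["ecs:DescribeInvocations", "ecs:DescribeInvocationResults"], "Resource": ["*"]}
 ]
}"""


def render_policy(template: str, values: dict) -> dict:
    """Substitute the $Placeholders and parse the result; KeyError if one is left unfilled."""
    return json.loads(Template(template).substitute(values))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # Action and Resource strings may contain '*' wildcards; fnmatch models that.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, tags: dict) -> bool:
    # Only StringEquals on ecs:tag/<key> is modelled (all this page's policy uses).
    for key, allowed in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:tag/"):
            return False  # unmodelled condition key: treat as not satisfied
        if tags.get(key[len("ecs:tag/"):]) not in _as_list(allowed):
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, tags=None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    tags = tags or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


OOS_POLICY = render_policy(OOS_POLICY_TEMPLATE, SAMPLE_VALUES)
ECS_POLICY = render_policy(ECS_POLICY_TEMPLATE, SAMPLE_VALUES)
ACCT = SAMPLE_VALUES["AliyunMasterAccountID"]
# Constructed resource identifiers: an instance in the policy's region, one elsewhere, one template.
INSTANCE_IN_REGION = f"acs:ecs:cn-hangzhou:{ACCT}:instance/i-constructed01"
INSTANCE_OTHER_REGION = f"acs:ecs:cn-beijing:{ACCT}:instance/i-constructed02"
TEMPLATE_T = f"acs:oos:cn-hangzhou:{ACCT}:template/TemplateT"
TAGGED = {"TagKey": "TagValue"}

if __name__ == "__main__":
    checks = [
        (ECS_POLICY, "ecs:RunCommand", INSTANCE_IN_REGION, TAGGED),         # Allow: tag matches
        (ECS_POLICY, "ecs:RunCommand", INSTANCE_IN_REGION, {}),             # ImplicitDeny: untagged
        (ECS_POLICY, "ecs:RebootInstance", INSTANCE_OTHER_REGION, TAGGED),  # ImplicitDeny: region-scoped
        (ECS_POLICY, "ecs:CreateTags", INSTANCE_IN_REGION, TAGGED),         # Deny: cannot re-tag to widen scope
        (OOS_POLICY, "oos:StartExecution", TEMPLATE_T, {}),                 # Allow
        (OOS_POLICY, "oos:DeleteTemplate", TEMPLATE_T, {}),                 # ImplicitDeny: not granted
    ]
    for policy, action, resource, tags in checks:
        print(f"{action:<32} {evaluate(policy, action, resource, tags)}")
```

The explicit Deny on the tag-editing actions is what keeps the tag condition meaningful: without it, a user allowed to call TagResources could attach TagKey:TagValue to any instance and bring it into scope of RunCommand.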

Grant permissions to the RAM user or a user group

  1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrator permissions.

  2. In the left-side navigation pane, choose Permissions > Grants. On the Permission page, click Grant Permission.

  3. In the Grant Permission panel, select the check box before the name of the RAM user or user group in the Principal section. In the Policy section, select Custom Policy and select the check boxes before the names of the custom policies to be attached to the RAM user or user group to add the policies to the Selected Policy section.

  4. Click Grant permissions.

Execute the OOS template

  1. Log on to the Alibaba Cloud Management Console as the created RAM user.

  2. Log on to the CloudOps Orchestration Service console.

  3. In the left-side navigation pane, choose Automated Task > Public Template. On the Public Template page, find the ACS-ECS-BulkyRunCommand template and click Create Execution.

  4. In the Create Task wizard, configure the basic information and click Next Step: Parameter Settings.

  5. In the Parameter Settings step, configure the required parameters and click Next Step: OK.

  6. In the OK step, click Create.