Create a RAM role for OOS and grant permissions

Updated at: 2025-03-26 09:10

CloudOps Orchestration Service (OOS) requires different permissions to access the APIs of other cloud services when different OOS templates are executed. You can call the GenerateExecutionPolicy operation of OOS to obtain a set of permissions that are required to execute a specific template. Then, grant the RAM role the required permissions to execute the OOS template based on the principle of least privilege. You can also grant full permissions on related cloud services to the RAM role. This topic describes how to use Resource Access Management (RAM) to authorize OOS to access other cloud services.

Background information

Note

To authorize users to access OOS, configure access control. For more information, see Access control.

OOS uses temporary Security Token Service (STS) tokens to access the APIs of other cloud services. You must authorize OOS to access your resources by assuming a RAM role.

  • If no RAM role is specified in a template, OOS uses the permissions of the current Alibaba Cloud account.

  • If a RAM role is specified in a template, OOS assumes the specified role.

Procedure

Step 1: Create a RAM role assumed by OOS

  1. Go to the RAM console > Identities > Roles page and click Create Role.

  2. On the Create Role page, set Principal Type to Cloud Service, set Principal Name to CloudOps Orchestration Service, and then click OK.

    Note

    The Alibaba Cloud services available for the Principal Name parameter are those displayed in the RAM console.

  3. In the dialog box that appears, specify a role name and click OK.

Step 2: Grant permissions to the RAM role assumed by OOS

After a RAM role is created, the RAM role has no permissions. You need to grant permissions to the RAM role.

  1. Go to the RAM console > Identities > Roles page.

  2. In the role list, find the role, such as OOSServiceRole, and click Grant Permission in the Actions column.

  3. In the Grant Permission panel, set the parameters to create a policy for the RAM role and click Grant permissions.

    Parameters:

    • Principal: The system automatically selects the current RAM role by default.

    • Policy: Select one or more policies based on the permissions that are required to execute a CloudOps Orchestration Service template. In this example, the AliyunECSFullAccess policy is attached to the OOSServiceRole role. This allows the role to execute tasks that call ECS APIs.

  4. After the permissions are granted to the RAM role, click Close.
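The following Python check is an added example, not part of the original documentation. It reviews a role's trust policy (only OOS should be able to assume it) and compares an attached policy against the permissions a template needs. All policy documents are constructed samples: REQUIRED stands in for a GenerateExecutionPolicy result, FULL_ACCESS is a simplified stand-in for a full-access policy such as AliyunECSFullAccess, and the function names are hypothetical.

```python
import fnmatch

OOS_SERVICE = "oos.aliyuncs.com"  # service principal OOS uses to assume a role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_findings(trust_policy):
    """List problems in the trust policy of a role meant for OOS only."""
    findings, services = [], set()
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for kind, names in st.get("Principal", {}).items():
            if kind == "Service":
                services.update(_as_list(names))
            else:
                findings += [f"unexpected {kind} principal: {n}" for n in _as_list(names)]
    if OOS_SERVICE not in services:
        findings.append(f"{OOS_SERVICE} is not trusted, so OOS cannot assume the role")
    findings += [f"unexpected service principal: {s}" for s in sorted(services - {OOS_SERVICE})]
    return findings

def _allowed(policy):
    return [a for st in policy.get("Statement", []) if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", []))]

def compare(required, attached):
    """Return (missing, wildcards): required actions not granted, wildcard grants."""
    granted = _allowed(attached)
    missing = [r for r in _allowed(required)
               if not any(fnmatch.fnmatchcase(r, g) for g in granted)]
    return missing, sorted(g for g in granted if "*" in g)

# Constructed samples (assumptions, not output copied from a real account).
TRUST_OK = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": ["oos.aliyuncs.com"]}}]}
TRUST_EXTRA = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"Service": ["oos.aliyuncs.com", "ecs.aliyuncs.com"]}}]}
# Stand-in for a GenerateExecutionPolicy result for a template that reboots instances.
REQUIRED = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["ecs:DescribeInstances", "ecs:RebootInstance"]}]}
# Simplified stand-in for a full-access policy such as AliyunECSFullAccess.
FULL_ACCESS = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ecs:*",
               "Resource": "*"}]}

if __name__ == "__main__":
    print(trust_findings(TRUST_OK), trust_findings(TRUST_EXTRA))
    print(compare(REQUIRED, FULL_ACCESS))   # nothing missing, but a wildcard grant
    print(compare(REQUIRED, REQUIRED))      # least privilege: nothing missing, no wildcard
```

A wildcard entry in the second return value marks a policy that grants more than the template needs, which is the gap between the full-access option and the least-privilege option described at the top of this topic.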
