CloudOps Orchestration Service: Use RAM to grant permissions to OOS

Last Updated: Sep 11, 2024

CloudOps Orchestration Service (OOS) requires different permissions to access the APIs of other cloud services depending on which OOS template is executed. You can call the GenerateExecutionPolicy operation of OOS to obtain the set of permissions that are required to execute a specific template. Then, based on the principle of least privilege, grant the RAM role only the permissions that are required to execute the template. You can also grant full permissions on related cloud services to the RAM role. This topic describes how to use Resource Access Management (RAM) to authorize OOS to access other cloud services.

Note

If you want to authorize users to access OOS, you can perform access control. For more information, see Access control.

OOS uses temporary Security Token Service (STS) tokens to access the APIs of other cloud services. You must authorize OOS to access your resources by assuming a RAM role.

  • If no RAM role is specified in a template, OOS uses the permissions of the current Alibaba Cloud account.

  • If a RAM role is specified in a template, OOS assumes the specified role.

Create a RAM role for OOS

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Service in the Select Trusted Entity section and click Next.

  5. Select Normal Service Role for the Role Type parameter.

  6. Specify the RAM Role Name and Note parameters.

  7. Select CloudOps Orchestration Service as the trusted service.

  8. Click OK.

  9. Click Close.

Attach the required policy to the OOS-trusted role

For more information, see Grant permissions to a RAM role. To attach the required policy to the OOS-trusted role, perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role to which you want to grant permissions and click Grant Permission in the Actions column.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Principal: Select the RAM role that you created, such as OOSServiceRole.

    2. Policy: Select one or more policies based on the permissions that are required to execute a CloudOps Orchestration Service template. For example, you can attach the AliyunECSFullAccess policy to the RAM role. This allows the role to execute tasks that involve calling the Elastic Compute Service (ECS) API.

  5. Click Grant permissions.

  6. Click Close.
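The following added example (not part of the original documentation) compares the permissions a template requires with the policy attached to the OOS-trusted role, to show where a full-access grant exceeds least privilege. It assumes both are available as RAM policy documents; the action names and all three policies are constructed samples.

```python
import fnmatch

# Constructed sample: permissions a template needs, assumed to be written
# as a RAM policy document (for example, built from what
# GenerateExecutionPolicy reports for the template).
REQUIRED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:DescribeInstances", "ecs:RebootInstance"]}]}

# Constructed samples: two candidate policies for the OOS-trusted role.
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}
NARROW = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:DescribeInstances", "ecs:DeleteInstance"]}]}


def allow_actions(policy):
    """Collect the Action patterns of every Allow statement."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        found.update([actions] if isinstance(actions, str) else actions)
    return found


def audit(required, attached):
    """Compare attached grants with required ones (Action only;
    Resource, Condition and Deny statements are not evaluated)."""
    need, have = allow_actions(required), allow_actions(attached)
    covered = lambda a: any(fnmatch.fnmatchcase(a, p) for p in have)
    return {
        # Required actions the role cannot perform: the template would fail.
        "missing": sorted(a for a in need if not covered(a)),
        # Wildcard grants: broader than any single template needs.
        "wildcards": sorted(p for p in have if "*" in p or "?" in p),
        # Explicit actions granted but not required by the template.
        "excess": sorted(p for p in have - need if "*" not in p and "?" not in p),
    }


if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, audit(REQUIRED, policy))
```

A policy that passes with empty `wildcards` and `excess` lists and nothing `missing` grants exactly what the template needs at the action level.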