
Step 1: Grant self-managed permissions

Updated at: 2025-04-01 06:34

Before you create a stack group with self-managed permissions, you must manually create one RAM role in the administrator account and one RAM role in each execution account, and establish a trust relationship between them: the execution role trusts the administrator account, and the administration role trusts the ROS service. This chain is what allows ROS to deploy stacks into the execution account on your behalf.

Background information

Before granting self-managed permissions, you must create the following RAM roles in the administrator account and the execution account, and attach the listed policies to them:

Administrator account
  RAM role: AliyunROSStackGroupAdministrationRole
  Trusted entity: Resource Orchestration Service (ros.aliyuncs.com)
  Policy: custom policy AssumeRole-AliyunROSStackGroupExecutionRole
  Policy description: Allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role in the execution account.

Execution account
  RAM role: AliyunROSStackGroupExecutionRole
  Trusted entity: the administrator account
  Policy: system policy AdministratorAccess
  Policy description: Allows the AliyunROSStackGroupExecutionRole RAM role to manage all Alibaba Cloud resources that belong to the execution account.

Note

The administrator account and the execution account can be the same Alibaba Cloud account. For more information about administrator accounts and execution accounts, see Overview.

After granting permissions to the roles, you can use the administrator account to create a stack group in the ROS console. You can then create stack instances in the stack group to deploy stacks within the execution account.

Method 1: Grant self-managed permissions in the RAM console

  1. Configure permissions for the execution account.

    1. Use the execution account to log on to the RAM console.

    2. Create a RAM role named AliyunROSStackGroupExecutionRole in the execution account. The trusted entity of the role is the administrator account.

      1. In the left navigation bar, select Identity Management > Roles.

      2. On the Roles page, click Create Role.

      3. On the Create Role page, set Trusted Entity Type to Alibaba Cloud Account.

      4. Set Trusted Alibaba Cloud Account to Other Alibaba Cloud Account and enter the ID of the administrator account. If the administrator account and the execution account are the same account, select Current Alibaba Cloud Account instead.

      5. Click OK. In the dialog box, enter AliyunROSStackGroupExecutionRole as the Role Name.

      6. Click OK to complete the creation.

    3. Grant the AdministratorAccess permission to the AliyunROSStackGroupExecutionRole RAM role.

      1. On the Roles page, click Add Permissions in the Actions column of the AliyunROSStackGroupExecutionRole RAM role.

      2. In the Add Permissions panel, set the authorization scope to Alibaba Cloud Account. The principal is filled in automatically.

      3. Under Select Policy, choose System Policy and then select AdministratorAccess.

      4. Click OK.

  2. Configure permissions for the administrator account.

    1. Use the administrator account to log on to the RAM console.

    2. Create a RAM role named AliyunROSStackGroupAdministrationRole in the administrator account. The trusted entity of the role is Resource Orchestration Service.

      1. In the left navigation bar, select Identity Management > Roles.

      2. On the Roles page, click Create Role.

      3. On the Create Role page, set Trusted Entity Type to Alibaba Cloud Service.

      4. Set Select Trusted Service to Resource Orchestration Service and click OK.

      5. In the dialog box, enter Role Name as AliyunROSStackGroupAdministrationRole.

      6. Click OK to complete the creation.

    3. Create a custom policy (AssumeRole-AliyunROSStackGroupExecutionRole).

      1. In the left navigation bar, select Permission Management > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Policy page, click the Script tab, enter the following policy content, and click OK. In the dialog box, enter AssumeRole-AliyunROSStackGroupExecutionRole as the Policy Name.

        This policy allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role. The * in the account ID position of the resource ARN lets the administration role call sts:AssumeRole on a role of this name in any execution account; an assumption still succeeds only if that execution account's trust policy names the administrator account, so the execution account keeps control over who may deploy into it. If you manage a fixed set of execution accounts, you can replace * with their account IDs to narrow the policy.

        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
            }
          ],
          "Version": "1"
        }
      4. Click OK to complete the creation.

    4. Grant the AssumeRole-AliyunROSStackGroupExecutionRole permission to the AliyunROSStackGroupAdministrationRole RAM role.

      1. In the left navigation bar, select Identity Management > Roles.

      2. On the Roles page, click Add Permissions in the Actions column of the AliyunROSStackGroupAdministrationRole RAM role.

      3. In the Add Permissions panel, set the authorization scope to Alibaba Cloud Account. The principal is filled in automatically.

      4. Under Select Policy, choose Custom Policy and then select AssumeRole-AliyunROSStackGroupExecutionRole.

      5. Click OK.
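The script below is an added example; it is not from the Alibaba Cloud page and not part of ROS or the RAM console. It builds the three policy documents that the procedure above creates by hand (the execution role's trust policy, the administration role's trust policy and the AssumeRole permission policy) and runs an offline pre-flight check that the trust chain closes in both directions before you create the stack group. The ARN and principal formats (acs:ram::<account-id>:role/<name> and acs:ram::<account-id>:root) are taken from the page; the account IDs are made up, and the `can_assume` evaluator is a simplified model of RAM/STS AssumeRole that ignores conditions, Deny statements and RAM-user principals.

```python
"""Added example, not from the Alibaba Cloud page or from ROS itself.

Builds the policy documents used by the self-managed permissions procedure
and checks offline that the administration role can actually assume the
execution role. Assumptions: ARN/principal formats as shown on the page;
account IDs are constructed; the evaluator is a simplified AssumeRole model
(allow-only, account-level principals, no conditions).
"""
import fnmatch
import json

ADMIN_ROLE = "AliyunROSStackGroupAdministrationRole"
EXEC_ROLE = "AliyunROSStackGroupExecutionRole"


def execution_role_trust_policy(administration_account_id: str) -> dict:
    """Trust policy of the execution role: only the administrator account may assume it."""
    return {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"RAM": [f"acs:ram::{administration_account_id}:root"]}}]}


def administration_role_trust_policy() -> dict:
    """Trust policy of the administration role: the ROS service assumes it."""
    return {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Service": ["ros.aliyuncs.com"]}}]}


def assume_role_policy(execution_role_name: str = EXEC_ROLE, account_id: str = "*") -> dict:
    """Custom policy attached to the administration role. The page uses '*' for the
    account ID; pass an execution account ID to pin the policy to one account."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"acs:ram::{account_id}:role/{execution_role_name}"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_assume(caller_account_id: str, caller_policy: dict,
               target_account_id: str, target_role_name: str,
               target_trust_policy: dict) -> bool:
    """Both sides must allow: the caller's identity policy (resource pattern match,
    so '*' works) and the target role's trust policy (exact account principal)."""
    target_arn = f"acs:ram::{target_account_id}:role/{target_role_name}"
    caller_principal = f"acs:ram::{caller_account_id}:root"
    caller_side = any(
        st.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(st.get("Action", []))
        and any(fnmatch.fnmatchcase(target_arn, pattern)
                for pattern in _as_list(st.get("Resource", [])))
        for st in caller_policy["Statement"])
    trust_side = any(
        st.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(st.get("Action", []))
        and caller_principal in _as_list(st.get("Principal", {}).get("RAM", []))
        for st in target_trust_policy["Statement"])
    return caller_side and trust_side


def preflight(administration_account_id: str, execution_account_id: str,
              trusted_account_id: str = "") -> dict:
    """Pre-flight report for one administrator/execution pair. trusted_account_id is
    the ID written into the execution role's trust policy; it defaults to the
    administrator account, which is the correct configuration."""
    trusted = trusted_account_id or administration_account_id
    exec_trust = execution_role_trust_policy(trusted)
    admin_policy = assume_role_policy()
    return {
        "execution_role_trust_policy": json.dumps(exec_trust, indent=2),
        "assume_role_policy": json.dumps(admin_policy, indent=2),
        "chain_closes": can_assume(administration_account_id, admin_policy,
                                   execution_account_id, EXEC_ROLE, exec_trust),
    }


if __name__ == "__main__":
    # Constructed scenario (made-up IDs): administrator 1111..., execution 2222...
    report = preflight("111111111111", "222222222222")
    print(report["assume_role_policy"])
    print("chain closes:", report["chain_closes"])  # True
    # Trust policy pointing at the wrong account: the '*' in the Resource does not
    # rescue this, because the execution account decides whom it trusts.
    wrong = preflight("111111111111", "222222222222", trusted_account_id="333333333333")
    print("wrong trusted account:", wrong["chain_closes"])  # False
    # Administrator and execution account are the same account (see the Note above).
    print("same account:", preflight("111111111111", "111111111111")["chain_closes"])  # True
```

Paste the `execution_role_trust_policy` output into the execution role's trust policy and the `assume_role_policy` output into the custom policy if you prefer editing JSON over the console wizard. AdministratorAccess on the execution role is what the page prescribes; because the role belongs to you, you can attach a narrower policy instead if the stacks you deploy only need a subset of services, at the cost of stack instance failures when a template needs something the policy does not cover.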

Method 2: Grant self-managed permissions in the ROS console

You can also create the RAM roles and attach their policies by deploying a ROS template in each account. The two templates below reproduce the configuration of Method 1: the first creates the administration role and its AssumeRole policy, the second creates the execution role and attaches AdministratorAccess to it.

  1. Log on to the ROS console with the administrator account and create a stack from the AliyunROSStackGroupAdministrationRole template. The stack creates the AliyunROSStackGroupAdministrationRole RAM role, trusted by the ROS service (ros.aliyuncs.com), and attaches the AssumeRole-AliyunROSStackGroupExecutionRole policy to it.

    Example template:

    ROSTemplateFormatVersion: '2015-09-01'
    Description: Configure the AliyunROSStackGroupAdministrationRole to enable use of Alibaba Cloud ROS StackGroup.
    Parameters:
      AdministrationRoleName:
        Type: String
        Default: AliyunROSStackGroupAdministrationRole
        Description:
          en: Role name of administration account
          zh-cn: 创建授权给管理员账号的角色的名称
      ExecutionRoleName:
        Type: String
        Default: AliyunROSStackGroupExecutionRole
        Description:
          en: Execution role name of target account
          zh-cn: 目标账号执行角色名称
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - AdministrationRoleName
              - ExecutionRoleName
            Label:
              default:
                en: RAM
                zh-cn: 账号权限
        TemplateTags:
          - acs:example:Security:Grant permissions to the administrator account of a stack group
    Resources:
      AliyunROSStackGroupAdministrationRole:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName:
            Ref: AdministrationRoleName
          AssumeRolePolicyDocument:
            Version: 1
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  Service:
                    - ros.aliyuncs.com
          Policies:
            - PolicyName:
                Fn::Sub:
                  - AssumeRole-${ExecutionRoleName}
                  - ExecutionRoleName:
                      Ref: ExecutionRoleName
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - sts:AssumeRole
                    Resource:
                      - Fn::Sub: acs:ram::*:role/${ExecutionRoleName}
                Version: '1'
    Outputs:
      AdministrationRoleName:
        Value:
          Fn::GetAtt:
            - AliyunROSStackGroupAdministrationRole
            - RoleName
    
  2. Log on to the ROS console with the execution account and create a stack from the AliyunROSStackGroupExecutionRole template. The stack creates the AliyunROSStackGroupExecutionRole RAM role, trusted by the account given in the AdministrationAccountId parameter (leave it empty if the administrator account is the current account), and attaches the AdministratorAccess system policy to it.

    Example template:

    ROSTemplateFormatVersion: '2015-09-01'
    Description: Configure the AliyunROSStackGroupExecutionRole to enable use of your account as a target account in Alibaba Cloud ROS StackGroup.
    Conditions:
      CurrentAccount:
        Fn::Equals:
          - Ref: AdministrationAccountId
          - ''
    Parameters:
      ExecutionRoleName:
        Type: String
        Default: AliyunROSStackGroupExecutionRole
        Description:
          en: Execution role name of target account
          zh-cn: 为目标账号创建执行角色的名称
      AdministrationAccountId:
        Type: String
        Description:
          zh-cn: 管理员主账号ID,不填则授权给当前账号
          en: Administration account ID. If not, authorize the current account
        Default: ''
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - ExecutionRoleName
              - AdministrationAccountId
            Label:
              default: RAM
        TemplateTags:
          - acs:example:Security:Grant permissions to the execution account of a stack group
    Resources:
      AliyunROSStackGroupExecutionRole:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName:
            Ref: ExecutionRoleName
          AssumeRolePolicyDocument:
            Version: 1
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  RAM:
                    - Fn::Join:
                        - ''
                        - - 'acs:ram::'
                          - Fn::If:
                              - CurrentAccount
                              - Ref: ALIYUN::TenantId
                              - Ref: AdministrationAccountId
                          - ':root'
      AttachPolicy:
        Type: ALIYUN::RAM::AttachPolicyToRole
        Properties:
          PolicyName: AdministratorAccess
          PolicyType: System
          RoleName:
            Fn::GetAtt:
              - AliyunROSStackGroupExecutionRole
              - RoleName
    Outputs:
      ExecutionRoleName:
        Value:
          Fn::GetAtt:
            - AliyunROSStackGroupExecutionRole
            - RoleName
    