Resource Orchestration Service: Grant self-managed permissions

Last Updated: Feb 17, 2025

Before you create a stack group that has self-managed permissions in Resource Orchestration Service (ROS), you must manually create Resource Access Management (RAM) roles within the administrator and execution accounts and establish a trust relationship between the accounts. Then, you can deploy stacks within the execution account.

Background information

Before you grant self-managed permissions, you must create RAM roles for the Alibaba Cloud accounts in the following table and grant permissions to the roles.

Alibaba Cloud account: Administrator account
  RAM role: AliyunROSStackGroupAdministrationRole
  Policy: Custom policy: AssumeRole-AliyunROSStackGroupExecutionRole
  Policy description: Allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role.

Alibaba Cloud account: Execution account
  RAM role: AliyunROSStackGroupExecutionRole
  Policy: System policy: AdministratorAccess
  Policy description: Allows the AliyunROSStackGroupExecutionRole RAM role to manage all Alibaba Cloud resources that belong to the execution account.

Note

The administrator account and the execution account can be the same Alibaba Cloud account. For more information about administrator and execution accounts, see Overview.

After you grant the permissions to the roles, you can use the administrator account to create a stack group in the ROS console and then create stack instances in the stack group to deploy stacks within the execution account.

Method 1: Grant self-managed permissions in the RAM console

  1. Grant permissions to the desired execution account.

    1. Log on to the RAM console by using the execution account.

    2. Create the AliyunROSStackGroupExecutionRole RAM role for the execution account and specify the desired administrator account as the trusted entity of the role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, click Create Role.

      3. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Account and click Next.

      4. Configure information about the RAM role.

        1. In the RAM Role Name field, enter AliyunROSStackGroupExecutionRole.

        2. In the Note field, enter a description for the RAM role.

        3. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account and enter the ID of the administrator account in the field.

      5. Click OK.

      6. Click Close.

    3. Attach the AdministratorAccess policy to the AliyunROSStackGroupExecutionRole RAM role.

      1. On the Roles page, find the AliyunROSStackGroupExecutionRole RAM role and click Grant Permission in the Actions column.

      2. In the Grant Permission panel, set the Resource Scope parameter to Account. The value of the Selected Principal parameter is automatically populated.

      3. In the Policy section, select System Policy from the drop-down list and select AdministratorAccess.

      4. Click Grant permissions.

      5. Click Close.

  2. Grant permissions to the administrator account.

    1. Log on to the RAM console by using the administrator account.

    2. Create the AliyunROSStackGroupAdministrationRole RAM role for the administrator account and specify ROS as the trusted entity of the role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, click Create Role.

      3. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Service and click Next.

      4. Set the Role Type parameter to Normal Service Role.

      5. Configure information about the RAM role.

        1. In the RAM Role Name field, enter AliyunROSStackGroupAdministrationRole.

        2. In the Note field, enter a description for the RAM role.

        3. Select Resource Orchestration Service from the Select Trusted Service drop-down list.

      6. Click OK.

      7. Click Close.

    3. Create the AssumeRole-AliyunROSStackGroupExecutionRole custom policy.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Policy page, click the JSON tab, enter the following policy content in the editor, and then click OK. In the Create Policy dialog box, enter AssumeRole-AliyunROSStackGroupExecutionRole in the Name field.

        This policy allows the AliyunROSStackGroupAdministrationRole RAM role to assume the AliyunROSStackGroupExecutionRole RAM role.

        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
            }
          ],
          "Version": "1"
        }

      4. Click OK.

    4. Attach the AssumeRole-AliyunROSStackGroupExecutionRole policy to the AliyunROSStackGroupAdministrationRole RAM role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. On the Roles page, find the AliyunROSStackGroupAdministrationRole RAM role and click Grant Permission in the Actions column.

      3. In the Grant Permission panel, set the Resource Scope parameter to Account. The value of the Selected Principal parameter is automatically populated.

      4. In the Policy section, select Custom Policy from the drop-down list and select AssumeRole-AliyunROSStackGroupExecutionRole.

      5. Click Grant permissions.
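The steps above build a three-link chain: ROS assumes the administration role, the administration role is allowed to assume the execution role, and the execution role trusts the administrator account. The following added example (not Alibaba Cloud's code and not part of this page) models the three documents from Method 1 as plain JSON policies and checks every link before a stack group is created. The account IDs and the function names (exec_role_trust, policy_allows, check_chain) are assumptions of the example; the custom policy is copied from the page as-is.

```python
"""Checks the cross-account trust chain that a ROS stack group relies on.

Added example, not Alibaba Cloud's code: it models the RAM roles created in
Method 1 as plain policy documents and verifies each link ROS needs before a
stack group is created. Account IDs are constructed placeholders.
"""
import json
import re

ROS_SERVICE = "ros.aliyuncs.com"
EXEC_ROLE_NAME = "AliyunROSStackGroupExecutionRole"

# Constructed placeholder account IDs (16 digits, like real Alibaba Cloud IDs).
ADMIN_ACCOUNT_ID = "1111111111111111"
EXEC_ACCOUNT_ID = "2222222222222222"

# Trust policy of the administration role: ROS is the trusted service.
ADMIN_ROLE_TRUST = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": [ROS_SERVICE]}}],
}

# Custom policy AssumeRole-AliyunROSStackGroupExecutionRole, as given on the page.
ADMIN_ROLE_POLICY = json.loads("""{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::*:role/AliyunROSStackGroupExecutionRole"
    }
  ],
  "Version": "1"
}""")


def exec_role_trust(admin_account_id):
    """Trust policy of the execution role: the console's "Other Alibaba Cloud
    Account" choice becomes a RAM principal of the form acs:ram::<id>:root."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"RAM": [f"acs:ram::{admin_account_id}:root"]}}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    # RAM resource patterns use '*' as a wildcard; everything else is literal.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, arn) is not None


def policy_allows(policy, action, principal_key=None, principal=None, resource=None):
    """True if some Allow statement covers the action and, when given, the
    principal (trust policy) or the resource (permission policy).
    Deny statements are not modelled here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if action not in actions and "*" not in actions:
            continue
        if principal_key is not None:
            trusted = _as_list(stmt.get("Principal", {}).get(principal_key, []))
            if principal not in trusted:
                continue
        if resource is not None:
            patterns = _as_list(stmt.get("Resource", []))
            if not any(_arn_matches(p, resource) for p in patterns):
                continue
        return True
    return False


def check_chain(admin_trust, admin_policy, exec_trust, admin_account_id, exec_account_id):
    """Return each link of the chain and whether the documents establish it."""
    exec_role_arn = f"acs:ram::{exec_account_id}:role/{EXEC_ROLE_NAME}"
    return {
        # ROS assumes the administration role in the administrator account ...
        "ros_can_assume_admin_role":
            policy_allows(admin_trust, "sts:AssumeRole", "Service", ROS_SERVICE),
        # ... that role may call sts:AssumeRole on the execution role ...
        "admin_role_can_assume_exec_role":
            policy_allows(admin_policy, "sts:AssumeRole", resource=exec_role_arn),
        # ... and the execution role's trust policy names the administrator account.
        "exec_role_trusts_admin_account":
            policy_allows(exec_trust, "sts:AssumeRole", "RAM",
                          f"acs:ram::{admin_account_id}:root"),
    }


if __name__ == "__main__":
    links = check_chain(ADMIN_ROLE_TRUST, ADMIN_ROLE_POLICY,
                        exec_role_trust(ADMIN_ACCOUNT_ID), ADMIN_ACCOUNT_ID, EXEC_ACCOUNT_ID)
    for name, ok in links.items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

A mistyped administrator account ID in the execution role's trust policy breaks only the last link, which is why the check reports links individually. Note also what the last link means: the execution role trusts acs:ram::<administrator account>:root and carries AdministratorAccess, so any RAM user or role in the administrator account that is itself permitted to call sts:AssumeRole on that role can act with full privileges in the execution account. Which identities in the administrator account hold that permission is therefore the control to review.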

Method 2: Grant self-managed permissions in the ROS console

You can use a ROS template to create RAM roles for the administrator and execution accounts and grant the permissions on stack groups and stacks to the roles.

  1. Log on to the ROS console by using the administrator account. Then, use the AliyunROSStackGroupAdministrationRole template to create the RAM role and grant the required permissions to the role.

    Sample template

    ROSTemplateFormatVersion: '2015-09-01'
    Description: Configure the AliyunROSStackGroupAdministrationRole to enable use of Alibaba Cloud ROS StackGroup.
    Parameters:
      AdministrationRoleName:
        Type: String
        Default: AliyunROSStackGroupAdministrationRole
        Description:
          en: Role name of administration account
      ExecutionRoleName:
        Type: String
        Default: AliyunROSStackGroupExecutionRole
        Description:
          en: Execution role name of target account
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - AdministrationRoleName
              - ExecutionRoleName
            Label:
              default:
                en: RAM
        TemplateTags:
          - acs:example:Security:Grant permissions to the administrator account of a stack group
    Resources:
      AliyunROSStackGroupAdministrationRole:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName:
            Ref: AdministrationRoleName
          AssumeRolePolicyDocument:
            Version: 1
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  Service:
                    - ros.aliyuncs.com
          Policies:
            - PolicyName:
                Fn::Sub:
                  - AssumeRole-${ExecutionRoleName}
                  - ExecutionRoleName:
                      Ref: ExecutionRoleName
              PolicyDocument:
                Statement:
                  - Effect: Allow
                    Action:
                      - sts:AssumeRole
                    Resource:
                      - Fn::Sub: acs:ram::*:role/${ExecutionRoleName}
                Version: '1'
    Outputs:
      AdministrationRoleName:
        Value:
          Fn::GetAtt:
            - AliyunROSStackGroupAdministrationRole
            - RoleName
    
  2. Log on to the ROS console by using the execution account. Then, use the AliyunROSStackGroupExecutionRole template to create the RAM role and grant the required permissions to the role.

    Sample template

    ROSTemplateFormatVersion: '2015-09-01'
    Description: Configure the AliyunROSStackGroupExecutionRole to enable use of your account as a target account in Alibaba Cloud ROS StackGroup.
    Conditions:
      CurrentAccount:
        Fn::Equals:
          - Ref: AdministrationAccountId
          - ''
    Parameters:
      ExecutionRoleName:
        Type: String
        Default: AliyunROSStackGroupExecutionRole
        Description:
          en: Execution role name of target account
      AdministrationAccountId:
        Type: String
        Description:
          en: Administration account ID. If not, authorize the current account
        Default: ''
    Metadata:
      ALIYUN::ROS::Interface:
        ParameterGroups:
          - Parameters:
              - ExecutionRoleName
              - AdministrationAccountId
            Label:
              default: RAM
        TemplateTags:
          - acs:example:Security:Grant permissions to the execution account of a stack group
    Resources:
      AliyunROSStackGroupExecutionRole:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName:
            Ref: ExecutionRoleName
          AssumeRolePolicyDocument:
            Version: 1
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  RAM:
                    - Fn::Join:
                        - ''
                        - - 'acs:ram::'
                          - Fn::If:
                              - CurrentAccount
                              - Ref: ALIYUN::TenantId
                              - Ref: AdministrationAccountId
                          - ':root'
      AttachPolicy:
        Type: ALIYUN::RAM::AttachPolicyToRole
        Properties:
          PolicyName: AdministratorAccess
          PolicyType: System
          RoleName:
            Fn::GetAtt:
              - AliyunROSStackGroupExecutionRole
              - RoleName
    Outputs:
      ExecutionRoleName:
        Value:
          Fn::GetAtt:
            - AliyunROSStackGroupExecutionRole
            - RoleName
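The execution-role template decides which account to trust at deployment time: the CurrentAccount condition compares AdministrationAccountId with the empty string, and Fn::If picks either the deploying account (ALIYUN::TenantId) or the supplied ID. The following added example (not part of this page and not ROS's own code) evaluates the subset of intrinsic functions the two templates use (Ref, Fn::Equals, Fn::If, Fn::Join, Fn::Sub) against chosen parameter values, so the trusted principal and the policy name and resource can be inspected before the stacks are created. The TemplateResolver class, its method names and the account IDs are assumptions of the example; the fragments it evaluates are copied from the templates above.

```python
"""Resolves the intrinsic functions used in the two ROS sample templates.

Added example, not ROS's own code. It implements only the functions the
templates above use (Ref, Fn::Equals, Fn::If, Fn::Join, Fn::Sub) and applies
them to fragments copied from those templates. Account IDs are constructed
placeholders; ALIYUN::TenantId stands for the account deploying the template.
"""
import re


class TemplateResolver:
    def __init__(self, parameters, conditions, tenant_id):
        self.params = dict(parameters)
        self.params["ALIYUN::TenantId"] = tenant_id  # pseudo parameter
        self.conditions = conditions

    def resolve(self, node):
        """Recursively replace intrinsic-function nodes with their values."""
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:
            (key, arg), = node.items()
            if key == "Ref":
                return self.params[arg]
            if key == "Fn::Equals":
                left, right = self.resolve(arg)
                return left == right
            if key == "Fn::If":
                cond_name, if_true, if_false = arg
                return self.resolve(if_true if self.condition(cond_name) else if_false)
            if key == "Fn::Join":
                separator, parts = arg
                return separator.join(str(p) for p in self.resolve(parts))
            if key == "Fn::Sub":
                return self.sub(arg)
        return {k: self.resolve(v) for k, v in node.items()}

    def condition(self, name):
        return bool(self.resolve(self.conditions[name]))

    def sub(self, arg):
        # Fn::Sub takes either a string or [string, {variable: value}].
        if isinstance(arg, str):
            template, variables = arg, {}
        else:
            template, variables = arg[0], self.resolve(arg[1])

        def lookup(match):
            name = match.group(1)
            return str(variables[name] if name in variables else self.params[name])

        return re.sub(r"\$\{([^}]+)\}", lookup, template)


# Fragments copied from the AliyunROSStackGroupExecutionRole template.
EXEC_TEMPLATE_CONDITIONS = {
    "CurrentAccount": {"Fn::Equals": [{"Ref": "AdministrationAccountId"}, ""]}}
EXEC_ROLE_PRINCIPAL = {"Fn::Join": ["", [
    "acs:ram::",
    {"Fn::If": ["CurrentAccount", {"Ref": "ALIYUN::TenantId"},
                {"Ref": "AdministrationAccountId"}]},
    ":root"]]}

# Fragments copied from the AliyunROSStackGroupAdministrationRole template.
ADMIN_POLICY_NAME = {"Fn::Sub": ["AssumeRole-${ExecutionRoleName}",
                                 {"ExecutionRoleName": {"Ref": "ExecutionRoleName"}}]}
ADMIN_POLICY_RESOURCE = {"Fn::Sub": "acs:ram::*:role/${ExecutionRoleName}"}


def execution_role_trusted_principal(administration_account_id, tenant_id):
    """RAM principal the execution role will trust for the given parameters."""
    resolver = TemplateResolver({"AdministrationAccountId": administration_account_id,
                                 "ExecutionRoleName": "AliyunROSStackGroupExecutionRole"},
                                EXEC_TEMPLATE_CONDITIONS, tenant_id)
    return resolver.resolve(EXEC_ROLE_PRINCIPAL)


def administration_role_policy(execution_role_name):
    """(policy name, resource pattern) the administration role template creates."""
    resolver = TemplateResolver({"ExecutionRoleName": execution_role_name}, {},
                                "0000000000000000")
    return resolver.resolve(ADMIN_POLICY_NAME), resolver.resolve(ADMIN_POLICY_RESOURCE)


if __name__ == "__main__":
    # Constructed placeholder account IDs.
    print("same account:", execution_role_trusted_principal("", "2222222222222222"))
    print("cross account:", execution_role_trusted_principal("1111111111111111", "2222222222222222"))
    print("admin policy:", administration_role_policy("AliyunROSStackGroupExecutionRole"))
```

With AdministrationAccountId left empty, the CurrentAccount condition is true and the trusted principal is the deploying account itself, which is the same-account setup described in the note under Background information; with an ID supplied, that account's root principal is trusted instead. Resolving the fragment this way before deploying confirms that a role backed by AdministratorAccess ends up trusting the intended account and nothing else.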