Use encryption parameters for template executions

更新时间:
复制 MD 格式

OOS masks sensitive values — such as passwords and API keys — stored as encryption parameters in Parameter Store, so they never appear in plaintext in execution inputs, log output, or audit records.

CloudOps Orchestration Service (OOS) stores sensitive values such as passwords and API keys as encryption parameters in Parameter Store. When an encryption parameter is referenced in a template execution, OOS uses the value without exposing it in plaintext — the value is masked in the execution input, log output, and audit records. This topic walks through creating an encryption parameter, referencing it in a template, and verifying that the value stays masked throughout execution.

Use an encryption parameter in a template execution

  1. Log on to the OOS console.

  2. In the left-side navigation pane, click Parameter Store. On the Encryption Parameters tab, create an encryption parameter. For more information, see the Create an encryption parameter section of the Encryption parameters topic. In this example, an encryption parameter named InstancePassword is created, as shown in the following figure.image

  3. Create a template, or select an existing custom template or a public template. In this example, a template that changes the password of an ECS instance is created using the following sample code:

    FormatVersion: OOS-2019-06-01
    Description: Bulk modify the password of an ECS instance.
    Parameters:
      regionId:
        Type: String
        Description: The id of region.
        AssociationProperty: RegionId
        Default: '{{ ACS::RegionId }}'
      targets:
        Type: Json
        AssociationProperty: Targets
        AssociationPropertyMetadata:
          ResourceType: 'ALIYUN::ECS::Instance'
          RegionId: regionId
      instancePassword:
        Description: The password of the ECS instance.
        Type: String
      rateControl:
        Description: Concurrency ratio of task execution.
        Type: Json
        AssociationProperty: RateControl
        Default:
          Mode: Concurrency
          MaxErrors: 0
          Concurrency: 10
      OOSAssumeRole:
        Description: The RAM role to be assumed by OOS.
        Type: String
        Default: OOSServiceRole
    RamRole: '{{ OOSAssumeRole }}'
    Tasks:
      - Name: getInstance
        Description: Views the ECS instances.
        Action: 'ACS::SelectTargets'
        Properties:
          ResourceType: 'ALIYUN::ECS::Instance'
          RegionId: '{{ regionId }}'
          Filters:
            - '{{ targets }}'
        Outputs:
          instanceIds:
            Type: List
            ValueSelector: 'Instances.Instance[].InstanceId'
      - Name: resetPassword
        Action: 'ACS::ECS::ResetPassword'
        Description: Modify the password of an ECS instance.
        Properties:
          regionId: '{{ regionId }}'
          instanceId: '{{ ACS::TaskLoopItem }}'
          password: '{{ instancePassword }}'
        Loop:
          RateControl: '{{ rateControl }}'
          Items: '{{ getInstance.instanceIds }}'
        Outputs:
          instanceId:
            Type: String
            ValueSelector: instanceId
  4. On the Custom Template page, find the template and click Create Execution in the Actions column. In the Basic Information step of the Create Task wizard, click Next Step: Parameter Settings.

  5. In the Parameter Settings step, enter a value in the instancePassword field, or click the Select Parameter icon next to the field to select a parameter from Parameter Store — for example, the encryption parameter created in step 2, as shown in the following figure.

    instance-secret-password-02

  6. In the Select Parameter dialog box, set Parameter Type to Encryption Parameters, select the encryption parameter you created, and click OK.

    instance-secret-password-03

  7. Configure all remaining parameters and click Next Step: OK.

    instance-secret-password-04

  8. In the OK step, review the parameter settings and click Create.

    instance-secret-password-05

  9. On the Task Execution Management page, find the execution and click Details in the Actions column. In the Execution Steps and Results section, click the Input step and locate the instancePassword parameter. The value is not displayed in plaintext, confirming that the encryption parameter masks sensitive values in the execution input.secret-instance-password-09

  10. Click the Log tab. In the logs for the call to the encryption parameter, the value remains encrypted — the sensitive data is not exposed in the execution log or audit records.instance-secret-password-08

  11. After the template completes, log on to the instance using the password stored in the encryption parameter to verify that the password was changed successfully.

    instance-secret-password-07