OOS masks sensitive values — such as passwords and API keys — stored as encryption parameters in Parameter Store, so they never appear in plaintext in execution inputs, log output, or audit records.
CloudOps Orchestration Service (OOS) stores sensitive values such as passwords and API keys as encryption parameters in Parameter Store. When an encryption parameter is referenced in a template execution, OOS uses the value without exposing it in plaintext — the value is masked in the execution input, log output, and audit records. This topic walks through creating an encryption parameter, referencing it in a template, and verifying that the value stays masked throughout execution.
Use an encryption parameter in a template execution
Log on to the OOS console.
In the left-side navigation pane, click Parameter Store. On the Encryption Parameters tab, create an encryption parameter. For more information, see the Create an encryption parameter section of the Encryption parameters topic. In this example, an encryption parameter named
InstancePasswordis created, as shown in the following figure.
-
Create a template, or select an existing custom template or a public template. In this example, a template that changes the password of an ECS instance is created using the following sample code:
FormatVersion: OOS-2019-06-01 Description: Bulk modify the password of an ECS instance. Parameters: regionId: Type: String Description: The id of region. AssociationProperty: RegionId Default: '{{ ACS::RegionId }}' targets: Type: Json AssociationProperty: Targets AssociationPropertyMetadata: ResourceType: 'ALIYUN::ECS::Instance' RegionId: regionId instancePassword: Description: The password of the ECS instance. Type: String rateControl: Description: Concurrency ratio of task execution. Type: Json AssociationProperty: RateControl Default: Mode: Concurrency MaxErrors: 0 Concurrency: 10 OOSAssumeRole: Description: The RAM role to be assumed by OOS. Type: String Default: OOSServiceRole RamRole: '{{ OOSAssumeRole }}' Tasks: - Name: getInstance Description: Views the ECS instances. Action: 'ACS::SelectTargets' Properties: ResourceType: 'ALIYUN::ECS::Instance' RegionId: '{{ regionId }}' Filters: - '{{ targets }}' Outputs: instanceIds: Type: List ValueSelector: 'Instances.Instance[].InstanceId' - Name: resetPassword Action: 'ACS::ECS::ResetPassword' Description: Modify the password of an ECS instance. Properties: regionId: '{{ regionId }}' instanceId: '{{ ACS::TaskLoopItem }}' password: '{{ instancePassword }}' Loop: RateControl: '{{ rateControl }}' Items: '{{ getInstance.instanceIds }}' Outputs: instanceId: Type: String ValueSelector: instanceId On the Custom Template page, find the template and click Create Execution in the Actions column. In the Basic Information step of the Create Task wizard, click Next Step: Parameter Settings.
-
In the Parameter Settings step, enter a value in the instancePassword field, or click the Select Parameter icon next to the field to select a parameter from Parameter Store — for example, the encryption parameter created in step 2, as shown in the following figure.

-
In the Select Parameter dialog box, set Parameter Type to Encryption Parameters, select the encryption parameter you created, and click OK.

-
Configure all remaining parameters and click Next Step: OK.

-
In the OK step, review the parameter settings and click Create.

On the Task Execution Management page, find the execution and click Details in the Actions column. In the Execution Steps and Results section, click the Input step and locate the
instancePasswordparameter. The value is not displayed in plaintext, confirming that the encryption parameter masks sensitive values in the execution input.
Click the Log tab. In the logs for the call to the encryption parameter, the value remains encrypted — the sensitive data is not exposed in the execution log or audit records.

-
After the template completes, log on to the instance using the password stored in the encryption parameter to verify that the password was changed successfully.



