RAM permission management


This topic uses an e-commerce project to explain best practices for permission management with Resource Access Management (RAM). It covers the principles of user management, resource grouping, permission configuration, and access control within a single Alibaba Cloud account.

Prerequisites

To manage permissions for an e-commerce project with RAM, use the ROS template RAM Permission Management to automatically set up an environment for user management and permission configuration. Before you start, perform the following operations:

  • Ensure you have access to ECS, VPC, ApsaraDB RDS, OSS, and RAM.

  • Ensure you have created resource groups for your development, production, and test environments and obtained their IDs. For more information about how to create a resource group, see Create a resource group.

Step 1: Create a stack

  1. Log on to the Resource Orchestration Service console.

  2. In the left-side navigation pane, click Public Templates.

  3. Find the Use RAM to Manage Account Permissions template.

  4. Click Create Stack.

  5. On the Configure Parameters page, enter a Stack Name and configure the following parameters.

    Each entry below gives the parameter, its description, and an example value, grouped by category.

    RESOURCE

      • Development resource group ID: The ID of the resource group for your development environment. Example: rg-aekzs3xmizs****

      • Production resource group ID: The ID of the resource group for your production environment. Example: rg-aekzko7fsuj****

      • Test resource group ID: The ID of the resource group for your test environment. Example: rg-aekzsvnra53****

    VPC

      • Development environment VPC CIDR block: The CIDR block of the VPC for the development environment. Example: 172.16.0.0/12

      • Production environment VPC CIDR block: The CIDR block of the VPC for the production environment. Example: 10.0.0.0/8

      • Test environment VPC CIDR block: The CIDR block of the VPC for the test environment. Example: 192.168.0.0/16

      • vSwitch Zone: The ID of the availability zone for the vSwitch. Example: China (Hangzhou) Zone K

      • Development vSwitch CIDR block: The CIDR block of the vSwitch for the development environment. The CIDR block must be a subset of the VPC CIDR block. Example: 172.16.10.0/24

      • Production vSwitch CIDR block: The CIDR block of the vSwitch for the production environment. The CIDR block must be a subset of the VPC CIDR block. Example: 10.0.10.0/24

      • Test vSwitch CIDR block: The CIDR block of the vSwitch for the test environment. The CIDR block must be a subset of the VPC CIDR block. Example: 192.168.10.0/24

    ECS

      • Instance specification: The instance type of the ECS instance. Select a valid instance type. For more information, see Instance families. Example: ecs.c5.large

      • Image: The ID of the image for the ECS instance. The default image is centos_7. For more information, see Image overview. Example: centos_7

      • System Disk Type: The type of system disk for the ECS instance. Valid values: cloud_efficiency (ultra disk), cloud_ssd (standard SSD), cloud_essd (ESSD), cloud (basic disk), ephemeral_ssd (local SSD). For more information, see Disks. Example: cloud_efficiency

      • System disk space: The size of the system disk. Valid values: 40 to 500. Unit: GB. Example: 40

      • Instance password: The password of the ECS instance. Example: Test_12****

    RDS

      • Type and version: The database engine type and version of the ApsaraDB RDS instance. Example: MySQL-5.7

      • Instance specification: The instance type of the ApsaraDB RDS instance. Select a valid instance type. For more information, see Primary ApsaraDB RDS instance types. Example: rds.mysql.s2.large

      • Storage Capacity: The storage space of the ApsaraDB RDS instance. Valid values: 5 to 1000. The value must be a multiple of 5. Unit: GB. Example: 5

    OSS

      • Access control: The access control list (ACL) for objects in the OSS bucket. Valid values: private (all access to objects requires authentication), public-read (write operations require authentication, but anonymous read operations are allowed), public-read-write (anyone can read and write objects in the bucket). Example: private

      • Storage class: The storage class of the OSS bucket. Valid values: Standard, IA (Infrequent Access), Archive. Example: Standard

      • Development bucket name: The name of the OSS bucket for the development environment. Example: ros-projects-dev

      • Production bucket name: The name of the OSS bucket for the production environment. Example: ros-projects-prod

      • Test bucket name: The name of the OSS bucket for the test environment. Example: ros-projects-test

      • Code release bucket name: The name of the OSS bucket used for code releases. Example: ros-projects-code

      • Other bucket name: The name of the OSS bucket used for other purposes. Example: ros-projects-other

      • Release bucket release directory: The name of the OSS directory for code releases. Example: release

      • Release bucket production directory: The name of the OSS directory for production deployments. Example: prod

    RAM

      • Operations user group name: The name of the user group for operations and maintenance (O&M) staff. Example: sa

      • Development user group name: The name of the user group for developers. Example: dev

      • Test user group name: The name of the user group for testers. Example: test

      • Development app user group name: The name of the application user group for the development environment. Example: app-dev

      • Production app user group name: The name of the application user group for the production environment. Example: app-prod

      • Test app user group name: The name of the application user group for the test environment. Example: app-test

      • Development RAM user name: The name of the RAM user for the development environment. Example: sts_dev

      • Production RAM user name: The name of the RAM user for the production environment. Example: sts_prod

      • Test RAM user name: The name of the RAM user for the test environment. Example: sts_test

  6. Click Create.

  7. On the Stack Information tab, view the status of the stack. After the stack is created, click the Output tab to obtain the AccessKey ID and AccessKey Secret for the development, test, and production environments.
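The parameter list above states several constraints (each vSwitch CIDR block must lie inside its environment's VPC CIDR block, the system disk is 40 to 500 GB, RDS storage is 5 to 1000 GB in multiples of 5, and the disk type, bucket ACL and storage class must be one of the listed values) that the console only reports after you click Create. The following script is an added example, not part of the ROS template or the Alibaba Cloud documentation: it checks those constraints locally, flags a non-private bucket ACL as a warning, and requires the five bucket names to be distinct (OSS bucket names are globally unique). The dictionary keys such as `dev_vpc_cidr` are names chosen for this script, not the template's own parameter identifiers; the example values are the ones from the list above, and the failing set is constructed.

```python
"""Pre-flight validation of the Step 1 stack parameters (added example)."""
import ipaddress

VALID_DISK_TYPES = {"cloud_efficiency", "cloud_ssd", "cloud_essd", "cloud", "ephemeral_ssd"}
VALID_BUCKET_ACLS = {"private", "public-read", "public-read-write"}
VALID_STORAGE_CLASSES = {"Standard", "IA", "Archive"}

# Example values from the parameter list (key names are this script's own).
EXAMPLE_PARAMETERS = {
    "dev_vpc_cidr": "172.16.0.0/12", "dev_vswitch_cidr": "172.16.10.0/24",
    "prod_vpc_cidr": "10.0.0.0/8", "prod_vswitch_cidr": "10.0.10.0/24",
    "test_vpc_cidr": "192.168.0.0/16", "test_vswitch_cidr": "192.168.10.0/24",
    "system_disk_type": "cloud_efficiency", "system_disk_gb": 40,
    "rds_storage_gb": 5, "bucket_acl": "private", "storage_class": "Standard",
    "bucket_names": ["ros-projects-dev", "ros-projects-prod", "ros-projects-test",
                     "ros-projects-code", "ros-projects-other"],
}

# Constructed parameter set that violates several constraints at once.
BAD_PARAMETERS = dict(
    EXAMPLE_PARAMETERS,
    dev_vswitch_cidr="10.1.0.0/24",          # not inside 172.16.0.0/12
    system_disk_gb=20,                        # below the 40 GB minimum
    rds_storage_gb=12,                        # not a multiple of 5
    bucket_acl="public-read-write",           # anyone can read and write objects
    bucket_names=["ros-projects-dev", "ros-projects-dev", "ros-projects-test",
                  "ros-projects-code", "ros-projects-other"],  # duplicate name
)


def cidr_is_subset(inner: str, outer: str) -> bool:
    """True when every address of `inner` lies inside `outer`."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def validate_parameters(params: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; no errors means the stack can be created."""
    errors, warnings = [], []

    # vSwitch CIDR blocks must be subsets of their environment's VPC CIDR block.
    for env in ("dev", "prod", "test"):
        vpc, vsw = params[f"{env}_vpc_cidr"], params[f"{env}_vswitch_cidr"]
        if not cidr_is_subset(vsw, vpc):
            errors.append(f"{env}: vSwitch CIDR {vsw} is not a subset of VPC CIDR {vpc}")

    # ECS system disk: listed type, 40 to 500 GB.
    if params["system_disk_type"] not in VALID_DISK_TYPES:
        errors.append(f"unknown system disk type {params['system_disk_type']!r}")
    disk = params["system_disk_gb"]
    if not 40 <= disk <= 500:
        errors.append(f"system disk size {disk} GB is outside 40 to 500 GB")

    # RDS storage: 5 to 1000 GB, multiple of 5.
    rds = params["rds_storage_gb"]
    if not 5 <= rds <= 1000 or rds % 5 != 0:
        errors.append(f"RDS storage {rds} GB must be 5 to 1000 GB and a multiple of 5")

    # OSS: listed ACL and storage class, distinct bucket names, private ACL preferred.
    acl = params["bucket_acl"]
    if acl not in VALID_BUCKET_ACLS:
        errors.append(f"unknown bucket ACL {acl!r}")
    elif acl != "private":
        warnings.append(f"bucket ACL {acl!r} allows anonymous access to objects")
    if params["storage_class"] not in VALID_STORAGE_CLASSES:
        errors.append(f"unknown storage class {params['storage_class']!r}")
    names = params["bucket_names"]
    if len(set(names)) != len(names):
        errors.append("OSS bucket names must be distinct")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, p in (("example", EXAMPLE_PARAMETERS), ("constructed bad set", BAD_PARAMETERS)):
        print(label, validate_parameters(p))
```

Run it before creating the stack; an empty `errors` list for your own values means the CIDR and size constraints in the list above are satisfied, and the warning tells you whether a bucket would be readable without authentication.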

Step 2: View resources

  1. In the left-side navigation pane, click Resource stack.

  2. On the Stacks page, click the name of the target stack.

  3. Click the Resources tab to view the resource information.

    The following list describes the resources created in this example (resource type, quantity, description, and specifications).

      • ALIYUN::RAM::Group (quantity: 6): Six user groups are created. They allow you to classify RAM users with the same responsibilities, which simplifies permission management. Specifications: none.

      • ALIYUN::ECS::SecurityGroup (quantity: 3): Three security groups are created to define virtual firewalls for your cloud resources. Specifications: none.

      • ALIYUN::RDS::DBInstance (quantity: 1): One ApsaraDB RDS instance is created to store data. Specifications: rds.mysql.s2.large (general-purpose instance type with 2 vCPUs and 4 GB of memory); storage space: 20 GB.

      • ALIYUN::ECS::VSwitch (quantity: 3): Three vSwitches are created to manage resources within an availability zone. Specifications: none.

      • ALIYUN::OSS::Bucket (quantity: 5): Five buckets are created to store data for the development, production, and test environments. Specifications: none.

      • ALIYUN::ECS::Instance (quantity: 3): Three ECS instances are created to host workloads in the development, production, and test environments. Specifications: total quantity 3; instance type ecs.c5.large; system disk type ultra disk; system disk space 40 GB; public IP address assigned: no.

      • ALIYUN::RAM::Role (quantity: 3): Three RAM roles are created to issue temporary STS tokens for granting access permissions more securely. Specifications: none.

      • ALIYUN::RAM::User (quantity: 3): Three RAM users are created. They are individuals or applications within your organization that require access to cloud resources. Specifications: none.

      • ALIYUN::ECS::VPC (quantity: 3): Three VPCs are created to improve network security in the cloud. Specifications: none.
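The resource list above fixes what a correct deployment looks like: nine resource types with known counts, buckets that stay private, and ECS instances without a public IP. Before a modified copy of the template is deployed, a practitioner can check these properties in the template itself rather than in the console afterwards. The script below is an added example, not part of the documentation or of the public template: it parses an ROS template in JSON form, compares resource counts with the list above, and flags a bucket whose `AccessControl` is not `private`, an ECS instance with `AllocatePublicIP` set, and an ECS `Password` written as a literal instead of a `Ref` to a parameter. `SAMPLE_TEMPLATE` is constructed for this script and deliberately contains each of those problems; the property names follow the ROS resource types, but the template is not the one used in Step 1.

```python
"""Guardrail checks on an ROS template before deployment (added example)."""
import json

# Expected resource counts, taken from the Step 2 resource list.
EXPECTED_COUNTS = {
    "ALIYUN::RAM::Group": 6, "ALIYUN::ECS::SecurityGroup": 3, "ALIYUN::RDS::DBInstance": 1,
    "ALIYUN::ECS::VSwitch": 3, "ALIYUN::OSS::Bucket": 5, "ALIYUN::ECS::Instance": 3,
    "ALIYUN::RAM::Role": 3, "ALIYUN::RAM::User": 3, "ALIYUN::ECS::VPC": 3,
}

# Constructed, deliberately flawed template: a public bucket, an ECS instance with a
# public IP and a literal password, and far fewer resources than the stack creates.
SAMPLE_TEMPLATE = json.dumps({
    "ROSTemplateFormatVersion": "2015-09-01",
    "Parameters": {"InstancePassword": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "DevBucket": {"Type": "ALIYUN::OSS::Bucket",
                      "Properties": {"BucketName": "ros-projects-dev", "AccessControl": "private"}},
        "OtherBucket": {"Type": "ALIYUN::OSS::Bucket",
                        "Properties": {"BucketName": "ros-projects-other",
                                       "AccessControl": "public-read-write"}},
        "DevEcs": {"Type": "ALIYUN::ECS::Instance",
                   "Properties": {"InstanceType": "ecs.c5.large", "AllocatePublicIP": True,
                                  "Password": "Test_12****"}},
        "ProdEcs": {"Type": "ALIYUN::ECS::Instance",
                    "Properties": {"InstanceType": "ecs.c5.large", "AllocatePublicIP": False,
                                   "Password": {"Ref": "InstancePassword"}}},
        "SaGroup": {"Type": "ALIYUN::RAM::Group", "Properties": {"GroupName": "sa"}},
    },
})


def count_resources(template: dict) -> dict:
    """Map each resource type in the template to the number of resources of that type."""
    counts = {}
    for res in template.get("Resources", {}).values():
        counts[res["Type"]] = counts.get(res["Type"], 0) + 1
    return counts


def lint_template(template_text: str) -> dict:
    """Return findings grouped by check; every list empty means the template passes."""
    template = json.loads(template_text)
    findings = {"count_mismatch": [], "public_bucket": [], "public_ip": [], "literal_password": []}

    # 1. Resource counts must match the Step 2 list.
    counts = count_resources(template)
    for rtype, expected in EXPECTED_COUNTS.items():
        actual = counts.get(rtype, 0)
        if actual != expected:
            findings["count_mismatch"].append(f"{rtype}: expected {expected}, found {actual}")

    # 2. Per-resource guardrails.
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res["Type"] == "ALIYUN::OSS::Bucket":
            # OSS buckets default to private; anything else allows anonymous reads.
            if props.get("AccessControl", "private") != "private":
                findings["public_bucket"].append(name)
        elif res["Type"] == "ALIYUN::ECS::Instance":
            if props.get("AllocatePublicIP") is True:
                findings["public_ip"].append(name)
            # A string password is a credential committed with the template;
            # a {"Ref": ...} to a NoEcho parameter keeps it out of the file.
            if isinstance(props.get("Password"), str):
                findings["literal_password"].append(name)
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE_TEMPLATE), indent=2))
```

Replace `SAMPLE_TEMPLATE` with the JSON of the template you intend to deploy; a non-empty `public_bucket`, `public_ip` or `literal_password` list points at a resource that departs from the configuration the list above describes.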

    Note

    For information about resource fees, see the pricing information on the official website or the pricing document for each product.