Create a stack role and use it to deploy resources with specific permissions, without granting excessive permissions to individual users.
Use cases
A stack role is a RAM role whose trusted entity is Resource Orchestration Service (ROS). When you specify a stack role for a stack, ROS assumes that role to deploy resources instead of using the current user's permissions.
For example, an enterprise may need an employee to create multiple cloud resources but does not want to grant the employee broad permissions. The enterprise can create a stack role with only the required permissions. The employee then selects this stack role when creating a stack, and ROS uses it to create the resources. This topic walks through an example in which an Alibaba Cloud account creates a stack role, and a RAM user uses that role to create VPC resources.
Procedure
Step 1: Create a stack role
- Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, click Create Role.
- On the Create Role page, select Cloud Service for Principal Type.
- Select Resource Orchestration Service for Principal Name and click OK.
- In the dialog box that appears, enter a Role Name and click OK.
Step 2: Obtain template permission policy
- Define a template to create VPC resources.
  For more information about creating resource templates, see View resource types.

  ```yaml
  ROSTemplateFormatVersion: '2015-09-01'
  Resources:
    Vpc:
      Type: ALIYUN::ECS::VPC
      Properties:
        CidrBlock: 192.168.0.0/24
        VpcName: TestVpc
  ```
- Obtain the permission policy.
  - Go to the GenerateTemplatePolicy API operation in OpenAPI Explorer.
  - Enter the sample VPC template in the TemplateBody parameter.
  - Click Initiate Call to obtain the permission policy for creating VPC resources.

  ```json
  {
    "Policy": {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "quotas:ListProductQuotas"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:AssociateVpcCidrBlock",
            "vpc:CreateVpc",
            "vpc:DeleteVpc",
            "vpc:DescribeVpcs",
            "vpc:ModifyVpcAttribute",
            "vpc:TagResources",
            "vpc:UnTagResources"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    },
    "RequestId": "607A8E4E-4423-5D2D-8392-E74C5DC42EC5"
  }
  ```
Step 3: Create a custom permission policy
- Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab.
- Enter the policy document and click OK.
  Replace the content with the Policy section (the object under the Policy key, not the entire response) from the permission policy obtained in Step 2: Obtain template permission policy.
- Enter a policy Name and Note.
- Click OK.
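The following Python script is added here as a worked example; it is not part of the original topic and not ROS or RAM product code. It automates the hand-off between Step 2 and Step 3: it takes a GenerateTemplatePolicy response (the page's VPC example, embedded as constructed sample input), extracts the Policy object that is pasted into the JSON tab, and runs two review checks that are worth doing before the policy is attached to the stack role: no wildcard actions, and no service prefix beyond those the template's resources require. The expected service set (here `{"vpc", "quotas"}`) is an assumption the caller supplies, because the API response does not state which services the template implies.

```python
import json
from collections import defaultdict

# Constructed sample input: the GenerateTemplatePolicy response body for the
# VPC template in this topic, copied from the page's example.
GENERATE_TEMPLATE_POLICY_RESPONSE = """
{ "Policy": { "Version": "1", "Statement": [
  { "Action": [ "quotas:ListProductQuotas" ], "Resource": "*", "Effect": "Allow" },
  { "Action": [ "vpc:AssociateVpcCidrBlock", "vpc:CreateVpc", "vpc:DeleteVpc",
                "vpc:DescribeVpcs", "vpc:ModifyVpcAttribute", "vpc:TagResources",
                "vpc:UnTagResources" ], "Resource": "*", "Effect": "Allow" } ] },
  "RequestId": "607A8E4E-4423-5D2D-8392-E74C5DC42EC5" }
"""


def _as_list(actions):
    """RAM allows Action to be a string or a list; normalise to a list."""
    return [actions] if isinstance(actions, str) else list(actions)


def extract_policy_document(response_body: str) -> dict:
    """Return the Policy section of a GenerateTemplatePolicy response.

    This is the document to paste into the JSON tab of Create Policy; the
    RequestId and any other envelope fields are deliberately dropped."""
    body = json.loads(response_body)
    policy = body["Policy"]
    if policy.get("Version") != "1":
        raise ValueError("unexpected policy Version: %r" % policy.get("Version"))
    if not isinstance(policy.get("Statement"), list):
        raise ValueError("policy has no Statement list")
    return policy


def actions_by_service(policy: dict) -> dict:
    """Group every Allow action by its service prefix, e.g. 'vpc'."""
    grouped = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            grouped[service].add(name)
    return {svc: sorted(names) for svc, names in grouped.items()}


def least_privilege_findings(policy: dict, expected_services: set) -> list:
    """Review checks to run before attaching the policy to the stack role.

    expected_services is an assumption supplied by the caller: the set of
    service prefixes the template's resource types are known to need."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append("statement %d grants wildcard action %s" % (i, action))
    for service in actions_by_service(policy):
        if service not in expected_services:
            findings.append("policy grants %s actions not implied by the template" % service)
    return findings


def render_policy_document(policy: dict) -> str:
    """Pretty-print the policy exactly as it should be pasted into the console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    doc = extract_policy_document(GENERATE_TEMPLATE_POLICY_RESPONSE)
    print(render_policy_document(doc))
    for finding in least_privilege_findings(doc, {"vpc", "quotas"}):
        print("WARNING:", finding)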
Step 4: Grant permissions to the stack role
- In the left-side navigation pane, choose .
- On the Roles page, find the RAM role that you created in Step 1 and click Grant Permission in the Actions column.
  By default, the authorization scope is the current Alibaba Cloud account.
- In the Add Permissions panel, select Custom Policy as the policy type, and then enter the name of the policy you created in Step 3: Create a custom permission policy.
  For more information about how to view a policy name, see View policy information.
- Click OK.
Step 5: Use the stack role to create a stack
Prerequisites
Before you begin, use an Alibaba Cloud account to create a RAM user and grant the user the AliyunROSFullAccess permission. For more information, see Create a RAM user and Grant permissions to a RAM user.
Procedure
- Log on to the Resource Orchestration Service (ROS) console as the RAM user.
- In the left-side navigation pane, click Stacks.
- In the top navigation bar, select the region where you want to create the stack.
- On the Stacks page, click Create Stack. In the Specify Template section, click Select an Existing Template.
  Note:
  - If you select Create Template or ROS Infrastructure Composer, you are redirected to the corresponding page.
  - If you select Synchronize Template from Code Repository, see Manage stacks by using a code repository.
- On the Select Template page, specify a template and then click Next.
  Enter the template for creating the VPC resources. For more information about how to specify a template, see Set a template.
- On the Configure Parameters page, enter a Stack Name and configure the template parameters in the Configure Template Parameters section.
  Note: The required parameters vary by template. Enter the parameter values as prompted.
- In the Configure stack section, set RAM Role to the name of the role you created in Step 1: Create a stack role.
  For more information about how to configure other parameters, see Create a stack.
- On the Compliance Precheck page, complete the compliance check, and then click Next.
  Note: The compliance precheck feature is available only for specific resources. For more information, see Compliance precheck.
  - In the Detection Rules section, add detection rules.
    Select detection rules based on the cloud resources defined in the ROS template.
  - Click Start Check.
    If a resource is found to be Non-compliant, you can click Remediation Plan and modify the cloud resource configuration or the ROS template content based on the Remediation Plan to ensure resource compliance.
- On the Check and Confirm page, click Create.
  After the stack is created, the Status column displays Successful Creation.