The ALIYUN::RAM::User resource creates a RAM user.
Syntax
{
  "Type": "ALIYUN::RAM::User",
  "Properties": {
    "UserName": String,
    "DisplayName": String,
    "LoginProfile": Map,
    "Groups": List,
    "MobilePhone": String,
    "Email": String,
    "Comments": String,
    "Policies": List,
    "PolicyAttachments": Map,
    "DeletionForce": Boolean
  }
}
Properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| UserName | String | Yes | No | The name of the RAM user. | The length is 1 to 64 characters. It can contain letters, digits, periods (.), hyphens (-), and underscores (_). |
| DisplayName | String | No | Yes | The display name of the RAM user. | The length is 1 to 128 characters. |
| LoginProfile | Map | No | No | The console logon profile of the RAM user. | For more information, see LoginProfile properties. |
| Groups | List | No | No | The user groups that the RAM user joins. | None |
| MobilePhone | String | No | Yes | The mobile phone number of the RAM user. | None |
| Email | String | No | Yes | The email address of the RAM user. | None |
| Comments | String | No | Yes | The remarks on the RAM user. | The length is 1 to 128 characters. |
| Policies | List | No | Yes | The access policies that are attached to the RAM user. | For more information, see Policies properties. |
| PolicyAttachments | Map | No | Yes | The names of the system policies and custom policies to attach to the RAM user. | For more information, see PolicyAttachments properties. |
| DeletionForce | Boolean | No | Yes | Specifies whether to forcibly detach the access policies from the RAM user when the user is deleted. | Valid values: true and false. |
LoginProfile syntax
"LoginProfile": {
  "MFABindRequired": Boolean,
  "Password": String,
  "PasswordResetRequired": Boolean
}
LoginProfile properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| MFABindRequired | Boolean | No | No | Specifies whether multi-factor authentication (MFA) is required for the RAM user. | Valid values: true and false. |
| Password | String | No | No | The console logon password for the RAM user. | The password must meet the password strength requirements of the account. The length is 8 to 32 characters. |
| PasswordResetRequired | Boolean | No | No | Specifies whether the RAM user must reset the password at the next logon. | Valid values: true and false. |
Policies syntax
"Policies": [
  {
    "PolicyName": String,
    "PolicyDocument": Map,
    "Description": String,
    "IgnoreExisting": Boolean
  }
]
Policies properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| PolicyName | String | Yes | No | The name of the access policy. | The length is 1 to 128 characters. It can contain letters, digits, and hyphens (-). |
| PolicyDocument | Map | Yes | Yes | The policy document. | The length cannot exceed 2048 characters. For more information, see PolicyDocument properties. |
| Description | String | No | No | The description of the access policy. | The length is 1 to 1024 characters. |
| IgnoreExisting | Boolean | No | No | Specifies whether to ignore existing policies. | Valid values: true and false. |
PolicyDocument syntax
"PolicyDocument": {
  "Version": String,
  "Statement": List
}
PolicyDocument properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Version | String | Yes | No | The version of the access policy. | None |
| Statement | List | Yes | No | The rules of the access policy. | For more information, see Statement properties. |
Statement syntax
"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]
Statement properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Condition | Map | No | No | The conditions under which the statement takes effect. | None |
| Action | List | No | No | The operations that the statement applies to. | None |
| Resource | List | No | No | The resources that the statement applies to. | None |
| Effect | String | No | No | The authorization effect of the statement. | Valid values: Allow and Deny. |
PolicyAttachments syntax
"PolicyAttachments": {
  "Custom": List,
  "System": List
}
PolicyAttachments properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Custom | List | No | Yes | The names of the custom policies to attach. | The list can contain at most 5 policies. |
| System | List | No | Yes | The names of the system policies to attach. | The list can contain at most 20 policies. |
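The constraints in the tables above (the UserName character set and length, the 1 to 128 character DisplayName and Comments, the 8 to 32 character password, the PolicyName character set, the 2048 character PolicyDocument limit, the Allow/Deny Effect and the 5 custom / 20 system attachment limits) can all be checked before a template is submitted, which is cheaper than a failed stack update. The checker below is an added example written for this page, not code from the Alibaba Cloud ROS project. It takes the Properties map of one ALIYUN::RAM::User resource that has already been loaded from YAML or JSON into a dict; the two sample maps are constructed here. Intrinsic functions such as Fn::Join in PolicyName are only resolved at deploy time, so the checker validates literal strings and skips intrinsics.

```python
"""Pre-submit checker for ALIYUN::RAM::User properties (added example; not ROS project code)."""
import json
import re

# Constraints as documented in the ALIYUN::RAM::User property tables
USER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")    # 1-64 chars: letters, digits, . - _
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,128}$")   # 1-128 chars: letters, digits, -
MAX_POLICY_DOCUMENT_CHARS = 2048
MAX_CUSTOM_ATTACHMENTS = 5
MAX_SYSTEM_ATTACHMENTS = 20
EFFECTS = {"Allow", "Deny"}


def _literal_length_ok(value, low, high):
    """True when value is absent, an intrinsic (dict), or a literal string within [low, high]."""
    return not isinstance(value, str) or low <= len(value) <= high


def validate_ram_user(properties):
    """Return a list of violations for one ALIYUN::RAM::User Properties map (empty = compliant)."""
    errors = []
    user_name = properties.get("UserName")
    if isinstance(user_name, str):
        if not USER_NAME_RE.match(user_name):
            errors.append("UserName must be 1 to 64 characters of letters, digits, '.', '-' or '_'")
    elif user_name is None:
        errors.append("UserName is required")
    for key in ("DisplayName", "Comments"):
        if not _literal_length_ok(properties.get(key), 1, 128):
            errors.append(f"{key} must be 1 to 128 characters")
    password = (properties.get("LoginProfile") or {}).get("Password")
    if not _literal_length_ok(password, 8, 32):
        errors.append("LoginProfile.Password must be 8 to 32 characters")
    for policy in properties.get("Policies") or []:
        name = policy.get("PolicyName")
        if isinstance(name, str) and not POLICY_NAME_RE.match(name):
            errors.append(f"PolicyName {name!r} must be 1 to 128 letters, digits or hyphens")
        elif name is None:
            errors.append("PolicyName is required in every Policies entry")
        document = policy.get("PolicyDocument")
        if not isinstance(document, dict) or "Version" not in document or "Statement" not in document:
            errors.append("PolicyDocument with Version and Statement is required in every Policies entry")
        else:
            # Compact serialisation approximates the document length as submitted to the API
            if len(json.dumps(document, separators=(",", ":"))) > MAX_POLICY_DOCUMENT_CHARS:
                errors.append("PolicyDocument exceeds 2048 characters")
            for statement in document.get("Statement") or []:
                if statement.get("Effect") not in EFFECTS:
                    errors.append("Statement.Effect must be Allow or Deny")
        if not _literal_length_ok(policy.get("Description"), 1, 1024):
            errors.append("Policies[].Description must be 1 to 1024 characters")
    attachments = properties.get("PolicyAttachments") or {}
    if len(attachments.get("Custom") or []) > MAX_CUSTOM_ATTACHMENTS:
        errors.append("PolicyAttachments.Custom may list at most 5 policies")
    if len(attachments.get("System") or []) > MAX_SYSTEM_ATTACHMENTS:
        errors.append("PolicyAttachments.System may list at most 20 policies")
    return errors


# Constructed sample (not from the page): a compliant user, scoped to one bucket prefix
GOOD_USER = {
    "UserName": "dev-ci.bot_1",
    "DisplayName": "CI bot",
    "LoginProfile": {"Password": "correct-horse-9", "MFABindRequired": True, "PasswordResetRequired": True},
    "Policies": [{
        "PolicyName": "ci-oss-put",
        "PolicyDocument": {"Version": "1", "Statement": [
            {"Effect": "Allow", "Action": ["oss:PutObject"], "Resource": ["acs:oss:*:*:example-bucket/*"]}]},
    }],
    "PolicyAttachments": {"Custom": ["example-custom-policy"]},
}

# Constructed sample (not from the page): one user that breaks five documented constraints
BAD_USER = {
    "UserName": "dev user",                         # space is not an allowed character
    "LoginProfile": {"Password": "short"},          # below the 8-character minimum
    "Policies": [{
        "PolicyName": "bad_name",                   # underscore is not allowed in PolicyName
        "PolicyDocument": {"Version": "1", "Statement": [
            {"Effect": "Permit", "Action": ["oss:*"], "Resource": ["*"]}]},  # Effect is not Allow/Deny
    }],
    "PolicyAttachments": {"Custom": ["p1", "p2", "p3", "p4", "p5", "p6"]},  # more than 5 custom policies
}

if __name__ == "__main__":
    for label, props in (("GOOD_USER", GOOD_USER), ("BAD_USER", BAD_USER)):
        print(label, validate_ram_user(props) or "OK")
```

Run it on the Properties map of each ALIYUN::RAM::User resource in a template before deployment; every returned string is one documented constraint the resource would violate.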
Return values
Fn::GetAtt
- UserName: The name of the RAM user.
- UserId: The ID of the RAM user.
- CreateDate: The time when the RAM user was created.
- LastLoginDate: The time when the RAM user last logged on.
Examples
Scenario 1: Create a RAM user.
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM User
Parameters: {}
Resources:
  User:
    Type: ALIYUN::RAM::User
    Properties:
      UserName: dev
      Policies:
        - PolicyName:
            Fn::Join:
              - '-'
              - - StackId
                - Ref: ALIYUN::StackId
          PolicyDocument:
            Statement:
              - Action:
                  - oss:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
Outputs: {}

JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM User",
  "Parameters": {},
  "Resources": {
    "User": {
      "Type": "ALIYUN::RAM::User",
      "Properties": {
        "UserName": "dev",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Join": [
                "-",
                [
                  "StackId",
                  {
                    "Ref": "ALIYUN::StackId"
                  }
                ]
              ]
            },
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "oss:*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "1"
            }
          }
        ]
      }
    }
  },
  "Outputs": {}
}

Scenario 2: Create a RAM user and an AccessKey.
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Conditions:
  CreateInstance:
    Fn::Equals:
      - Ref: SelectInstance
      - false
Parameters:
  UserName:
    Type: String
    Description: Custom RAM user name
    Label:
      zh-cn: RAM User Name
      en: RAM User Name
    Default: test123123123
  RoleName:
    Type: String
    Description: Custom RAM role name
    Label:
      zh-cn: RAM Role Name
      en: RAM Role Name
    Default: test123123123
  SelectInstance:
    Type: Boolean
    Label:
      en: Whether to select an existing Bucket
      zh-cn: Whether to select an existing Bucket
    Default: true
  ExistBucketName:
    Type: String
    Label:
      en: Existing Bucket
      zh-cn: Existing Bucket
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${SelectInstance}
            - true
    Default: ''
  BucketName:
    Type: String
    Label:
      zh-cn: New Bucket Name
      en: NewBucketName
    Description:
      zh-cn: Bucket names must be globally unique within the scope of OSS. The length is 3 to 63 characters. It must start and end with a lowercase letter or digit, and can contain lowercase letters, digits, and hyphens (-).
      en: Bucket names must be globally unique within the scope of OSS. The length is 3 to 63 characters. It must start and end with a lowercase letter or digit, and can contain lowercase letters, digits, and hyphens (-).
    AssociationProperty: AutoCompleteInput
    AssociationPropertyMetadata:
      Length: 6
      Prefix: my-bucketname-
      CharacterClasses:
        - Class: lowercase
          min: 1
      Visible:
        Condition:
          Fn::Equals:
            - ${SelectInstance}
            - false
    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
  AccessControl:
    Type: String
    Label:
      en: Access Control
      zh-cn: Access Control
    Description:
      en: Set the access permission of the bucket
      zh-cn: Set the access permission of the bucket
    Default: private
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${SelectInstance}
            - false
    AllowedValues:
      - private
      - public-read
      - public-read-write
Resources:
  RamUser:
    Type: ALIYUN::RAM::User
    Properties:
      UserName:
        Ref: UserName
  RamAK:
    Type: ALIYUN::RAM::AccessKey
    Properties:
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
    DependsOn: RamUser
  MyBucket:
    Condition: CreateInstance
    Type: ALIYUN::OSS::Bucket
    Properties:
      AccessControl:
        Ref: AccessControl
      BucketName:
        Ref: BucketName
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName:
        Ref: RoleName
      AssumeRolePolicyDocument:
        Version: '1'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              RAM:
                - Fn::Sub: acs:ram::${ALIYUN::TenantId}:root
      Policies:
        - PolicyName:
            Fn::Join:
              - ''
              - - Policy-
                - Ref: ALIYUN::StackId
          PolicyDocument:
            Version: '1'
            Statement:
              - Effect: Allow
                Action:
                  - oss:PutObject
                Resource:
                  - Fn::Sub:
                      - acs:oss:*:*:${BucketName}/*
                      - BucketName:
                          Fn::If:
                            - CreateInstance
                            - Ref: BucketName
                            - Ref: ExistBucketName
Outputs:
  AKSecret:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeySecret
  AKId:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeyId
  UserId:
    Value:
      Fn::GetAtt:
        - RamUser
        - UserId
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - SelectInstance
          - ExistBucketName
          - BucketName
          - AccessControl
        Label:
          default: OSS
      - Parameters:
          - UserName
          - RoleName
        Label:
          default: RAM

JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Conditions": {
    "CreateInstance": {
      "Fn::Equals": [
        {
          "Ref": "SelectInstance"
        },
        false
      ]
    }
  },
  "Parameters": {
    "UserName": {
      "Type": "String",
      "Description": "Custom RAM user name",
      "Label": {
        "zh-cn": "RAM User Name",
        "en": "RAM User Name"
      },
      "Default": "test123123123"
    },
    "RoleName": {
      "Type": "String",
      "Description": "Custom RAM role name",
      "Label": {
        "zh-cn": "RAM Role Name",
        "en": "RAM Role Name"
      },
      "Default": "test123123123"
    },
    "SelectInstance": {
      "Type": "Boolean",
      "Label": {
        "en": "Whether to select an existing Bucket",
        "zh-cn": "Whether to select an existing Bucket"
      },
      "Default": true
    },
    "ExistBucketName": {
      "Type": "String",
      "Label": {
        "en": "Existing Bucket",
        "zh-cn": "Existing Bucket"
      },
      "AssociationProperty": "ALIYUN::OSS::Bucket::BucketName",
      "AssociationPropertyMetadata": {
        "Visible": {
          "Condition": {
            "Fn::Equals": [
              "${SelectInstance}",
              true
            ]
          }
        }
      },
      "Default": ""
    },
    "BucketName": {
      "Type": "String",
      "Label": {
        "zh-cn": "New Bucket Name",
        "en": "NewBucketName"
      },
      "Description": {
        "zh-cn": "Bucket names must be globally unique within the scope of OSS. The length is 3 to 63 characters. It must start and end with a lowercase letter or digit, and can contain lowercase letters, digits, and hyphens (-).",
        "en": "Bucket names must be globally unique within the scope of OSS. The length is 3 to 63 characters. It must start and end with a lowercase letter or digit, and can contain lowercase letters, digits, and hyphens (-)."
      },
      "AssociationProperty": "AutoCompleteInput",
      "AssociationPropertyMetadata": {
        "Length": 6,
        "Prefix": "my-bucketname-",
        "CharacterClasses": [
          {
            "Class": "lowercase",
            "min": 1
          }
        ],
        "Visible": {
          "Condition": {
            "Fn::Equals": [
              "${SelectInstance}",
              false
            ]
          }
        }
      },
      "AllowedPattern": "^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$"
    },
    "AccessControl": {
      "Type": "String",
      "Label": {
        "en": "Access Control",
        "zh-cn": "Access Control"
      },
      "Description": {
        "en": "Set the access permission of the bucket",
        "zh-cn": "Set the access permission of the bucket"
      },
      "Default": "private",
      "AssociationPropertyMetadata": {
        "Visible": {
          "Condition": {
            "Fn::Equals": [
              "${SelectInstance}",
              false
            ]
          }
        }
      },
      "AllowedValues": [
        "private",
        "public-read",
        "public-read-write"
      ]
    }
  },
  "Resources": {
    "RamUser": {
      "Type": "ALIYUN::RAM::User",
      "Properties": {
        "UserName": {
          "Ref": "UserName"
        }
      }
    },
    "RamAK": {
      "Type": "ALIYUN::RAM::AccessKey",
      "Properties": {
        "UserName": {
          "Fn::GetAtt": [
            "RamUser",
            "UserName"
          ]
        }
      }
    },
    "MyBucket": {
      "Condition": "CreateInstance",
      "Type": "ALIYUN::OSS::Bucket",
      "Properties": {
        "AccessControl": {
          "Ref": "AccessControl"
        },
        "BucketName": {
          "Ref": "BucketName"
        }
      }
    },
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "RoleName"
        },
        "AssumeRolePolicyDocument": {
          "Version": "1",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "RAM": [
                  {
                    "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:root"
                  }
                ]
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": {
              "Fn::Join": [
                "",
                [
                  "Policy-",
                  {
                    "Ref": "ALIYUN::StackId"
                  }
                ]
              ]
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "oss:PutObject"
                  ],
                  "Resource": [
                    {
                      "Fn::Sub": [
                        "acs:oss:*:*:${BucketName}/*",
                        {
                          "BucketName": {
                            "Fn::If": [
                              "CreateInstance",
                              {
                                "Ref": "BucketName"
                              },
                              {
                                "Ref": "ExistBucketName"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "AKSecret": {
      "Value": {
        "Fn::GetAtt": [
          "RamAK",
          "AccessKeySecret"
        ]
      }
    },
    "AKId": {
      "Value": {
        "Fn::GetAtt": [
          "RamAK",
          "AccessKeyId"
        ]
      }
    },
    "UserId": {
      "Value": {
        "Fn::GetAtt": [
          "RamUser",
          "UserId"
        ]
      }
    }
  },
  "Metadata": {
    "ALIYUN::ROS::Interface": {
      "ParameterGroups": [
        {
          "Parameters": [
            "SelectInstance",
            "ExistBucketName",
            "BucketName",
            "AccessControl"
          ],
          "Label": {
            "default": "OSS"
          }
        },
        {
          "Parameters": [
            "UserName",
            "RoleName"
          ],
          "Label": {
            "default": "RAM"
          }
        }
      ]
    }
  }
}

Scenario 3: Create a RAM user and an AccessKey, and grant write permission (oss:PutObject) to a specified OSS bucket.
The template for this scenario is the same as the template in Scenario 2: the inline policy of the Role resource allows oss:PutObject on the bucket selected by the CreateInstance condition (the new BucketName or the existing ExistBucketName).

Scenario 4: Create users for user groups with different policies.
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: Create sub-accounts, assign them to user groups and administrator groups, enable logon, generate AccessKeys, and attach read permissions for ECS and OSS.
  en: Create sub-accounts, assign them to user groups and administrator groups, enable logon, generate AccessKeys, and attach read permissions for ECS and OSS.
Parameters:
  GroupName1:
    Type: String
    Label:
      en: Group 1 Name
      zh-cn: Group 1 Name
    Description:
      en: The name of user group 1. <br>Specify a group name that contains up to 64 characters, letters, digits, or hyphens (-).
      zh-cn: The name of user group 1. <br>Specify a group name that contains up to 64 characters, letters, digits, or hyphens (-).
    ConstraintDescription:
      en: No more than 64 characters, letters, digits, or hyphens (-).
      zh-cn: No more than 64 characters, letters, digits, or hyphens (-).
    Default: UserGroup
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 1
    MaxLength: 64
  GroupName2:
    Type: String
    Label:
      en: Group 2 Name
      zh-cn: Group 2 Name
    Description:
      en: The name of user group 2. <br>Specify a group name that contains up to 64 characters, letters, digits, or hyphens (-).
      zh-cn: The name of user group 2. <br>Specify a group name that contains up to 64 characters, letters, digits, or hyphens (-).
    ConstraintDescription:
      en: No more than 64 characters, letters, digits, or hyphens (-).
      zh-cn: No more than 64 characters, letters, digits, or hyphens (-).
    Default: AdminGroup
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 1
    MaxLength: 64
  UserName:
    Type: String
    Label:
      en: User Name
      zh-cn: User Name
    Description:
      en: The user name cannot already exist. <br>It can contain letters, digits, periods (.), underscores (_), or hyphens (-), and must not exceed 64 characters.
      zh-cn: The user name cannot already exist. <br>It can contain letters, digits, periods (.), underscores (_), or hyphens (-), and must not exceed 64 characters.
    ConstraintDescription:
      en: No more than 64 characters, letters, digits, or hyphens (-).
      zh-cn: No more than 64 characters, letters, digits, or hyphens (-).
    Default: test-user
    AllowedPattern: '[a-zA-Z0-9\.\-\_]+$'
    MinLength: 1
    MaxLength: 64
  UserPassword:
    Type: String
    Label:
      en: User Password
      zh-cn: User Password
    Description:
      en: Specify a password that meets the password strength requirements. <br>For more information about password strength policies, see <a href='https://www.alibabacloud.com/help/document_detail/28740.html' target='_blank'><b><font color='blue'>GetPasswordPolicy</font></b><font color='blue'></a>.
      zh-cn: Specify a password that meets the password strength requirements. <br>For more information about password strength policies, see <a href='https://www.alibabacloud.com/help/document_detail/28740.html' target='_blank'><b><font color='blue'>GetPasswordPolicy</font></b><font color='blue'></a>.
    NoEcho: true
Resources:
  RamGroup1:
    Type: ALIYUN::RAM::Group
    Properties:
      GroupName:
        Ref: GroupName1
  RamGroup2:
    Type: ALIYUN::RAM::Group
    Properties:
      GroupName:
        Ref: GroupName2
  RamUser:
    Type: ALIYUN::RAM::User
    Properties:
      Groups:
        - Ref: RamGroup1
        - Ref: RamGroup2
      LoginProfile:
        Password:
          Ref: UserPassword
        PasswordResetRequired: false
      UserName:
        Ref: UserName
  RamAK:
    Type: ALIYUN::RAM::AccessKey
    Properties:
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
  RamManagedPolicy1:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      Groups:
        - Ref: RamGroup1
      PolicyDocument:
        Statement:
          - Action:
              - ecs:Describe*
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - ecs:List*
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - vpc:DescribeVpcs
              - vpc:DescribeVSwitches
            Effect: Allow
            Resource:
              - '*'
        Version: '1'
      PolicyName:
        Fn::Join:
          - '-'
          - - ECSReadOnly
            - StackId
            - Ref: ALIYUN::StackId
  RamManagedPolicy2:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      Groups:
        - Ref: RamGroup2
      PolicyDocument:
        Statement:
          - Action:
              - oss:*
            Effect: Allow
            Resource:
              - '*'
        Version: '1'
      PolicyName:
        Fn::Join:
          - '-'
          - - OSSReadOnly
            - StackId
            - Ref: ALIYUN::StackId
Outputs:
  RamAccessKeyId:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeyId
  RamUserId:
    Value:
      Fn::GetAtt:
        - RamUser
        - UserId
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - GroupName1
          - GroupName2
          - UserName
          - UserPassword
        Label:
          default: RAM
    TemplateTags:
      - acs:example:elastic computing:Create a user with different policies for user groups
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": {
    "zh-cn": "Create sub-accounts, assign them to user groups and administrator groups, enable logon, generate AccessKeys, and attach read permissions for ECS and OSS.",
    "en": "Create sub-accounts, assign them to user groups and administrator groups, enable logon, generate AccessKeys, and attach read permissions for ECS and OSS."
  },
  "Parameters": {
    "GroupName1": {
      "Type": "String",
      "Label": {
        "en": "Group 1 Name",
        "zh-cn": "Group 1 Name"
      },
      "Description": {
        "en": "The name of user group 1. \u003cbr\u003eSpecify a group name that contains up to 64 characters, letters, digits, or hyphens (-).",
        "zh-cn": "The name of user group 1. \u003cbr\u003eSpecify a group name that contains up to 64 characters, letters, digits, or hyphens (-)."
      },
      "ConstraintDescription": {
        "en": "No more than 64 characters, letters, digits, or hyphens (-).",
        "zh-cn": "No more than 64 characters, letters, digits, or hyphens (-)."
      },
      "Default": "UserGroup",
      "AllowedPattern": "^[a-zA-Z0-9\\-]+$",
      "MinLength": 1,
      "MaxLength": 64
    },
    "GroupName2": {
      "Type": "String",
      "Label": {
        "en": "Group 2 Name",
        "zh-cn": "Group 2 Name"
      },
      "Description": {
        "en": "The name of user group 2. \u003cbr\u003eSpecify a group name that contains up to 64 characters, letters, digits, or hyphens (-).",
        "zh-cn": "The name of user group 2. \u003cbr\u003eSpecify a group name that contains up to 64 characters, letters, digits, or hyphens (-)."
      },
      "ConstraintDescription": {
        "en": "No more than 64 characters, letters, digits, or hyphens (-).",
        "zh-cn": "No more than 64 characters, letters, digits, or hyphens (-)."
      },
      "Default": "AdminGroup",
      "AllowedPattern": "^[a-zA-Z0-9\\-]+$",
      "MinLength": 1,
      "MaxLength": 64
    },
    "UserName": {
      "Type": "String",
      "Label": {
        "en": "User Name",
        "zh-cn": "User Name"
      },
      "Description": {
        "en": "The user name cannot already exist. \u003cbr\u003eIt can contain letters, digits, periods (.), underscores (_), or hyphens (-), and must not exceed 64 characters.",
        "zh-cn": "The user name cannot already exist. \u003cbr\u003eIt can contain letters, digits, periods (.), underscores (_), or hyphens (-), and must not exceed 64 characters."
      },
      "ConstraintDescription": {
        "en": "No more than 64 characters, letters, digits, or hyphens (-).",
        "zh-cn": "No more than 64 characters, letters, digits, or hyphens (-)."
      },
      "Default": "test-user",
      "AllowedPattern": "[a-zA-Z0-9\\.\\-\\_]+$",
      "MinLength": 1,
      "MaxLength": 64
    },
    "UserPassword": {
      "Type": "String",
      "Label": {
        "en": "User Password",
        "zh-cn": "User Password"
      },
      "Description": {
        "en": "Specify a password that meets the password strength requirements. \u003cbr\u003eFor more information about password strength policies, see \u003ca href='https://www.alibabacloud.com/help/document_detail/28740.html' target='_blank'\u003e\u003cb\u003e\u003cfont color='blue'\u003eGetPasswordPolicy\u003c/font\u003e\u003c/b\u003e\u003cfont color='blue'\u003e\u003c/a\u003e.",
        "zh-cn": "Specify a password that meets the password strength requirements. \u003cbr\u003eFor more information about password strength policies, see \u003ca href='https://www.alibabacloud.com/help/document_detail/28740.html' target='_blank'\u003e\u003cb\u003e\u003cfont color='blue'\u003eGetPasswordPolicy\u003c/font\u003e\u003c/b\u003e\u003cfont color='blue'\u003e\u003c/a\u003e."
      },
      "NoEcho": true
    }
  },
  "Resources": {
    "RamGroup1": {
      "Type": "ALIYUN::RAM::Group",
      "Properties": {
        "GroupName": {
          "Ref": "GroupName1"
        }
      }
    },
    "RamGroup2": {
      "Type": "ALIYUN::RAM::Group",
      "Properties": {
        "GroupName": {
          "Ref": "GroupName2"
        }
      }
    },
    "RamUser": {
      "Type": "ALIYUN::RAM::User",
      "Properties": {
        "Groups": [
          {
            "Ref": "RamGroup1"
          },
          {
            "Ref": "RamGroup2"
          }
        ],
        "LoginProfile": {
          "Password": {
            "Ref": "UserPassword"
          },
          "PasswordResetRequired": false
        },
        "UserName": {
          "Ref": "UserName"
        }
      }
    },
    "RamAK": {
      "Type": "ALIYUN::RAM::AccessKey",
      "Properties": {
        "UserName": {
          "Fn::GetAtt": [
            "RamUser",
            "UserName"
          ]
        }
      }
    },
    "RamManagedPolicy1": {
      "Type": "ALIYUN::RAM::ManagedPolicy",
      "Properties": {
        "Groups": [
          {
            "Ref": "RamGroup1"
          }
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "ecs:Describe*"
              ],
              "Effect": "Allow",
              "Resource": [
                "*"
              ]
            },
            {
              "Action": [
                "ecs:List*"
              ],
              "Effect": "Allow",
              "Resource": [
                "*"
              ]
            },
            {
              "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
              ],
              "Effect": "Allow",
              "Resource": [
                "*"
              ]
            }
          ],
          "Version": "1"
        },
        "PolicyName": {
          "Fn::Join": [
            "-",
            [
              "ECSReadOnly",
              "StackId",
              {
                "Ref": "ALIYUN::StackId"
              }
            ]
          ]
        }
      }
    },
    "RamManagedPolicy2": {
      "Type": "ALIYUN::RAM::ManagedPolicy",
      "Properties": {
        "Groups": [
          {
            "Ref": "RamGroup2"
          }
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "oss:*"
              ],
              "Effect": "Allow",
              "Resource": [
                "*"
              ]
            }
          ],
          "Version": "1"
        },
        "PolicyName": {
          "Fn::Join": [
            "-",
            [
              "OSSReadOnly",
              "StackId",
              {
                "Ref": "ALIYUN::StackId"
              }
            ]
          ]
        }
      }
    }
  },
  "Outputs": {
    "RamAccessKeyId": {
      "Value": {
        "Fn::GetAtt": [
          "RamAK",
          "AccessKeyId"
        ]
      }
    },
    "RamUserId": {
      "Value": {
        "Fn::GetAtt": [
          "RamUser",
          "UserId"
        ]
      }
    }
  },
  "Metadata": {
    "ALIYUN::ROS::Interface": {
      "ParameterGroups": [
        {
          "Parameters": [
            "GroupName1",
            "GroupName2",
            "UserName",
            "UserPassword"
          ],
          "Label": {
            "default": "RAM"
          }
        }
      ],
      "TemplateTags": [
        "acs:example:elastic computing:Create a user with different policies for user groups"
      ]
    }
  }
}

For more examples, see public templates that contain this resource.
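The scenarios above also show the two things a reviewer should look for in any template that creates RAM users: a statement that allows a wildcard action on every resource (Scenario 1 grants oss:* on *, and the policy named OSSReadOnly in Scenario 4 in fact grants oss:*), and an AccessKeySecret exported through Outputs (Scenario 2), where it is visible to anyone who can view the stack rather than only to the process that needs it. The audit below is an added Python example written for this page, not code from the ROS project; it takes a template already loaded into a dict, and the sample template is constructed here from fragments of those scenarios. The READ_ONLY_PREFIXES tuple is an assumption about which action verbs count as read-only.

```python
"""Least-privilege audit of RAM policy statements in a ROS template (added example; not ROS code)."""
import json

# Resource types on this page whose properties carry policy documents
POLICY_BEARING_TYPES = {"ALIYUN::RAM::User", "ALIYUN::RAM::Role", "ALIYUN::RAM::ManagedPolicy"}
# Assumption: action verbs with these prefixes are treated as read-only
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _name_text(policy_name):
    """PolicyName is often an intrinsic (Fn::Join) resolved at deploy time; render it for matching."""
    return policy_name if isinstance(policy_name, str) else json.dumps(policy_name)


def _policy_documents(resource):
    """Yield (policy_name, policy_document) pairs declared on one RAM resource."""
    props = resource.get("Properties") or {}
    if resource.get("Type") == "ALIYUN::RAM::ManagedPolicy":
        yield props.get("PolicyName"), props.get("PolicyDocument")
    for policy in props.get("Policies") or []:  # inline Policies on User and Role
        yield policy.get("PolicyName"), policy.get("PolicyDocument")


def audit_template(template):
    """Return (severity, resource_or_output, message) findings for a ROS template given as a dict."""
    findings = []
    for res_name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") not in POLICY_BEARING_TYPES:
            continue
        for policy_name, document in _policy_documents(resource):
            label = _name_text(policy_name)
            for stmt in (document or {}).get("Statement") or []:
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action"))
                resources = _as_list(stmt.get("Resource"))
                wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
                if wildcard and "*" in resources:
                    findings.append(("HIGH", res_name, f"{label}: {wildcard} allowed on every resource"))
                if "ReadOnly" in label:
                    # The verb after "service:" decides whether an action is read-only
                    writes = [a for a in actions if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
                    if writes:
                        findings.append(("MEDIUM", res_name, f"{label}: named read-only but grants {writes}"))
    # An AccessKeySecret exported through Outputs is visible to anyone who can view the stack
    for out_name, output in (template.get("Outputs") or {}).items():
        value = output.get("Value")
        get_att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
        if isinstance(get_att, list) and len(get_att) == 2 and get_att[1] == "AccessKeySecret":
            findings.append(("HIGH", out_name, f"AccessKeySecret of {get_att[0]} exposed in stack outputs"))
    return findings


# Constructed sample (not the page's template): fragments modelled on Scenarios 2 and 4
SAMPLE_TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "EcsReadPolicy": {
            "Type": "ALIYUN::RAM::ManagedPolicy",
            "Properties": {
                "PolicyName": {"Fn::Join": ["-", ["ECSReadOnly", {"Ref": "ALIYUN::StackId"}]]},
                "PolicyDocument": {"Version": "1", "Statement": [
                    {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:List*"], "Resource": ["*"]}]},
            },
        },
        "OssPolicy": {
            "Type": "ALIYUN::RAM::ManagedPolicy",
            "Properties": {
                "PolicyName": {"Fn::Join": ["-", ["OSSReadOnly", {"Ref": "ALIYUN::StackId"}]]},
                "PolicyDocument": {"Version": "1", "Statement": [
                    {"Effect": "Allow", "Action": ["oss:*"], "Resource": ["*"]}]},
            },
        },
        "Uploader": {
            "Type": "ALIYUN::RAM::User",
            "Properties": {
                "UserName": "uploader",
                "Policies": [{
                    "PolicyName": "uploader-put",
                    "PolicyDocument": {"Version": "1", "Statement": [
                        {"Effect": "Allow", "Action": ["oss:PutObject"],
                         "Resource": ["acs:oss:*:*:example-bucket/*"]}]},
                }],
            },
        },
    },
    "Outputs": {
        "AKSecret": {"Value": {"Fn::GetAtt": ["RamAK", "AccessKeySecret"]}},
        "UserId": {"Value": {"Fn::GetAtt": ["Uploader", "UserId"]}},
    },
}

if __name__ == "__main__":
    for severity, where, message in audit_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {where}: {message}")
```

On the sample the audit reports the OSSReadOnly policy twice (wildcard on every resource, and a read-only name that grants a write-capable wildcard) and the AKSecret output once; the scoped oss:PutObject policy on the Uploader user produces no finding, which is the shape a RAM user policy in a template should have.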