Resource Orchestration Service:ALIYUN::CS::GrantPermissions

Last Updated: Aug 12, 2024

ALIYUN::CS::GrantPermissions is used to grant role-based access control (RBAC) permissions to a Resource Access Management (RAM) user or RAM role.

Syntax

{
  "Type": "ALIYUN::CS::GrantPermissions",
  "Properties": {
    "Permissions": List,
    "UserId": String
  }
}

Properties

Property | Type | Required | Editable | Description | Constraint
Permissions | List | Yes | Yes | The permissions that you want to grant to the RAM user. | For more information, see Permissions properties.
UserId | String | Yes | Yes | The ID of the RAM role. | None.

Permissions syntax

"Permissions": [
  {
    "RoleName": String,
    "ClusterId": String,
    "RoleType": String,
    "IsCustom": Boolean,
    "IsRamRole": Boolean,
    "Namespace": String
  }
]

Permissions properties

Property | Type | Required | Editable | Description | Constraint
ClusterId | String | Yes | Yes | The ID of the cluster on which you want to grant the RBAC permissions. | You must leave this property empty when RoleType is set to all-clusters.
RoleName | String | Yes | Yes | The predefined role. | Valid values: admin (an administrator), ops (an O&M engineer), dev (a developer), restricted (a restricted user), or the name of a cluster role that you specify.
RoleType | String | Yes | Yes | The authorization scope. | Valid values: cluster, namespace, all-clusters.
IsCustom | Boolean | No | Yes | Specifies whether to perform a custom authorization. | Valid values: true, false.
IsRamRole | Boolean | No | Yes | Specifies whether to grant the permissions to a RAM role. | Valid values: true, false.
Namespace | String | No | Yes | The namespace. | By default, this property is empty when RoleType is set to cluster.
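The constraints in the table above are easy to get wrong in a template and the result is either a failed stack or, worse, a broader grant than intended. The following linter is an added example, not code from the ROS documentation or the Alibaba Cloud SDK: it reads a ROS template, finds every ALIYUN::CS::GrantPermissions resource whose Permissions list is given inline, checks each entry against the documented rules (valid RoleType values, ClusterId empty only for all-clusters, Namespace only for namespace scope, RoleName predefined unless IsCustom is set) and flags admin at all-clusters scope for least-privilege review. The template, cluster IDs and user ID in it are constructed placeholders.

```python
# Added example (not from the ROS documentation): a linter for the Permissions
# list of an ALIYUN::CS::GrantPermissions resource. It applies the constraints the
# property table states and flags grants that deserve a least-privilege review.
# All IDs below are constructed placeholders.
import json

VALID_ROLE_TYPES = {"cluster", "namespace", "all-clusters"}
PREDEFINED_ROLES = {"admin", "ops", "dev", "restricted"}


def check_permission(perm: dict) -> list[str]:
    """Return the findings for one Permissions entry; an empty list means it is clean."""
    findings = []
    role_type = perm.get("RoleType")
    cluster_id = perm.get("ClusterId", "")
    namespace = perm.get("Namespace", "")
    role_name = perm.get("RoleName", "")
    is_custom = perm.get("IsCustom", False)

    if role_type not in VALID_ROLE_TYPES:
        findings.append(f"RoleType {role_type!r} is not one of {sorted(VALID_ROLE_TYPES)}")
        return findings  # the remaining checks depend on a valid scope

    # ClusterId must be empty for all-clusters and set for every other scope.
    if role_type == "all-clusters" and cluster_id:
        findings.append("ClusterId must be empty when RoleType is all-clusters")
    if role_type != "all-clusters" and not cluster_id:
        findings.append(f"ClusterId is required when RoleType is {role_type}")

    # A namespace-scoped grant needs a Namespace; other scopes should not carry one.
    if role_type == "namespace" and not namespace:
        findings.append("Namespace is required when RoleType is namespace")
    if role_type != "namespace" and namespace:
        findings.append(f"Namespace is ignored when RoleType is {role_type}")

    # RoleName must be a predefined role unless IsCustom marks a custom cluster role.
    if not is_custom and role_name not in PREDEFINED_ROLES:
        findings.append(
            f"RoleName {role_name!r} is not predefined; set IsCustom to true for a custom cluster role"
        )

    # Least-privilege review: admin across all clusters is the broadest grant possible.
    if role_name == "admin" and role_type == "all-clusters":
        findings.append("REVIEW: admin granted on all clusters; prefer a cluster- or namespace-scoped role")
    return findings


def lint_template(template: dict) -> dict[str, list[str]]:
    """Lint every ALIYUN::CS::GrantPermissions resource whose Permissions are inline."""
    report: dict[str, list[str]] = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::CS::GrantPermissions":
            continue
        perms = res.get("Properties", {}).get("Permissions", [])
        if not isinstance(perms, list):
            # A Ref or intrinsic function: values are only known after parameter resolution.
            report[name] = ["Permissions is not an inline list; resolve parameters before linting"]
            continue
        for i, perm in enumerate(perms):
            for finding in check_permission(perm):
                report.setdefault(name, []).append(f"Permissions[{i}]: {finding}")
    return report


# Constructed template with inline Permissions; the IDs are placeholders, not real values.
SAMPLE_TEMPLATE = json.loads("""
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "GrantDev": {
      "Type": "ALIYUN::CS::GrantPermissions",
      "Properties": {
        "UserId": "<ram-user-id-placeholder>",
        "Permissions": [
          {"RoleName": "dev", "ClusterId": "<cluster-id-placeholder>",
           "RoleType": "namespace", "Namespace": "team-a",
           "IsCustom": false, "IsRamRole": false},
          {"RoleName": "admin", "ClusterId": "<cluster-id-placeholder>",
           "RoleType": "all-clusters", "IsCustom": false, "IsRamRole": false}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for resource, findings in lint_template(SAMPLE_TEMPLATE).items():
        for finding in findings:
            print(f"{resource}: {finding}")
```

Run against the constructed template, the first entry (dev, scoped to one namespace of one cluster) passes, while the second is reported twice: its ClusterId is set although RoleType is all-clusters, and it grants admin on every cluster. Templates that pass Permissions through a parameter, as the examples below do, have to be linted after the parameter values are resolved.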

Return values

Fn::GetAtt

None.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  UserId:
    Type: String
    Description:
      en: The ID of the RAM user.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameters:
        RoleName:
          Type: String
          Description:
            en: |-
              The predefined role name. Valid values:
              admin: administrator
              ops: O&M engineer
              dev: developer
              restricted: restricted user
              The custom cluster role.
          Required: true
        ClusterId:
          Type: String
          Description:
            en: The ID of the cluster that you want to manage. When the role_type parameter is set to all-clusters, this parameter is set to an empty string.
          Required: true
        RoleType:
          Type: String
          Description:
            en: |-
              The authorization type. Valid values:
              cluster: indicates that the permissions are scoped to a cluster.
              namespace: specifies that the permissions are scoped to a namespace of a cluster.
              all-clusters: specifies that the permissions are scoped to all clusters.
          AllowedValues:
            - cluster
            - namespace
            - all-clusters
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: 'The permissions that you want to grant to the RAM user. '
    Required: true
    MinLength: 0
    MaxLength: 20
Resources:
  GrantPermissions:
    Type: ALIYUN::CS::GrantPermissions
    Properties:
      UserId:
        Ref: UserId
      Permissions:
        Ref: Permissions

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "UserId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the RAM user."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "RoleName": {
            "Type": "String",
            "Description": {
              "en": "The predefined role name. Valid values:\nadmin: administrator\nops: O&M engineer\ndev: developer\nrestricted: restricted user\nThe custom cluster role."
            },
            "Required": true
          },
          "ClusterId": {
            "Type": "String",
            "Description": {
              "en": "The ID of the cluster that you want to manage. When the role_type parameter is set to all-clusters, this parameter is set to an empty string."
            },
            "Required": true
          },
          "RoleType": {
            "Type": "String",
            "Description": {
              "en": "The authorization type. Valid values:\ncluster: indicates that the permissions are scoped to a cluster.\nnamespace: specifies that the permissions are scoped to a namespace of a cluster.\nall-clusters: specifies that the permissions are scoped to all clusters."
            },
            "AllowedValues": [
              "cluster",
              "namespace",
              "all-clusters"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "The permissions that you want to grant to the RAM user. "
      },
      "Required": true,
      "MinLength": 0,
      "MaxLength": 20
    }
  },
  "Resources": {
    "GrantPermissions": {
      "Type": "ALIYUN::CS::GrantPermissions",
      "Properties": {
        "UserId": {
          "Ref": "UserId"
        },
        "Permissions": {
          "Ref": "Permissions"
        }
      }
    }
  }
}