The ALIYUN::RAM::AccessKey resource type retrieves a specified RAM user’s AccessKey ID, AccessKey secret, and AccessKey status.
Syntax
{
"Type": "ALIYUN::RAM::AccessKey",
"Properties": {
"UserName": String
}
}
Properties
Property Name | Type | Required | Updatable | Description | Constraint |
UserName | String | Yes | No | The name of the RAM user. | None |
Return Values
Fn::GetAtt
AccessKeyId: The AccessKey ID.
AccessKeySecret: The AccessKey secret. It is returned in plaintext, so a template that exposes it through Outputs (as Scenario 1 does) makes the user's long-term secret readable to anyone who can view the stack's outputs; keep such outputs out of shared or logged contexts.
Status: The AccessKey status, which is either enabled or disabled.
Examples
Scenario 1: Create an AccessKey for a specified user.
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
UserName:
Type: String
AssociationProperty: ALIYUN::RAM::User
Resources:
AccessKey:
Type: ALIYUN::RAM::AccessKey
Properties:
UserName:
Ref: UserName
Outputs:
Status:
Description: Status of access key.
Value:
Fn::GetAtt:
- AccessKey
- Status
AccessKeyId:
Description: Id of access key.
Value:
Fn::GetAtt:
- AccessKey
- AccessKeyId
AccessKeySecret:
Description: Secret of access key.
Value:
Fn::GetAtt:
- AccessKey
- AccessKeySecret
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"UserName": {
"Type": "String",
"AssociationProperty": "ALIYUN::RAM::User"
}
},
"Resources": {
"AccessKey": {
"Type": "ALIYUN::RAM::AccessKey",
"Properties": {
"UserName": {
"Ref": "UserName"
}
}
}
},
"Outputs": {
"Status": {
"Description": "Status of access key.",
"Value": {
"Fn::GetAtt": [
"AccessKey",
"Status"
]
}
},
"AccessKeyId": {
"Description": "Id of access key.",
"Value": {
"Fn::GetAtt": [
"AccessKey",
"AccessKeyId"
]
}
},
"AccessKeySecret": {
"Description": "Secret of access key.",
"Value": {
"Fn::GetAtt": [
"AccessKey",
"AccessKeySecret"
]
}
}
}
}
Scenario 2: Access OSS using STS temporary access credentials.
ROSTemplateFormatVersion: '2015-09-01'
Description:
en: Use STS Temporary access credentials to access OSS.
Conditions:
CreateInstance:
Fn::Equals:
- Ref: SelectInstance
- false
Parameters:
UserName:
Type: String
Description:
en: Customize the RAM user name.
Label:
en: RAM User Name
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: RamOssTest-
CharacterClasses:
- Class: lowercase
min: 1
RoleName:
Type: String
Description:
en: Customize the RAM role name.
Label:
en: RAM Role Name
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: RamOssTest-
CharacterClasses:
- Class: lowercase
min: 1
SelectInstance:
Type: Boolean
Label:
en: Whether to select an existing Bucket
Default: true
ExistBucketName:
Type: String
Label:
en: Existing Bucket
AssociationProperty: ALIYUN::OSS::Bucket::BucketName
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- true
Default: ''
BucketName:
Type: String
Label:
en: NewBucketName
Description:
en: Bucket names must be globally unique within the scope of OSS. The length is 3~63 characters. Must start and end with a lowercase English letter or number, and can contain lowercase English letters, numbers, and dashes (-).
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: my-bucketname-
CharacterClasses:
- Class: lowercase
min: 1
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- false
AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
Default: null
AccessControl:
Type: String
Label:
en: Access Control
Description:
en: Set the access permission of the bucket
Default: private
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- false
AllowedValues:
- private
- public-read
- public-read-write
Resources:
RamUser:
Type: ALIYUN::RAM::User
Properties:
UserName:
Ref: UserName
RamAK:
Type: ALIYUN::RAM::AccessKey
Properties:
UserName:
Fn::GetAtt:
- RamUser
- UserName
DependsOn: RamUser
AttachPolicyToUser:
Type: ALIYUN::RAM::AttachPolicyToUser
Properties:
PolicyType: System
UserName:
Fn::GetAtt:
- RamUser
- UserName
PolicyName: AliyunSTSAssumeRoleAccess
DependsOn: RamAK
MyBucket:
Condition: CreateInstance
Type: ALIYUN::OSS::Bucket
Properties:
AccessControl:
Ref: AccessControl
BucketName:
Ref: BucketName
Role:
Type: ALIYUN::RAM::Role
Properties:
RoleName:
Ref: RoleName
AssumeRolePolicyDocument:
Version: '1'
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
RAM:
- Fn::Sub: acs:ram::${ALIYUN::TenantId}:root
Service:
- fc.aliyuncs.com
- ram.aliyuncs.com
Policies:
- PolicyName:
Fn::Join:
- ''
- - Policy-
- Ref: ALIYUN::StackId
PolicyDocument:
Version: '1'
Statement:
- Effect: Allow
Action:
- oss:*
Resource:
- 'Fn::Sub':
- 'acs:oss:*:*:${BucketName}/*'
- BucketName:
Fn::If:
- CreateInstance
- Ref: BucketName
- Ref: ExistBucketName
# FCRamRole is the execution role of the AssumeRole function defined below.
# Its inline policy grants fc:* and ram:* on Resource '*'; the function body
# only calls sts:AssumeRole with the RAM user's key and writes logs, so these
# two statements look broader than the function needs.
# NOTE(review): confirm what the function actually requires and scope these
# statements down to least privilege if nothing else depends on them.
FCRamRole:
Type: ALIYUN::RAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- fc.aliyuncs.com
- ram.aliyuncs.com
Version: '1'
Policies:
- PolicyDocument:
Statement:
- Action:
- log:*
Effect: Allow
Resource:
- acs:log:*:*:*
- Action:
- fc:*
Effect: Allow
Resource:
- '*'
- Action:
- ram:*
Effect: Allow
Resource:
- '*'
Version: '1'
PolicyName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
RoleName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
FcService:
Type: ALIYUN::FC::Service
Properties:
ServiceName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
- FC-Service
Role:
Fn::GetAtt:
- FCRamRole
- Arn
Function:
Type: ALIYUN::FC::Function
Properties:
ServiceName:
Fn::GetAtt:
- FcService
- ServiceName
FunctionName:
Fn::Join:
- '-'
- - AssumeRoleFunction
- Ref: ALIYUN::StackId
Handler: index.handler
Runtime: python3.9
Code:
SourceCode: |
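#!/usr/bin/env python
# coding=utf-8
import json, time, urllib.request
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkcore.auth.credentials import AccessKeyCredential
from aliyunsdkcore.auth.credentials import StsTokenCredential
from aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest


def _assume_role(client, r_ps):
    """Call STS AssumeRole with the role, policy and session name from ResourceProperties.

    Returns the parsed JSON response. The session name is taken from the
    'RoleSessionName' parameter the template passes in; the former fixed
    literal is kept as a fallback so existing templates keep working.
    """
    request = AssumeRoleRequest()
    request.set_accept_format('json')
    request.set_DurationSeconds(3600)
    request.set_Policy(r_ps['RolePolicy'])
    request.set_RoleArn(r_ps['RoleArn'])
    request.set_RoleSessionName(r_ps.get('RoleSessionName', 'RoleSessionName'))
    response = client.do_action_with_exception(request)
    parsed = json.loads(response)
    # Log only the request id. The raw response carries AccessKeySecret and
    # SecurityToken, which must not land in plaintext in the function's logs.
    print('AssumeRole RequestId: %s' % parsed.get('RequestId'))
    return parsed


def _send_response(response_url, result):
    """POST the custom-resource result back to ROS and release the connection."""
    headers = {'Content-type': 'application/json', 'Accept': 'application/json','Date': time.strftime('%a, %d %b %Y %X GMT', time.gmtime()), 'User-Agent': 'MyCustomUserAgent'}
    req = urllib.request.Request(response_url, data=json.dumps(result).encode('utf-8'), headers=headers)
    with urllib.request.urlopen(req) as resp:
        resp.read()


def handler(event, context):
    """ROS custom-resource entry point for Custom::AssumeRole.

    event: JSON string with RequestType, RequestId, LogicalResourceId, StackId,
        ResponseURL and ResourceProperties (the template's Parameters block:
        AKId, AKSecret, RoleArn, RolePolicy, RoleSessionName).
    context: FC context providing credentials and region.

    For Create/Update requests the function assumes the target role and returns
    the STS Credentials object in Data; for Delete it returns an empty Data.
    The result is always POSTed to ResponseURL; an STS failure is reported as
    Status FAILED instead of leaving ROS waiting for a response that never comes.
    """
    event = json.loads(event)
    creds = context.credentials
    r_ps = event['ResourceProperties']
    # NOTE(review): the RAM user's long-term AccessKey is paired with the
    # function's own security_token here, while AccessKeyCredential is imported
    # but unused; confirm which credential type is intended.
    credentials = StsTokenCredential(r_ps['AKId'], r_ps['AKSecret'], creds.security_token)
    client = AcsClient(region_id=context.region, credential=credentials)
    result = {
        'RequestId': event['RequestId'],
        'LogicalResourceId': event['LogicalResourceId'],
        'StackId': event['StackId'],
        'Status': 'SUCCESS',
        'PhysicalResourceId': 'MyCustomResourceId',
        'Data': {}
    }
    if event['RequestType'] != 'Delete':
        try:
            result['Data'] = _assume_role(client, r_ps).get('Credentials')
        except (ClientException, ServerException) as exc:
            # The exception text carries the SDK error code/message, not
            # credential material, so it is safe to hand back to ROS.
            result['Status'] = 'FAILED'
            result['Reason'] = 'AssumeRole failed: %s' % exc
    _send_response(event['ResponseURL'], result)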
AssumeRoleCredentials:
Type: Custom::AssumeRole
DeletionPolicy: Retain
Properties:
ServiceToken:
Fn::GetAtt:
- Function
- ARN
Parameters:
RolePolicy:
'Fn::Sub':
- "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\", \"oss:GetObject\"],\"Resource\":[\"acs:oss:*:*:${BucketName}/*\"],\"Effect\":\"Allow\"}]}"
- BucketName:
Fn::If:
- CreateInstance
- Ref: BucketName
- Ref: ExistBucketName
RoleArn:
Fn::GetAtt:
- Role
- Arn
AKId:
Fn::GetAtt:
- RamAK
- AccessKeyId
AKSecret:
Fn::GetAtt:
- RamAK
- AccessKeySecret
RoleSessionName:
Fn::Join:
- '-'
- - RoleSessionName
- Ref: ALIYUN::StackId
Timeout: 120
Outputs:
AccessKeyId:
Description:
en: Temporary access certificate contains temporary access key AccessKey ID.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- AccessKeyId
SecurityToken:
Description:
en: SecurityToken is the security temporary card contained in the temporary access certificate. The SecurityToken contains many characters. Click the Copy icon to get a complete SecurityToken.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- SecurityToken
AccessKeySecret:
Description:
en: Temporary access certificate contains temporary access key AccessKey Secret.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- AccessKeySecret
Expiration:
Description:
en: The Expiration time of the temporary access certificate. Click the copy icon to get the complete expiration. The temporary access certificate expiration time format is UTC, which is 8 hours behind UTC+8. For example, if the temporary access certificate expiration time is 2024-04-18T11:33:40Z, it expires before 19:33:40 UTC+8 on April 18, 2024.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- Expiration
Metadata:
ALIYUN::ROS::Interface:
Outputs:
- AccessKeyId
- AccessKeySecret
- SecurityToken
- Expiration
ParameterGroups:
- Parameters:
- SelectInstance
- ExistBucketName
- BucketName
- AccessControl
Label:
default: OSS
- Parameters:
- UserName
- RoleName
Label:
default: RAM
TemplateTags:
- acs:document-help:oss:Access OSS using STS temporary access credentials
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"en": "Use STS Temporary access credentials to access OSS."
},
"Conditions": {
"CreateInstance": {
"Fn::Equals": [
{
"Ref": "SelectInstance"
},
false
]
}
},
"Parameters": {
"UserName": {
"Type": "String",
"Description": {
"en": "Customize the RAM user name."
},
"Label": {
"en": "RAM User Name"
},
"AssociationProperty": "AutoCompleteInput",
"AssociationPropertyMetadata": {
"Length": 6,
"Prefix": "RamOssTest-",
"CharacterClasses": [
{
"Class": "lowercase",
"min": 1
}
]
}
},
"RoleName": {
"Type": "String",
"Description": {
"en": "Customize the RAM role name."
},
"Label": {
"en": "RAM Role Name"
},
"AssociationProperty": "AutoCompleteInput",
"AssociationPropertyMetadata": {
"Length": 6,
"Prefix": "RamOssTest-",
"CharacterClasses": [
{
"Class": "lowercase",
"min": 1
}
]
}
},
"SelectInstance": {
"Type": "Boolean",
"Label": {
"en": "Whether to select an existing Bucket"
},
"Default": true
},
"ExistBucketName": {
"Type": "String",
"Label": {
"en": "Existing Bucket"
},
"AssociationProperty": "ALIYUN::OSS::Bucket::BucketName",
"AssociationPropertyMetadata": {
"Visible": {
"Condition": {
"Fn::Equals": [
"${SelectInstance}",
true
]
}
}
},
"Default": ""
},
"BucketName": {
"Type": "String",
"Label": {
"en": "NewBucketName"
},
"Description": {
"en": "Bucket names must be globally unique within the scope of OSS. The length is 3~63 characters. Must start and end with a lowercase English letter or number, and can contain lowercase English letters, numbers, and dashes (-)."
},
"AssociationProperty": "AutoCompleteInput",
"AssociationPropertyMetadata": {
"Length": 6,
"Prefix": "my-bucketname-",
"CharacterClasses": [
{
"Class": "lowercase",
"min": 1
}
]
},
"Visible": {
"Condition": {
"Fn::Equals": [
"${SelectInstance}",
false
]
}
},
"AllowedPattern": "^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$",
"Default": null
},
"AccessControl": {
"Type": "String",
"Label": {
"en": "Access Control"
},
"Description": {
"en": "Set the access permission of the bucket"
},
"Default": "private",
"AssociationPropertyMetadata": {
"Visible": {
"Condition": {
"Fn::Equals": [
"${SelectInstance}",
false
]
}
}
},
"AllowedValues": [
"private",
"public-read",
"public-read-write"
]
}
},
"Resources": {
"RamUser": {
"Type": "ALIYUN::RAM::User",
"Properties": {
"UserName": {
"Ref": "UserName"
}
}
},
"RamAK": {
"Type": "ALIYUN::RAM::AccessKey",
"Properties": {
"UserName": {
"Fn::GetAtt": [
"RamUser",
"UserName"
]
}
},
"DependsOn": "RamUser"
},
"AttachPolicyToUser": {
"Type": "ALIYUN::RAM::AttachPolicyToUser",
"Properties": {
"PolicyType": "System",
"UserName": {
"Fn::GetAtt": [
"RamUser",
"UserName"
]
},
"PolicyName": "AliyunSTSAssumeRoleAccess"
},
"DependsOn": "RamAK"
},
"MyBucket": {
"Condition": "CreateInstance",
"Type": "ALIYUN::OSS::Bucket",
"Properties": {
"AccessControl": {
"Ref": "AccessControl"
},
"BucketName": {
"Ref": "BucketName"
}
}
},
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": {
"Ref": "RoleName"
},
"AssumeRolePolicyDocument": {
"Version": "1",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
{
"Fn::Sub": "acs:ram::${ALIYUN::TenantId}:root"
}
],
"Service": [
"fc.aliyuncs.com",
"ram.aliyuncs.com"
]
}
}
]
},
"Policies": [
{
"PolicyName": {
"Fn::Join": [
"",
[
"Policy-",
{
"Ref": "ALIYUN::StackId"
}
]
]
},
"PolicyDocument": {
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
{
"Fn::Sub": [
"acs:oss:*:*:${BucketName}/*",
{
"BucketName": {
"Fn::If": [
"CreateInstance",
{
"Ref": "BucketName"
},
{
"Ref": "ExistBucketName"
}
]
}
}
]
}
]
}
]
}
}
]
}
},
"FCRamRole": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"fc.aliyuncs.com",
"ram.aliyuncs.com"
]
}
}
],
"Version": "1"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"log:*"
],
"Effect": "Allow",
"Resource": [
"acs:log:*:*:*"
]
},
{
"Action": [
"fc:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ram:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Fn::Join": [
"-",
[
"StackId",
{
"Ref": "ALIYUN::StackId"
}
]
]
}
}
],
"RoleName": {
"Fn::Join": [
"-",
[
"StackId",
{
"Ref": "ALIYUN::StackId"
}
]
]
}
}
},
"FcService": {
"Type": "ALIYUN::FC::Service",
"Properties": {
"ServiceName": {
"Fn::Join": [
"-",
[
"StackId",
{
"Ref": "ALIYUN::StackId"
},
"FC-Service"
]
]
},
"Role": {
"Fn::GetAtt": [
"FCRamRole",
"Arn"
]
}
}
},
"Function": {
"Type": "ALIYUN::FC::Function",
"Properties": {
"ServiceName": {
"Fn::GetAtt": [
"FcService",
"ServiceName"
]
},
"FunctionName": {
"Fn::Join": [
"-",
[
"AssumeRoleFunction",
{
"Ref": "ALIYUN::StackId"
}
]
]
},
"Handler": "index.handler",
"Runtime": "python3.9",
"Code": {
"SourceCode": "#!/usr/bin/env python\n# coding=utf-8\nimport json, time, urllib.request\nfrom aliyunsdkcore.client import AcsClient\nfrom aliyunsdkcore.acs_exception.exceptions import ClientException \nfrom aliyunsdkcore.acs_exception.exceptions import ServerException \nfrom aliyunsdkcore.auth.credentials import AccessKeyCredential \nfrom aliyunsdkcore.auth.credentials import StsTokenCredential \nfrom aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest \ndef handler(event, context):\n event = json.loads(event)\n creds = context.credentials\n r_ps = event['ResourceProperties']\n\n credentials = StsTokenCredential(r_ps['AKId'], r_ps['AKSecret'], creds.security_token)\n client = AcsClient(region_id=context.region, credential=credentials)\n\n\n if event['RequestType'] != 'Delete':\n request = AssumeRoleRequest()\n request.set_accept_format('json')\n request.set_DurationSeconds(3600)\n request.set_Policy(r_ps['RolePolicy'])\n request.set_RoleArn(r_ps['RoleArn'])\n request.set_RoleSessionName(\"RoleSessionName\")\n\n response = client.do_action_with_exception(request)\n\n print(str(response, encoding='utf-8'))\n response = json.loads(response)\n result = {\n 'RequestId': event['RequestId'],\n 'LogicalResourceId': event['LogicalResourceId'],\n 'StackId': event['StackId'],\n 'Status': 'SUCCESS',\n 'PhysicalResourceId': 'MyCustomResourceId',\n 'Data': {}\n }\n if event['RequestType'] != 'Delete':\n result['Data'] = response.get('Credentials')\n headers = {'Content-type': 'application/json', 'Accept': 'application/json','Date': time.strftime('%a, %d %b %Y %X GMT', time.gmtime()), 'User-Agent': 'MyCustomUserAgent'}
req = urllib.request.Request(event['ResponseURL'], data=json.dumps(result).encode('utf-8'), headers=headers)
urllib.request.urlopen(req)\n"
}
}
},
"AssumeRoleCredentials": {
"Type": "Custom::AssumeRole",
"DeletionPolicy": "Retain",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"Function",
"ARN"
]
},
"Parameters": {
"RolePolicy": {
"Fn::Sub": [
"{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\", \"oss:GetObject\"],\"Resource\":[\"acs:oss:*:*:${BucketName}/*\"],\"Effect\":\"Allow\"}]}",
{
"BucketName": {
"Fn::If": [
"CreateInstance",
{
"Ref": "BucketName"
},
{
"Ref": "ExistBucketName"
}
]
}
}
]
},
"RoleArn": {
"Fn::GetAtt": [
"Role",
"Arn"
]
},
"AKId": {
"Fn::GetAtt": [
"RamAK",
"AccessKeyId"
]
},
"AKSecret": {
"Fn::GetAtt": [
"RamAK",
"AccessKeySecret"
]
},
"RoleSessionName": {
"Fn::Join": [
"-",
[
"RoleSessionName",
{
"Ref": "ALIYUN::StackId"
}
]
]
}
},
"Timeout": 120
}
}
},
"Outputs": {
"AccessKeyId": {
"Description": {
"en": "Temporary access certificate contains temporary access key AccessKey ID."
},
"Value": {
"Fn::GetAtt": [
"AssumeRoleCredentials",
"AccessKeyId"
]
}
},
"SecurityToken": {
"Description": {
"en": "SecurityToken is the security temporary card contained in the temporary access certificate. The SecurityToken contains many characters. Click the Copy icon to get a complete SecurityToken."
},
"Value": {
"Fn::GetAtt": [
"AssumeRoleCredentials",
"SecurityToken"
]
}
},
"AccessKeySecret": {
"Description": {
"en": "Temporary access certificate contains temporary access key AccessKey Secret."
},
"Value": {
"Fn::GetAtt": [
"AssumeRoleCredentials",
"AccessKeySecret"
]
}
},
"Expiration": {
"Description": {
"en": "The Expiration time of the temporary access certificate. Click the copy icon to get the complete expiration. The temporary access certificate expiration time format is UTC, which is 8 hours behind UTC+8. For example, if the temporary access certificate expiration time is 2024-04-18T11:33:40Z, it expires before 19:33:40 UTC+8 on April 18, 2024."
},
"Value": {
"Fn::GetAtt": [
"AssumeRoleCredentials",
"Expiration"
]
}
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"Outputs": [
"AccessKeyId",
"AccessKeySecret",
"SecurityToken",
"Expiration"
],
"ParameterGroups": [
{
"Parameters": [
"SelectInstance",
"ExistBucketName",
"BucketName",
"AccessControl"
],
"Label": {
"default": "OSS"
}
},
{
"Parameters": [
"UserName",
"RoleName"
],
"Label": {
"default": "RAM"
}
}
],
"TemplateTags": [
"acs:document-help:oss:Access OSS using STS temporary access credentials"
]
}
}
}
For more examples, see public templates that include this resource.