All Products
Search

This Product

    Resource Orchestration Service:ALIYUN::RAM::Group

    Document Center

    Resource Orchestration Service:ALIYUN::RAM::Group

    Last Updated:Jul 03, 2023

    ALIYUN::RAM::Group is used to create a Resource Access Management (RAM) user group.

    Syntax

    {
  "Type": "ALIYUN::RAM::Group",
  "Properties": {
    "GroupName": String,
    "Comments": String,
    "Policies": List,
    "PolicyAttachments": Map,
    "DeletionForce": Boolean,
    "IgnoreExisting": Boolean
  }
}

    Properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    GroupName

    String

    Yes

    No

    The name of the RAM user group.

    The name must be 1 to 64 characters in length, and can contain letters, digits, and hyphens (-).

    Comments

    String

    No

    Yes

    The comments on the RAM user group.

    The comments must be 1 to 128 characters in length.

    Policies

    List

    No

    Yes

    The policies that you want to attach to the RAM user group.

    For more information, see Policies properties.

    PolicyAttachments

    Map

    No

    Yes

    The names of the system and custom policies that you want to attach to the RAM user group.

    For more information, see PolicyAttachments properties.

    DeletionForce

    Boolean

    No

    Yes

    Specifies whether to forcefully detach the policy from the RAM user group.

    Valid values:

    • true

    • false (default)

    IgnoreExisting

    Boolean

    No

    No

    Specifies whether to ignore the existing RAM user group that has the same name as the new RAM user group.  

    Valid values:

    • true: ignores the existing RAM user group. Resource Orchestration Service (ROS) does not check the name uniqueness of RAM user groups. If an existing group with the same name exists in the ROS console, the group is ignored when ROS creates the new group. If the existing group is not created in the ROS console, the group is ignored when ROS updates or deletes the new group.  

    • false: does not ignore the existing RAM user group. ROS checks the name uniqueness of RAM user groups. If an existing group with the same name exists in the ROS console, an error is reported when ROS creates the new group.  

    Policies syntax

    "Policies": [
  {
    "Description": String,
    "PolicyName": String,
    "PolicyDocument": Map,
    "IgnoreExisting": Boolean
  }
]

    Policies properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Description

    String

    No

    No

    The description of the policy.

    The description must be 1 to 1,024 characters in length.

    PolicyName

    String

    Yes

    No

    The name of the policy.

    The name must be 1 to 128 characters in length, and can contain letters, digits, and hyphens (-).

    PolicyDocument

    Map

    Yes

    Yes

    The content of the policy.

    The content can be up to 2,048 characters in length.

    For more information about policy elements and sample policies, see Policy elements and Overview of sample policies.

    For more information, see PolicyDocument properties.

    IgnoreExisting

    Boolean

    No

    No

    Specifies whether to ignore the existing policy that has the same name as the new policy.

    Valid values:

    • true: ignores the existing policy. ROS does not check the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, the policy is ignored when ROS creates the new policy. If the existing policy is not created in the ROS console, the policy is ignored when ROS updates or deletes the new policy.

    • false: does not ignore the existing policy. ROS checks the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, an error is reported when ROS creates the new policy.  

    PolicyDocument syntax

    "PolicyDocument": {
  "Version": String,
  "Statement": List
}

    PolicyDocument properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Version

    String

    Yes

    No

    The version of the policy.

    None.

    Statement

    List

    Yes

    No

    The statement of the policy.

    For more information, see Statement properties.

    Statement syntax

    "Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

    Statement properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Condition

    Map

    No

    No

    The condition that is required for the policy to take effect.

    None.

    Action

    List

    No

    No

    The action that you want to perform based on the policy.

    None.

    Resource

    List

    No

    No

    The resource to which you want to apply the policy.

    None.

    Effect

    String

    No

    No

    The effect of the statement.

    Valid values:

    • Allow

    • Deny

    PolicyAttachments syntax

    "PolicyAttachments": {
  "System": List,
  "Custom": List
}

    PolicyAttachments properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Custom

    List

    No

    Yes

    The names of custom policies.

    You can attach up to five custom policies.

    System

    List

    No

    Yes

    The names of system policies.

    You can attach up to 20 system policies.

    Return values

    Fn::GetAtt

    GroupName: the name of the RAM user group.

    Examples

    YAML format 

    ROSTemplateFormatVersion: '2015-09-01'
Parameters: {}
Resources:
  Group:
    Type: ALIYUN::RAM::Group
    Properties:
      GroupName: TestGroup
      Policies:
        - PolicyName:
            Fn::Sub: GroupPolicy-${ALIYUN::StackId}
          PolicyDocument:
            Version: '1'
            Statement:
              - Action:
                  - oss:Get*
                Resource:
                  - '*'
                Effect: Allow
Outputs:
  GroupName:
    Description: Id of ram group.
    Value:
      Fn::GetAtt:
        - Group
        - GroupName

    JSON format 

    {
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
  },
  "Resources": {
    "Group": {
      "Type": "ALIYUN::RAM::Group",
      "Properties": {
        "GroupName": "TestGroup",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Sub": "GroupPolicy-${ALIYUN::StackId}"
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": [
                    "oss:Get*"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "GroupName": {
      "Description": "Id of ram group.",
      "Value": {
        "Fn::GetAtt": [
          "Group",
          "GroupName"
        ]
      }
    }
  }
}

    For more examples, visit User.json and User.yml. In the examples, the following resource types are used: ALIYUN::RAM::User, ALIYUN::RAM::Group, ALIYUN::RAM::AttachPolicyToUser, and ALIYUN::RAM::UserToGroupAddition.