
Resource Orchestration Service: ALIYUN::RAM::Role

Last Updated:Oct 28, 2024

ALIYUN::RAM::Role is used to create a Resource Access Management (RAM) role, together with the trust policy that decides who can assume the role and the policies that decide what the role can do once assumed.

Syntax

{
  "Type": "ALIYUN::RAM::Role",
  "Properties": {
    "RoleName": String,
    "Description": String,
    "AssumeRolePolicyDocument": Map,
    "MaxSessionDuration": Integer,
    "Policies": List,
    "IgnoreExisting": Boolean,
    "DeletionForce": Boolean,
    "PolicyAttachments": Map
  }
}

Properties

AssumeRolePolicyDocument   Map   Required: Yes   Editable: Yes
  The trust policy of the RAM role. It specifies one or more trusted entities that are allowed to assume the role: Alibaba Cloud accounts, Alibaba Cloud services, or identity providers (IdPs). This document alone decides who can obtain credentials for the role, so grant trust only to the specific principals that need it.

RoleName   String   Required: Yes   Editable: No
  The name of the RAM role.
  The name must be 1 to 64 characters in length and can contain letters, digits, periods (.), and hyphens (-).

Description   String   Required: No   Editable: No
  The description of the RAM role.
  The description can be up to 1,024 characters in length.

MaxSessionDuration   Integer   Required: No   Editable: Yes
  The maximum session duration of the RAM role, that is, the longest validity period of the temporary credentials that are issued when the role is assumed.
  Valid values: 3600 to 43200. Unit: seconds.
  Default value: 3600.

Policies   List   Required: No   Editable: Yes
  The policies to create from PolicyName and PolicyDocument and attach to the RAM role.
  For more information, see Policy overview.

IgnoreExisting   Boolean   Required: No   Editable: No
  Specifies whether to ignore an existing RAM role that has the same name.
  Valid values:
    • false: does not ignore an existing RAM role. Resource Orchestration Service (ROS) performs a uniqueness check and reports an error if a RAM role with the same name already exists.
    • true: ignores an existing RAM role. ROS does not perform the uniqueness check and does not report an error if a RAM role with the same name already exists.
  Note: If the existing role was not created by ROS, ROS leaves it untouched when the stack that declares the new role is updated or deleted.

DeletionForce   Boolean   Required: No   Editable: Yes
  Specifies whether to forcibly detach the policies that are attached to the RAM role when the role is deleted.
  Default value: false.

PolicyAttachments   Map   Required: No   Editable: Yes
  The names of the existing system policies and custom policies that you want to attach to the RAM role.
  For more information, see the "PolicyAttachments properties" section of this topic.

AssumeRolePolicyDocument syntax

"AssumeRolePolicyDocument": {
  "Version": String,
  "Statement": List
}

AssumeRolePolicyDocument properties

Version   String   Required: Yes   Editable: No
  The version of the policy language. The examples in this topic use "1".

Statement   List   Required: Yes   Editable: No
  The statements in the policy.
  For more information, see the "Statement properties" section of this topic.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": String,
    "Effect": String,
    "Principal": Map
  }
]

Statement properties

Condition   Map   Required: No   Editable: No
  The conditions that must be met for the statement to take effect.

Action   String   Required: No   Editable: No
  The action that the statement allows or denies. For a trust policy this is sts:AssumeRole, as in the examples in this topic.

Effect   String   Required: No   Editable: No
  The effect of the statement.
  Valid values:
    • Allow
    • Deny

Principal   Map   Required: No   Editable: No
  The trusted entity to which the statement applies.
  For more information, see Principal properties.

Principal syntax

"Principal": {
  "Service": List,
  "Federated": List,
  "RAM": List
}

Principal properties

Service   List   Required: No   Editable: No
  The Alibaba Cloud services that are trusted to assume the role, such as actiontrail.aliyuncs.com in the examples in this topic.

Federated   List   Required: No   Editable: No
  The IdPs whose federated users are trusted to assume the role.

RAM   List   Required: No   Editable: No
  The Alibaba Cloud accounts whose RAM identities are trusted to assume the role.

Policies syntax

"Policies": [
  {
    "Description": String,
    "PolicyName": String,
    "PolicyDocument": Map
  }
]

Policies properties

Description   String   Required: No   Editable: No
  The description of the policy.
  The description must be 1 to 1,024 characters in length.

PolicyName   String   Required: Yes   Editable: No
  The name of the policy.
  The name must be 1 to 128 characters in length and can contain letters, digits, and hyphens (-).

PolicyDocument   Map   Required: Yes   Editable: Yes
  The content of the policy.
  The content can be up to 2,048 characters in length.
  For more information, see PolicyDocument properties.

PolicyAttachments syntax

"PolicyAttachments": {
  "System": List,
  "Custom": List
}

PolicyAttachments properties

Custom   List   Required: No   Editable: Yes
  The names of the custom policies.
  You can attach up to five custom policies.

System   List   Required: No   Editable: Yes
  The names of the system policies.
  You can attach up to 20 system policies.

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

Version   String   Required: Yes   Editable: No
  The version of the policy language. The examples in this topic use "1".

Statement   List   Required: Yes   Editable: No
  The statements in the policy.
  For more information, see the "Statement properties" section that follows.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

Statement properties

Condition   Map   Required: No   Editable: No
  The conditions that must be met for the statement to take effect.

Action   List   Required: No   Editable: No
  The API actions that the statement allows or denies. List the specific actions the role needs; an Allow statement with Action * and Resource * grants every action on every resource in the account.

Resource   List   Required: No   Editable: No
  The resources to which the statement applies.

Effect   String   Required: No   Editable: No
  The effect of the statement.
  Valid values:
    • Allow
    • Deny

Return values

Fn::GetAtt

  • RoleId: the ID of the RAM role.

  • RoleName: the name of the RAM role.

  • Arn: the Alibaba Cloud Resource Name (ARN) of the RAM role.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM Role
Parameters: {}
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName: TestRole
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
        Version: '1'
Outputs:
  RoleId:
    Description: ID of the RAM role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleId
  Arn:
    Description: ARN of the RAM role.
    Value:
      Fn::GetAtt:
        - Role
        - Arn
  RoleName:
    Description: Name of the RAM role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleName

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM Role",
  "Parameters": {
  },
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": "TestRole",
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }
      }
    }
  },
  "Outputs": {
    "RoleId": {
      "Description": "ID of the RAM role.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "RoleId"
        ]
      }
    },
    "Arn": {
      "Description": "ARN of the RAM role.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "Arn"
        ]
      }
    },
    "RoleName": {
      "Description": "Name of the RAM role.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "RoleName"
        ]
      }
    }
  }
}
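The trust policy above (AssumeRolePolicyDocument) decides who may assume the role, and the PolicyDocument statements, PolicyAttachments and MaxSessionDuration decide what the role may do and for how long. The script below is an added example written for this page, not ROS or Alibaba Cloud code: it parses a JSON-format template like the one above and flags the over-broad settings in every ALIYUN::RAM::Role it finds, generalising beyond the single Service-principal example on the page. SAFE_TEMPLATE mirrors the ActionTrail example; RISKY_TEMPLATE, the fictitious account ID 1987654321098765 in it, and the finding texts are constructed for illustration. AdministratorAccess is a real Alibaba Cloud system policy; the wildcard, ":root" and session-duration checks are this script's own review heuristics.

```python
"""Lint ALIYUN::RAM::Role resources in a JSON-format ROS template for
over-broad trust and permission settings.  Added example for this page, not
ROS or Alibaba Cloud code; finding texts and sample templates are constructed."""
import json

ROLE_TYPE = "ALIYUN::RAM::Role"
FULL_ADMIN_POLICIES = {"AdministratorAccess"}  # system policy: every action on everything


def _as_list(value):  # RAM policy grammar accepts a bare string where a list is allowed
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc):
    """Findings for an AssumeRolePolicyDocument: who may assume the role."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow trust
        principal = stmt.get("Principal") or {}
        if not principal:
            findings.append(f"trust[{i}]: Allow statement has no Principal")
        conditioned = bool(stmt.get("Condition"))
        for kind in ("RAM", "Service", "Federated"):
            for entity in _as_list(principal.get(kind)):
                if entity == "*" or entity.endswith(":*"):
                    findings.append(f"trust[{i}]: wildcard {kind} principal {entity}")
                elif kind == "RAM" and entity.endswith(":root") and not conditioned:
                    # ":root" trusts a whole account: any RAM identity in it that is
                    # allowed sts:AssumeRole on this role can assume it.
                    findings.append(f"trust[{i}]: whole-account trust {entity} without Condition")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"trust[{i}]: unexpected Action {action}")
    return findings


def lint_permission_policy(doc, label):
    """Findings for one PolicyDocument declared under Policies."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"{label}[{i}]: Allow Action * on Resource * (full access)")
        elif "*" in actions or ("*" in resources and any(a.endswith(":*") for a in actions)):
            findings.append(f"{label}[{i}]: wildcard grant, narrow Action or Resource")
    return findings


def lint_role(props):
    """All findings for the Properties map of one ALIYUN::RAM::Role."""
    findings = lint_trust_policy(props.get("AssumeRolePolicyDocument", {}))
    for pol in props.get("Policies", []):
        findings += lint_permission_policy(pol.get("PolicyDocument", {}), pol.get("PolicyName", "?"))
    for sys_pol in _as_list(props.get("PolicyAttachments", {}).get("System")):
        if sys_pol in FULL_ADMIN_POLICIES:
            findings.append(f"PolicyAttachments: {sys_pol} grants full access")
    duration = props.get("MaxSessionDuration", 3600)
    if duration > 3600:
        findings.append(f"MaxSessionDuration {duration}s exceeds the 3600s default")
    return findings


def lint_template(template_text):
    """Map each role's logical ID to its findings; an empty list means clean."""
    resources = json.loads(template_text).get("Resources", {})
    return {rid: lint_role(res.get("Properties", {}))
            for rid, res in resources.items() if res.get("Type") == ROLE_TYPE}


def _template(role_id, props):  # wrap one role's Properties in a minimal template
    return json.dumps({"ROSTemplateFormatVersion": "2015-09-01",
                       "Resources": {role_id: {"Type": ROLE_TYPE, "Properties": props}}})


# SAFE_TEMPLATE mirrors the ActionTrail example on this page; RISKY_TEMPLATE is
# constructed (fictitious account ID) to show what the checks above catch.
SAFE_TEMPLATE = _template("Role", {
    "RoleName": "TestRole",
    "AssumeRolePolicyDocument": {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["actiontrail.aliyuncs.com"]}}]}})

RISKY_TEMPLATE = _template("AdminRole", {
    "RoleName": "AdminRole",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::1987654321098765:root"]}}]},
    "Policies": [{"PolicyName": "everything", "PolicyDocument": {"Version": "1",
        "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}],
    "PolicyAttachments": {"System": ["AdministratorAccess"]}})

if __name__ == "__main__":
    for text in (SAFE_TEMPLATE, RISKY_TEMPLATE):
        for role_id, findings in lint_template(text).items():
            print(role_id, "->", findings or "clean")
```

Run the file directly to see the two sample results, or pass your own JSON-format template text to lint_template (a YAML template has to be loaded into a dict and dumped to JSON first). Treat the findings as review prompts rather than hard failures: trusting a whole account with a ":root" principal is sometimes intended, but then the statement should carry a Condition that narrows who in that account can call sts:AssumeRole, and a MaxSessionDuration above the default means stolen role credentials stay valid for correspondingly longer.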