All Products
Search

This Product

    Resource Orchestration Service:ALIYUN::RAM::User

    Document Center

    Resource Orchestration Service:ALIYUN::RAM::User

    Last Updated:Jul 05, 2023

    ALIYUN::RAM::User is used to create a Resource Access Management (RAM) user.

    Syntax

    {
  "Type": "ALIYUN::RAM::User",
  "Properties": {
    "UserName": String,
    "DisplayName": String,
    "LoginProfile": Map,
    "Groups": List,
    "MobilePhone": String,
    "Email": String,
    "Comments": String,
    "Policies": List,
    "PolicyAttachments": Map,
    "DeletionForce": Boolean
  }
}

    Properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    UserName

    String

    Yes

    No

    The name of the RAM user.

    The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    DisplayName

    String

    No

    Yes

    The display name of the RAM user.

    The display name must be 1 to 128 characters in length.

    LoginProfile

    Map

    No

    No

    The logon configurations of the RAM user.

    For more information, see LoginProfile properties.

    Groups

    List

    No

    No

    The user groups to which you want to add the RAM user.

    None.

    MobilePhone

    String

    No

    Yes

    The mobile number of the RAM user.

    None.

    Email

    String

    No

    Yes

    The email address of the RAM user.

    None.

    Comments

    String

    No

    Yes

    The comments on the RAM user.

    The comments must be 1 to 128 characters in length.

    Policies

    List

    No

    Yes

    The policies that you want to attach to the RAM user.

    For more information, see Policies properties.

    PolicyAttachments

    Map

    No

    Yes

    The names of the system and custom policies that you want to attach to the RAM user.

    For more information, see PolicyAttachments properties.

    DeletionForce

    Boolean

    No

    Yes

    Specifies whether to forcefully detach the policy from the RAM user.

    Valid values:

    • true

    • false (default)

    LoginProfile syntax

    "LoginProfile": {
  "MFABindRequired": Boolean,
  "Password": String,
  "PasswordResetRequired": Boolean
}

    LoginProfile properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    MFABindRequired

    Boolean

    No

    No

    Specifies whether to forcefully enable multi-factor authentication (MFA) for the RAM user.

    Valid values:

    • true: forcefully enables MFA. The RAM user must bind an MFA device at the next logon.

    • false: does not forcefully enable MFA.

    Password

    String

    No

    No

    The new password that the RAM user uses to log on to the RAM console.

    The password must be 8 to 32 characters in length, and must comply with the strong password requirements.

    PasswordResetRequired

    Boolean

    No

    No

    Specifies whether the RAM user must reset the password at the next logon.

    Valid values:

    • true

    • false

    Policies syntax

    "Policies": [
  {
    "PolicyName": String,
    "PolicyDocument": Map,
    "Description": String,
    "IgnoreExisting": Boolean
  }
]

    Policies properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Description

    String

    No

    No

    The description of the policy.

    The description must be 1 to 1,024 characters in length.

    PolicyName

    String

    Yes

    No

    The name of the policy.

    The name must be 1 to 128 characters in length, and can contain letters, digits, and hyphens (-).

    PolicyDocument

    Map

    Yes

    Yes

    The content of the policy.

    The content can be up to 2,048 characters in length.

    For more information, see PolicyDocument properties.

    IgnoreExisting

    Boolean

    No

    No

    Specifies whether to ignore the existing policy that has the same name as the new policy.

    Valid values:

    • true: ignores the existing policy. Resource Orchestration Service (ROS) does not check the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, the policy is ignored when ROS creates the new policy. If the existing policy is not created in the ROS console, the policy is ignored when ROS updates or deletes the new policy.  

    • false: does not ignore the existing policy. ROS checks the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, an error is reported when ROS creates the new policy.

    PolicyDocument syntax

    "PolicyDocument": {
  "Version": String,
  "Statement": List
}

    PolicyDocument properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Version

    String

    Yes

    No

    The version of the policy.

    None.

    Statement

    List

    Yes

    No

    The statements of the policy.

    For more information, see Statement properties.

    Statement syntax

    "Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

    Statement properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Condition

    Map

    No

    No

    The condition that is required for the policy to take effect.

    None.

    Action

    List

    No

    No

    The actions that you want to perform based on the policy.

    None.

    Resource

    List

    No

    No

    The resources to which you want to apply the policy.

    None.

    Effect

    String

    No

    No

    The effect of the statement.

    Valid values:

    • Allow

    • Deny

    PolicyAttachments syntax

    "PolicyAttachments": {
  "Custom": List,
  "System": List
}

    PolicyAttachments properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Custom

    List

    No

    Yes

    The names of the custom policies.

    You can attach up to five custom policies.

    System

    List

    No

    Yes

    The names of the system policies.

    You can attach up to 20 system policies.

    Return values

    Fn::GetAtt

    • UserName: the name of the RAM user.

    • UserId: the ID of the RAM user.

    • CreateDate: the time when the RAM user was created.

    • LastLoginDate: the last logon time of the RAM user.

    Examples

    YAML format 

    ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM User
Parameters: {}
Resources:
  User:
    Type: ALIYUN::RAM::User
    Properties:
      UserName: dev
      Policies:
        - PolicyName:
            Fn::Join:
              - '-'
              - - StackId
                - Ref: ALIYUN::StackId
          PolicyDocument:
            Statement:
              - Action:
                  - oss:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
Outputs: {}

    JSON format 

    {
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM User",
  "Parameters": {
  },
  "Resources": {
    "User": {
      "Type": "ALIYUN::RAM::User",
      "Properties": {
        "UserName": "dev",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Join": [
                "-",
                [
                  "StackId",
                  {
                    "Ref": "ALIYUN::StackId"
                  }
                ]
              ]
            },
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "oss:*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "1"
            }
          }
        ]
      }
    }
  },
  "Outputs": {
  }
}