模板名稱
ACS-RAM-CreateRoleAndAttachCustomPolicy 建立角色並授予自訂權限原則
模板描述
建立角色並授予自訂權限原則
模板類型
自動化
所有者
Alibaba Cloud
輸入參數
參數名稱 | 描述 | 類型 | 是否必填 | 預設值 | 約束 |
roleName | 建立角色名稱 | String | 是 | ||
policyName | 建立並授予的自訂權限原則名稱 | String | 是 | ||
policyDocument | 授權的自訂權限原則指令碼 | String | 是 | ||
rolePlayerUid | 角色信任的雲帳號 | String | 否 | {{ ACS::AccountId }} | |
OOSAssumeRole | OOS扮演的RAM角色 | String | 否 | "" |
輸出參數
參數名稱 | 描述 | 類型 |
stackId | String |
執行此模板需要的權限原則
{
"Version": "1",
"Statement": [
{
"Action": [
"ros:CreateStack",
"ros:GetStack"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
詳情
ACS-RAM-CreateRoleAndAttachCustomPolicy詳情
模板內容
FormatVersion: OOS-2019-06-01
Description:
en: Create RAM role and attach custom policy
zh-cn: 建立角色並授予自訂權限原則
name-en: ACS-RAM-CreateRoleAndAttachCustomPolicy
name-zh-cn: 建立角色並授予自訂權限原則
categories:
- security
Parameters:
roleName:
Label:
en: RoleName
zh-cn: 建立角色名稱
Type: String
rolePlayerUid:
Label:
en: RolePlayerUid
zh-cn: 角色信任的雲帳號
Type: String
Default: '{{ ACS::AccountId }}'
policyName:
Label:
en: PolicyName
zh-cn: 建立並授予的自訂權限原則名稱
Type: String
policyDocument:
Label:
en: PolicyDocument
zh-cn: 授權的自訂權限原則指令碼
Description:
en: 'e.g.{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
zh-cn: '如{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
Type: String
AssociationProperty: Code
OOSAssumeRole:
Label:
en: OOSAssumeRole
zh-cn: OOS扮演的RAM角色
Type: String
Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
- Name: createStackForRoleAndPolicy
Action: 'ACS::ROS::CreateStack'
Description:
en: Create role and attach policy by Ros resource stack
zh-cn: 通過Ros資源棧建立角色並授權策略
Properties:
stackName:
Fn::Replace:
- .: _
- OOS-{{ACS::ExecutionId}}
disableRollback: true
parameters:
- ParameterKey: RoleName
ParameterValue: '{{ roleName }}'
- ParameterKey: RolePlayerUid
ParameterValue: '{{ rolePlayerUid }}'
- ParameterKey: PolicyName
ParameterValue: '{{ policyName }}'
- ParameterKey: PolicyDocument
ParameterValue: '{{ policyDocument }}'
templateBody: |
{
"ROSTemplateFormatVersion": "2015-09-01",
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": {
"Ref": "RoleName"
},
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
{
"Fn::Sub": [
"acs:ram::${uid}:root",
{
"uid": {
"Ref": "RolePlayerUid"
}
}
]
}
]
}
}
],
"Version": "1"
}
}
},
"Policy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": {
"Ref": "PolicyName"
},
"PolicyDocumentUnchecked": {
"Ref": "PolicyDocument"
},
"Roles": [
{
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
]
}
}
},
"Parameters": {
"RoleName": {
"Type": "String",
"Description": "Role name."
},
"RolePlayerUid": {
"Type": "String",
"Description": "Role player uid."
},
"PolicyName": {
"Type": "String",
"Description": "Policy name."
},
"PolicyDocument": {
"Type": "Json",
"Description": "A policy document that describes what actions are allowed on which resources."
}
},
"Outputs": {
"RoleName": {
"Description": "When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"TemplateTags": [
"acs:integrate:oos:ram_create_role_and_attach_custom_policy"
]
}
}
}
Outputs:
stackId:
Type: String
ValueSelector: stackId
Outputs:
stackId:
Type: String
Value: '{{createStackForRoleAndPolicy.stackId}}'