All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::CS::GrantPermissions

更新時間:Aug 12, 2024

ALIYUN::CS::GrantPermissions is used to grant role-based access control (RBAC) permissions to a Resource Access Management (RAM) user or RAM role.

Syntax

{
  "Type": "ALIYUN::CS::GrantPermissions",
  "Properties": {
    "Permissions": List,
    "UserId": String
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

Permissions

List

Yes

Yes

The permissions that you want to grant to the RAM user.

For more information, see Permissions properties.

UserId

String

Yes

Yes

The ID of the RAM role.

None.

Permissions syntax

"Permissions": [
  {
    "RoleName": String,
    "ClusterId": String,
    "RoleType": String,
    "IsCustom": Boolean,
    "IsRamRole": Boolean,
    "Namespace": String
  }
]

Permissions properties

Property

Type

Required

Editable

Description

Constraint

ClusterId

String

Yes

Yes

The ID of the cluster on which you want to grant the RBAC permissions.

You must leave this property empty when RoleType is set all-clusters.

RoleName

String

Yes

Yes

The predefined role.

Valid values:

  • admin: an administrator

  • ops: an O&M engineer

  • dev: a developer

  • restricted: a restricted user

  • Cluster role: a cluster role that you specify

RoleType

String

Yes

Yes

The authorization scope.

Valid values:

  • cluster

  • namespace

  • all-clusters

IsCustom

Boolean

No

Yes

Specifies whether to perform a custom authorization.

Valid values:

  • true

  • false

IsRamRole

Boolean

No

Yes

Specifies whether to grant the permissions to a RAM role.

Valid values:

  • true

  • false

Namespace

String

No

Yes

The namespace.

By default, this property is empty when RoleType is set to cluster.

Return values

Fn::GetAtt

None.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  UserId:
    Type: String
    Description:
      en: The ID of the RAM user.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameters:
        RoleName:
          Type: String
          Description:
            en: |-
              he predefined role name. Valid values:
              admin: administrator
              ops: O&M engineer
              dev: developer
              restricted: restricted user
              The custom cluster role.
          Required: true
        ClusterId:
          Type: String
          Description:
            en: The ID of the cluster that you want to manage. When the role_type parameter is set to all-clusters, this parameter is set to an empty string.
          Required: true
        RoleType:
          Type: String
          Description:
            en: |-
              The authorization type. Valid values:
              cluster: indicates that the permissions are scoped to a cluster.
              namespace: specifies that the permissions are scoped to a namespace of a cluster.
              all-clusters: specifies that the permissions are scoped to all clusters.
          AllowedValues:
            - cluster
            - namespace
            - all-clusters
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: 'The permissions that you want to grant to the RAM user. '
    Required: true
    MinLength: 0
    MaxLength: 20
Resources:
  GrantPermissions:
    Type: ALIYUN::CS::GrantPermissions
    Properties:
      UserId:
        Ref: UserId
      Permissions:
        Ref: Permissions

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "UserId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the RAM user."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "RoleName": {
            "Type": "String",
            "Description": {
              "en": "he predefined role name. Valid values:\nadmin: administrator\nops: O&M engineer\ndev: developer\nrestricted: restricted user\nThe custom cluster role."
            },
            "Required": true
          },
          "ClusterId": {
            "Type": "String",
            "Description": {
              "en": "The ID of the cluster that you want to manage. When the role_type parameter is set to all-clusters, this parameter is set to an empty string."
            },
            "Required": true
          },
          "RoleType": {
            "Type": "String",
            "Description": {
              "en": "The authorization type. Valid values:\ncluster: indicates that the permissions are scoped to a cluster.\nnamespace: specifies that the permissions are scoped to a namespace of a cluster.\nall-clusters: specifies that the permissions are scoped to all clusters."
            },
            "AllowedValues": [
              "cluster",
              "namespace",
              "all-clusters"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "The permissions that you want to grant to the RAM user. "
      },
      "Required": true,
      "MinLength": 0,
      "MaxLength": 20
    }
  },
  "Resources": {
    "GrantPermissions": {
      "Type": "ALIYUN::CS::GrantPermissions",
      "Properties": {
        "UserId": {
          "Ref": "UserId"
        },
        "Permissions": {
          "Ref": "Permissions"
        }
      }
    }
  }
}