
Resource Orchestration Service: ALIYUN::RAM::ManagedPolicy

Updated at: Jul 06, 2023

ALIYUN::RAM::ManagedPolicy is used to create a Resource Access Management (RAM) policy.

Syntax

{
  "Type": "ALIYUN::RAM::ManagedPolicy",
  "Properties": {
    "PolicyName": String,
    "Description": String,
    "Roles": List,
    "PolicyDocumentUnchecked": Map,
    "PolicyDocument": Map,
    "Groups": List,
    "Users": List,
    "IgnoreExisting": Boolean
  }
}

Properties

PolicyName
  Type: String
  Required: Yes
  Editable: No
  Description: The name of the policy.
  Constraint: The name can be up to 128 characters in length.

Description
  Type: String
  Required: No
  Editable: No
  Description: The description of the policy.
  Constraint: The description can be up to 1,024 characters in length.

PolicyDocument
  Type: Map
  Required: No
  Editable: Yes
  Description: The content of the policy.
  Constraint: For more information, see PolicyDocument properties.

Users
  Type: List
  Required: No
  Editable: No
  Description: The RAM users to whom you want to attach the policy.
  Constraint: None.

Groups
  Type: List
  Required: No
  Editable: No
  Description: The RAM user groups to which you want to attach the policy.
  Constraint: None.

Roles
  Type: List
  Required: No
  Editable: No
  Description: The RAM roles to which you want to attach the policy.
  Constraint: None.

PolicyDocumentUnchecked
  Type: Map
  Required: No
  Editable: Yes
  Description: The policy document that describes the specific actions that may be performed on specific resources.
  Constraint: If you specify this property, PolicyDocument is ignored.

IgnoreExisting
  Type: Boolean
  Required: No
  Editable: No
  Description: Specifies whether to ignore an existing policy that has the same name as the new policy.
  Constraint: Valid values:
    • true: ignores the existing policy. Resource Orchestration Service (ROS) does not check whether policy names are unique. If a policy with the same name already exists in the ROS console, that policy is ignored when ROS creates the new policy. If the existing policy was not created in the ROS console, the policy is ignored when ROS updates or deletes the new policy.
    • false: does not ignore the existing policy. ROS checks whether policy names are unique. If a policy with the same name already exists in the ROS console, an error is reported when ROS creates the new policy.

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

Version
  Type: String
  Required: Yes
  Editable: No
  Description: The version of the policy.
  Constraint: None.

Statement
  Type: List
  Required: Yes
  Editable: No
  Description: The statements of the policy.
  Constraint: For more information, see Statement properties.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

Statement properties

Condition
  Type: Map
  Required: No
  Editable: No
  Description: The condition that must be met for the statement to take effect.
  Constraint: None.

Action
  Type: List
  Required: No
  Editable: No
  Description: The actions that the statement allows or denies.
  Constraint: None.

Resource
  Type: List
  Required: No
  Editable: No
  Description: The resources to which the statement applies.
  Constraint: None.

Effect
  Type: String
  Required: No
  Editable: No
  Description: The effect of the statement.
  Constraint: Valid values:
    • Allow
    • Deny

Return values

Fn::GetAtt

PolicyName: the name of the policy.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM ManagedPolicy
Parameters:
  User:
    Type: String
    AssociationProperty: ALIYUN::RAM::User
Resources:
  ManagePolicy:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyName: TestPolicy
      PolicyDocument:
        Version: '1'
        Statement:
          - Action:
              - '*'
            Resource:
              - '*'
            Effect: Allow
      Users:
        - Ref: User
Outputs: {}

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM ManagedPolicy",
  "Parameters": {
    "User": {
      "Type": "String",
      "AssociationProperty": "ALIYUN::RAM::User"
    }
  },
  "Resources": {
    "ManagePolicy": {
      "Type": "ALIYUN::RAM::ManagedPolicy",
      "Properties": {
        "PolicyName": "TestPolicy",
        "PolicyDocument": {
          "Version": "1",
          "Statement": [
            {
              "Action": [
                "*"
              ],
              "Resource": [
                "*"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "Users": [
          {
            "Ref": "User"
          }
        ]
      }
    }
  },
  "Outputs": {}
}
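As an added example that is not part of the ROS documentation, the following Python audit reads a ROS template, applies the precedence stated above (PolicyDocumentUnchecked overrides PolicyDocument) and flags every ALIYUN::RAM::ManagedPolicy resource whose effective document contains an unconditional Allow of Action "*" on Resource "*", which is what the TestPolicy example above grants. The template, the logical resource names and the ram:ListUsers / acs:SourceIp values are constructed sample input.

```python
import json

# Constructed sample template, modelled on the page's JSON example (not copied from it):
# AdminPolicy is the page's own "*" on "*"; OverridePolicy hides a broad PolicyDocumentUnchecked.
SAMPLE_TEMPLATE = json.loads("""{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "AdminPolicy": {"Type": "ALIYUN::RAM::ManagedPolicy", "Properties": {
      "PolicyName": "TestPolicy", "PolicyDocument": {"Version": "1", "Statement": [
        {"Action": ["*"], "Resource": ["*"], "Effect": "Allow"}]}}},
    "OverridePolicy": {"Type": "ALIYUN::RAM::ManagedPolicy", "Properties": {
      "PolicyName": "LooksNarrow", "PolicyDocument": {"Version": "1", "Statement": [
        {"Action": ["ram:ListUsers"], "Resource": ["*"], "Effect": "Allow"}]},
      "PolicyDocumentUnchecked": {"Version": "1", "Statement": [
        {"Action": "*", "Resource": "*", "Effect": "Allow"}]}}},
    "ScopedPolicy": {"Type": "ALIYUN::RAM::ManagedPolicy", "Properties": {
      "PolicyName": "ScopedAdmin", "PolicyDocument": {"Version": "1", "Statement": [
        {"Action": ["*"], "Resource": ["*"], "Effect": "Allow",
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}]}}}
  }
}""")

def as_list(value):
    """Action and Resource may be written as a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def effective_document(props):
    """Apply the precedence the page states: PolicyDocumentUnchecked makes PolicyDocument ignored."""
    if "PolicyDocumentUnchecked" in props:
        return props["PolicyDocumentUnchecked"], "PolicyDocumentUnchecked"
    return props.get("PolicyDocument"), "PolicyDocument"

def broad_statements(doc):
    """Indexes of Allow statements with no Condition that grant Action '*' on Resource '*'."""
    return [i for i, st in enumerate(doc.get("Statement", []))
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and "*" in as_list(st.get("Action", [])) and "*" in as_list(st.get("Resource", []))]

def audit_template(template):
    """Map each risky ALIYUN::RAM::ManagedPolicy to (property in effect, statement indexes)."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::RAM::ManagedPolicy":
            continue
        doc, source = effective_document(res.get("Properties", {}))
        hits = broad_statements(doc) if doc else []
        if hits:
            findings[logical_id] = (source, hits)
    return findings
```

ScopedPolicy is not reported because its wildcard grant carries a Condition; OverridePolicy is reported against PolicyDocumentUnchecked even though its PolicyDocument looks narrow.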