The ALIYUN::RAM::Role type is used to create a RAM role.
Syntax
{
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": String,
"Description": String,
"AssumeRolePolicyDocument": Map,
"MaxSessionDuration": Integer,
"Policies": List,
"IgnoreExisting": Boolean,
"DeletionForce": Boolean,
"PolicyAttachments": Map
}
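}
Properties
Property name | Type | Required | Update allowed | Description | Constraint |
AssumeRolePolicyDocument | Map | Yes | Yes | The identities that can assume this RAM role. | The trust policy. Specifies one or more principals that are allowed to assume the RAM role. A principal can be an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider. |
RoleName | String | Yes | No | The name of the RAM role. | 1 to 64 characters in length; can contain letters, digits, periods (.), and hyphens (-). |
Description | String | No | No | The description of the RAM role. | Maximum length: 1024 characters. |
MaxSessionDuration | Integer | No | Yes | The maximum session duration of the RAM role. | Valid values: 3600 to 43200 seconds. Default: 3600 seconds. |
Policies | List | No | Yes | The policies that apply to the RAM role. | For more information, see the permission policy overview. |
IgnoreExisting | Boolean | No | No | Whether to ignore an existing role. | Valid values:
Note: If the role was not created by ROS, it is ignored during the update and delete phases. |
DeletionForce | Boolean | No | Yes | Whether to forcibly detach the policies attached to the role. | Default: false. |
PolicyAttachments | Map | No | Yes | The names of the system and custom policies to attach. | For more information, see PolicyAttachments properties. |
AssumeRolePolicyDocument syntax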
"AssumeRolePolicyDocument": {
"Version": String,
"Statement": List
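}
AssumeRolePolicyDocument properties
Property name | Type | Required | Update allowed | Description | Constraint |
Version | String | Yes | No | The policy version. | None |
Statement | List | Yes | No | The policy rules. | For more information, see Statement properties. |
Statement syntax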
"Statement": [
{
"Condition": Map,
"Action": String,
"Effect": String,
"Principal": Map
}
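]
Statement properties
Property name | Type | Required | Update allowed | Description | Constraint |
Condition | Map | No | No | The conditions. | None |
Action | String | No | No | The specific operations that the policy applies to. | None |
Effect | String | No | No | The effect of the permission. | Valid values:
|
Principal | Map | No | No | The trusted entity type. | For more information, see Principal properties. |
Principal syntax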
"Principal": {
"Service": List,
"Federated": List,
"RAM": List
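}
Principal properties
Property name | Type | Required | Update allowed | Description | Constraint |
Service | List | No | No | Alibaba Cloud services. | None |
Federated | List | No | No | Identity providers. | None |
RAM | List | No | No | Alibaba Cloud accounts. | None |
Policies syntax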
"Policies": [
{
"Description": String,
"PolicyName": String,
"PolicyDocument": Map
}
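]
Policies properties
Property name | Type | Required | Update allowed | Description | Constraint |
Description | String | No | No | The description. | 1 to 1024 characters in length. |
PolicyName | String | Yes | No | The name of the permission policy. | 1 to 128 characters in length; can contain letters, digits, and hyphens (-). |
PolicyDocument | Map | Yes | Yes | The content of the permission policy. | Maximum length: 2048 characters. For more information, see PolicyDocument properties. |
PolicyAttachments syntax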
"PolicyAttachments": {
"System": List,
"Custom": List
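}
PolicyAttachments properties
Property name | Type | Required | Update allowed | Description | Constraint |
Custom | List | No | Yes | The list of custom policy names. | At most 5 policies. |
System | List | No | Yes | The list of system policy names. | At most 20 policies. |
PolicyDocument syntax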
"PolicyDocument": {
"Version": String,
"Statement": List
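}
PolicyDocument properties
Property name | Type | Required | Update allowed | Description | Constraint |
Version | String | Yes | No | The version of the permission policy. | None |
Statement | List | Yes | No | The rules of the permission policy. | None |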
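The constraints in the property tables can be checked before a stack is created. The following Python is an added example, not part of the original page or of ROS: `lint_ram_roles` is a hypothetical helper that takes a template already parsed from JSON, applies the documented limits, and also flags inline policies that allow a wildcard action on every resource (a review heuristic added here, not a ROS rule). Values given as `Ref` or `Fn::` functions are skipped because they resolve only at deploy time.

```python
import re

# Constraints copied from the property tables on this page.
ROLE_NAME = re.compile(r"[A-Za-z0-9.\-]{1,64}")
POLICY_NAME = re.compile(r"[A-Za-z0-9\-]{1,128}")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _intrinsic(value):
    """True for {"Ref": ...} / {"Fn::...": ...}, which resolve only at deploy time."""
    return isinstance(value, dict) and any(k == "Ref" or k.startswith("Fn::") for k in value)

def _wildcard_allow(document):
    """True if an Allow statement pairs a wildcard Action with Resource '*'."""
    for stmt in _listify(document.get("Statement", [])):
        if isinstance(stmt, dict) and stmt.get("Effect") == "Allow":
            actions = [a for a in _listify(stmt.get("Action", [])) if isinstance(a, str)]
            if any("*" in a for a in actions) and "*" in _listify(stmt.get("Resource", [])):
                return True
    return False

def lint_ram_roles(template):
    """Return (resource_id, message) findings for each ALIYUN::RAM::Role."""
    out = []
    for rid, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::RAM::Role":
            continue
        props = res.get("Properties", {})
        name, trust = props.get("RoleName"), props.get("AssumeRolePolicyDocument")
        if name is None:
            out.append((rid, "RoleName is required"))
        elif isinstance(name, str) and not ROLE_NAME.fullmatch(name):
            out.append((rid, "RoleName breaks the naming constraint"))
        if not _intrinsic(trust) and not (
                isinstance(trust, dict) and {"Version", "Statement"} <= trust.keys()):
            out.append((rid, "AssumeRolePolicyDocument needs Version and Statement"))
        duration = props.get("MaxSessionDuration")
        if isinstance(duration, int) and not 3600 <= duration <= 43200:
            out.append((rid, "MaxSessionDuration outside 3600-43200 seconds"))
        for kind, limit in (("Custom", 5), ("System", 20)):
            if len((props.get("PolicyAttachments") or {}).get(kind) or []) > limit:
                out.append((rid, f"PolicyAttachments.{kind} exceeds {limit} policies"))
        for policy in _listify(props.get("Policies", [])):
            if not isinstance(policy, dict) or _intrinsic(policy):
                continue
            pname, doc = policy.get("PolicyName"), policy.get("PolicyDocument")
            if isinstance(pname, str) and not POLICY_NAME.fullmatch(pname):
                out.append((rid, "inline PolicyName breaks the naming constraint"))
            if isinstance(doc, dict) and _wildcard_allow(doc):
                out.append((rid, "inline policy allows a wildcard action on Resource '*'"))
    return out
```

Pass it the result of `json.load` on a JSON template; an empty list means no finding.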
Return values
Fn::GetAtt
RoleId: The role ID.
RoleName: The role name.
Arn: The resource descriptor of the role.
Examples
Scenario 1: Create a RAM role.
ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM Role
Parameters: {}
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName: TestRole
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
        Version: '1'
Outputs:
  RoleId:
    Description: Id of ram role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleId
  Arn:
    Description: Name of alicloud resource.
    Value:
      Fn::GetAtt:
        - Role
        - Arn
  RoleName:
    Description: Name of ram role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleName
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": "Test RAM Role",
"Parameters": {
},
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": "TestRole",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"actiontrail.aliyuncs.com"
]
}
}
],
"Version": "1"
}
}
}
},
"Outputs": {
"RoleId": {
"Description": "Id of ram role.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleId"
]
}
},
"Arn": {
"Description": "Name of alicloud resource.",
"Value": {
"Fn::GetAtt": [
"Role",
"Arn"
]
}
},
"RoleName": {
"Description": "Name of ram role.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
}
}
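}
Scenario 2: Create a RAM role and attach a custom policy that allows the specified services to assume the role and defines the policy actions.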
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 建立RAM角色,附加自訂策略,允許指定服務假設角色及定義策略操作。
  en: Create a RAM role, attach a custom policy allowing specified services to assume the role, and define policy operations.
Parameters:
  RoleName:
    Type: String
    Label:
      en: Role Name
      zh-cn: 角色的名稱
    Description:
      en: The name of role, Change the name if it already exists,<br>Consist of english letters, numbers or '-',not more than 64 characters.
      zh-cn: 角色的名稱,如果已經存在,請更改名稱,<br>由英文字母、數字或'-'組成,不超過64個字元。
    ConstraintDescription:
      en: No more than 64 characters,English letters, Numbers, or '-' are allowed.
      zh-cn: 不得超過 64 個字元、英文字母、數字或'-'。
    Default: test-role
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 1
    MaxLength: 64
  AssumeRolePrincipalServices:
    Type: Json
    Label:
      en: Principal Services
      zh-cn: 角色可信的服務
    Description:
      en: The specifies role-trusted services that can be added more than once.
      zh-cn: 指定角色可信的服務,可以添加多個。
    Default:
      - ecs.aliyuncs.com
  PolicyName:
    Type: String
    Label:
      en: Policy Name
      zh-cn: 策略名稱
    Description:
      en: The policy name, Change the name if it already exists,<br>Consist of english letters, numbers or '-', 5-128 characters.
      zh-cn: 策略名稱,改變名稱如果它已經存在,<br>由英文字母,數字或'-',5-128個字元組成。
    ConstraintDescription:
      en: Consist of english letters, numbers or '-',5-128 characters.
      zh-cn: 由英文字母、數字或'-',5-128個字元組成。
    Default: test-policy-name
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 5
    MaxLength: 128
  SpecificAction:
    Type: String
    Label:
      en: Specific Action
      zh-cn: 策略的操作
    Description:
      en: 'The specific action of the policy,Separated by English commas; <a href=''https://www.alibabacloud.com/help/document_detail/93738.html'' target=''_blank''><b><font color=''blue''>View Policy elements-Action</font></b></font></a><br>For example: <br>[oss.*,ecs.*: <font color=''green''>all the action of oss and ecs</font>]<br>[oss.*: <font color=''green''>all the action of oss</font>]<br>[oss.GetObjectUrl: <font color=''green''>action is GetObjectUrl of oss</font>]<br>.'
      zh-cn: '指定策略的操作,以英文逗號分隔;<a href=''https://www.alibabacloud.com/help/document_detail/93738.html'' target=''_blank''><b><font color=''blue''>查看策略元素-Action</font></b></font></a><br>例如: <br>[oss.*,ecs.*: <font color=''green''>oss和ecs的所有操作</font>]<br>[oss.*: <font color=''green''>oss的所有操作</font>]<br>[oss.GetObjectUrl: <font color=''green''>oss的GetObjectUrl操作</font>]<br>'
    Default: oss.*,ecs.*
Resources:
  RamManagedPolicy:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              Fn::Split:
                - ','
                - Ref: SpecificAction
            Effect: Allow
            Resource:
              - '*'
        Version: '1'
      PolicyName:
        Ref: PolicyName
  RamRole:
    Type: ALIYUN::RAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Ref: AssumeRolePrincipalServices
        Version: '1'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ros:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
          PolicyName:
            Fn::Join:
              - ''
              - - Policy-
                - Ref: ALIYUN::StackId
      RoleName:
        Ref: RoleName
  RamAttachPolicyToRole:
    Type: ALIYUN::RAM::AttachPolicyToRole
    Properties:
      PolicyName:
        Fn::GetAtt:
          - RamManagedPolicy
          - PolicyName
      PolicyType: Custom
      RoleName:
        Fn::GetAtt:
          - RamRole
          - RoleName
    DependsOn:
      - RamManagedPolicy
      - RamRole
Outputs:
  PolicyName:
    Value:
      Fn::GetAtt:
        - RamManagedPolicy
        - PolicyName
  RoleArn:
    Value:
      Fn::GetAtt:
        - RamRole
        - Arn
  RoleName:
    Value:
      Fn::GetAtt:
        - RamRole
        - RoleName
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - RoleName
          - AssumeRolePrincipalServices
          - PolicyName
          - SpecificAction
        Label:
          default: RAM
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"zh-cn": "建立RAM角色,附加自訂策略,允許指定服務假設角色及定義策略操作。",
"en": "Create a RAM role, attach a custom policy allowing specified services to assume the role, and define policy operations."
},
"Parameters": {
"RoleName": {
"Type": "String",
"Label": {
"en": "Role Name",
"zh-cn": "角色的名稱"
},
"Description": {
"en": "The name of role, Change the name if it already exists,<br>Consist of english letters, numbers or '-',not more than 64 characters.",
"zh-cn": "角色的名稱,如果已經存在,請更改名稱,<br>由英文字母、數字或'-'組成,不超過64個字元。"
},
"ConstraintDescription": {
"en": "No more than 64 characters,English letters, Numbers, or '-' are allowed.",
"zh-cn": "不得超過 64 個字元、英文字母、數字或'-'。"
},
"Default": "test-role",
"AllowedPattern": "^[a-zA-Z0-9\\-]+$",
"MinLength": 1,
"MaxLength": 64
},
"AssumeRolePrincipalServices": {
"Type": "Json",
"Label": {
"en": "Principal Services",
"zh-cn": "角色可信的服務"
},
"Description": {
"en": "The specifies role-trusted services that can be added more than once.",
"zh-cn": "指定角色可信的服務,可以添加多個。"
},
"Default": [
"ecs.aliyuncs.com"
]
},
"PolicyName": {
"Type": "String",
"Label": {
"en": "Policy Name",
"zh-cn": "策略名稱"
},
"Description": {
"en": "The policy name, Change the name if it already exists,<br>Consist of english letters, numbers or '-', 5-128 characters.",
"zh-cn": "策略名稱,改變名稱如果它已經存在,<br>由英文字母,數字或'-',5-128個字元組成。"
},
"ConstraintDescription": {
"en": "Consist of english letters, numbers or '-',5-128 characters.",
"zh-cn": "由英文字母、數字或'-',5-128個字元組成。"
},
"Default": "test-policy-name",
"AllowedPattern": "^[a-zA-Z0-9\\-]+$",
"MinLength": 5,
"MaxLength": 128
},
"SpecificAction": {
"Type": "String",
"Label": {
"en": "Specific Action",
"zh-cn": "策略的操作"
},
"Description": {
"en": "The specific action of the policy,Separated by English commas; <a href='https://www.alibabacloud.com/help/document_detail/93738.html' target='_blank'><b><font color='blue'>View Policy elements-Action</font></b></font></a><br>For example: <br>[oss.*,ecs.*: <font color='green'>all the action of oss and ecs</font>]<br>[oss.*: <font color='green'>all the action of oss</font>]<br>[oss.GetObjectUrl: <font color='green'>action is GetObjectUrl of oss</font>]<br>.",
"zh-cn": "指定策略的操作,以英文逗號分隔;<a href='https://www.alibabacloud.com/help/document_detail/93738.html' target='_blank'><b><font color='blue'>查看策略元素-Action</font></b></font></a><br>例如: <br>[oss.*,ecs.*: <font color='green'>oss和ecs的所有操作</font>]<br>[oss.*: <font color='green'>oss的所有操作</font>]<br>[oss.GetObjectUrl: <font color='green'>oss的GetObjectUrl操作</font>]<br>"
},
"Default": "oss.*,ecs.*"
}
},
"Resources": {
"RamManagedPolicy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": {
"Fn::Split": [
",",
{
"Ref": "SpecificAction"
}
]
},
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Ref": "PolicyName"
}
}
},
"RamRole": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Ref": "AssumeRolePrincipalServices"
}
}
}
],
"Version": "1"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ros:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Fn::Join": [
"",
[
"Policy-",
{
"Ref": "ALIYUN::StackId"
}
]
]
}
}
],
"RoleName": {
"Ref": "RoleName"
}
}
},
"RamAttachPolicyToRole": {
"Type": "ALIYUN::RAM::AttachPolicyToRole",
"Properties": {
"PolicyName": {
"Fn::GetAtt": [
"RamManagedPolicy",
"PolicyName"
]
},
"PolicyType": "Custom",
"RoleName": {
"Fn::GetAtt": [
"RamRole",
"RoleName"
]
}
},
"DependsOn": [
"RamManagedPolicy",
"RamRole"
]
}
},
"Outputs": {
"PolicyName": {
"Value": {
"Fn::GetAtt": [
"RamManagedPolicy",
"PolicyName"
]
}
},
"RoleArn": {
"Value": {
"Fn::GetAtt": [
"RamRole",
"Arn"
]
}
},
"RoleName": {
"Value": {
"Fn::GetAtt": [
"RamRole",
"RoleName"
]
}
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"ParameterGroups": [
{
"Parameters": [
"RoleName",
"AssumeRolePrincipalServices",
"PolicyName",
"SpecificAction"
],
"Label": {
"default": "RAM"
}
}
]
}
}
}
Scenario 3: Create a RAM role to manage Action Trail, store audit logs in a specified OSS bucket, and configure an SLS project.
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 建立RAM角色以管理Action Trail,將審計日誌儲存至指定OSS桶,並配置SLS專案。
  en: Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis.
Parameters:
  RoleName:
    Type: String
    Label:
      en: Role Name
      zh-cn: 角色名稱
    Description:
      en: Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account.
      zh-cn: Ram角色名稱,長度為1-64個字元,以英文字母或數字開頭,允許使用連字號,帳號內唯一。
    ConstraintDescription:
      en: 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed.
      zh-cn: 長度為1-64個字元,以英文字母或數字開頭,允許使用連字號。
    Default: ActionTrailTestRole
    MinLength: 1
    MaxLength: 64
  TrailName:
    Type: String
    Label:
      en: Trail Name
      zh-cn: 跟蹤名稱
    Description:
      en: Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account
      zh-cn: 跟蹤名稱,長度為6-36個字元,必須以字母開頭,可包含字母、數字、虛線(-)和底線(_),帳號內唯一。
    Default: TestTrail
  EventRW:
    Type: String
    Label:
      en: Event RW
      zh-cn: 讀寫類型
    Description:
      en: Read and write types of delivery events
      zh-cn: 投遞事件的讀寫類型
    Default: Write
    AllowedValues:
      - Write
      - Read
      - All
  OssBucketName:
    Type: String
    Label:
      en: Bucket Name
      zh-cn: Bucket名稱
    Description:
      en: Tracking OSS storage space written
      zh-cn: 跟蹤寫入的OSS儲存空間
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      RegionId: ${RegionId}
  OssKeyPrefix:
    Type: String
    Label:
      en: Key Prefix
      zh-cn: 檔案名稱首碼
    Description:
      en: Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)
      zh-cn: 跟蹤寫入的OSS儲存空間檔案名稱的首碼,可以為空白。長度為6-32個字元,必須以字母開頭,可包含字母、數字、虛線(-)、斜杠(/)和底線(_)
    Default: ''
  SlsProjectName:
    Type: String
    Label:
      en: Project Name
      zh-cn: 記錄項目名稱
    Description:
      en: Log service items to track delivery targets
      zh-cn: 跟蹤投遞目標的Log Service專案
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
        Version: '1'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - oss:ListObjects
                  - oss:PutObject
                  - oss:GetBucketLocation
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - log:PostLogStoreLogs
                  - log:CreateLogstore
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - mns:PublishMessage
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
          PolicyName:
            Fn::Sub: ActionTrailPolicy-${ALIYUN::StackId}
      RoleName:
        Ref: RoleName
  Trail:
    Type: ALIYUN::ACTIONTRAIL::Trail
    Properties:
      EventRW:
        Ref: EventRW
      Name:
        Ref: TrailName
      OssBucketName:
        Ref: OssBucketName
      OssKeyPrefix:
        Ref: OssKeyPrefix
      RoleName:
        Fn::GetAtt:
          - Role
          - RoleName
      SlsProjectArn:
        Fn::Sub: acs:log:${ALIYUN::Region}::project/${SlsProjectName}
      SlsWriteRoleArn:
        Fn::Sub: acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}
    DependsOn: Role
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - RoleName
        Label:
          default: RAM
      - Parameters:
          - TrailName
          - EventRW
        Label:
          default: Trail
      - Parameters:
          - OssBucketName
          - OssKeyPrefix
        Label:
          default: OSS
      - Parameters:
          - SlsProjectName
        Label:
          default: SLS
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"zh-cn": "建立RAM角色以管理Action Trail,將審計日誌儲存至指定OSS桶,並配置SLS專案。",
"en": "Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis."
},
"Parameters": {
"RoleName": {
"Type": "String",
"Label": {
"en": "Role Name",
"zh-cn": "角色名稱"
},
"Description": {
"en": "Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account.",
"zh-cn": "Ram角色名稱,長度為1-64個字元,以英文字母或數字開頭,允許使用連字號,帳號內唯一。"
},
"ConstraintDescription": {
"en": "1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed.",
"zh-cn": "長度為1-64個字元,以英文字母或數字開頭,允許使用連字號。"
},
"Default": "ActionTrailTestRole",
"MinLength": 1,
"MaxLength": 64
},
"TrailName": {
"Type": "String",
"Label": {
"en": "Trail Name",
"zh-cn": "跟蹤名稱"
},
"Description": {
"en": "Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account",
"zh-cn": "跟蹤名稱,長度為6-36個字元,必須以字母開頭,可包含字母、數字、虛線(-)和底線(_),帳號內唯一。"
},
"Default": "TestTrail"
},
"EventRW": {
"Type": "String",
"Label": {
"en": "Event RW",
"zh-cn": "讀寫類型"
},
"Description": {
"en": "Read and write types of delivery events",
"zh-cn": "投遞事件的讀寫類型"
},
"Default": "Write",
"AllowedValues": [
"Write",
"Read",
"All"
]
},
"OssBucketName": {
"Type": "String",
"Label": {
"en": "Bucket Name",
"zh-cn": "Bucket名稱"
},
"Description": {
"en": "Tracking OSS storage space written",
"zh-cn": "跟蹤寫入的OSS儲存空間"
},
"AssociationProperty": "ALIYUN::OSS::Bucket::BucketName",
"AssociationPropertyMetadata": {
"RegionId": "${RegionId}"
}
},
"OssKeyPrefix": {
"Type": "String",
"Label": {
"en": "Key Prefix",
"zh-cn": "檔案名稱首碼"
},
"Description": {
"en": "Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)",
"zh-cn": "跟蹤寫入的OSS儲存空間檔案名稱的首碼,可以為空白。長度為6-32個字元,必須以字母開頭,可包含字母、數字、虛線(-)、斜杠(/)和底線(_)"
},
"Default": ""
},
"SlsProjectName": {
"Type": "String",
"Label": {
"en": "Project Name",
"zh-cn": "記錄項目名稱"
},
"Description": {
"en": "Log service items to track delivery targets",
"zh-cn": "跟蹤投遞目標的Log Service專案"
}
}
},
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"actiontrail.aliyuncs.com"
]
}
}
],
"Version": "1"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:PutObject",
"oss:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"log:PostLogStoreLogs",
"log:CreateLogstore"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"mns:PublishMessage"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
}
}
],
"RoleName": {
"Ref": "RoleName"
}
}
},
"Trail": {
"Type": "ALIYUN::ACTIONTRAIL::Trail",
"Properties": {
"EventRW": {
"Ref": "EventRW"
},
"Name": {
"Ref": "TrailName"
},
"OssBucketName": {
"Ref": "OssBucketName"
},
"OssKeyPrefix": {
"Ref": "OssKeyPrefix"
},
"RoleName": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
},
"SlsProjectArn": {
"Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
},
"SlsWriteRoleArn": {
"Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
}
},
"DependsOn": "Role"
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"ParameterGroups": [
{
"Parameters": [
"RoleName"
],
"Label": {
"default": "RAM"
}
},
{
"Parameters": [
"TrailName",
"EventRW"
],
"Label": {
"default": "Trail"
}
},
{
"Parameters": [
"OssBucketName",
"OssKeyPrefix"
],
"Label": {
"default": "OSS"
}
},
{
"Parameters": [
"SlsProjectName"
],
"Label": {
"default": "SLS"
}
}
]
}
}
}
For more examples, see the public templates that include this resource.