全部产品
Search
文档中心

资源编排:ALIYUN::KMS::Policy

更新时间:Dec 03, 2024

ALIYUN::KMS::Policy类型用于创建一个权限策略,设置允许应用访问的密钥和凭据。

语法

{
  "Type": "ALIYUN::KMS::Policy",
  "Properties": {
    "AccessControlRules": Map,
    "KmsInstanceId": String,
    "PolicyName": String,
    "Permissions": List,
    "Resources": List,
    "Description": String
  }
}

属性

属性名称

类型

必须

允许更新

描述

约束

AccessControlRules

Map

网络控制规则名称集合。

更多信息,请参见AccessControlRules属性

KmsInstanceId

String

权限策略的作用域。

即要访问的KMS实例。

PolicyName

String

权限策略名称。

Permissions

List

权限策略支持的操作。

取值:

  • RbacPermission/Template/CryptoServiceKeyUser:可以对KMS实例进行密码运算操作。

  • RbacPermission/Template/CryptoServiceSecretUser:可以对KMS实例进行凭据相关操作。

支持同时选择这两种操作。

Resources

List

允许访问的密钥和凭据。

取值格式:

  • 密钥:格式为key/${KeyId},如果允许访问当前KMS实例的所有密钥请输入key/*。

  • 凭据:格式为secret/${SecretName},如果允许访问当前KMS实例的所有凭据请输入secret/*。

Description

String

描述信息。

AccessControlRules语法

"AccessControlRules": {
  "NetworkRules": List
}

AccessControlRules属性

属性名称

类型

必须

允许更新

描述

约束

NetworkRules

List

网络控制规则名称列表。

最多支持输入40组规则。

返回值

Fn::GetAtt

  • Description:描述信息。

  • AccessControlRules:网络控制规则名称集合。

  • PolicyName:权限策略名称。

  • Permissions:权限策略支持的操作。

  • KmsInstanceId:权限策略的作用域。

  • Resources:允许访问的密钥和凭据。

示例

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AccessControlRules:
    AssociationPropertyMetadata:
      Parameters:
        NetworkRules:
          AssociationPropertyMetadata:
            Parameter:
              Type: String
              Description:
                en: The name of the access control rule.
              Required: true
          AssociationProperty: List[Parameter]
          Type: Json
          Description:
            en: NetworkRule list, Supports a maximum of 40 network control rules.
          Required: true
          MinLength: 1
          MaxLength: 40
    Type: Json
    Description:
      en: Network Rules info.
    Required: true
  PolicyName:
    Type: String
    Description:
      en: The name of the permission policy.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameter:
        Type: String
        AllowedValues:
          - RbacPermission/Template/CryptoServiceKeyUser
          - RbacPermission/Template/CryptoServiceSecretUser
        Required: true
    AssociationProperty: List[Parameter]
    Type: Json
    Description:
      en: |-
        The operations that can be performed. Valid values:
        RbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations.
        RbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations.
    Required: true
    MinLength: 1
    MaxLength: 2
  KmsInstanceId:
    Type: String
    Description:
      en: The scope of the permission policy. You need to specify the KMS instance that you want to access.
    Required: true
  Resources:
    AssociationPropertyMetadata:
      Parameter:
        Type: String
        Required: true
    AssociationProperty: List[Parameter]
    Type: Json
    Description:
      en: |-
        The key and secret that are allowed to access. Supports a maximum of 30 key and secret.
        Key: Enter a key in the key/${KeyId} format. To allow access to all keys of a KMS instance, enter key/*. 
        Secret: Enter a secret in the secret/${SecretName} format. To allow access to all secrets of a KMS instance, enter secret/*.
    Required: true
    MinLength: 1
    MaxLength: 30
Resources:
  ExtensionResource:
    Type: ALIYUN::KMS::Policy
    Properties:
      AccessControlRules:
        Ref: AccessControlRules
      PolicyName:
        Ref: PolicyName
      Permissions:
        Ref: Permissions
      KmsInstanceId:
        Ref: KmsInstanceId
      Resources:
        Ref: Resources
Outputs:
  Description:
    Description: Description.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Description
  AccessControlRules:
    Description: Network Rules info.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - AccessControlRules
  PolicyName:
    Description: The name of the permission policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - PolicyName
  Permissions:
    Description: RbacPermission Template, support RbacPermission/Template/CryptoServiceKeyUser and RbacPermission/Template/CryptoServiceSecretUser.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Permissions
  KmsInstanceId:
    Description: The scope of the permission policy. You need to specify the KMS instance that you want to access.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - KmsInstanceId
  Resources:
    Description: Resources that allowed access by this policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Resources
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "AccessControlRules": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "NetworkRules": {
            "AssociationPropertyMetadata": {
              "Parameter": {
                "Type": "String",
                "Description": {
                  "en": "The name of the access control rule."
                },
                "Required": true
              }
            },
            "AssociationProperty": "List[Parameter]",
            "Type": "Json",
            "Description": {
              "en": "NetworkRule list, Supports a maximum of 40 network control rules."
            },
            "Required": true,
            "MinLength": 1,
            "MaxLength": 40
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Network Rules info."
      },
      "Required": true
    },
    "PolicyName": {
      "Type": "String",
      "Description": {
        "en": "The name of the permission policy."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameter": {
          "Type": "String",
          "AllowedValues": [
            "RbacPermission/Template/CryptoServiceKeyUser",
            "RbacPermission/Template/CryptoServiceSecretUser"
          ],
          "Required": true
        }
      },
      "AssociationProperty": "List[Parameter]",
      "Type": "Json",
      "Description": {
        "en": "The operations that can be performed. Valid values:\nRbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations.\nRbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations."
      },
      "Required": true,
      "MinLength": 1,
      "MaxLength": 2
    },
    "KmsInstanceId": {
      "Type": "String",
      "Description": {
        "en": "The scope of the permission policy. You need to specify the KMS instance that you want to access."
      },
      "Required": true
    },
    "Resources": {
      "AssociationPropertyMetadata": {
        "Parameter": {
          "Type": "String",
          "Required": true
        }
      },
      "AssociationProperty": "List[Parameter]",
      "Type": "Json",
      "Description": {
        "en": "The key and secret that are allowed to access. Supports a maximum of 30 key and secret.\nKey: Enter a key in the key/${KeyId} format. To allow access to all keys of a KMS instance, enter key/*. \nSecret: Enter a secret in the secret/${SecretName} format. To allow access to all secrets of a KMS instance, enter secret/*."
      },
      "Required": true,
      "MinLength": 1,
      "MaxLength": 30
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::KMS::Policy",
      "Properties": {
        "AccessControlRules": {
          "Ref": "AccessControlRules"
        },
        "PolicyName": {
          "Ref": "PolicyName"
        },
        "Permissions": {
          "Ref": "Permissions"
        },
        "KmsInstanceId": {
          "Ref": "KmsInstanceId"
        },
        "Resources": {
          "Ref": "Resources"
        }
      }
    }
  },
  "Outputs": {
    "Description": {
      "Description": "Description.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Description"
        ]
      }
    },
    "AccessControlRules": {
      "Description": "Network Rules info.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "AccessControlRules"
        ]
      }
    },
    "PolicyName": {
      "Description": "The name of the permission policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "PolicyName"
        ]
      }
    },
    "Permissions": {
      "Description": "RbacPermission Template, support RbacPermission/Template/CryptoServiceKeyUser and RbacPermission/Template/CryptoServiceSecretUser.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Permissions"
        ]
      }
    },
    "KmsInstanceId": {
      "Description": "The scope of the permission policy. You need to specify the KMS instance that you want to access.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "KmsInstanceId"
        ]
      }
    },
    "Resources": {
      "Description": "Resources that allowed access by this policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Resources"
        ]
      }
    }
  }
}