The ALIYUN::KMS::Policy type creates a permission policy that specifies which keys and secrets of a KMS instance an application is allowed to access, which operations it may perform on them, and from which networks (via network control rules).
Syntax
{
  "Type": "ALIYUN::KMS::Policy",
  "Properties": {
    "AccessControlRules": Map,
    "KmsInstanceId": String,
    "PolicyName": String,
    "Permissions": List,
    "Resources": List,
    "Description": String
  }
}
Properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| AccessControlRules | Map | Yes | Yes | Set of network control rule names. | For more information, see the AccessControlRules properties below. |
| KmsInstanceId | String | Yes | No | Scope of the permission policy. | The KMS instance whose keys and secrets are to be accessed. |
| PolicyName | String | Yes | No | Name of the permission policy. | None |
| Permissions | List | Yes | Yes | Operations that the permission policy allows. | Valid values: RbacPermission/Template/CryptoServiceKeyUser (cryptographic operations on keys) and RbacPermission/Template/CryptoServiceSecretUser (secret-related operations). Both values can be selected at the same time. |
| Resources | List | Yes | Yes | Keys and secrets that may be accessed. | Formats: key/${KeyId} for a single key, or key/* for all keys in the KMS instance; secret/${SecretName} for a single secret, or secret/* for all secrets in the KMS instance. At most 30 entries. |
| Description | String | No | Yes | Description of the policy. | None |
AccessControlRules syntax
"AccessControlRules": {
  "NetworkRules": List
}
AccessControlRules properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| NetworkRules | List | Yes | Yes | List of network control rule names. | At most 40 rules. |
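The constraints in the two tables above (the two permission templates, the key/${KeyId} and secret/${SecretName} resource formats with their `*` wildcards, and the 2/30/40 list limits) are exactly what a template reviewer checks before a KMS policy is deployed, and `key/*` or `secret/*` is the setting that most often turns a scoped policy into instance-wide access. The following Python linter is an added example, not Alibaba Cloud's documentation or part of the ROS tooling; it encodes only the rules stated on this page, treats the identifier character set in the regex as an assumption, and the sample template with its instance ID, key ID, secret name and rule names is constructed for the demo.

```python
"""Least-privilege lint for ALIYUN::KMS::Policy resources in a ROS template (JSON form).

Added example, not part of the Alibaba Cloud documentation or of ROS itself. It encodes only
the constraints stated on the ALIYUN::KMS::Policy page: the two RbacPermission templates, the
key/${KeyId} | key/* and secret/${SecretName} | secret/* resource formats, and the 2/30/40 list
limits. The sample template and every ID in it are constructed placeholders.
"""
import json
import re

RESOURCE_TYPE = "ALIYUN::KMS::Policy"
KEY_USER = "RbacPermission/Template/CryptoServiceKeyUser"
SECRET_USER = "RbacPermission/Template/CryptoServiceSecretUser"
ALLOWED_PERMISSIONS = {KEY_USER, SECRET_USER}
MAX_PERMISSIONS, MAX_RESOURCES, MAX_NETWORK_RULES = 2, 30, 40
# Assumption: key IDs and secret names are drawn from this charset; tighten for your naming scheme.
RESOURCE_RE = re.compile(r"^(key|secret)/(\*|[A-Za-z0-9._@-]+)$")


def resolve(value, parameters):
    """Resolve {"Ref": name} to the parameter's Default so Ref-based templates can be linted.
    Other values pass through unchanged; an unresolvable Ref becomes None."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return parameters.get(value["Ref"], {}).get("Default")
    return value


def lint_policy(props, parameters=None):
    """Return a list of (severity, message) findings for one KMS::Policy Properties block."""
    parameters = parameters or {}
    findings = []
    permissions = resolve(props.get("Permissions"), parameters) or []
    resources = resolve(props.get("Resources"), parameters) or []
    acl = resolve(props.get("AccessControlRules"), parameters) or {}
    rules = resolve(acl.get("NetworkRules"), parameters) or []

    if not resolve(props.get("KmsInstanceId"), parameters):
        findings.append(("error", "KmsInstanceId is required: a policy is scoped to one KMS instance"))
    if not permissions or len(permissions) > MAX_PERMISSIONS:
        findings.append(("error", f"Permissions must list 1..{MAX_PERMISSIONS} entries"))
    findings += [("error", f"unknown permission template {p!r}") for p in permissions
                 if p not in ALLOWED_PERMISSIONS]
    if not resources or len(resources) > MAX_RESOURCES:
        findings.append(("error", f"Resources must list 1..{MAX_RESOURCES} entries"))
    kinds = set()
    for r in resources:
        m = RESOURCE_RE.match(str(r))
        if not m:
            findings.append(("error", f"resource {r!r} is not key/${{KeyId}}, key/*, "
                                      f"secret/${{SecretName}} or secret/*"))
            continue
        kinds.add(m.group(1))
        if m.group(2) == "*":  # wildcard = every key or every secret in the instance
            findings.append(("warn", f"{r} grants access to every {m.group(1)} in the instance; "
                                     f"prefer explicit IDs"))
    if not rules or len(rules) > MAX_NETWORK_RULES:
        findings.append(("error", f"AccessControlRules.NetworkRules must list 1..{MAX_NETWORK_RULES} names"))
    # A resource kind without the matching permission template is dead weight (often a copy-paste slip).
    if "key" in kinds and KEY_USER not in permissions:
        findings.append(("warn", "key/... resources listed but CryptoServiceKeyUser not granted"))
    if "secret" in kinds and SECRET_USER not in permissions:
        findings.append(("warn", "secret/... resources listed but CryptoServiceSecretUser not granted"))
    return findings


def lint_template(template):
    """Lint every ALIYUN::KMS::Policy resource in a parsed ROS template -> {logical_id: findings}."""
    params = template.get("Parameters", {})
    return {name: lint_policy(res.get("Properties", {}), params)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == RESOURCE_TYPE}


# Constructed sample: one tightly scoped policy and one over-broad one. All IDs are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {"InstanceId": {"Type": "String", "Default": "kst-example00000000000000"}},
  "Resources": {
    "AppPolicy": {
      "Type": "ALIYUN::KMS::Policy",
      "Properties": {
        "PolicyName": "app-payment-service",
        "KmsInstanceId": {"Ref": "InstanceId"},
        "Permissions": ["RbacPermission/Template/CryptoServiceKeyUser"],
        "Resources": ["key/key-example-0000000000000000"],
        "AccessControlRules": {"NetworkRules": ["vpc-rule-payment"]}
      }
    },
    "BroadPolicy": {
      "Type": "ALIYUN::KMS::Policy",
      "Properties": {
        "PolicyName": "everything",
        "KmsInstanceId": {"Ref": "InstanceId"},
        "Permissions": ["RbacPermission/Template/CryptoServiceSecretUser"],
        "Resources": ["key/*", "secret/*", "bucket/foo"],
        "AccessControlRules": {"NetworkRules": ["any"]}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {'clean' if not findings else ''}")
        for severity, msg in findings:
            print(f"  [{severity}] {msg}")
```

Run it against a real template by replacing `SAMPLE_TEMPLATE` with `json.load(open(path))`; wildcards are reported as warnings rather than errors because `key/*` is a legitimate value per the table above, but one that should be a conscious decision rather than a default.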
Return values
Fn::GetAtt
Description: description of the policy.
AccessControlRules: set of network control rule names.
PolicyName: name of the permission policy.
Permissions: operations that the permission policy allows.
KmsInstanceId: scope of the permission policy (the KMS instance).
Resources: keys and secrets that may be accessed.
Examples
YAML format:
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AccessControlRules:
    AssociationPropertyMetadata:
      Parameters:
        NetworkRules:
          AssociationPropertyMetadata:
            Parameter:
              Type: String
              Description:
                en: The name of the access control rule.
              Required: true
          AssociationProperty: List[Parameter]
          Type: Json
          Description:
            en: List of network control rule names. Supports a maximum of 40 rules.
          Required: true
          MinLength: 1
          MaxLength: 40
    Type: Json
    Description:
      en: Network Rules info.
    Required: true
  PolicyName:
    Type: String
    Description:
      en: The name of the permission policy.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameter:
        Type: String
        AllowedValues:
          - RbacPermission/Template/CryptoServiceKeyUser
          - RbacPermission/Template/CryptoServiceSecretUser
        Required: true
    AssociationProperty: List[Parameter]
    Type: Json
    Description:
      en: |-
        The operations that can be performed. Valid values:
        RbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations.
        RbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations.
    Required: true
    MinLength: 1
    MaxLength: 2
  KmsInstanceId:
    Type: String
    Description:
      en: The scope of the permission policy. You need to specify the KMS instance that you want to access.
    Required: true
  Resources:
    AssociationPropertyMetadata:
      Parameter:
        Type: String
        Required: true
    AssociationProperty: List[Parameter]
    Type: Json
    Description:
      en: |-
        The keys and secrets that are allowed to be accessed. Supports a maximum of 30 entries.
        Key: Enter a key in the key/${KeyId} format. To allow access to all keys of a KMS instance, enter key/*.
        Secret: Enter a secret in the secret/${SecretName} format. To allow access to all secrets of a KMS instance, enter secret/*.
    Required: true
    MinLength: 1
    MaxLength: 30
Resources:
  ExtensionResource:
    Type: ALIYUN::KMS::Policy
    Properties:
      AccessControlRules:
        Ref: AccessControlRules
      PolicyName:
        Ref: PolicyName
      Permissions:
        Ref: Permissions
      KmsInstanceId:
        Ref: KmsInstanceId
      Resources:
        Ref: Resources
Outputs:
  Description:
    Description: Description.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Description
  AccessControlRules:
    Description: Network Rules info.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - AccessControlRules
  PolicyName:
    Description: The name of the permission policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - PolicyName
  Permissions:
    Description: RbacPermission templates; supports RbacPermission/Template/CryptoServiceKeyUser and RbacPermission/Template/CryptoServiceSecretUser.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Permissions
  KmsInstanceId:
    Description: The scope of the permission policy. You need to specify the KMS instance that you want to access.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - KmsInstanceId
  Resources:
    Description: Resources that this policy allows access to.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Resources
JSON format:
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "AccessControlRules": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "NetworkRules": {
            "AssociationPropertyMetadata": {
              "Parameter": {
                "Type": "String",
                "Description": {
                  "en": "The name of the access control rule."
                },
                "Required": true
              }
            },
            "AssociationProperty": "List[Parameter]",
            "Type": "Json",
            "Description": {
              "en": "List of network control rule names. Supports a maximum of 40 rules."
            },
            "Required": true,
            "MinLength": 1,
            "MaxLength": 40
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Network Rules info."
      },
      "Required": true
    },
    "PolicyName": {
      "Type": "String",
      "Description": {
        "en": "The name of the permission policy."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameter": {
          "Type": "String",
          "AllowedValues": [
            "RbacPermission/Template/CryptoServiceKeyUser",
            "RbacPermission/Template/CryptoServiceSecretUser"
          ],
          "Required": true
        }
      },
      "AssociationProperty": "List[Parameter]",
      "Type": "Json",
      "Description": {
        "en": "The operations that can be performed. Valid values:\nRbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations.\nRbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations."
      },
      "Required": true,
      "MinLength": 1,
      "MaxLength": 2
    },
    "KmsInstanceId": {
      "Type": "String",
      "Description": {
        "en": "The scope of the permission policy. You need to specify the KMS instance that you want to access."
      },
      "Required": true
    },
    "Resources": {
      "AssociationPropertyMetadata": {
        "Parameter": {
          "Type": "String",
          "Required": true
        }
      },
      "AssociationProperty": "List[Parameter]",
      "Type": "Json",
      "Description": {
        "en": "The keys and secrets that are allowed to be accessed. Supports a maximum of 30 entries.\nKey: Enter a key in the key/${KeyId} format. To allow access to all keys of a KMS instance, enter key/*.\nSecret: Enter a secret in the secret/${SecretName} format. To allow access to all secrets of a KMS instance, enter secret/*."
      },
      "Required": true,
      "MinLength": 1,
      "MaxLength": 30
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::KMS::Policy",
      "Properties": {
        "AccessControlRules": {
          "Ref": "AccessControlRules"
        },
        "PolicyName": {
          "Ref": "PolicyName"
        },
        "Permissions": {
          "Ref": "Permissions"
        },
        "KmsInstanceId": {
          "Ref": "KmsInstanceId"
        },
        "Resources": {
          "Ref": "Resources"
        }
      }
    }
  },
  "Outputs": {
    "Description": {
      "Description": "Description.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Description"
        ]
      }
    },
    "AccessControlRules": {
      "Description": "Network Rules info.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "AccessControlRules"
        ]
      }
    },
    "PolicyName": {
      "Description": "The name of the permission policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "PolicyName"
        ]
      }
    },
    "Permissions": {
      "Description": "RbacPermission templates; supports RbacPermission/Template/CryptoServiceKeyUser and RbacPermission/Template/CryptoServiceSecretUser.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Permissions"
        ]
      }
    },
    "KmsInstanceId": {
      "Description": "The scope of the permission policy. You need to specify the KMS instance that you want to access.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "KmsInstanceId"
        ]
      }
    },
    "Resources": {
      "Description": "Resources that this policy allows access to.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Resources"
        ]
      }
    }
  }
}