All Products
Search
Document Center

Resource Orchestration Service:GenerateTemplatePolicy

Last Updated:Feb 22, 2024

Generates the information about a policy that is required by a template.

Operation description

If the policy information is related to Enterprise Distributed Application Service (EDAS), you must log on to your Alibaba Cloud account and grant the required permissions to the relevant RAM users.

In this example, a policy is generated for a template whose ID is 5ecd1e10-b0e9-4389-a565-e4c15efc****.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
ros:GenerateTemplatePolicyWRITE
  • template
    acs:ros:{#regionId}:{#accountId}:template/{#templateId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
TemplateURLstringNo

The URL of the file that contains the template body. The URL must point to a template that is located on an HTTP or HTTPS web server or in an Object Storage Service (OSS) bucket, such as oss://ros/template/demo or oss://ros/template/demo?RegionId=cn-hangzhou. The template body can be up to 524,288 bytes in length.

Note If you do not specify the region ID of the OSS bucket, the value of the RegionId parameter is used.

You can specify only one of the following parameters: TemplateBody, TemplateURL, and TemplateId.

The URL can be up to 1,024 bytes in length.

oss://ros/template/demo
TemplateBodystringNo

The structure that contains the template body. The template body must be 1 to 524,288 bytes in length.

If the length of the template body exceeds the upper limit, we recommend that you add parameters to the HTTP POST request body to prevent request failures caused by excessively long URLs.

You can specify only one of the following parameters: TemplateBody, TemplateURL, and TemplateId.

{"ROSTemplateFormatVersion":"2015-09-01"}
TemplateIdstringNo

The ID of the template. This parameter applies to shared templates and private templates.

You can specify only one of the following parameters: TemplateBody, TemplateURL, and TemplateId.

5ecd1e10-b0e9-4389-a565-e4c15efc****
TemplateVersionstringNo

The version of the template. This parameter takes effect only when the TemplateId parameter is specified.

v1
OperationTypesarrayNo

The type of operation N for which you want to generate the policy information.

Valid values:

  • CreateStack: creates a stack by calling the CreateStack operation.
  • UpdateStack: updates a stack by calling the UpdateStack operation.
  • DeleteStack: deletes a stack by calling the DeleteStack operation.
  • DetectStackDrift: detects drifts on a stack by calling the DelectStackDrift operation.
  • ListStackOperationRisks: lists the risks of a deletion operation on a stack by setting the OperationType parameter to DeleteStack in the ListStackOperationRisks operation.
  • GetTemplateEstimateCost: queries the estimated prices of resources that you want to use in the template by calling the GetTemplateEstimateCost operation.
  • GetTemplateParameterConstraints: queries the values of parameters in the template by calling the GetTemplateParameterConstraints operation.
  • ImportResourcesToStack: imports resources to a stack by setting the ChangeSetType parameter to IMPORT in the CreateChangeSet operation.
  • SignalResource: sends a signal to a stack.
Note The default value is the combination of all valid values.
stringNo

The type of operation N for which you want to generate the policy information.

Valid values:

  • CreateStack: creates a stack by calling the CreateStack operation.
  • UpdateStack: updates a stack by calling the UpdateStack operation.
  • DeleteStack: deletes a stack by calling the DeleteStack operation.
  • DetectStackDrift: detects drifts on a stack by calling the DelectStackDrift operation.
  • ListStackOperationRisks: lists the risks of a deletion operation on a stack by setting the OperationType parameter to DeleteStack in the ListStackOperationRisks operation.
  • GetTemplateEstimateCost: queries the estimated prices of resources that you want to use in the template by calling the GetTemplateEstimateCost operation.
  • GetTemplateParameterConstraints: queries the values of parameters in the template by calling the GetTemplateParameterConstraints operation.
  • ImportResourcesToStack: imports resources to a stack by setting the ChangeSetType parameter to IMPORT in the CreateChangeSet operation.
  • SignalResource: sends a signal to a stack.
Note The default value is the combination of all valid values.
["CreateStack"]

For more information about common request parameters, see Common parameters.

Response parameters

ParameterTypeDescriptionExample
object
Policyobject

The information about the policy.

Versionstring

The version number.

1
Statementobject []

The statements that are contained in the policy.

Effectstring

The effect of the statement. Valid values:

  • Allow
  • Deny
Allow
Resourcestring

The objects that the statement covers. An asterisk (*) indicates all resources.

*
Actionarray

The operations that are performed on the specified resource.

string

The operation that is performed on the specified resource.

[ "apigateway:CreateApi", "apigateway:DeleteApi","apigateway:DescribeApi","apigateway:ModifyApi"]
Conditionobject

The condition that is required for the policy to take effect.

{ "StringEquals": { "acs:Service": "fc.aliyuncs.com" } }
RequestIdstring

The ID of the request.

B288A0BE-D927-4888-B0F7-B35EF84B6E6
HttpCodeError codeError messageDescription
400StackValidationFailed{reason}.The error message returned because the stack failed to be validated. reason indicates the cause of the error.
404TemplateNotFoundThe Tempalte ({ ID }) could not be found.The error message returned because the specified template does not exist. ID indicates the template ID.
404TemplateNotFoundThe Template { ID } with version { version } could not be found.The error message returned because the template or template version does not exist. ID indicates the template ID. version indicates the template version.

Examples

Sample success responses

JSONformat

{
  "Policy": {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
          "[ \"apigateway:CreateApi\", \"apigateway:DeleteApi\",\"apigateway:DescribeApi\",\"apigateway:ModifyApi\"]"
        ],
        "Condition": {
          "StringEquals": {
            "acs:Service": "fc.aliyuncs.com"
          }
        }
      }
    ]
  },
  "RequestId": "B288A0BE-D927-4888-B0F7-B35EF84B6E6"
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-06-02The response structure of the API has changedsee changesets
Change itemChange content
Output ParametersThe response structure of the API has changed.