
Resource Orchestration Service: Create a RAM user and grant permissions to the RAM user

Last Updated: Dec 14, 2023

This topic describes how to create a Resource Access Management (RAM) user and grant permissions to the RAM user when you create a stack in the Resource Orchestration Service (ROS) console.

Background information

Creating a RAM user and granting permissions to the RAM user in the RAM console involves several separate steps. ROS lets you perform all of these operations from a single template in the ROS console, which is simpler and faster. For more information about RAM users, see Overview of RAM users.

Step 1: Create a template

The following sample template creates a RAM user, a custom policy, and an AccessKey pair for the user, and attaches the policy to the RAM user.

For more information about resource types, see List of resource types by service.

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  UserName:
    Type: String
    Description: RAM User Name
    Label:
      en: RAM User Name
  PolicyName:
    Type: String
    Description: RAM Policy Name
    Label:
      en: RAM Policy Name
  Action:
    Default:
      - vpc:*
    Type: Json
    Description:
      en: The operations that the policy allows or denies on Alibaba Cloud services. For more information, see <a href='https://www.alibabacloud.com/help/doc-detail/93738.htm'>Policy elements</a>.
    Label:
      en: PolicyAction
  Effect:
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
    Type: String
    Description:
      en: Allow/Deny Action for Resource
    Label:
      en: Authority
  Resource:
    Default:
      - '*'
    Type: Json
    Description:
      en: The resources on which the operations are performed. For more information, see <a href='https://www.alibabacloud.com/help/doc-detail/93738.htm'>Policy elements</a>.
    Label:
      en: Resource
Resources:
  ManagedPolicy:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyName:
        Ref: PolicyName
      PolicyDocument:
        Version: '1'
        Statement:
          - Action:
              Ref: Action
            Resource:
              Ref: Resource
            Effect:
              Ref: Effect
  RamAK:
    Type: ALIYUN::RAM::AccessKey
    Properties:
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
    DependsOn: RamUser
  RamUser:
    Type: ALIYUN::RAM::User
    Properties:
      UserName:
        Ref: UserName
  AttachPolicyToUser:
    DependsOn:
      - ManagedPolicy
      - RamUser
    Type: ALIYUN::RAM::AttachPolicyToUser
    Properties:
      PolicyType: Custom
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
      PolicyName:
        Fn::GetAtt:
          - ManagedPolicy
          - PolicyName
Outputs:
  # The AccessKey secret is returned as a stack output and can be read by anyone who can view the stack.
  AKSecret:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeySecret
  AKId:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeyId
  UserId:
    Value:
      Fn::GetAtt:
        - RamUser
        - UserId
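Two things in the template above deserve a look before the stack is created: the policy statement allows every action of a service (vpc:*) on every resource (*), and the AccessKey secret is returned as a stack output. The following Python is an added example and not code from the ROS documentation; it takes a template as a parsed dict (SAMPLE is a constructed copy of the relevant parts of the Step 1 template) and reports both findings.

```python
def _resolve(value, params):
    """Resolve {'Ref': name} to that parameter's Default and normalise the result to a list."""
    if isinstance(value, dict) and "Ref" in value:
        value = params.get(value["Ref"], {}).get("Default")
    return value if isinstance(value, list) else [value]

def review_template(template):
    """Return human-readable findings for a parsed ROS template (empty list = nothing flagged)."""
    params, resources = template.get("Parameters", {}), template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "ALIYUN::RAM::ManagedPolicy":
            continue
        for stmt in res["Properties"]["PolicyDocument"].get("Statement", []):
            if _resolve(stmt.get("Effect"), params) != ["Allow"]:
                continue  # Deny statements never widen access
            actions = _resolve(stmt.get("Action"), params)
            resource = _resolve(stmt.get("Resource"), params)
            # "vpc:*" is every action of the service and "*" is every resource in the account
            if any(a == "*" or str(a).endswith(":*") for a in actions) and "*" in resource:
                findings.append(f"{name}: Allow {actions} on Resource '*' grants full control of the service; scope Resource to the ARNs that are needed")
    ak_names = {n for n, r in resources.items() if r.get("Type") == "ALIYUN::RAM::AccessKey"}
    for out_name, out in template.get("Outputs", {}).items():
        getatt = out.get("Value", {}).get("Fn::GetAtt") if isinstance(out.get("Value"), dict) else None
        if getatt and getatt[0] in ak_names and getatt[1] == "AccessKeySecret":
            findings.append(f"Outputs.{out_name}: AccessKeySecret of {getatt[0]} is a stack output, readable by anyone who can view the stack")
    return findings

# Constructed sample: the relevant parts of the Step 1 template as Python dicts
# (yaml.safe_load on the YAML file gives the same structure; UserName/PolicyName parameters omitted).
SAMPLE = {
    "Parameters": {"Action": {"Type": "Json", "Default": ["vpc:*"]},
                   "Effect": {"Type": "String", "Default": "Allow"},
                   "Resource": {"Type": "Json", "Default": ["*"]}},
    "Resources": {
        "ManagedPolicy": {"Type": "ALIYUN::RAM::ManagedPolicy", "Properties": {
            "PolicyName": {"Ref": "PolicyName"}, "PolicyDocument": {"Version": "1", "Statement": [
                {"Action": {"Ref": "Action"}, "Resource": {"Ref": "Resource"}, "Effect": {"Ref": "Effect"}}]}}},
        "RamAK": {"Type": "ALIYUN::RAM::AccessKey",
                  "Properties": {"UserName": {"Fn::GetAtt": ["RamUser", "UserName"]}}},
        "RamUser": {"Type": "ALIYUN::RAM::User", "Properties": {"UserName": {"Ref": "UserName"}}},
    },
    "Outputs": {"AKSecret": {"Value": {"Fn::GetAtt": ["RamAK", "AccessKeySecret"]}},
                "AKId": {"Value": {"Fn::GetAtt": ["RamAK", "AccessKeyId"]}},
                "UserId": {"Value": {"Fn::GetAtt": ["RamUser", "UserId"]}}},
}

if __name__ == "__main__":
    for finding in review_template(SAMPLE):
        print("FINDING:", finding)
```

Running the script against the sample reports the wildcard policy statement and the AKSecret output; a template whose Resource parameter defaults to specific ARNs and whose Outputs omit AccessKeySecret produces no findings.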

Step 2: Create a stack

  1. Log on to the ROS console.

  2. In the left-side navigation pane, click Stacks.

  3. In the top navigation bar, select the region where you want to create a stack from the region drop-down list. For example, select China (Hangzhou).

  4. On the Stacks page, click Create Stack and select Use ROS from the drop-down list.

  5. In the Select Template step, select Select an Existing Template, set Template Import Method to Enter Template Content, enter the YAML template created in Step 1, and then click Next.

  6. In the Configure Parameters step, specify Stack Name and configure the following parameters.

    In this example, the parameters are configured to create a RAM user named vpc-dev, attach the vpcDevPolicy policy that grants the full management permissions on virtual private clouds (VPCs) to the RAM user, and create an AccessKey pair.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | RAM User Name | The custom name of the RAM user. For more information, see Overview of RAM users. | vpc-dev |
    | RAM Policy Name | The policy name. For more information, see Policy overview. | vpcDevPolicy |
    | PolicyAction | The operations to be performed on specific resources based on the policy. For more information, see Policy elements. | ["vpc:*"] (Note: ["vpc:*"] specifies the full management permissions on VPCs.) |
    | Authority | The authorization effect of the policy. Valid values: Allow, Deny. For more information, see Policy elements. | Allow |
    | Resource | The resources for which the policy takes effect. For more information, see Policy elements. | ["*"] (Note: ["*"] specifies all resources.) |

  7. Click Create.

    After the stack is created, you can log on to the RAM console to view the information about the RAM user, AccessKey pair, and policy.