Resource Orchestration Service:ALIYUN::RAM::Group

Last Updated:Jul 03, 2023

ALIYUN::RAM::Group is used to create a Resource Access Management (RAM) user group and, optionally, to create and attach the policies that define what members of the group are allowed to do.

Syntax

{
  "Type": "ALIYUN::RAM::Group",
  "Properties": {
    "GroupName": String,
    "Comments": String,
    "Policies": List,
    "PolicyAttachments": Map,
    "DeletionForce": Boolean,
    "IgnoreExisting": Boolean
  }
}

Properties

GroupName
  Type: String. Required: Yes. Editable: No.
  The name of the RAM user group.
  Constraint: 1 to 64 characters; letters, digits, and hyphens (-) only.

Comments
  Type: String. Required: No. Editable: Yes.
  The comments on the RAM user group.
  Constraint: 1 to 128 characters.

Policies
  Type: List. Required: No. Editable: Yes.
  The custom policies, defined inline in the template, that you want to create and attach to the RAM user group.
  For more information, see Policies properties.

PolicyAttachments
  Type: Map. Required: No. Editable: Yes.
  The names of existing system and custom policies that you want to attach to the RAM user group.
  For more information, see PolicyAttachments properties.

DeletionForce
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to forcibly detach the attached policies from the RAM user group when the group is deleted.
  Valid values:
    • true
    • false (default)

IgnoreExisting
  Type: Boolean. Required: No. Editable: No.
  Specifies whether to ignore an existing RAM user group that has the same name as the group defined in the template.
  Valid values:
    • true: ignores the existing group. ROS does not check the name uniqueness of RAM user groups. If a group with the same name already exists, it is ignored when ROS creates the stack, and no new group is created. If the existing group was not created in the ROS console, it is also ignored when ROS updates or deletes the stack. Before relying on this option, check which policies the existing group already has attached, because ROS does not replace that group.
    • false: does not ignore the existing group. ROS checks the name uniqueness of RAM user groups and reports an error when it creates the stack if a group with the same name already exists.

Policies syntax

"Policies": [
  {
    "Description": String,
    "PolicyName": String,
    "PolicyDocument": Map,
    "IgnoreExisting": Boolean
  }
]

Policies properties

Description
  Type: String. Required: No. Editable: No.
  The description of the policy.
  Constraint: 1 to 1,024 characters.

PolicyName
  Type: String. Required: Yes. Editable: No.
  The name of the policy.
  Constraint: 1 to 128 characters; letters, digits, and hyphens (-) only.

PolicyDocument
  Type: Map. Required: Yes. Editable: Yes.
  The content of the policy.
  Constraint: up to 2,048 characters.
  For more information about policy elements and sample policies, see Policy elements and Overview of sample policies.
  For more information, see PolicyDocument properties.

IgnoreExisting
  Type: Boolean. Required: No. Editable: No.
  Specifies whether to ignore an existing policy that has the same name as the policy defined in the template.
  Valid values:
    • true: ignores the existing policy. ROS does not check the name uniqueness of policies. If a policy with the same name already exists, it is ignored when ROS creates the stack, and no new policy is created. If the existing policy was not created in the ROS console, it is also ignored when ROS updates or deletes the stack. Check the content of the existing policy before relying on this option, because ROS does not replace it with the PolicyDocument in your template.
    • false: does not ignore the existing policy. ROS checks the name uniqueness of policies and reports an error when it creates the stack if a policy with the same name already exists.

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

Version
  Type: String. Required: Yes. Editable: No.
  The version of the policy language. The examples on this page use "1".
  Constraint: None.

Statement
  Type: List. Required: Yes. Editable: No.
  The statements of the policy.
  For more information, see Statement properties.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

Statement properties

Condition
  Type: Map. Required: No. Editable: No.
  The conditions that must be met for the statement to take effect (for example, a source IP range).
  Constraint: None.

Action
  Type: List. Required: No. Editable: No.
  The API operations that the statement allows or denies.
  Constraint: None.

Resource
  Type: List. Required: No. Editable: No.
  The resources to which the statement applies.
  Constraint: None.

Effect
  Type: String. Required: No. Editable: No.
  Specifies whether the statement allows or denies the listed actions on the listed resources.
  Valid values:
    • Allow
    • Deny
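
To make the Statement rules above concrete, here is an added Python example; it is not part of the ROS documentation or of any Alibaba Cloud SDK. It lints a PolicyDocument against the constraints listed in the PolicyDocument and Statement tables (Version, a non-empty Statement list, Effect values, the 2,048-character limit), flags the kind of broad grant that this page's own example uses (oss:Get* on Resource "*"), and builds a scoped alternative. The condition keys acs:SourceIp and acs:SecureTransport are standard RAM condition keys; the over-broad rule, the bucket name and the CIDR are this example's own choices.

```python
"""Added example (not from the ROS documentation): lint a RAM PolicyDocument
destined for an ALIYUN::RAM::Group and build a narrower alternative."""
import json

MAX_POLICY_DOCUMENT_CHARS = 2048   # PolicyDocument limit stated on this page
VALID_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy_document(doc):
    """Return a list of findings; an empty list means the document passes.

    Structural rules come from this page (Version, non-empty Statement list,
    Effect is Allow or Deny, at most 2,048 characters). The least-privilege
    rule, flagging an unconditional Allow of a wildcard Action on Resource "*",
    is this example's own and matches the broad grant in the page's sample.
    """
    findings = []
    if doc.get("Version") != "1":
        findings.append("Version must be the string '1'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings
    for i, st in enumerate(statements):
        effect = st.get("Effect")
        if effect not in VALID_EFFECTS:
            findings.append(f"Statement[{i}]: Effect must be Allow or Deny, got {effect!r}")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wildcard_action = any("*" in a for a in actions)
        if (effect == "Allow" and wildcard_action and "*" in resources
                and not st.get("Condition")):
            findings.append(f"Statement[{i}]: unconditional Allow of wildcard "
                            f"action(s) {actions} on Resource '*' is over-broad")
    size = len(json.dumps(doc, separators=(",", ":")))
    if size > MAX_POLICY_DOCUMENT_CHARS:
        findings.append(f"document is {size} characters; limit is {MAX_POLICY_DOCUMENT_CHARS}")
    return findings


# The inline policy from this page's example: every oss:Get* action on every resource.
PAGE_SAMPLE = {"Version": "1",
               "Statement": [{"Action": ["oss:Get*"], "Resource": ["*"], "Effect": "Allow"}]}


def scoped_read_only_policy(bucket, allowed_cidr):
    """A narrower alternative: read one bucket, only from allowed_cidr, and
    deny any plaintext (non-TLS) access to it. acs:SourceIp and
    acs:SecureTransport are standard RAM condition keys; the bucket name and
    CIDR are placeholders supplied by the caller."""
    bucket_resources = [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["oss:GetObject", "oss:ListObjects"],
             "Resource": bucket_resources,
             "Condition": {"IpAddress": {"acs:SourceIp": [allowed_cidr]}}},
            {"Effect": "Deny",
             "Action": ["oss:*"],
             "Resource": bucket_resources,
             "Condition": {"Bool": {"acs:SecureTransport": "false"}}},
        ],
    }


if __name__ == "__main__":
    print(lint_policy_document(PAGE_SAMPLE))
    print(lint_policy_document(scoped_read_only_policy("example-bucket", "203.0.113.0/24")))
```

Run the linter over each PolicyDocument in a template before you submit the stack; the page's sample produces one over-broad finding, the scoped variant produces none. The explicit Deny with acs:SecureTransport is there because RAM evaluates Deny before Allow, so it holds even if a later Allow is added to the group.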

PolicyAttachments syntax

"PolicyAttachments": {
  "System": List,
  "Custom": List
}

PolicyAttachments properties

Custom
  Type: List. Required: No. Editable: Yes.
  The names of existing custom policies.
  Constraint: You can attach up to five custom policies.

System
  Type: List. Required: No. Editable: Yes.
  The names of system policies.
  Constraint: You can attach up to 20 system policies.

Return values

Fn::GetAtt

GroupName: the name of the RAM user group.

Examples

The following templates create a group named TestGroup with one inline custom policy that allows every oss:Get* action on every resource (Resource "*"). Before reusing it, narrow Action and Resource to what the group's members actually need.

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters: {}
Resources:
  Group:
    Type: ALIYUN::RAM::Group
    Properties:
      GroupName: TestGroup
      Policies:
        - PolicyName:
            Fn::Sub: GroupPolicy-${ALIYUN::StackId}
          PolicyDocument:
            Version: '1'
            Statement:
              - Action:
                  - oss:Get*
                Resource:
                  - '*'
                Effect: Allow
Outputs:
  GroupName:
    Description: Name of the RAM user group.
    Value:
      Fn::GetAtt:
        - Group
        - GroupName

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
  },
  "Resources": {
    "Group": {
      "Type": "ALIYUN::RAM::Group",
      "Properties": {
        "GroupName": "TestGroup",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Sub": "GroupPolicy-${ALIYUN::StackId}"
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": [
                    "oss:Get*"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "GroupName": {
      "Description": "Name of the RAM user group.",
      "Value": {
        "Fn::GetAtt": [
          "Group",
          "GroupName"
        ]
      }
    }
  }
}
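
As an added example that is not part of this page or of ROS itself, the following Python assembles the resource map of an ALIYUN::RAM::Group and enforces the constraints from the Properties, Policies and PolicyAttachments tables (GroupName and PolicyName character rules, Comments length, at most 5 custom and 20 system attachments) before the template is submitted. It also tightens the example above: instead of oss:Get* on every resource, the inline policy allows oss:GetObject on a single bucket. The group name, policy names, bucket name and the custom policy "audit-bucket-list" referenced under PolicyAttachments are placeholders; that custom policy would already have to exist in the account.

```python
"""Added example, not from the ROS documentation: build an ALIYUN::RAM::Group
resource and check the property constraints this page lists."""
import json
import re

NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")            # letters, digits, hyphens
MAX_GROUP_NAME, MAX_POLICY_NAME, MAX_COMMENTS = 64, 128, 128
MAX_CUSTOM_ATTACHMENTS, MAX_SYSTEM_ATTACHMENTS = 5, 20


def _check_name(value, limit, what):
    if not (1 <= len(value) <= limit) or not NAME_RE.match(value):
        raise ValueError(f"{what} {value!r}: 1 to {limit} characters, "
                         "letters, digits and hyphens only")


def ram_group_resource(group_name, inline_policies=(), system=(), custom=(),
                       comments=None, deletion_force=False, ignore_existing=False):
    """Return the resource map for one ALIYUN::RAM::Group.

    inline_policies: (PolicyName, PolicyDocument) pairs for the Policies list.
    system / custom: policy names for PolicyAttachments.
    """
    _check_name(group_name, MAX_GROUP_NAME, "GroupName")
    if comments is not None and not (1 <= len(comments) <= MAX_COMMENTS):
        raise ValueError("Comments must be 1 to 128 characters")
    if len(custom) > MAX_CUSTOM_ATTACHMENTS:
        raise ValueError(f"at most {MAX_CUSTOM_ATTACHMENTS} custom policies can be attached")
    if len(system) > MAX_SYSTEM_ATTACHMENTS:
        raise ValueError(f"at most {MAX_SYSTEM_ATTACHMENTS} system policies can be attached")

    props = {"GroupName": group_name,
             "DeletionForce": deletion_force,
             "IgnoreExisting": ignore_existing}
    if comments is not None:
        props["Comments"] = comments
    policies = []
    for name, document in inline_policies:
        _check_name(name, MAX_POLICY_NAME, "PolicyName")
        policies.append({"PolicyName": name, "PolicyDocument": document})
    if policies:
        props["Policies"] = policies
    if system or custom:
        props["PolicyAttachments"] = {"System": list(system), "Custom": list(custom)}
    return {"Type": "ALIYUN::RAM::Group", "Properties": props}


def validation_error(*args, **kwargs):
    """Return the ValueError message for rejected inputs, or None if they pass."""
    try:
        ram_group_resource(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def build_template(logical_id, resource):
    """Wrap one resource in a minimal ROS template, shaped like this page's
    JSON example, and return it as a JSON string."""
    template = {
        "ROSTemplateFormatVersion": "2015-09-01",
        "Resources": {logical_id: resource},
        "Outputs": {"GroupName": {
            "Description": "Name of the RAM user group.",
            "Value": {"Fn::GetAtt": [logical_id, "GroupName"]}}},
    }
    return json.dumps(template, indent=2)


# Constructed inputs: a narrower version of the page's example. Instead of
# oss:Get* on "*", the inline policy reads one bucket (placeholder name).
READ_LOGS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["oss:GetObject"],
                   "Resource": ["acs:oss:*:*:example-logs-bucket/*"]}],
}

# "audit-bucket-list" stands for a custom policy that already exists in the
# account; PolicyAttachments only references it by name.
EXAMPLE_RESOURCE = ram_group_resource(
    "log-readers",
    inline_policies=[("log-readers-oss-read", READ_LOGS_POLICY)],
    custom=["audit-bucket-list"],
    comments="Read-only access to the log bucket",
    deletion_force=True)   # forcibly detach policies when the group is deleted

if __name__ == "__main__":
    print(build_template("Group", EXAMPLE_RESOURCE))
```

Keeping the checks in code means a template that violates a limit (a sixth custom attachment, a PolicyName with a dot in it) fails locally instead of failing part-way through stack creation.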

For more examples, visit User.json and User.yml. In the examples, the following resource types are used: ALIYUN::RAM::User, ALIYUN::RAM::Group, ALIYUN::RAM::AttachPolicyToUser, and ALIYUN::RAM::UserToGroupAddition.