ALIYUN::RAM::Role is used to create a RAM role, together with its trust policy (AssumeRolePolicyDocument, which controls who can assume the role) and, optionally, inline policies that grant the role permissions.

Syntax

{
  "Type": "ALIYUN::RAM::Role",
  "Properties": {
    "RoleName": String,
    "Description": String,
    "AssumeRolePolicyDocument": Map,
    "MaxSessionDuration": Integer,
    "Policies": List
  }
}

Properties

Property Type Required Editable Description Constraint
RoleName String Yes No The name of the RAM role. The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Description String No No The description of the RAM role. The description can be up to 1,024 characters in length.
AssumeRolePolicyDocument Map Yes Yes The trust policy of the RAM role: the trusted entities (Alibaba Cloud services, IdPs, accounts or RAM users) that are allowed to assume the role, and the conditions under which they may do so. For more information, see AssumeRolePolicyDocument properties.
MaxSessionDuration Integer No Yes The maximum session duration of the RAM role, that is, the longest validity period an STS token obtained by assuming the role can have. Valid values: 3600 to 43200. Unit: seconds.

Default value: 3600.

Policies List No Yes The policies that are applied to the RAM role. For more information, see Policies properties.

AssumeRolePolicyDocument syntax

"AssumeRolePolicyDocument": {
  "Version": String,
  "Statement": List
}

AssumeRolePolicyDocument properties

Property Type Required Editable Description Constraint
Version String Yes No The version of the policy. Set the value to 1, as in the examples below.
Statement List Yes No The statement of the policy. None.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": String,
    "Effect": String,
    "Principal": Map
  }
]

Statement properties

Property Type Required Editable Description Constraint
Condition Map No No The condition element in a statement. The condition element specifies the conditions under which the principal can perform actions on resources. None.
Action String No No The action element in a statement. The action element specifies the actions that the principal can perform on resources under specific conditions. In a trust policy this is sts:AssumeRole, as in the examples below. None.
Effect String No No The effect element in a statement. The effect element specifies whether the principal can perform actions on resources under specific conditions. Valid values:
  • Allow
  • Deny
Principal Map No No The trusted entities that are allowed to assume the role, grouped by type. For more information, see Principal properties.

Principal syntax

"Principal": {
  "Service": List,
  "Federated": List,
  "RAM": List
}

Principal properties

Property Type Required Editable Description Constraint
Service List No No The Alibaba Cloud services that are allowed to assume the role, specified by service domain name, for example actiontrail.aliyuncs.com in the examples below. None.
Federated List No No The identity providers (IdPs) whose federated users are allowed to assume the role. Combine with Condition to restrict which federated identities qualify. None.
RAM List No No The Alibaba Cloud accounts or RAM users that are allowed to assume the role, specified by ARN. Trusting a whole account (an ARN ending in :root) lets any RAM user or role in that account that itself holds the sts:AssumeRole permission assume this role; trust a specific RAM user, or add a Condition, where possible. None.

Policies syntax

"Policies": [
  {
    "Description": String,
    "PolicyName": String,
    "PolicyDocument": Map
  }
]

Policies properties

Property Type Required Editable Description Constraint
Description String No No The description of the policy. The description must be 1 to 1,024 characters in length.
PolicyName String Yes No The name of the policy. The name must be 1 to 128 characters in length, and can contain letters, digits, and hyphens (-).
PolicyDocument Map Yes Yes The content of the policy. The document can be up to 2,048 characters in length.

For more information, see PolicyDocument properties.

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

Property Type Required Editable Description Constraint
Version String Yes No The version of the policy. Set the value to 1.
Statement List Yes No The statement of the policy. None.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

Statement properties

Property Type Required Editable Description Constraint
Condition Map No No The conditions under which the statement takes effect. None.
Action List No No The actions that the statement allows or denies. None.
Resource List No No The resources, specified by ARN, to which the statement applies. None.
Effect String No No The effect of the statement. Valid values:
  • Allow
  • Deny

Return values

Fn::GetAtt

  • RoleId: the ID of the role.
  • RoleName: the name of the role.
  • Arn: the Alibaba Cloud Resource Name (ARN) of the role.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Description: Test RAM Role
    Parameters: {}
    Resources:
      Role:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName: TestRole
          AssumeRolePolicyDocument:
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  Service:
                    - actiontrail.aliyuncs.com
            Version: '1'
    Outputs:
      RoleId:
        Description: ID of the RAM role.
        Value:
          Fn::GetAtt:
            - Role
            - RoleId
      Arn:
        Description: ARN of the RAM role.
        Value:
          Fn::GetAtt:
            - Role
            - Arn
      RoleName:
        Description: Name of the RAM role.
        Value:
          Fn::GetAtt:
            - Role
            - RoleName
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Description": "Test RAM Role",
      "Parameters": {
      },
      "Resources": {
        "Role": {
          "Type": "ALIYUN::RAM::Role",
          "Properties": {
            "RoleName": "TestRole",
            "AssumeRolePolicyDocument": {
              "Statement": [
                {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                    "Service": [
                      "actiontrail.aliyuncs.com"
                    ]
                  }
                }
              ],
              "Version": "1"
            }
          }
        }
      },
      "Outputs": {
        "RoleId": {
          "Description": "ID of the RAM role.",
          "Value": {
            "Fn::GetAtt": [
              "Role",
              "RoleId"
            ]
          }
        },
        "Arn": {
          "Description": "ARN of the RAM role.",
          "Value": {
            "Fn::GetAtt": [
              "Role",
              "Arn"
            ]
          }
        },
        "RoleName": {
          "Description": "Name of the RAM role.",
          "Value": {
            "Fn::GetAtt": [
              "Role",
              "RoleName"
            ]
          }
        }
      }
    }
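The property constraints above (RoleName length, MaxSessionDuration range, policy Version, PolicyDocument size) and the trust-policy caveats on Principal can be checked before a template is deployed. The following checker is an added example, not Alibaba Cloud or ROS code: it lints every ALIYUN::RAM::Role in a template that has already been parsed into a Python dict (with json.load or yaml.safe_load) and reports the schema violations plus three least-privilege findings that are the example's own heuristics rather than ROS rules: a trust statement that trusts an entire account (an ARN ending in :root) or an IdP without a Condition, an inline Allow statement that grants a wildcard Action on Resource "*", and a MaxSessionDuration above the 3600-second default. The two templates at the bottom are constructed samples; the account ID, RAM user name, bucket name and the acs:MFAPresent condition key are placeholders used for illustration.

```python
"""Lint ALIYUN::RAM::Role resources in a parsed ROS template (added example,
not Alibaba Cloud/ROS code). Pass the dict from json.load/yaml.safe_load to
lint_template(); each finding is (logical_id, code, detail)."""
import json

ROLE_TYPE = "ALIYUN::RAM::Role"
SESSION_DEFAULT, SESSION_MAX = 3600, 43200   # MaxSessionDuration bounds, seconds
ROLE_NAME_MAX, POLICY_DOC_MAX = 64, 2048      # RoleName / PolicyDocument limits


def _as_list(value):
    """Action, Resource and Principal members may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_role(logical_id, props):
    """Return findings for one role resource's Properties map."""
    out = []

    def flag(code, detail):
        out.append((logical_id, code, detail))

    name = props.get("RoleName", "")
    if not 1 <= len(name) <= ROLE_NAME_MAX:
        flag("ROLE_NAME_LENGTH", f"{len(name)} chars, allowed 1..{ROLE_NAME_MAX}")

    duration = props.get("MaxSessionDuration", SESSION_DEFAULT)
    if not SESSION_DEFAULT <= duration <= SESSION_MAX:
        flag("SESSION_OUT_OF_RANGE", f"{duration}s, allowed {SESSION_DEFAULT}..{SESSION_MAX}")
    elif duration > SESSION_DEFAULT:
        flag("SESSION_LONG", f"{duration}s; STS tokens for this role stay valid that long")

    trust = props.get("AssumeRolePolicyDocument", {})
    if str(trust.get("Version", "")) != "1":
        flag("TRUST_VERSION", f"Version must be '1', got {trust.get('Version')!r}")
    for i, st in enumerate(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        conditioned = bool(st.get("Condition"))
        for arn in _as_list(principal.get("RAM")):
            # Trusting <account>:root admits every RAM identity in that account
            # that itself holds sts:AssumeRole; a Condition narrows that.
            if arn.endswith(":root") and not conditioned:
                flag("TRUST_ACCOUNT_ROOT", f"statement {i} trusts {arn} with no Condition")
        if _as_list(principal.get("Federated")) and not conditioned:
            flag("TRUST_FEDERATED_OPEN", f"statement {i} trusts an IdP with no Condition")

    for pol in props.get("Policies", []):
        doc, pname = pol.get("PolicyDocument", {}), pol.get("PolicyName", "?")
        if len(json.dumps(doc, separators=(",", ":"))) > POLICY_DOC_MAX:
            flag("POLICY_DOC_LENGTH", f"{pname} exceeds {POLICY_DOC_MAX} chars")
        for i, st in enumerate(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action"))
            broad = any(a == "*" or a.endswith(":*") for a in actions)
            if broad and "*" in _as_list(st.get("Resource")):
                flag("POLICY_ADMIN", f"{pname} statement {i}: {actions} on Resource *")
    return out


def lint_template(template):
    """Lint every ALIYUN::RAM::Role resource in a parsed ROS template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == ROLE_TYPE:
            findings.extend(lint_role(logical_id, res.get("Properties", {})))
    return findings


def _template(trust_statement, policy_statement, **extra):
    """Constructed one-role template; account, user and bucket are placeholders."""
    props = {
        "RoleName": "DeployRole",
        "AssumeRolePolicyDocument": {"Version": "1", "Statement": [trust_statement]},
        "Policies": [{"PolicyName": "deploy", "PolicyDocument":
                      {"Version": "1", "Statement": [policy_statement]}}],
        **extra,
    }
    return {"ROSTemplateFormatVersion": "2015-09-01",
            "Resources": {"DeployRole": {"Type": ROLE_TYPE, "Properties": props}}}


# Weak: whole-account trust, 12-hour sessions, inline admin policy.
WEAK_TEMPLATE = _template(
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::123456789012345678:root"]}},
    {"Action": ["*"], "Resource": ["*"], "Effect": "Allow"},
    MaxSessionDuration=43200)

# Hardened: one RAM user, MFA required (condition key used illustratively),
# default session length, read-only access to one OSS bucket.
HARDENED_TEMPLATE = _template(
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::123456789012345678:user/deploy-bot"]},
     "Condition": {"Bool": {"acs:MFAPresent": "true"}}},
    {"Action": ["oss:GetObject", "oss:ListObjects"], "Effect": "Allow",
     "Resource": ["acs:oss:*:*:deploy-artifacts", "acs:oss:*:*:deploy-artifacts/*"]})
```

Running lint_template(WEAK_TEMPLATE) reports SESSION_LONG, TRUST_ACCOUNT_ROOT and POLICY_ADMIN for the DeployRole resource; lint_template(HARDENED_TEMPLATE) returns no findings. Resource ARNs that merely contain a wildcard segment (such as acs:oss:*:*:deploy-artifacts) are not treated as "*", so scoped statements pass while a bare Resource "*" combined with "*" or "oss:*" actions is flagged.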