The ALIYUN::RAM::Role type is used to create a RAM role.

Syntax

{
    "Type" : "ALIYUN::RAM::Role",
    "Properties" : {
        "RoleName" : String,
        "Description" : String,
        "AssumeRolePolicyDocument" : Map,
        "Policies" : List
    }
}

Properties

| Name | Type | Required | Description | Constraint |
|---|---|---|---|---|
| RoleName | string | Yes | Role name | The role name can contain a maximum of 64 characters |
| Description | string | No | Role description | The description can contain a maximum of 1,024 characters |
| AssumeRolePolicyDocument | map | Yes | Identity that can assume this role | N/A |
| Policies | list | No | Policy applied to the role | N/A |

AssumeRolePolicyDocument syntax

"AssumeRolePolicyDocument" : {
    "Version" : String,
    "Statement" : [
        {
            "Effect" : String,
            "Action" : List,
            "Principal" : {
                "Service" : List
            }
        }
    ]
}

AssumeRolePolicyDocument properties

| Name | Type | Required | Description | Constraint |
|---|---|---|---|---|
| Version | string | No | Policy version | N/A |
| Statement | list | No | Policy rules | N/A |
| Action | list | No | Policy-specific operation | N/A |
| Principal | map | No | Service to which the policy is applied | N/A |
| Effect | string | No | Whether the operation defined by the Action parameter can be performed on the service defined by the Principal parameter | N/A |
| Service | list | No | Specific service | N/A |

Policies syntax

"Policies" : [
    {
        "PolicyName" : String,
        "PolicyDocument" : {
            "Version" : String,
            "Statement" : [
                {
                    "Effect" : String,
                    "Action" : List,
                    "Resource" : List
                }
            ]
        }
    }
]

Policies properties

| Name | Type | Required | Description | Constraint |
|---|---|---|---|---|
| PolicyName | string | Yes | Policy name | The policy name can contain a maximum of 128 characters |
| PolicyDocument | map | No | Policy details | N/A |
| Version | string | No | Policy version | N/A |
| Statement | list | No | Policy rules | N/A |
| Action | list | No | Policy-specific operation | N/A |
| Resource | list | No | Resource to which the policy is applied | N/A |
| Effect | string | No | Whether the operation defined by the Action parameter can be performed on the resource defined by the Resource parameter | N/A |

Response value

Fn::GetAtt

  • RoleId: role ID
  • RoleName: role name
  • Arn: resource descriptor of the role

Example

{
	"ROSTemplateFormatVersion" : "2015-09-01",
	"Resources" : {
		"RamRole": {
			"Type": "ALIYUN::RAM::Role",
			"Properties": {
				"RoleName": "RosRole",
				"Description": "createdByRos",
				"AssumeRolePolicyDocument": {
					"Statement" : [
						{
							"Action": "sts:AssumeRole",
							"Effect": "Allow",
							"Principal":{
								"Service":["actiontrail.aliyuncs.com"]
							}
						}
					],
					"Version": "1"
				},
				"Policies" : [
					{
						"PolicyName" : "RosRolePolicy",
						"PolicyDocument" : 
						{
							"Version": "1",
							"Statement" : [
								{
									"Effect" : "Allow",
									"Action" : [ "oss:*" ],
									"Resource" : ["acs:oss:*:*:*"]
								}
							]
						}
					}
				]
			}
		}
	},
	"Outputs": {
		"RoleName": {
			"Value": {
				"Fn::GetAtt": ["RamRole","RoleName"]
			}
		},
		"Arn": {
			"Value": {
				"Fn::GetAtt": ["RamRole","Arn"]
			}
		}
	}
}
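
An added example, not part of the original documentation: a pre-deployment check in Python that applies the length limits from the property tables above to every ALIYUN::RAM::Role in a template and reports inline policies that allow a service-wide wildcard action on a wildcard resource, as RosRolePolicy in the Example does with oss:* on acs:oss:*:*:*. The names lint_ram_roles, as_list, is_wild and EXAMPLE are hypothetical, and the check assumes an already parsed template with literal values and only the Service principal documented on this page.

```python
MAX_ROLE_NAME, MAX_DESCRIPTION, MAX_POLICY_NAME = 64, 1024, 128  # limits from this page

def as_list(value):
    """Policy fields may hold one string or a list; the page's example uses both."""
    return [] if value is None else value if isinstance(value, list) else [value]

def is_wild(value):
    """True for '*', 'oss:*' or 'acs:oss:*:*:*': the last colon-separated field is '*'."""
    return isinstance(value, str) and value.split(":")[-1] == "*"

def lint_ram_roles(template):
    """Return (resource_id, message) findings for each ALIYUN::RAM::Role resource."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::RAM::Role":
            continue
        props = res.get("Properties", {})
        name = props.get("RoleName")
        if not isinstance(name, str) or not 0 < len(name) <= MAX_ROLE_NAME:
            findings.append((rid, "RoleName is required, at most 64 characters"))
        if len(str(props.get("Description") or "")) > MAX_DESCRIPTION:
            findings.append((rid, "Description exceeds 1,024 characters"))
        trust = props.get("AssumeRolePolicyDocument") or {}
        if not trust:
            findings.append((rid, "AssumeRolePolicyDocument is required"))
        for stmt in as_list(trust.get("Statement")):
            # Assumption: only the Service principal documented on this page is read.
            services = as_list((stmt.get("Principal") or {}).get("Service"))
            if stmt.get("Effect") == "Allow" and (not services or "*" in services):
                findings.append((rid, "trust policy names no Service or a wildcard Service"))
        for pol in as_list(props.get("Policies")):
            pname = pol.get("PolicyName") or ""
            if not 0 < len(pname) <= MAX_POLICY_NAME:
                findings.append((rid, "PolicyName is required, at most 128 characters"))
            for stmt in as_list(pol.get("PolicyDocument", {}).get("Statement")):
                actions = [a for a in as_list(stmt.get("Action")) if is_wild(a)]
                resources = [r for r in as_list(stmt.get("Resource")) if is_wild(r)]
                if stmt.get("Effect") == "Allow" and actions and resources:
                    findings.append((rid, f"{pname}: {actions} allowed on {resources}"))
    return findings

# The role from this page's Example section, reduced to the fields the check reads.
EXAMPLE = {"Resources": {"RamRole": {"Type": "ALIYUN::RAM::Role", "Properties": {
    "RoleName": "RosRole", "Description": "createdByRos",
    "AssumeRolePolicyDocument": {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Service": ["actiontrail.aliyuncs.com"]}}]},
    "Policies": [{"PolicyName": "RosRolePolicy", "PolicyDocument": {"Version": "1",
        "Statement": [{"Effect": "Allow", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*"]}]}}]}}}}
```

Calling lint_ram_roles(EXAMPLE) returns a single finding, for RosRolePolicy; scoping Resource to a specific bucket path clears it.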