All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::RAM::User

Last Updated:Jul 05, 2023

ALIYUN::RAM::User is used to create a Resource Access Management (RAM) user.

Syntax

{
  "Type": "ALIYUN::RAM::User",
  "Properties": {
    "UserName": String,
    "DisplayName": String,
    "LoginProfile": Map,
    "Groups": List,
    "MobilePhone": String,
    "Email": String,
    "Comments": String,
    "Policies": List,
    "PolicyAttachments": Map,
    "DeletionForce": Boolean
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

UserName

String

Yes

No

The name of the RAM user.

The name must be 1 to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

DisplayName

String

No

Yes

The display name of the RAM user.

The display name must be 1 to 128 characters in length.

LoginProfile

Map

No

No

The logon configurations of the RAM user.

For more information, see LoginProfile properties.

Groups

List

No

No

The user groups to which you want to add the RAM user.

None.

MobilePhone

String

No

Yes

The mobile number of the RAM user.

None.

Email

String

No

Yes

The email address of the RAM user.

None.

Comments

String

No

Yes

The comments on the RAM user.

The comments must be 1 to 128 characters in length.

Policies

List

No

Yes

The policies that you want to attach to the RAM user.

For more information, see Policies properties.

PolicyAttachments

Map

No

Yes

The names of the system and custom policies that you want to attach to the RAM user.

For more information, see PolicyAttachments properties.

DeletionForce

Boolean

No

Yes

Specifies whether to forcefully detach the policy from the RAM user.

Valid values:

  • true

  • false (default)

LoginProfile syntax

"LoginProfile": {
  "MFABindRequired": Boolean,
  "Password": String,
  "PasswordResetRequired": Boolean
}            

LoginProfile properties

Property

Type

Required

Editable

Description

Constraint

MFABindRequired

Boolean

No

No

Specifies whether to forcefully enable multi-factor authentication (MFA) for the RAM user.

Valid values:

  • true: forcefully enables MFA. The RAM user must bind an MFA device at the next logon.

  • false: does not forcefully enable MFA.

Password

String

No

No

The new password that the RAM user uses to log on to the RAM console.

The password must be 8 to 32 characters in length, and must comply with the strong password requirements.

PasswordResetRequired

Boolean

No

No

Specifies whether the RAM user must reset the password at the next logon.

Valid values:

  • true

  • false

Policies syntax

"Policies": [
  {
    "PolicyName": String,
    "PolicyDocument": Map,
    "Description": String,
    "IgnoreExisting": Boolean
  }
]            

Policies properties

Property

Type

Required

Editable

Description

Constraint

Description

String

No

No

The description of the policy.

The description must be 1 to 1,024 characters in length.

PolicyName

String

Yes

No

The name of the policy.

The name must be 1 to 128 characters in length, and can contain letters, digits, and hyphens (-).

PolicyDocument

Map

Yes

Yes

The content of the policy.

The content can be up to 2,048 characters in length.

For more information, see PolicyDocument properties.

IgnoreExisting

Boolean

No

No

Specifies whether to ignore the existing policy that has the same name as the new policy.

Valid values:

  • true: ignores the existing policy. Resource Orchestration Service (ROS) does not check the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, the policy is ignored when ROS creates the new policy. If the existing policy is not created in the ROS console, the policy is ignored when ROS updates or deletes the new policy.  

  • false: does not ignore the existing policy. ROS checks the name uniqueness of policies. If an existing policy with the same name exists in the ROS console, an error is reported when ROS creates the new policy.

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

Property

Type

Required

Editable

Description

Constraint

Version

String

Yes

No

The version of the policy.

None.

Statement

List

Yes

No

The statements of the policy.

For more information, see Statement properties.

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": List,
    "Resource": List,
    "Effect": String
  }
]

Statement properties

Property

Type

Required

Editable

Description

Constraint

Condition

Map

No

No

The condition that is required for the policy to take effect.

None.

Action

List

No

No

The actions that you want to perform based on the policy.

None.

Resource

List

No

No

The resources to which you want to apply the policy.

None.

Effect

String

No

No

The effect of the statement.

Valid values:

  • Allow

  • Deny

PolicyAttachments syntax

"PolicyAttachments": {
  "Custom": List,
  "System": List
}

PolicyAttachments properties

Property

Type

Required

Editable

Description

Constraint

Custom

List

No

Yes

The names of the custom policies.

You can attach up to five custom policies.

System

List

No

Yes

The names of the system policies.

You can attach up to 20 system policies.

Return values

Fn::GetAtt

  • UserName: the name of the RAM user.

  • UserId: the ID of the RAM user.

  • CreateDate: the time when the RAM user was created.

  • LastLoginDate: the last logon time of the RAM user.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM User
Parameters: {}
Resources:
  User:
    Type: ALIYUN::RAM::User
    Properties:
      UserName: dev
      Policies:
        - PolicyName:
            Fn::Join:
              - '-'
              - - StackId
                - Ref: ALIYUN::StackId
          PolicyDocument:
            Statement:
              - Action:
                  - oss:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
Outputs: {}

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM User",
  "Parameters": {
  },
  "Resources": {
    "User": {
      "Type": "ALIYUN::RAM::User",
      "Properties": {
        "UserName": "dev",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Join": [
                "-",
                [
                  "StackId",
                  {
                    "Ref": "ALIYUN::StackId"
                  }
                ]
              ]
            },
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "oss:*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "1"
            }
          }
        ]
      }
    }
  },
  "Outputs": {
  }
}