Template name
ACS-RAM-CreateRoleAndAttachCustomPolicy
Template description
Creates a RAM role and attaches a custom policy to the RAM role.
Template type
Automated
Owner
Alibaba Cloud
Input parameters
Parameter | Description | Data type | Required | Default value | Limit |
roleName | The name of the RAM role that you want to create. | String | Yes | ||
policyName | The name of the custom policy that you want to create and attach to the RAM role. | String | Yes | ||
policyDocument | The document of the custom policy that you want to attach to the RAM role. | String | Yes | ||
rolePlayerUid | The unique ID (UID) of the trusted Alibaba Cloud account of the RAM role. | String | No | {{ ACS::AccountId }} | |
OOSAssumeRole | The RAM role that is assumed by CloudOps Orchestration Service (OOS). | String | No | "" |
Output parameters
Parameter | Description | Data type |
stackId | String |
Permission policy that is required to execute the template
{
"Version": "1",
"Statement": [
{
"Action": [
"ros:CreateStack",
"ros:GetStack"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
References
ACS-RAM-CreateRoleAndAttachCustomPolicy
Template content
FormatVersion: OOS-2019-06-01
Description:
en: Create RAM role and attach custom policy
name-en: ACS-RAM-CreateRoleAndAttachCustomPolicy
categories:
- security
Parameters:
roleName:
Label:
en: RoleName
Type: String
rolePlayerUid:
Label:
en: RolePlayerUid
Type: String
Default: '{{ ACS::AccountId }}'
policyName:
Label:
en: PolicyName
Type: String
policyDocument:
Label:
en: PolicyDocument
Description:
en: 'e.g.{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
Type: String
AssociationProperty: Code
OOSAssumeRole:
Label:
en: OOSAssumeRole
Type: String
Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
- Name: createStackForRoleAndPolicy
Action: 'ACS::ROS::CreateStack'
Description:
en: Create role and attach policy by Ros resource stack
Properties:
stackName:
Fn::Replace:
- .: _
- OOS-{{ACS::ExecutionId}}
disableRollback: true
parameters:
- ParameterKey: RoleName
ParameterValue: '{{ roleName }}'
- ParameterKey: RolePlayerUid
ParameterValue: '{{ rolePlayerUid }}'
- ParameterKey: PolicyName
ParameterValue: '{{ policyName }}'
- ParameterKey: PolicyDocument
ParameterValue: '{{ policyDocument }}'
templateBody: |
{
"ROSTemplateFormatVersion": "2015-09-01",
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": {
"Ref": "RoleName"
},
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
{
"Fn::Sub": [
"acs:ram::${uid}:root",
{
"uid": {
"Ref": "RolePlayerUid"
}
}
]
}
]
}
}
],
"Version": "1"
}
}
},
"Policy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": {
"Ref": "PolicyName"
},
"PolicyDocumentUnchecked": {
"Ref": "PolicyDocument"
},
"Roles": [
{
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
]
}
}
},
"Parameters": {
"RoleName": {
"Type": "String",
"Description": "Role name."
},
"RolePlayerUid": {
"Type": "String",
"Description": "Role player uid."
},
"PolicyName": {
"Type": "String",
"Description": "Policy name."
},
"PolicyDocument": {
"Type": "Json",
"Description": "A policy document that describes what actions are allowed on which resources."
}
},
"Outputs": {
"RoleName": {
"Description": "When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"TemplateTags": [
"acs:integrate:oos:ram_create_role_and_attach_custom_policy"
]
}
}
}
Outputs:
stackId:
Type: String
ValueSelector: stackId
Outputs:
stackId:
Type: String
Value: '{{createStackForRoleAndPolicy.stackId}}'