The ALIYUN::RAM::Role resource creates a RAM role.
Syntax
{
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": String,
"Description": String,
"AssumeRolePolicyDocument": Map,
"MaxSessionDuration": Integer,
"Policies": List,
"IgnoreExisting": Boolean,
"DeletionForce": Boolean,
"PolicyAttachments": Map
}
}
Properties
Property Name | Type | Required | Updatable | Description | Constraints |
AssumeRolePolicyDocument | Map | Yes | Yes | The trust policy of the RAM role: the identities that are allowed to assume it. | Specify one or more trusted entities that can assume this RAM role. A trusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider. Limit the list to the entities that actually need the role, because every principal listed here can obtain the role's permissions. |
RoleName | String | Yes | No | The RAM role name. | Length: 1 to 64 characters. Can contain English letters, numbers, periods (.), and hyphens (-). |
Description | String | No | No | The description of the RAM role. | Maximum length: 1024 characters. |
MaxSessionDuration | Integer | No | Yes | The maximum session duration for the RAM role. | Value range: 3600 seconds to 43200 seconds. Default value: 3600 seconds. |
Policies | List | No | Yes | The policies defined in the template and attached to the RAM role. | For more information, see Access Policy Overview. |
IgnoreExisting | Boolean | No | No | Whether to reuse a role of the same name if one already exists instead of failing. | Valid values: true and false. Default value: false. Note: a role that ROS did not create is left untouched during stack update and deletion. |
DeletionForce | Boolean | No | Yes | Whether to forcibly detach the policies attached to the role so that the role can be deleted. | Default value: false. |
PolicyAttachments | Map | No | Yes | The names of system and custom policies to attach. | For more information, see PolicyAttachments properties. |
AssumeRolePolicyDocument Syntax
"AssumeRolePolicyDocument": {
"Version": String,
"Statement": List
}
AssumeRolePolicyDocument Properties
Property Name | Type | Required | Allow Updates | Description | Constraints |
Version | String | Yes | No | The policy version. | None |
Statement | List | Yes | No | The specific rules of the policy. | For more information, see Statement properties. |
Statement Syntax
"Statement": [
{
"Condition": Map,
"Action": String,
"Effect": String,
"Principal": Map
}
]
Statement Properties
Property Name | Type | Required | Updatable | Description | Constraints |
Condition | Map | No | No | The conditions. | None |
Action | String | No | No | The action that the statement allows or denies. In a trust policy this is sts:AssumeRole, as in the examples below. | None |
Effect | String | No | No | The effect of the statement. | Valid values: Allow and Deny. |
Principal | Map | No | No | The type of trusted entity. | For more information, see Principal properties. |
Principal Syntax
"Principal": {
"Service": List,
"Federated": List,
"RAM": List
}
Principal Properties
Property Name | Type | Required | Updatable | Description | Constraints |
Service | List | No | No | Alibaba Cloud services. | None |
Federated | List | No | No | Identity providers. | None |
RAM | List | No | No | Alibaba Cloud accounts. | None |
Policies Syntax
"Policies": [
{
"Description": String,
"PolicyName": String,
"PolicyDocument": Map
}
]
Policies Properties
Property Name | Type | Required | Updatable | Description | Constraints |
Description | String | No | No | The description. | Length: 1 to 1024 characters. |
PolicyName | String | Yes | No | The access policy name. | Length: 1 to 128 characters. Can contain English letters, numbers, and hyphens (-). |
PolicyDocument | Map | Yes | Yes | The policy document. | Maximum length: 2048 characters. For more information, see PolicyDocument properties. |
PolicyAttachments Syntax
"PolicyAttachments": {
"System": List,
"Custom": List
}
PolicyAttachments Properties
Property Name | Type | Required | Updatable | Description | Constraints |
Custom | List | No | Yes | A list of custom policy names. | The number of policies must be less than or equal to 5. |
System | List | No | Yes | A list of system policy names. | The number of policies must be less than or equal to 20. |
PolicyDocument Syntax
"PolicyDocument": {
"Version": String,
"Statement": List
}
PolicyDocument Properties
Property Name | Type | Required | Updatable | Description | Constraints |
Version | String | Yes | No | The access policy version. | None |
Statement | List | Yes | No | The specific rules of the access policy. | None |
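The following Python script is an added example, not part of the ROS documentation or of ROS itself. It encodes the constraints from the property tables above as a pre-deployment check for the Properties map of an ALIYUN::RAM::Role: name patterns and lengths, the MaxSessionDuration range, the shape of the trust policy and its Principal keys, the Allow/Deny effect, the 2048-character PolicyDocument limit, and the PolicyAttachments counts. The sample inputs are constructed for the example. The rule that flags a wildcard principal in an Allow trust statement is a reviewer's least-privilege check, not a ROS validation, and any value that is still an intrinsic function (a map such as Ref or Fn::Sub) is treated as unresolved and skipped.

```python
"""Pre-deployment check for ALIYUN::RAM::Role properties (added example)."""
import json
import re

# From the property tables: RoleName 1-64 chars of letters, digits, '.', '-';
# PolicyName 1-128 chars of letters, digits, '-'.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,64}$")
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9\-]{1,128}$")
PRINCIPAL_KEYS = {"Service", "Federated", "RAM"}
EFFECTS = {"Allow", "Deny"}


def _check_statement(stmt, where, findings, is_trust):
    if not isinstance(stmt, dict):
        findings.append(f"{where}: statement must be a map")
        return
    if stmt.get("Effect") not in EFFECTS:
        findings.append(f"{where}: Effect must be Allow or Deny")
    if not is_trust:
        return
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or not principal:
        findings.append(f"{where}: trust statement needs a Principal map")
        return
    unknown = set(principal) - PRINCIPAL_KEYS
    if unknown:
        findings.append(f"{where}: unknown Principal keys {sorted(unknown)}")
    for key, members in principal.items():
        if isinstance(members, dict):
            continue  # intrinsic function (e.g. Ref); ROS resolves it at deploy time
        if not isinstance(members, list):
            findings.append(f"{where}: Principal.{key} must be a list")
        elif stmt.get("Effect") == "Allow" and "*" in members:
            # Reviewer rule, not a ROS constraint: a wildcard principal in an Allow
            # trust statement lets any identity of that type assume the role.
            findings.append(f"{where}: Principal.{key} contains '*' (any identity can assume the role)")


def _check_document(doc, where, findings, is_trust):
    if not isinstance(doc, dict):
        findings.append(f"{where}: must be a map")
        return
    if "Version" not in doc:
        findings.append(f"{where}: Version is required")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        findings.append(f"{where}: Statement must be a non-empty list")
        return
    for i, stmt in enumerate(stmts):
        _check_statement(stmt, f"{where}.Statement[{i}]", findings, is_trust)


def validate_ram_role(props):
    """Return the list of violations found in one ALIYUN::RAM::Role Properties map."""
    findings = []
    name = props.get("RoleName")
    if not isinstance(name, dict) and (not isinstance(name, str) or not ROLE_NAME_RE.match(name)):
        findings.append("RoleName: required, 1-64 chars of letters, digits, '.', '-'")
    if len(props.get("Description") or "") > 1024:
        findings.append("Description: longer than 1024 characters")
    duration = props.get("MaxSessionDuration", 3600)
    if not isinstance(duration, int) or not 3600 <= duration <= 43200:
        findings.append("MaxSessionDuration: must be an integer from 3600 to 43200 seconds")
    if "AssumeRolePolicyDocument" not in props:
        findings.append("AssumeRolePolicyDocument: required")
    else:
        _check_document(props["AssumeRolePolicyDocument"], "AssumeRolePolicyDocument", findings, True)
    for i, policy in enumerate(props.get("Policies", [])):
        where = f"Policies[{i}]"
        pname = policy.get("PolicyName")
        if not isinstance(pname, dict) and (not isinstance(pname, str) or not POLICY_NAME_RE.match(pname)):
            findings.append(f"{where}.PolicyName: required, 1-128 chars of letters, digits, '-'")
        doc = policy.get("PolicyDocument")
        _check_document(doc, f"{where}.PolicyDocument", findings, False)
        if isinstance(doc, dict) and len(json.dumps(doc, separators=(",", ":"))) > 2048:
            findings.append(f"{where}.PolicyDocument: serialised document exceeds 2048 characters")
    attachments = props.get("PolicyAttachments", {})
    if len(attachments.get("Custom", [])) > 5:
        findings.append("PolicyAttachments.Custom: more than 5 policies")
    if len(attachments.get("System", [])) > 20:
        findings.append("PolicyAttachments.System: more than 20 policies")
    return findings


# Constructed sample: the Scenario 1 trust policy plus one policy; passes every check.
GOOD_ROLE = {
    "RoleName": "TestRole",
    "AssumeRolePolicyDocument": {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["actiontrail.aliyuncs.com"]}}]},
    "Policies": [{"PolicyName": "ActionTrailPolicy-1", "PolicyDocument": {"Version": "1", "Statement": [
        {"Action": ["oss:PutObject"], "Effect": "Allow", "Resource": ["*"]}]}}],
}
# Constructed sample with five violations (name, duration, Version, wildcard principal, attachments).
BAD_ROLE = {
    "RoleName": "bad role!",
    "MaxSessionDuration": 60,
    "AssumeRolePolicyDocument": {"Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"RAM": ["*"]}}]},
    "PolicyAttachments": {"Custom": ["p1", "p2", "p3", "p4", "p5", "p6"]},
}

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(label, validate_ram_role(role) or "OK")
```

Run it over the Properties of every ALIYUN::RAM::Role in a template before CreateStack. A non-empty list means the stack will most likely fail validation, or, for the wildcard finding, that the trust policy is broader than the role needs.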
Return Values
Fn::GetAtt
RoleId: The role ID.
RoleName: The role name.
Arn: The Alibaba Cloud Resource Name (ARN) of the role.
Examples
Scenario 1: Create a RAM role.
ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM Role
Parameters: {}
Resources:
Role:
Type: ALIYUN::RAM::Role
Properties:
RoleName: TestRole
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- actiontrail.aliyuncs.com
Version: '1'
Outputs:
RoleId:
Description: Id of ram role.
Value:
Fn::GetAtt:
- Role
- RoleId
Arn:
Description: Name of alicloud resource.
Value:
Fn::GetAtt:
- Role
- Arn
RoleName:
Description: Name of ram role.
Value:
Fn::GetAtt:
- Role
- RoleName
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": "Test RAM Role",
"Parameters": {
},
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"RoleName": "TestRole",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"actiontrail.aliyuncs.com"
]
}
}
],
"Version": "1"
}
}
}
},
"Outputs": {
"RoleId": {
"Description": "Id of ram role.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleId"
]
}
},
"Arn": {
"Description": "Name of alicloud resource.",
"Value": {
"Fn::GetAtt": [
"Role",
"Arn"
]
}
},
"RoleName": {
"Description": "Name of ram role.",
"Value": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
}
}
}
}
Scenario 2: Create a RAM role, allow specified services to assume it, and attach a custom policy whose actions are supplied as a parameter.
ROSTemplateFormatVersion: '2015-09-01'
Description:
en: Create a RAM role, attach a custom policy allowing specified services to assume the role, and define policy operations.
Parameters:
RoleName:
Type: String
Label:
en: Role Name
Description:
en: The name of the role. Change the name if it already exists. Consists of English letters, numbers, or '-', not more than 64 characters.
ConstraintDescription:
en: No more than 64 characters; English letters, numbers, or '-' are allowed.
Default: test-role
AllowedPattern: ^[a-zA-Z0-9\-]+$
MinLength: 1
MaxLength: 64
AssumeRolePrincipalServices:
Type: Json
Label:
en: Principal Services
Description:
en: The services trusted to assume the role. More than one service can be specified.
Default:
- ecs.aliyuncs.com
PolicyName:
Type: String
Label:
en: Policy Name
Description:
en: The policy name. Change the name if it already exists.<br>Consists of English letters, numbers, or '-', 5-128 characters.
ConstraintDescription:
en: Consists of English letters, numbers, or '-', 5-128 characters.
Default: test-policy-name
AllowedPattern: ^[a-zA-Z0-9\-]+$
MinLength: 5
MaxLength: 128
SpecificAction:
Type: String
Label:
en: Specific Action
Description:
en: 'The specific actions of the policy, separated by commas; <a href=''https://www.alibabacloud.com/help/document_detail/93738.html'' target=''_blank''><b><font color=''blue''>View Policy elements - Action</font></b></a><br>For example:<br>[oss.*,ecs.*: <font color=''green''>all actions of OSS and ECS</font>]<br>[oss.*: <font color=''green''>all actions of OSS</font>]<br>[oss.GetObjectUrl: <font color=''green''>the GetObjectUrl action of OSS</font>]'
Default: oss.*,ecs.*
Resources:
RamManagedPolicy:
Type: ALIYUN::RAM::ManagedPolicy
Properties:
PolicyDocument:
Statement:
- Action:
Fn::Split:
- ','
- Ref: SpecificAction
Effect: Allow
Resource:
- '*'
Version: '1'
PolicyName:
Ref: PolicyName
RamRole:
Type: ALIYUN::RAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
Ref: AssumeRolePrincipalServices
Version: '1'
Policies:
- PolicyDocument:
Statement:
- Action:
- ros:*
Effect: Allow
Resource:
- '*'
Version: '1'
PolicyName:
Fn::Join:
- ''
- - Policy-
- Ref: ALIYUN::StackId
RoleName:
Ref: RoleName
RamAttachPolicyToRole:
Type: ALIYUN::RAM::AttachPolicyToRole
Properties:
PolicyName:
Fn::GetAtt:
- RamManagedPolicy
- PolicyName
PolicyType: Custom
RoleName:
Fn::GetAtt:
- RamRole
- RoleName
DependsOn:
- RamManagedPolicy
- RamRole
Outputs:
PolicyName:
Value:
Fn::GetAtt:
- RamManagedPolicy
- PolicyName
RoleArn:
Value:
Fn::GetAtt:
- RamRole
- Arn
RoleName:
Value:
Fn::GetAtt:
- RamRole
- RoleName
Metadata:
ALIYUN::ROS::Interface:
ParameterGroups:
- Parameters:
- RoleName
- AssumeRolePrincipalServices
- PolicyName
- SpecificAction
Label:
default: RAM
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"en": "Create a RAM role, attach a custom policy allowing specified services to assume the role, and define policy operations."
},
"Parameters": {
"RoleName": {
"Type": "String",
"Label": {
"en": "Role Name"
},
"Description": {
"en": "The name of the role. Change the name if it already exists. Consists of English letters, numbers, or '-', not more than 64 characters."
},
"ConstraintDescription": {
"en": "No more than 64 characters; English letters, numbers, or '-' are allowed."
},
"Default": "test-role",
"AllowedPattern": "^[a-zA-Z0-9\\-]+$",
"MinLength": 1,
"MaxLength": 64
},
"AssumeRolePrincipalServices": {
"Type": "Json",
"Label": {
"en": "Principal Services"
},
"Description": {
"en": "The services trusted to assume the role. More than one service can be specified."
},
"Default": [
"ecs.aliyuncs.com"
]
},
"PolicyName": {
"Type": "String",
"Label": {
"en": "Policy Name"
},
"Description": {
"en": "The policy name. Change the name if it already exists.<br>Consists of English letters, numbers, or '-', 5-128 characters."
},
"ConstraintDescription": {
"en": "Consists of English letters, numbers, or '-', 5-128 characters."
},
"Default": "test-policy-name",
"AllowedPattern": "^[a-zA-Z0-9\\-]+$",
"MinLength": 5,
"MaxLength": 128
},
"SpecificAction": {
"Type": "String",
"Label": {
"en": "Specific Action"
},
"Description": {
"en": "The specific actions of the policy, separated by commas; <a href='https://www.alibabacloud.com/help/document_detail/93738.html' target='_blank'><b><font color='blue'>View Policy elements - Action</font></b></a><br>For example:<br>[oss.*,ecs.*: <font color='green'>all actions of OSS and ECS</font>]<br>[oss.*: <font color='green'>all actions of OSS</font>]<br>[oss.GetObjectUrl: <font color='green'>the GetObjectUrl action of OSS</font>]"
},
"Default": "oss.*,ecs.*"
}
},
"Resources": {
"RamManagedPolicy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": {
"Fn::Split": [
",",
{
"Ref": "SpecificAction"
}
]
},
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Ref": "PolicyName"
}
}
},
"RamRole": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Ref": "AssumeRolePrincipalServices"
}
}
}
],
"Version": "1"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ros:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Fn::Join": [
"",
[
"Policy-",
{
"Ref": "ALIYUN::StackId"
}
]
]
}
}
],
"RoleName": {
"Ref": "RoleName"
}
}
},
"RamAttachPolicyToRole": {
"Type": "ALIYUN::RAM::AttachPolicyToRole",
"Properties": {
"PolicyName": {
"Fn::GetAtt": [
"RamManagedPolicy",
"PolicyName"
]
},
"PolicyType": "Custom",
"RoleName": {
"Fn::GetAtt": [
"RamRole",
"RoleName"
]
}
},
"DependsOn": [
"RamManagedPolicy",
"RamRole"
]
}
},
"Outputs": {
"PolicyName": {
"Value": {
"Fn::GetAtt": [
"RamManagedPolicy",
"PolicyName"
]
}
},
"RoleArn": {
"Value": {
"Fn::GetAtt": [
"RamRole",
"Arn"
]
}
},
"RoleName": {
"Value": {
"Fn::GetAtt": [
"RamRole",
"RoleName"
]
}
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"ParameterGroups": [
{
"Parameters": [
"RoleName",
"AssumeRolePrincipalServices",
"PolicyName",
"SpecificAction"
],
"Label": {
"default": "RAM"
}
}
]
}
}
}
Scenario 3: Create a RAM role for ActionTrail, deliver audit logs to a specified OSS bucket, and configure an SLS project.
ROSTemplateFormatVersion: '2015-09-01'
Description:
en: Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis.
Parameters:
RoleName:
Type: String
Label:
en: Role Name
Description:
en: Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account.
ConstraintDescription:
en: 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed.
Default: ActionTrailTestRole
MinLength: 1
MaxLength: 64
TrailName:
Type: String
Label:
en: Trail Name
Description:
en: Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account
Default: TestTrail
EventRW:
Type: String
Label:
en: Event RW
Description:
en: Read and write types of delivery events
Default: Write
AllowedValues:
- Write
- Read
- All
OssBucketName:
Type: String
Label:
en: Bucket Name
Description:
en: The OSS bucket to which the trail writes audit logs
AssociationProperty: ALIYUN::OSS::Bucket::BucketName
AssociationPropertyMetadata:
RegionId: ${RegionId}
OssKeyPrefix:
Type: String
Label:
en: Key Prefix
Description:
en: Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)
Default: ''
SlsProjectName:
Type: String
Label:
en: Project Name
Description:
en: The Log Service (SLS) project to which the trail delivers events
Resources:
Role:
Type: ALIYUN::RAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- actiontrail.aliyuncs.com
Version: '1'
Policies:
- PolicyDocument:
Statement:
- Action:
- oss:ListObjects
- oss:PutObject
- oss:GetBucketLocation
Effect: Allow
Resource:
- '*'
- Action:
- log:PostLogStoreLogs
- log:CreateLogstore
Effect: Allow
Resource:
- '*'
- Action:
- mns:PublishMessage
Effect: Allow
Resource:
- '*'
Version: '1'
PolicyName:
Fn::Sub: ActionTrailPolicy-${ALIYUN::StackId}
RoleName:
Ref: RoleName
Trail:
Type: ALIYUN::ACTIONTRAIL::Trail
Properties:
EventRW:
Ref: EventRW
Name:
Ref: TrailName
OssBucketName:
Ref: OssBucketName
OssKeyPrefix:
Ref: OssKeyPrefix
RoleName:
Fn::GetAtt:
- Role
- RoleName
SlsProjectArn:
Fn::Sub: acs:log:${ALIYUN::Region}::project/${SlsProjectName}
SlsWriteRoleArn:
Fn::Sub: acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}
DependsOn: Role
Metadata:
ALIYUN::ROS::Interface:
ParameterGroups:
- Parameters:
- RoleName
Label:
default: RAM
- Parameters:
- TrailName
- EventRW
Label:
default: Trail
- Parameters:
- OssBucketName
- OssKeyPrefix
Label:
default: OSS
- Parameters:
- SlsProjectName
Label:
default: SLS
{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"en": "Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis."
},
"Parameters": {
"RoleName": {
"Type": "String",
"Label": {
"en": "Role Name"
},
"Description": {
"en": "Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account."
},
"ConstraintDescription": {
"en": "1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed."
},
"Default": "ActionTrailTestRole",
"MinLength": 1,
"MaxLength": 64
},
"TrailName": {
"Type": "String",
"Label": {
"en": "Trail Name"
},
"Description": {
"en": "Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account"
},
"Default": "TestTrail"
},
"EventRW": {
"Type": "String",
"Label": {
"en": "Event RW"
},
"Description": {
"en": "Read and write types of delivery events"
},
"Default": "Write",
"AllowedValues": [
"Write",
"Read",
"All"
]
},
"OssBucketName": {
"Type": "String",
"Label": {
"en": "Bucket Name"
},
"Description": {
"en": "The OSS bucket to which the trail writes audit logs"
},
"AssociationProperty": "ALIYUN::OSS::Bucket::BucketName",
"AssociationPropertyMetadata": {
"RegionId": "${RegionId}"
}
},
"OssKeyPrefix": {
"Type": "String",
"Label": {
"en": "Key Prefix"
},
"Description": {
"en": "Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)"
},
"Default": ""
},
"SlsProjectName": {
"Type": "String",
"Label": {
"en": "Project Name"
},
"Description": {
"en": "The Log Service (SLS) project to which the trail delivers events"
}
}
},
"Resources": {
"Role": {
"Type": "ALIYUN::RAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"actiontrail.aliyuncs.com"
]
}
}
],
"Version": "1"
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:PutObject",
"oss:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"log:PostLogStoreLogs",
"log:CreateLogstore"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"mns:PublishMessage"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1"
},
"PolicyName": {
"Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
}
}
],
"RoleName": {
"Ref": "RoleName"
}
}
},
"Trail": {
"Type": "ALIYUN::ACTIONTRAIL::Trail",
"Properties": {
"EventRW": {
"Ref": "EventRW"
},
"Name": {
"Ref": "TrailName"
},
"OssBucketName": {
"Ref": "OssBucketName"
},
"OssKeyPrefix": {
"Ref": "OssKeyPrefix"
},
"RoleName": {
"Fn::GetAtt": [
"Role",
"RoleName"
]
},
"SlsProjectArn": {
"Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
},
"SlsWriteRoleArn": {
"Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
}
},
"DependsOn": "Role"
}
},
"Metadata": {
"ALIYUN::ROS::Interface": {
"ParameterGroups": [
{
"Parameters": [
"RoleName"
],
"Label": {
"default": "RAM"
}
},
{
"Parameters": [
"TrailName",
"EventRW"
],
"Label": {
"default": "Trail"
}
},
{
"Parameters": [
"OssBucketName",
"OssKeyPrefix"
],
"Label": {
"default": "OSS"
}
},
{
"Parameters": [
"SlsProjectName"
],
"Label": {
"default": "SLS"
}
}
]
}
}
}
For more examples, see public templates that include this resource.
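Scenarios 2 and 3 build role names, principals, policy names and ARNs with Ref, Fn::Split, Fn::Join, Fn::Sub and Fn::GetAtt, so the raw template does not show the trust policy and policies the role will actually receive. The following Python resolver is an added example, not part of ROS or of this documentation. It evaluates that subset of intrinsic functions offline and reports Allow statements that pair a wildcard action with Resource "*", which is the pattern both scenarios produce. It assumes values for the ALIYUN::StackId, ALIYUN::Region and ALIYUN::TenantId pseudo parameters, supports only the string form of Fn::Sub, and derives a role's Arn attribute from the acs:ram::<tenant>:role/<name> layout that Scenario 3 uses for SlsWriteRoleArn. The embedded template is a constructed, trimmed version of Scenario 2 with actions written in the service:Operation form RAM uses (as in sts:AssumeRole and oss:PutObject above).

```python
"""Resolve ROS intrinsic functions to show a RAM role's effective policies (added example)."""
import re

SUB_RE = re.compile(r"\$\{([^}]+)\}")  # ${Param} or ${Logical.Attr} inside Fn::Sub strings


class Resolver:
    def __init__(self, template, params, pseudo):
        self.resources = template.get("Resources", {})
        self.values = dict(pseudo)  # assumed values for the ALIYUN::* pseudo parameters
        for name, spec in template.get("Parameters", {}).items():
            if name in params:
                self.values[name] = params[name]
            elif "Default" in spec:
                self.values[name] = spec["Default"]
            else:
                raise KeyError(f"parameter {name} has no value and no Default")

    def ref(self, name):
        if name not in self.values:
            raise KeyError(f"unresolved Ref {name}")
        return self.values[name]

    def get_att(self, logical, attr):
        props = self.resolve(self.resources[logical]["Properties"])
        if attr in ("RoleName", "PolicyName"):
            return props[attr]
        if attr == "Arn":  # layout taken from Scenario 3's SlsWriteRoleArn; an assumption for GetAtt
            return f"acs:ram::{self.ref('ALIYUN::TenantId')}:role/{props['RoleName']}"
        raise KeyError(f"unsupported attribute {logical}.{attr}")

    def sub(self, text):
        def repl(match):
            key = match.group(1)
            if "." in key:  # ${Logical.Attr} is shorthand for Fn::GetAtt
                return str(self.get_att(*key.split(".", 1)))
            return str(self.ref(key))
        return SUB_RE.sub(repl, text)

    def resolve(self, node):
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:  # a single-key map may be an intrinsic function call
            (fn, arg), = node.items()
            if fn == "Ref":
                return self.ref(arg)
            if fn == "Fn::Split":
                sep, text = self.resolve(arg)
                return text.split(sep)
            if fn == "Fn::Join":
                sep, parts = self.resolve(arg)
                return sep.join(str(p) for p in parts)
            if fn == "Fn::Sub":
                return self.sub(self.resolve(arg))  # string form only
            if fn == "Fn::GetAtt":
                return self.get_att(*self.resolve(arg))
        return {k: self.resolve(v) for k, v in node.items()}


def effective_roles(template, params=None, pseudo=None):
    """Return {logical_id: {RoleName, trust, policies}} for every ALIYUN::RAM::Role, fully resolved."""
    r = Resolver(template, params or {}, pseudo or {})
    out = {}
    for logical, res in r.resources.items():
        if res.get("Type") != "ALIYUN::RAM::Role":
            continue
        props = r.resolve(res["Properties"])
        out[logical] = {"RoleName": props["RoleName"], "trust": props["AssumeRolePolicyDocument"],
                        "policies": [(p["PolicyName"], p["PolicyDocument"]) for p in props.get("Policies", [])]}
    return out


def broad_grants(doc):
    """Wildcard actions in Allow statements whose Resource is '*' (reviewer rule, not a ROS check)."""
    hits = []
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.extend(a for a in actions if a.endswith("*"))
    return hits


# Constructed sample: a trimmed Scenario 2 with RAM-style service:Operation action names.
TEMPLATE = {
    "Parameters": {"RoleName": {"Type": "String", "Default": "test-role"},
                   "AssumeRolePrincipalServices": {"Type": "Json", "Default": ["ecs.aliyuncs.com"]},
                   "SpecificAction": {"Type": "String", "Default": "oss:*,ecs:DescribeInstances"}},
    "Resources": {"RamRole": {"Type": "ALIYUN::RAM::Role", "Properties": {
        "RoleName": {"Ref": "RoleName"},
        "AssumeRolePolicyDocument": {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                     "Principal": {"Service": {"Ref": "AssumeRolePrincipalServices"}}}]},
        "Policies": [{"PolicyName": {"Fn::Join": ["", ["Policy-", {"Ref": "ALIYUN::StackId"}]]},
                      "PolicyDocument": {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": ["*"],
                                         "Action": {"Fn::Split": [",", {"Ref": "SpecificAction"}]}}]}}]}}},
}
# Assumed pseudo-parameter values for the offline run.
PSEUDO = {"ALIYUN::StackId": "stack-0001", "ALIYUN::Region": "cn-hangzhou", "ALIYUN::TenantId": "123456789012"}

if __name__ == "__main__":
    for logical, role in effective_roles(TEMPLATE, pseudo=PSEUDO).items():
        print(logical, role["RoleName"], "trusts", role["trust"]["Statement"][0]["Principal"])
        for name, doc in role["policies"]:
            print("  policy", name, "wildcard grants on '*':", broad_grants(doc))
```

Feed it the template, the parameter values you intend to pass to CreateStack, and placeholder pseudo-parameter values; review the rendered trust policy and the wildcard grants before deploying, since with Scenario 2's default SpecificAction the role would receive every OSS and ECS action on every resource.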