This topic describes how to create a Resource Access Management (RAM) user and grant permissions to the RAM user when you create a stack in the Resource Orchestration Service (ROS) console.
Background information
The procedure for creating a RAM user and granting permissions to the RAM user in the RAM console is complex. However, the ROS console provides a simplified procedure to perform this operation. For more information about RAM users, see Overview of RAM users.
Step 1: Edit a template
The following sample code shows how to create a RAM user, a custom policy, and an AccessKey pair, and how to grant permissions to the RAM user.
For more information about resource types, see List of resource types by service.
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  UserName:
    Type: String
    Description: RAM User Name
    Label:
      en: RAM User Name
  PolicyName:
    Type: String
    Description: RAM Policy Name
    Label:
      en: RAM Policy Name
  Action:
    Default:
      - vpc:*
    Type: Json
    Description:
      en: The operation of products and services defined by the strategy, Resources for operations, refer to <a href='https://www.alibabacloud.com/help/doc-detail/93738.htm'>Policy elements</a> for more info.
    Label:
      en: PolicyAction
  Effect:
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
    Type: String
    Description:
      en: Allow/Deny Action for Resource
    Label:
      en: Authority
  Resource:
    Default:
      - '*'
    Type: Json
    Description:
      en: Resources for operations, refer to <a href='https://www.alibabacloud.com/help/doc-detail/93738.htm'>Policy elements</a> for more info.
    Label:
      en: Resource
Resources:
  ManagedPolicy:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyName:
        Ref: PolicyName
      PolicyDocument:
        Version: '1'
        Statement:
          - Action:
              Ref: Action
            Resource:
              Ref: Resource
            Effect:
              Ref: Effect
  RamAK:
    Type: ALIYUN::RAM::AccessKey
    Properties:
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
    DependsOn: RamUser
  RamUser:
    Type: ALIYUN::RAM::User
    Properties:
      UserName:
        Ref: UserName
  AttachPolicyToUser:
    DependsOn:
      - ManagedPolicy
      - RamUser
    Type: ALIYUN::RAM::AttachPolicyToUser
    Properties:
      PolicyType: Custom
      UserName:
        Fn::GetAtt:
          - RamUser
          - UserName
      PolicyName:
        Fn::GetAtt:
          - ManagedPolicy
          - PolicyName
Outputs:
  AKSecret:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeySecret
  AKId:
    Value:
      Fn::GetAtt:
        - RamAK
        - AccessKeyId
  UserId:
    Value:
      Fn::GetAtt:
        - RamUser
        - UserId
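
As an added example (not part of the original page or of Alibaba Cloud's own tooling), the following Python check reads a template shaped like the one above and reports two things worth reviewing before the stack is created: Allow statements whose default Action or Resource contains a wildcard, and outputs that return the AccessKey secret. The JSON sample is a constructed, reduced copy of the template; `review_template` and `resolve` are hypothetical names, and only parameter defaults are evaluated.

```python
import json

# Constructed sample: the page's template reduced to the parts this check reads, as JSON.
TEMPLATE_JSON = """{
 "Parameters": {
  "Action":   {"Type": "Json", "Default": ["vpc:*"]},
  "Effect":   {"Type": "String", "Default": "Allow"},
  "Resource": {"Type": "Json", "Default": ["*"]}},
 "Resources": {
  "ManagedPolicy": {"Type": "ALIYUN::RAM::ManagedPolicy", "Properties": {
   "PolicyDocument": {"Version": "1", "Statement": [{
     "Action": {"Ref": "Action"}, "Resource": {"Ref": "Resource"},
     "Effect": {"Ref": "Effect"}}]}}},
  "RamAK": {"Type": "ALIYUN::RAM::AccessKey"}},
 "Outputs": {
  "AKSecret": {"Value": {"Fn::GetAtt": ["RamAK", "AccessKeySecret"]}},
  "AKId": {"Value": {"Fn::GetAtt": ["RamAK", "AccessKeyId"]}}}
}"""

def resolve(value, params):
    """Replace {"Ref": name} with that parameter's Default (None if absent)."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value

def review_template(template):
    """Flag Allow statements with wildcard defaults and outputs exposing the secret."""
    findings, params = [], template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::RAM::ManagedPolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in doc.get("Statement", []):
            if resolve(stmt.get("Effect"), params) != "Allow":
                continue  # a Deny statement with wildcards restricts, not grants
            for key in ("Action", "Resource"):
                val = resolve(stmt.get(key), params)
                for item in val if isinstance(val, list) else [val]:
                    if isinstance(item, str) and "*" in item:
                        findings.append(f"{name}: default {key} {item!r} is a wildcard")
    for name, out in template.get("Outputs", {}).items():
        value = out.get("Value")
        attr = value.get("Fn::GetAtt", []) if isinstance(value, dict) else []
        if len(attr) == 2 and attr[1] == "AccessKeySecret":
            findings.append(f"Outputs.{name}: exposes {attr[0]}.AccessKeySecret")
    return findings

if __name__ == "__main__":
    print("\n".join(review_template(json.loads(TEMPLATE_JSON))))
```

Values entered when the stack is created override these defaults, so the parameters actually submitted need the same review.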