
Resource Orchestration Service: ALIYUN::RAM::Role

Last Updated: Feb 07, 2026

The ALIYUN::RAM::Role resource is used to create a RAM role.

Syntax

{
  "Type": "ALIYUN::RAM::Role",
  "Properties": {
    "RoleName": String,
    "Description": String,
    "AssumeRolePolicyDocument": Map,
    "MaxSessionDuration": Integer,
    "Policies": List,
    "IgnoreExisting": Boolean,
    "DeletionForce": Boolean,
    "PolicyAttachments": Map
  }
}

Properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| AssumeRolePolicyDocument | Map | Yes | Yes | The identities that can assume this RAM role. | Trust policy. Specify one or more trusted entities that can assume this RAM role. A trusted entity can be an Alibaba Cloud account, an Alibaba Cloud service, or an identity provider. |
| RoleName | String | Yes | No | The name of the RAM role. | Length: 1 to 64 characters. Can contain English letters, digits, periods (.), and hyphens (-). |
| Description | String | No | No | The description of the RAM role. | Maximum length: 1024 characters. |
| MaxSessionDuration | Integer | No | Yes | The maximum session duration for the RAM role. | Valid values: 3600 seconds to 43200 seconds. Default value: 3600 seconds. |
| Policies | List | No | Yes | The policies that apply to the RAM role. | For more information, see Access Policy Overview. |
| IgnoreExisting | Boolean | No | No | Whether to ignore an existing role. | Valid values: false (ROS performs a uniqueness check; if a role with the same name already exists, ROS reports an error during creation) or true (ROS does not perform a uniqueness check; if a role with the same name already exists, ROS skips creating the role). Note: If ROS did not create the role, the role is ignored during updates and deletions. |
| DeletionForce | Boolean | No | Yes | Whether to forcibly detach the policies attached to the role. | Default value: false. |
| PolicyAttachments | Map | No | Yes | The names of the system and custom policies to attach. | For more information, see PolicyAttachments properties. |

AssumeRolePolicyDocument syntax

"AssumeRolePolicyDocument": {
  "Version": String,
  "Statement": List
}

AssumeRolePolicyDocument properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Version | String | Yes | No | The policy version. | None |
| Statement | List | Yes | No | The specific rules of the policy. | For more information, see Statement properties. |

Statement syntax

"Statement": [
  {
    "Condition": Map,
    "Action": String,
    "Effect": String,
    "Principal": Map
  }
]

Statement properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Condition | Map | No | No | The condition. | None |
| Action | String | No | No | The specific action that the policy targets. | None |
| Effect | String | No | No | The permission effect. | Valid values: Allow (allows the action) or Deny (denies the action). |
| Principal | Map | No | No | The type of trusted entity. | For more information, see Principal properties. |

Principal syntax

"Principal": {
  "Service": List,
  "Federated": List,
  "RAM": List
}

Principal properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Service | List | No | No | Alibaba Cloud services. | None |
| Federated | List | No | No | Identity providers. | None |
| RAM | List | No | No | Alibaba Cloud accounts. | None |

Policies syntax

"Policies": [
  {
    "Description": String,
    "PolicyName": String,
    "PolicyDocument": Map
  }
]

Policies properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Description | String | No | No | The description. | Length: 1 to 1024 characters. |
| PolicyName | String | Yes | No | The name of the access policy. | Length: 1 to 128 characters. Can contain English letters, digits, and hyphens (-). |
| PolicyDocument | Map | Yes | Yes | The policy document. | Maximum length: 2048 characters. For more information, see PolicyDocument properties. |

PolicyAttachments syntax

"PolicyAttachments": {
  "System": List,
  "Custom": List
}

PolicyAttachments properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Custom | List | No | Yes | The list of custom policy names. | The number of policies must be less than or equal to 5. |
| System | List | No | Yes | The list of system policy names. | The number of policies must be less than or equal to 20. |

PolicyDocument syntax

"PolicyDocument": {
  "Version": String,
  "Statement": List
}

PolicyDocument properties

| Property Name | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Version | String | Yes | No | The version of the access policy. | None |
| Statement | List | Yes | No | The specific rules of the access policy. | None |

Return values

Fn::GetAtt

  • RoleId: The ID of the role.

  • RoleName: The name of the role.

  • Arn: The resource descriptor of the role.

Examples

Scenario 1: Create a RAM role.

ROSTemplateFormatVersion: '2015-09-01'
Description: Test RAM Role
Parameters: {}
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName: TestRole
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
        Version: '1'
Outputs:
  RoleId:
    Description: Id of ram role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleId
  Arn:
    Description: Name of alicloud resource.
    Value:
      Fn::GetAtt:
        - Role
        - Arn
  RoleName:
    Description: Name of ram role.
    Value:
      Fn::GetAtt:
        - Role
        - RoleName

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Test RAM Role",
  "Parameters": {
  },
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": "TestRole",
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }
      }
    }
  },
  "Outputs": {
    "RoleId": {
      "Description": "Id of ram role.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "RoleId"
        ]
      }
    },
    "Arn": {
      "Description": "Name of alicloud resource.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "Arn"
        ]
      }
    },
    "RoleName": {
      "Description": "Name of ram role.",
      "Value": {
        "Fn::GetAtt": [
          "Role",
          "RoleName"
        ]
      }
    }
  }
}

Scenario 2: Create a RAM role, attach a custom policy, allow specified services to assume the role, and define the policy actions.

ROSTemplateFormatVersion: '2015-09-01'
Description:
  en: Buat Peran RAM, sambungkan kebijakan kustom yang mengizinkan layanan tertentu untuk mengasumsikan peran, dan definisikan operasi kebijakan.
Parameters:
  RoleName:
    Type: String
    Label:
      en: Nama Peran
    Description:
      en: Nama peran; ubah nama jika sudah ada,<br/>Terdiri dari huruf Inggris, angka, atau tanda hubung ('-'), maksimal 64 karakter.
    ConstraintDescription:
      en: Maksimal 64 karakter; huruf Inggris, angka, atau tanda hubung ('-') diperbolehkan.
    Default: test-role
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 1
    MaxLength: 64
  AssumeRolePrincipalServices:
    Type: Json
    Label:
      en: Layanan Prinsipal
    Description:
      en: Layanan tepercaya peran yang dapat ditambahkan lebih dari sekali.
    Default:
      - ecs.aliyuncs.com
  PolicyName:
    Type: String
    Label:
      en: Nama Kebijakan
    Description:
      en: Nama kebijakan; ubah nama jika sudah ada,<br>Terdiri dari huruf Inggris, angka, atau tanda hubung ('-'), 5-128 karakter.
    ConstraintDescription:
      en: Terdiri dari huruf Inggris, angka, atau tanda hubung ('-'), 5-128 karakter.
    Default: test-policy-name
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 5
    MaxLength: 128
  SpecificAction:
    Type: String
    Label:
      en: Aksi Spesifik
    Description:
      en: 'Aksi spesifik kebijakan, dipisahkan dengan koma bahasa Inggris; <a href=''https://www.alibabacloud.com/help/document_detail/93738.html'' target=''_blank''><b><font color=''blue''>Lihat elemen Kebijakan - Aksi</font></font></a><br>Contoh: <br>[oss.*,ecs.*: <font color=''green''>semua aksi oss dan ecs</font>]<br>[oss.*: <font color=''green''>semua aksi oss</font>]<br>[oss.GetObjectUrl: <font color=''green''>aksi adalah GetObjectUrl dari oss</font>]<br>.'
    Default: oss.*,ecs.*
Resources:
  RamManagedPolicy:
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              Fn::Split:
                - ','
                - Ref: SpecificAction
            Effect: Allow
            Resource:
              - '*'
        Version: '1'
      PolicyName:
        Ref: PolicyName
  RamRole:
    Type: ALIYUN::RAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Ref: AssumeRolePrincipalServices
        Version: '1'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ros:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
          PolicyName:
            Fn::Join:
              - ''
              - - Policy-
                - Ref: ALIYUN::StackId
      RoleName:
        Ref: RoleName
  RamAttachPolicyToRole:
    Type: ALIYUN::RAM::AttachPolicyToRole
    Properties:
      PolicyName:
        Fn::GetAtt:
          - RamManagedPolicy
          - PolicyName
      PolicyType: Custom
      RoleName:
        Fn::GetAtt:
          - RamRole
          - RoleName
    DependsOn:
      - RamManagedPolicy
      - RamRole
Outputs:
  PolicyName:
    Value:
      Fn::GetAtt:
        - RamManagedPolicy
        - PolicyName
  RoleArn:
    Value:
      Fn::GetAtt:
        - RamRole
        - Arn
  RoleName:
    Value:
      Fn::GetAtt:
        - RamRole
        - RoleName
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - RoleName
          - AssumeRolePrincipalServices
          - PolicyName
          - SpecificAction
        Label:
          default: RAM

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": {
    "en": "Buat Peran RAM, menyambungkan kebijakan kustom yang memperbolehkan layanan tertentu mengasumsikan peran tersebut, dan definisikan operasi kebijakan."
  },
  "Parameters": {
    "RoleName": {
      "Type": "String",
      "Label": {
        "en": "Nama Peran"
      },
      "Description": {
        "en": "Nama peran, Ubah nama jika sudah ada,<br/>Terdiri dari huruf Inggris, angka, atau '-', maksimal 64 karakter."
      },
      "ConstraintDescription": {
        "en": "Maksimal 64 karakter, huruf Inggris, angka, atau '-' diperbolehkan."
      },
      "Default": "test-role",
      "AllowedPattern": "^[a-zA-Z0-9\\-]+$",
      "MinLength": 1,
      "MaxLength": 64
    },
    "AssumeRolePrincipalServices": {
      "Type": "Json",
      "Label": {
        "en": "Layanan Prinsipal"
      },
      "Description": {
        "en": "Layanan tepercaya peran yang ditentukan, dapat ditambahkan lebih dari sekali."
      },
      "Default": [
        "ecs.aliyuncs.com"
      ]
    },
    "PolicyName": {
      "Type": "String",
      "Label": {
        "en": "Nama Kebijakan"
      },
      "Description": {
        "en": "Nama kebijakan, Ubah nama jika sudah ada,<br>Terdiri dari huruf Inggris, angka, atau '-', 5-128 karakter."
      },
      "ConstraintDescription": {
        "en": "Terdiri dari huruf Inggris, angka, atau '-', 5-128 karakter."
      },
      "Default": "test-policy-name",
      "AllowedPattern": "^[a-zA-Z0-9\\-]+$",
      "MinLength": 5,
      "MaxLength": 128
    },
    "SpecificAction": {
      "Type": "String",
      "Label": {
        "en": "Aksi Spesifik"
      },
      "Description": {
        "en": "Aksi spesifik kebijakan, dipisahkan dengan koma bahasa Inggris; <a href='https://www.alibabacloud.com/help/document_detail/93738.html' target='_blank'><b><font color='blue'>Lihat Elemen Kebijakan - Aksi</font></font></a><br>Contoh: <br>[oss.*,ecs.*: <font color='green'>semua aksi oss dan ecs</font>]<br>[oss.*: <font color='green'>semua aksi oss</font>]<br>[oss.GetObjectUrl: <font color='green'>aksi adalah GetObjectUrl dari oss</font>]<br>."
      },
      "Default": "oss.*,ecs.*"
    }
  },
  "Resources": {
    "RamManagedPolicy": {
      "Type": "ALIYUN::RAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": {
                "Fn::Split": [
                  ",",
                  {
                    "Ref": "SpecificAction"
                  }
                ]
              },
              "Effect": "Allow",
              "Resource": [
                "*"
              ]
            }
          ],
          "Version": "1"
        },
        "PolicyName": {
          "Ref": "PolicyName"
        }
      }
    },
    "RamRole": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Ref": "AssumeRolePrincipalServices"
                }
              }
            }
          ],
          "Version": "1"
        },
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "ros:*"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "1"
            },
            "PolicyName": {
              "Fn::Join": [
                "",
                [
                  "Policy-",
                  {
                    "Ref": "ALIYUN::StackId"
                  }
                ]
              ]
            }
          }
        ],
        "RoleName": {
          "Ref": "RoleName"
        }
      }
    },
    "RamAttachPolicyToRole": {
      "Type": "ALIYUN::RAM::AttachPolicyToRole",
      "Properties": {
        "PolicyName": {
          "Fn::GetAtt": [
            "RamManagedPolicy",
            "PolicyName"
          ]
        },
        "PolicyType": "Custom",
        "RoleName": {
          "Fn::GetAtt": [
            "RamRole",
            "RoleName"
          ]
        }
      },
      "DependsOn": [
        "RamManagedPolicy",
        "RamRole"
      ]
    }
  },
  "Outputs": {
    "PolicyName": {
      "Value": {
        "Fn::GetAtt": [
          "RamManagedPolicy",
          "PolicyName"
        ]
      }
    },
    "RoleArn": {
      "Value": {
        "Fn::GetAtt": [
          "RamRole",
          "Arn"
        ]
      }
    },
    "RoleName": {
      "Value": {
        "Fn::GetAtt": [
          "RamRole",
          "RoleName"
        ]
      }
    }
  },
  "Metadata": {
    "ALIYUN::ROS::Interface": {
      "ParameterGroups": [
        {
          "Parameters": [
            "RoleName",
            "AssumeRolePrincipalServices",
            "PolicyName",
            "SpecificAction"
          ],
          "Label": {
            "default": "RAM"
          }
        }
      ]
    }
  }
}

Scenario 3: Create a RAM role to manage ActionTrail, store audit logs in a specified OSS bucket, and configure an SLS project.

ROSTemplateFormatVersion: '2015-09-01'
Description:
  en: Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis.
Parameters:
  RoleName:
    Type: String
    Label:
      en: Role Name
    Description:
      en: Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account.
    ConstraintDescription:
      en: 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed.
    Default: ActionTrailTestRole
    MinLength: 1
    MaxLength: 64
  TrailName:
    Type: String
    Label:
      en: Trail Name
    Description:
      en: Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account
    Default: TestTrail
  EventRW:
    Type: String
    Label:
      en: Event RW
    Description:
      en: Read and write types of delivery events
    Default: Write
    AllowedValues:
      - Write
      - Read
      - All
  OssBucketName:
    Type: String
    Label:
      en: Bucket Name
    Description:
      en: Tracking OSS storage space written
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      RegionId: ${RegionId}
  OssKeyPrefix:
    Type: String
    Label:
      en: Key Prefix
    Description:
      en: Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)
    Default: ''
  SlsProjectName:
    Type: String
    Label:
      en: Project Name
    Description:
      en: Log service items to track delivery targets
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
        Version: '1'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - oss:ListObjects
                  - oss:PutObject
                  - oss:GetBucketLocation
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - log:PostLogStoreLogs
                  - log:CreateLogstore
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - mns:PublishMessage
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
          PolicyName:
            Fn::Sub: ActionTrailPolicy-${ALIYUN::StackId}
      RoleName:
        Ref: RoleName
  Trail:
    Type: ALIYUN::ACTIONTRAIL::Trail
    Properties:
      EventRW:
        Ref: EventRW
      Name:
        Ref: TrailName
      OssBucketName:
        Ref: OssBucketName
      OssKeyPrefix:
        Ref: OssKeyPrefix
      RoleName:
        Fn::GetAtt:
          - Role
          - RoleName
      SlsProjectArn:
        Fn::Sub: acs:log:${ALIYUN::Region}::project/${SlsProjectName}
      SlsWriteRoleArn:
        Fn::Sub: acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}
    DependsOn: Role
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - RoleName
        Label:
          default: RAM
      - Parameters:
          - TrailName
          - EventRW
        Label:
          default: Trail
      - Parameters:
          - OssBucketName
          - OssKeyPrefix
        Label:
          default: OSS
      - Parameters:
          - SlsProjectName
        Label:
          default: SLS

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": {
    "en": "Create RAM roles to manage operation auditing, with audit logs stored in a designated OSS bucket, and configure an SLS project for further log processing and analysis."
  },
  "Parameters": {
    "RoleName": {
      "Type": "String",
      "Label": {
        "en": "Role Name"
      },
      "Description": {
        "en": "Ram role name, 1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed, unique in the account."
      },
      "ConstraintDescription": {
        "en": "1 to 64 characters in length, beginning with English letters or numbers, hyphens allowed."
      },
      "Default": "ActionTrailTestRole",
      "MinLength": 1,
      "MaxLength": 64
    },
    "TrailName": {
      "Type": "String",
      "Label": {
        "en": "Trail Name"
      },
      "Description": {
        "en": "Trail Name, 6 to 36 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), and underscores (_), unique in the account"
      },
      "Default": "TestTrail"
    },
    "EventRW": {
      "Type": "String",
      "Label": {
        "en": "Event RW"
      },
      "Description": {
        "en": "Read and write types of delivery events"
      },
      "Default": "Write",
      "AllowedValues": [
        "Write",
        "Read",
        "All"
      ]
    },
    "OssBucketName": {
      "Type": "String",
      "Label": {
        "en": "Bucket Name"
      },
      "Description": {
        "en": "Tracking OSS storage space written"
      },
      "AssociationProperty": "ALIYUN::OSS::Bucket::BucketName",
      "AssociationPropertyMetadata": {
        "RegionId": "${RegionId}"
      }
    },
    "OssKeyPrefix": {
      "Type": "String",
      "Label": {
        "en": "Key Prefix"
      },
      "Description": {
        "en": "Track the prefix of the OSS storage space file name written, can be empty. 6 to 32 characters in length, must start with a letter, and can contain letters, numbers, dashes (-), slashes (/), and underscores (_)"
      },
      "Default": ""
    },
    "SlsProjectName": {
      "Type": "String",
      "Label": {
        "en": "Project Name"
      },
      "Description": {
        "en": "Log service items to track delivery targets"
      }
    }
  },
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        },
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "oss:ListObjects",
                    "oss:PutObject",
                    "oss:GetBucketLocation"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                },
                {
                  "Action": [
                    "log:PostLogStoreLogs",
                    "log:CreateLogstore"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                },
                {
                  "Action": [
                    "mns:PublishMessage"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    "*"
                  ]
                }
              ],
              "Version": "1"
            },
            "PolicyName": {
              "Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
            }
          }
        ],
        "RoleName": {
          "Ref": "RoleName"
        }
      }
    },
    "Trail": {
      "Type": "ALIYUN::ACTIONTRAIL::Trail",
      "Properties": {
        "EventRW": {
          "Ref": "EventRW"
        },
        "Name": {
          "Ref": "TrailName"
        },
        "OssBucketName": {
          "Ref": "OssBucketName"
        },
        "OssKeyPrefix": {
          "Ref": "OssKeyPrefix"
        },
        "RoleName": {
          "Fn::GetAtt": [
            "Role",
            "RoleName"
          ]
        },
        "SlsProjectArn": {
          "Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
        },
        "SlsWriteRoleArn": {
          "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
        }
      },
      "DependsOn": "Role"
    }
  },
  "Metadata": {
    "ALIYUN::ROS::Interface": {
      "ParameterGroups": [
        {
          "Parameters": [
            "RoleName"
          ],
          "Label": {
            "default": "RAM"
          }
        },
        {
          "Parameters": [
            "TrailName",
            "EventRW"
          ],
          "Label": {
            "default": "Trail"
          }
        },
        {
          "Parameters": [
            "OssBucketName",
            "OssKeyPrefix"
          ],
          "Label": {
            "default": "OSS"
          }
        },
        {
          "Parameters": [
            "SlsProjectName"
          ],
          "Label": {
            "default": "SLS"
          }
        }
      ]
    }
  }
}
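A pre-deployment check for ALIYUN::RAM::Role resources, added here as an example and not part of the Alibaba Cloud documentation. It enforces the limits from the property tables on this page, lists who the trust policy lets assume the role, and flags the patterns seen in the scenarios (principals supplied by a parameter, wildcard actions on Resource '*', IgnoreExisting). The function names, the severity levels and the sample template are assumptions made for this example.

```python
import json
import re

# Limits copied from the property tables on this page.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,64}$")
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9\-]{1,128}$")
PRINCIPAL_KEYS = {"Service", "Federated", "RAM"}
MAX_ATTACH = {"Custom": 5, "System": 20}


def as_list(value):
    """Action, Resource and principal entries may be a string or a list."""
    return value if isinstance(value, list) else [value]


def lint_role(name, props):
    """Return (level, message) findings; intrinsic-function values are not resolved."""
    out = []
    role_name = props.get("RoleName")
    if role_name is None:
        out.append(("ERROR", f"{name}: RoleName is required"))
    elif isinstance(role_name, str) and not ROLE_NAME_RE.match(role_name):
        out.append(("ERROR", f"{name}: RoleName breaks the 1-64 [A-Za-z0-9.-] rule"))

    duration = props.get("MaxSessionDuration", 3600)
    if isinstance(duration, int) and not 3600 <= duration <= 43200:
        out.append(("ERROR", f"{name}: MaxSessionDuration {duration} outside 3600-43200"))

    trust = props.get("AssumeRolePolicyDocument") or {}
    if not trust:
        out.append(("ERROR", f"{name}: AssumeRolePolicyDocument is required"))
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        for key in sorted(set(principal) - PRINCIPAL_KEYS):
            out.append(("ERROR", f"{name}: unknown Principal key {key!r}"))
        for kind in sorted(set(principal) & PRINCIPAL_KEYS):
            if isinstance(principal[kind], dict):  # e.g. {"Ref": "SomeParameter"}
                out.append(("WARN", f"{name}: {kind} principals come from a parameter"))
            else:
                for entity in as_list(principal[kind]):
                    out.append(("INFO", f"{name}: trusts {kind} {entity}"))

    for policy in props.get("Policies", []):
        pname = policy.get("PolicyName")
        if isinstance(pname, str) and not POLICY_NAME_RE.match(pname):
            out.append(("ERROR", f"{name}: PolicyName {pname!r} breaks the naming rule"))
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            wide = [a for a in as_list(stmt.get("Action", [])) if isinstance(a, str) and a.endswith("*")]
            if stmt.get("Effect") == "Allow" and wide and "*" in as_list(stmt.get("Resource", [])):
                out.append(("WARN", f"{name}: Allow {','.join(wide)} on Resource '*'"))

    for kind, limit in MAX_ATTACH.items():
        attached = props.get("PolicyAttachments", {}).get(kind, [])
        if isinstance(attached, list) and len(attached) > limit:
            out.append(("ERROR", f"{name}: {len(attached)} {kind} attachments, limit {limit}"))
    if props.get("IgnoreExisting") is True:
        out.append(("WARN", f"{name}: IgnoreExisting=true, creation is skipped if the role exists"))
    return out


def lint_template(text):
    """Lint every ALIYUN::RAM::Role resource in a JSON ROS template."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        if res.get("Type") == "ALIYUN::RAM::Role":
            findings += lint_role(name, res.get("Properties", {}))
    return findings


# Constructed sample: a role like Scenario 2's, with deliberate mistakes added.
SAMPLE = json.dumps({"Resources": {"RamRole": {"Type": "ALIYUN::RAM::Role", "Properties": {
    "RoleName": "test_role", "MaxSessionDuration": 86400, "IgnoreExisting": True,
    "AssumeRolePolicyDocument": {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Service": ["ecs.aliyuncs.com"], "Account": ["placeholder"]}}]},
    "Policies": [{"PolicyName": "Policy-demo", "PolicyDocument": {"Version": "1", "Statement": [
        {"Action": ["ros:*"], "Effect": "Allow", "Resource": ["*"]}]}}]}}}})

if __name__ == "__main__":
    print(*(f"{level}: {message}" for level, message in lint_template(SAMPLE)), sep="\n")
```

The INFO lines are the review list: every entity named there can obtain the role's permissions through sts:AssumeRole, so each should be one you expect.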

For more examples, see the public templates that include this resource.