forked from aliyun/ros-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathuse-sts-to-access-OSS.yml
371 lines (366 loc) · 11.6 KB
/
use-sts-to-access-OSS.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 使用STS临时访问凭证访问OSS。
en: Use STS Temporary access credentials to access OSS.
Conditions:
CreateInstance:
Fn::Equals:
- Ref: SelectInstance
- false
Parameters:
UserName:
Type: String
Description:
zh-cn: 自定义RAM用户名称。
en: Customize the RAM user name.
Label:
zh-cn: RAM用户名称
en: RAM User Name
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: RamOssTest-
CharacterClasses:
- Class: lowercase
min: 1
RoleName:
Type: String
Description:
zh-cn: 自定义RAM角色名称。
en: Customize the RAM role name.
Label:
zh-cn: RAM角色名称
en: RAM Rol Name
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: RamOssTest-
CharacterClasses:
- Class: lowercase
min: 1
SelectInstance:
Type: Boolean
Label:
en: Whether to select an existing Bucket
zh-cn: 是否选择已有Bucket
Default: true
ExistBucketName:
Type: String
Label:
en: Existing Bucket
zh-cn: 已有Bucket
AssociationProperty: ALIYUN::OSS::Bucket::BucketName
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- true
Default: ''
BucketName:
Type: String
Label:
zh-cn: 新建存储空间名称
en: NewBucketName
Description:
zh-cn: Bucket 名称在 OSS 范围内必须全局唯一。长度为3~63个字符。必须以小写英文字母或数字开头和结尾,可包含小写英文字母、数字和短划线(-)。
en: Bucket names must be globally unique within the scope of OSS. The length is 3~63 characters. Must start and end with a lowercase English letter or number, and can contain lowercase English letters, numbers, and dashes (-).
AssociationProperty: AutoCompleteInput
AssociationPropertyMetadata:
Length: 6
Prefix: my-bucketname-
CharacterClasses:
- Class: lowercase
min: 1
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- false
AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
Default: null
AccessControl:
Type: String
Label:
en: Access Control
zh-cn: 读写权限
Description:
en: Set the access permission of the bucket
zh-cn: 设置Bucket读写权限
Default: private
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SelectInstance}
- false
AllowedValues:
- private
- public-read
- public-read-write
Resources:
RamUser:
Type: ALIYUN::RAM::User
Properties:
UserName:
Ref: UserName
RamAK:
Type: ALIYUN::RAM::AccessKey
Properties:
UserName:
Fn::GetAtt:
- RamUser
- UserName
DependsOn: RamUser
AttachPolicyToUser:
Type: ALIYUN::RAM::AttachPolicyToUser
Properties:
PolicyType: System
UserName:
Fn::GetAtt:
- RamUser
- UserName
PolicyName: AliyunSTSAssumeRoleAccess
DependsOn: RamAK
MyBucket:
Condition: CreateInstance
Type: ALIYUN::OSS::Bucket
Properties:
AccessControl:
Ref: AccessControl
BucketName:
Ref: BucketName
Role:
Type: ALIYUN::RAM::Role
Properties:
RoleName:
Ref: RoleName
AssumeRolePolicyDocument:
Version: '1'
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
RAM:
- Fn::Sub: acs:ram::${ALIYUN::TenantId}:root
Service:
- fc.aliyuncs.com
- ram.aliyuncs.com
Policies:
- PolicyName:
Fn::Join:
- ''
- - Policy-
- Ref: ALIYUN::StackId
PolicyDocument:
Version: '1'
Statement:
- Effect: Allow
Action:
- oss:*
Resource:
- 'Fn::Sub':
- 'acs:oss:*:*:${BucketName}/*'
- BucketName:
Fn::If:
- CreateInstance
- Ref: BucketName
- Ref: ExistBucketName
FCRamRole:
Type: ALIYUN::RAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- fc.aliyuncs.com
- ram.aliyuncs.com
Version: '1'
Policies:
- PolicyDocument:
Statement:
- Action:
- log:*
Effect: Allow
Resource:
- acs:log:*:*:*
- Action:
- fc:*
Effect: Allow
Resource:
- '*'
- Action:
- ram:*
Effect: Allow
Resource:
- '*'
Version: '1'
PolicyName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
RoleName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
FcService:
Type: ALIYUN::FC::Service
Properties:
ServiceName:
Fn::Join:
- '-'
- - StackId
- Ref: ALIYUN::StackId
- FC-Service
Role:
Fn::GetAtt:
- FCRamRole
- Arn
Function:
Type: ALIYUN::FC::Function
Properties:
ServiceName:
Fn::GetAtt:
- FcService
- ServiceName
FunctionName:
Fn::Join:
- '-'
- - AssumeRoleFunction
- Ref: ALIYUN::StackId
Handler: index.handler
Runtime: python3.9
Code:
SourceCode: |
#!/usr/bin/env python
# coding=utf-8
import json, time, urllib.request
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkcore.auth.credentials import AccessKeyCredential
from aliyunsdkcore.auth.credentials import StsTokenCredential
from aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest
def handler(event, context):
event = json.loads(event)
creds = context.credentials
r_ps = event['ResourceProperties']
credentials = StsTokenCredential(r_ps['AKId'], r_ps['AKSecret'], creds.security_token)
client = AcsClient(region_id=context.region, credential=credentials)
if event['RequestType'] != 'Delete':
request = AssumeRoleRequest()
request.set_accept_format('json')
request.set_DurationSeconds(3600)
request.set_Policy(r_ps['RolePolicy'])
request.set_RoleArn(r_ps['RoleArn'])
request.set_RoleSessionName("RoleSessionName")
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
response = json.loads(response)
result = {
'RequestId': event['RequestId'],
'LogicalResourceId': event['LogicalResourceId'],
'StackId': event['StackId'],
'Status': 'SUCCESS',
'PhysicalResourceId': 'MyCustomResourceId',
'Data': {}
}
if event['RequestType'] != 'Delete':
result['Data'] = response.get('Credentials')
headers = {'Content-type': 'application/json', 'Accept': 'application/json','Date': time.strftime('%a, %d %b %Y %X GMT', time.gmtime()), 'User-Agent': 'MyCustomUserAgent'}
req = urllib.request.Request(event['ResponseURL'], data=json.dumps(result).encode('utf-8'), headers=headers)
urllib.request.urlopen(req)
AssumeRoleCredentials:
Type: Custom::AssumeRole
DeletionPolicy: Retain
Properties:
ServiceToken:
Fn::GetAtt:
- Function
- ARN
Parameters:
RolePolicy:
'Fn::Sub':
- "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\", \"oss:GetObject\"],\"Resource\":[\"acs:oss:*:*:${BucketName}/*\"],\"Effect\":\"Allow\"}]}"
- BucketName:
Fn::If:
- CreateInstance
- Ref: BucketName
- Ref: ExistBucketName
RoleArn:
Fn::GetAtt:
- Role
- Arn
AKId:
Fn::GetAtt:
- RamAK
- AccessKeyId
AKSecret:
Fn::GetAtt:
- RamAK
- AccessKeySecret
RoleSessionName:
Fn::Join:
- '-'
- - RoleSessionName
- Ref: ALIYUN::StackId
Timeout: 120
Outputs:
AccessKeyId:
Description:
zh-cn: 临时访问凭证包含的临时访问密钥AccessKey ID。
en: Temporary access certificate contains temporary access key AccessKey ID.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- AccessKeyId
SecurityToken:
Description:
zh-cn: SecurityToken为临时访问凭证包含的安全临牌。SecurityToken字符数较多,建议直接单击复制图标获取完整的SecurityToken。
en: SecurityToken is the security temporary card contained in the temporary access certificate. The SecurityToken contains a large number of characters. You are advised to click the Copy icon to obtain a complete SecurityToken..
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- SecurityToken
AccessKeySecret:
Description:
zh-cn: 临时访问凭证包含的临时访问密钥AccessKey Secret。
en: Temporary access certificate contains temporary access key AccessKey Secret.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- AccessKeySecret
Expiration:
Description:
zh-cn: 临时访问凭证的过期时间,建议直接单击复制图标获取完整的Expiration。临时访问凭证过期时间格式是UTC,与北京时间有8小时的时差。例如,临时访问凭证过期时间是2024-04-18T11:33:40Z,说明临时访问凭证将在北京时间2024年4月18日19时33分40秒之前过期。
en: The Expiration time of the temporary access certificate. You are advised to click the copy icon to obtain the complete expiration. The temporary access certificate expiration time format is UTC, which is 8 hours behind Beijing Time. For example, the temporary access certificate expiration time is 2024-04-18T11:33:40Z, which means that the temporary access certificate will expire before 19:33 minutes and 40 seconds Beijing time on April 18, 2024.
Value:
Fn::GetAtt:
- AssumeRoleCredentials
- Expiration
Metadata:
ALIYUN::ROS::Interface:
Outputs:
- AccessKeyId
- AccessKeySecret
- SecurityToken
- Expiration
ParameterGroups:
- Parameters:
- SelectInstance
- ExistBucketName
- BucketName
- AccessControl
Label:
default: OSS
- Parameters:
- UserName
- RoleName
Label:
default: RAM
TemplateTags:
- acs:document-help:oss:使用STS临时访问凭证访问OSS