forked from aliyun/ros-templates
single-role-add-policy.yml
150 lines (150 loc) · 4.72 KB
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 创建RAM角色,附加自定义策略,允许指定服务假设角色及定义策略操作。
  en: Create a RAM role, attach a custom policy allowing specified services to assume
    the role, and define policy operations.
Parameters:
  RoleName:
    Type: String
    Label:
      en: Role Name
      zh-cn: 角色的名称
    Description:
      en: The name of role, Change the name if it already exists,<br>Consist of english
        letters, numbers or '-',not more than 64 characters.
      zh-cn: 角色的名称,如果已经存在,请更改名称,<br>由英文字母、数字或'-'组成,不超过64个字符。
    ConstraintDescription:
      en: No more than 64 characters,English letters, Numbers, or '-' are allowed.
      zh-cn: 不得超过 64 个字符、英文字母、数字或'-'。
    Default: test-role
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 1
    MaxLength: 64
  AssumeRolePrincipalServices:
    # Every service listed here may call sts:AssumeRole on the created role,
    # so the list should be limited to the services that actually need it.
    Type: Json
    Label:
      en: Principal Services
      zh-cn: 角色可信的服务
    Description:
      en: The specifies role-trusted services that can be added more than once.
      zh-cn: 指定角色可信的服务,可以添加多个。
    Default:
      - ecs.aliyuncs.com
  PolicyName:
    Type: String
    Label:
      en: Policy Name
      zh-cn: 策略名
    Description:
      en: The policy name, Change the name if it already exists,<br>Consist of english
        letters, numbers or '-', 5-128 characters.
      zh-cn: 策略名,改变名称如果它已经存在,<br>由英文字母,数字或'-',5-128个字符组成。
    ConstraintDescription:
      en: Consist of english letters, numbers or '-',5-128 characters.
      zh-cn: 由英文字母、数字或'-',5-128个字符组成。
    Default: test-policy-name
    AllowedPattern: ^[a-zA-Z0-9\-]+$
    MinLength: 5
    MaxLength: 128
  SpecificAction:
    # Comma-separated action list; it is split into the Action element of the
    # managed policy below. The default (oss.*,ecs.*) grants every OSS and ECS action.
    Type: String
    Label:
      en: Specific Action
      zh-cn: 策略的操作
    Description:
      en: 'The specific action of the policy,Separated by English commas; <a href=''https://help.aliyun.com/document_detail/93738.html''
        target=''_blank''><b><font color=''blue''>View Policy elements-Action</font></b></a><br>For
        example: <br>[oss.*,ecs.*: <font color=''green''>all the action of oss and
        ecs</font>]<br>[oss.*: <font color=''green''>all the action of oss</font>]<br>[oss.GetObjectUrl:
        <font color=''green''>action is GetObjectUrl of oss</font>]<br>.'
      zh-cn: '指定策略的操作,以英文逗号分隔;<a href=''https://help.aliyun.com/document_detail/93738.html''
        target=''_blank''><b><font color=''blue''>查看策略元素-Action</font></b></a><br>例如:
        <br>[oss.*,ecs.*: <font color=''green''>oss和ecs的所有操作</font>]<br>[oss.*: <font
        color=''green''>oss的所有操作</font>]<br>[oss.GetObjectUrl: <font color=''green''>oss的GetObjectUrl操作</font>]<br>'
    Default: oss.*,ecs.*
Resources:
  RamManagedPolicy:
    # Custom policy built from SpecificAction. Resource is '*', so the chosen
    # actions are allowed on every resource in the account; narrow the action
    # list (or the Resource element) when a tighter scope is required.
    Type: ALIYUN::RAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              Fn::Split:
                - ','
                - Ref: SpecificAction
            Effect: Allow
            Resource:
              - '*'
        Version: '1'
      PolicyName:
        Ref: PolicyName
  RamRole:
    Type: ALIYUN::RAM::Role
    Properties:
      # Trust policy: only the services in AssumeRolePrincipalServices can assume the role.
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Ref: AssumeRolePrincipalServices
        Version: '1'
      # Inline policy granting full ROS access (ros:*) in addition to the managed policy.
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ros:*
                Effect: Allow
                Resource:
                  - '*'
            Version: '1'
          PolicyName:
            Fn::Join:
              - ''
              - - Policy-
                - Ref: ALIYUN::StackId
      RoleName:
        Ref: RoleName
  RamAttachPolicyToRole:
    Type: ALIYUN::RAM::AttachPolicyToRole
    Properties:
      PolicyName:
        Fn::GetAtt:
          - RamManagedPolicy
          - PolicyName
      PolicyType: Custom
      RoleName:
        Fn::GetAtt:
          - RamRole
          - RoleName
    DependsOn:
      - RamManagedPolicy
      - RamRole
Outputs:
  PolicyName:
    Value:
      Fn::GetAtt:
        - RamManagedPolicy
        - PolicyName
  RoleArn:
    Value:
      Fn::GetAtt:
        - RamRole
        - Arn
  RoleName:
    Value:
      Fn::GetAtt:
        - RamRole
        - RoleName
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
      - Parameters:
          - RoleName
          - AssumeRolePrincipalServices
          - PolicyName
          - SpecificAction
        Label:
          default: RAM
    TemplateTags:
      - acs:example:弹性计算:创建角色并添加策略动作