本文介绍如何使用Terraform创建角色并绑定权限策略。

操作步骤

  1. 创建RAM角色。
    1. 创建terraform.tf文件,输入以下内容,并保存在当前的执行目录中。
      resource "alicloud_ram_role" "role" {
        name = "testRole"
        document = <<EOF
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "apigateway.aliyuncs.com",
                    "ecs.aliyuncs.com"
                  ]
                }
              }
            ],
            "Version": "1"
          }
      EOF
        description = "this is a role test."
        force       = true
      }
    2. 运行terraform apply开始创建。
    3. 运行terraform show查看创建的角色,您也可以登录RAM控制台查看创建的角色。
  2. 创建自定义权限策略。
    1. terraform.tf文件中增加以下内容。
      resource "alicloud_ram_policy" "policy" {
        name = "testPolicy"
        document = <<EOF
          {
            "Statement": [
              {
                "Action": [
                  "oss:ListObjects",
                  "oss:GetObject"
                ],
                "Effect": "Deny",
                "Resource": [
                  "acs:oss:*:*:mybucket",
                  "acs:oss:*:*:mybucket/*"
                ]
              }
            ],
              "Version": "1"
          }
      EOF
        description = "this is a policy test"
        force       = true
      }
    2. 运行terraform apply开始创建。
    3. 运行terraform show查看创建的自定义权限策略。您也可以登录RAM控制台查看自定义权限策略。
  3. 为角色绑定权限策略。
    1. terraform.tf文件中增加以下内容。
      resource "alicloud_ram_role_policy_attachment" "attach" {
        policy_name = "${alicloud_ram_policy.policy.name}"
        role_name   = "${alicloud_ram_role.role.name}"
        policy_type = "${alicloud_ram_policy.policy.type}"
      }
    2. 运行terraform apply开始创建。
    3. 运行terraform show查看角色拥有的自定义权限,您也可以登录RAM控制台查看角色拥有的权限。

操作样例

provider "alicloud" {
}

resource "alicloud_ram_role" "role" {
  name = "testRole"
  document = <<EOF
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "apigateway.aliyuncs.com",
              "ecs.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
EOF
  description = "this is a role test."
  force       = true
}

resource "alicloud_ram_policy" "policy" {
  name = "testPolicy"
  document = <<EOF
    {
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Effect": "Deny",
          "Resource": [
            "acs:oss:*:*:mybucket",
            "acs:oss:*:*:mybucket/*"
          ]
        }
      ],
        "Version": "1"
    }
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = "${alicloud_ram_policy.policy.name}"
  role_name   = "${alicloud_ram_role.role.name}"
  policy_type = "${alicloud_ram_policy.policy.type}"
}