ALIYUN::RAM::ManagedPolicy类型用于创建RAM管理策略。
语法
{
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": String,
"Description": String,
"Roles": List,
"PolicyDocumentUnchecked": Map,
"PolicyDocument": Map,
"Groups": List,
"Users": List,
"IgnoreExisting": Boolean
}
}
属性
|
属性名称 |
类型 |
必须 |
允许更新 |
描述 |
约束 |
|
PolicyName |
String |
是 |
否 |
策略名称。 |
最长为128个字符。 |
|
Description |
String |
否 |
否 |
策略描述。 |
最长为1024个字符。 |
|
Groups |
List |
否 |
否 |
适用此策略的用户组。 |
无 |
|
IgnoreExisting |
Boolean |
否 |
否 |
是否忽略现有策略。 |
取值:
|
|
PolicyDocument |
Map |
否 |
是 |
策略详细定义。 |
更多信息,请参见PolicyDocument属性。 |
|
PolicyDocumentUnchecked |
Map |
否 |
是 |
描述允许在哪些资源上执行哪些操作的策略文档。 |
如果指定该参数,PolicyDocument将被忽略。 |
|
Roles |
List |
否 |
否 |
适用此策略的角色。 |
无 |
|
Users |
List |
否 |
否 |
适用此策略的用户。 |
无 |
PolicyDocument语法
"PolicyDocument": {
"Version": String,
"Statement": List
}
PolicyDocument属性
|
属性名称 |
类型 |
必须 |
允许更新 |
描述 |
约束 |
|
Statement |
List |
是 |
否 |
策略具体规则。 |
更多信息,请参见Statement属性。 |
|
Version |
String |
是 |
否 |
策略版本。 |
无 |
Statement语法
"Statement": [
{
"Condition": Map,
"Action": List,
"Resource": List,
"Effect": String,
"NotAction": List
}
]
Statement属性
|
属性名称 |
类型 |
必须 |
允许更新 |
描述 |
约束 |
|
Action |
List |
否 |
否 |
权限策略针对的具体操作。 |
无 |
|
Condition |
Map |
否 |
否 |
授权生效的限制条件。 |
无 |
|
Effect |
String |
否 |
否 |
授权效力。 |
取值:
|
|
NotAction |
List |
否 |
否 |
允许或拒绝时例外的指定操作。 |
无 |
|
Resource |
List |
否 |
否 |
权限策略针对的具体资源。 |
无 |
返回值
Fn::GetAtt
PolicyName:策略名称。
示例
场景 1 :创建OSS只读权限策略并授权给指定RAM用户。
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 创建OSS只读权限策略并授权给指定RAM用户。
en: Create an OSS read-only policy and attach it to specified RAM users.
Parameters:
PolicyName:
Type: String
Label:
zh-cn: 策略名称
en: Policy Name
Description:
zh-cn: RAM自定义策略名称,最长128个字符。
en: RAM custom policy name, up to 128 characters.
Default: oss-readonly-policy
OssBucketName:
Type: String
Label:
zh-cn: OSS存储桶名称
en: OSS Bucket Name
Description:
zh-cn: 允许只读访问的OSS存储桶名称。
en: The OSS bucket name to allow read-only access.
UserName:
Type: String
Label:
zh-cn: RAM用户
en: RAM User
Description:
zh-cn: 要授权的RAM用户名称。
en: The RAM user to attach this policy to.
AssociationProperty: ALIYUN::RAM::User
Resources:
ManagedPolicy:
Type: ALIYUN::RAM::ManagedPolicy
Properties:
PolicyName:
Ref: PolicyName
Description:
Fn::Sub: 允许对OSS存储桶${OssBucketName}进行只读访问
PolicyDocument:
Version: '1'
Statement:
- Effect: Allow
Action:
- oss:GetObject
- oss:GetObjectAcl
- oss:ListObjects
- oss:GetBucket
- oss:GetBucketInfo
- oss:ListBuckets
Resource:
- Fn::Sub: acs:oss:*:*:${OssBucketName}
- Fn::Sub: acs:oss:*:*:${OssBucketName}/*
Users:
- Ref: UserName
Outputs:
PolicyName:
Label:
zh-cn: 策略名称
en: Policy Name
Description:
zh-cn: 创建成功的RAM自定义策略名称。
en: The name of the created RAM custom policy.
Value:
Fn::GetAtt:
- ManagedPolicy
- PolicyName{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"zh-cn": "创建OSS只读权限策略并授权给指定RAM用户。",
"en": "Create an OSS read-only policy and attach it to specified RAM users."
},
"Parameters": {
"PolicyName": {
"Type": "String",
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Description": {
"zh-cn": "RAM自定义策略名称,最长128个字符。",
"en": "RAM custom policy name, up to 128 characters."
},
"Default": "oss-readonly-policy"
},
"OssBucketName": {
"Type": "String",
"Label": {
"zh-cn": "OSS存储桶名称",
"en": "OSS Bucket Name"
},
"Description": {
"zh-cn": "允许只读访问的OSS存储桶名称。",
"en": "The OSS bucket name to allow read-only access."
}
},
"UserName": {
"Type": "String",
"Label": {
"zh-cn": "RAM用户",
"en": "RAM User"
},
"Description": {
"zh-cn": "要授权的RAM用户名称。",
"en": "The RAM user to attach this policy to."
},
"AssociationProperty": "ALIYUN::RAM::User"
}
},
"Resources": {
"ManagedPolicy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": {
"Ref": "PolicyName"
},
"Description": {
"Fn::Sub": "允许对OSS存储桶${OssBucketName}进行只读访问"
},
"PolicyDocument": {
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl",
"oss:ListObjects",
"oss:GetBucket",
"oss:GetBucketInfo",
"oss:ListBuckets"
],
"Resource": [
{
"Fn::Sub": "acs:oss:*:*:${OssBucketName}"
},
{
"Fn::Sub": "acs:oss:*:*:${OssBucketName}/*"
}
]
}
]
},
"Users": [
{
"Ref": "UserName"
}
]
}
}
},
"Outputs": {
"PolicyName": {
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Description": {
"zh-cn": "创建成功的RAM自定义策略名称。",
"en": "The name of the created RAM custom policy."
},
"Value": {
"Fn::GetAtt": [
"ManagedPolicy",
"PolicyName"
]
}
}
}
}场景 2 :创建ECS管理权限策略并附加IP条件限制,授权给用户组和角色。
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 创建ECS管理权限策略并附加IP条件限制,授权给用户组和角色。
en: Create an ECS management policy with IP condition and attach to groups and roles.
Parameters:
PolicyName:
Type: String
Label:
zh-cn: 策略名称
en: Policy Name
Default: ecs-manage-ip-restricted
AllowedCidrBlock:
Type: String
Label:
zh-cn: 允许的源IP网段
en: Allowed Source CIDR
Description:
zh-cn: >-
允许发起请求的源IP网段,
例如10.0.0.0/8或192.168.1.0/24。
en: >-
Allowed source IP CIDR block,
e.g. 10.0.0.0/8 or 192.168.1.0/24.
Default: 10.0.0.0/8
GroupName:
Type: String
Label:
zh-cn: RAM用户组
en: RAM Group
Description:
zh-cn: 要授权的RAM用户组名称。
en: The RAM group to attach this policy to.
AssociationProperty: ALIYUN::RAM::Group
RoleName:
Type: String
Label:
zh-cn: RAM角色
en: RAM Role
Description:
zh-cn: 要授权的RAM角色名称。
en: The RAM role to attach this policy to.
AssociationProperty: ALIYUN::RAM::Role
Resources:
ManagedPolicy:
Type: ALIYUN::RAM::ManagedPolicy
Properties:
PolicyName:
Ref: PolicyName
Description: ECS实例管理权限,限定源IP访问,禁止删除和释放操作
PolicyDocument:
Version: '1'
Statement:
- Effect: Allow
Action:
- ecs:DescribeInstances
- ecs:DescribeInstanceStatus
- ecs:DescribeInstanceAttribute
- ecs:StartInstance
- ecs:StopInstance
- ecs:RebootInstance
Resource:
- '*'
Condition:
IpAddress:
acs:SourceIp:
- Ref: AllowedCidrBlock
- Effect: Deny
Action:
- ecs:DeleteInstance
- ecs:ModifyInstanceAttribute
Resource:
- '*'
Groups:
- Ref: GroupName
Roles:
- Ref: RoleName
Outputs:
PolicyName:
Label:
zh-cn: 策略名称
en: Policy Name
Description:
zh-cn: 创建成功的RAM自定义策略名称。
en: The name of the created RAM custom policy.
Value:
Fn::GetAtt:
- ManagedPolicy
- PolicyName{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"zh-cn": "创建ECS管理权限策略并附加IP条件限制,授权给用户组和角色。",
"en": "Create an ECS management policy with IP condition and attach to groups and roles."
},
"Parameters": {
"PolicyName": {
"Type": "String",
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Default": "ecs-manage-ip-restricted"
},
"AllowedCidrBlock": {
"Type": "String",
"Label": {
"zh-cn": "允许的源IP网段",
"en": "Allowed Source CIDR"
},
"Description": {
"zh-cn": "允许发起请求的源IP网段,例如10.0.0.0/8或192.168.1.0/24。",
"en": "Allowed source IP CIDR block, e.g. 10.0.0.0/8 or 192.168.1.0/24."
},
"Default": "10.0.0.0/8"
},
"GroupName": {
"Type": "String",
"Label": {
"zh-cn": "RAM用户组",
"en": "RAM Group"
},
"Description": {
"zh-cn": "要授权的RAM用户组名称。",
"en": "The RAM group to attach this policy to."
},
"AssociationProperty": "ALIYUN::RAM::Group"
},
"RoleName": {
"Type": "String",
"Label": {
"zh-cn": "RAM角色",
"en": "RAM Role"
},
"Description": {
"zh-cn": "要授权的RAM角色名称。",
"en": "The RAM role to attach this policy to."
},
"AssociationProperty": "ALIYUN::RAM::Role"
}
},
"Resources": {
"ManagedPolicy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": {
"Ref": "PolicyName"
},
"Description": "ECS实例管理权限,限定源IP访问,禁止删除和释放操作",
"PolicyDocument": {
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInstanceStatus",
"ecs:DescribeInstanceAttribute",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:RebootInstance"
],
"Resource": [
"*"
],
"Condition": {
"IpAddress": {
"acs:SourceIp": [
{
"Ref": "AllowedCidrBlock"
}
]
}
}
},
{
"Effect": "Deny",
"Action": [
"ecs:DeleteInstance",
"ecs:ModifyInstanceAttribute"
],
"Resource": [
"*"
]
}
]
},
"Groups": [
{
"Ref": "GroupName"
}
],
"Roles": [
{
"Ref": "RoleName"
}
]
}
}
},
"Outputs": {
"PolicyName": {
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Description": {
"zh-cn": "创建成功的RAM自定义策略名称。",
"en": "The name of the created RAM custom policy."
},
"Value": {
"Fn::GetAtt": [
"ManagedPolicy",
"PolicyName"
]
}
}
}
}场景 3 :创建跨服务权限策略并同时授权给用户、用户组和角色,实现全面的权限分发
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 创建跨服务权限策略并同时授权给用户、用户组和角色,实现全面的权限分发。
en: Create a cross-service policy and attach to users, groups and roles for comprehensive authorization.
Parameters:
PolicyName:
Type: String
Label:
zh-cn: 策略名称
en: Policy Name
Description:
zh-cn: RAM自定义策略名称。
en: RAM custom policy name.
Default: cross-service-devops-policy
UserNames:
Type: Json
Label:
zh-cn: RAM用户列表
en: RAM User List
Description:
zh-cn: 要授权的RAM用户名称列表。
en: List of RAM user names to attach this policy to.
Default: []
AssociationProperty: List[Parameter]
AssociationPropertyMetadata:
Parameter:
Type: String
Required: false
AssociationProperty: ALIYUN::RAM::User
Label:
zh-cn: RAM用户
en: RAM User
GroupNames:
Type: Json
Label:
zh-cn: RAM用户组列表
en: RAM Group List
Description:
zh-cn: 要授权的RAM用户组名称列表。
en: List of RAM group names to attach this policy to.
Default: []
AssociationProperty: List[Parameter]
AssociationPropertyMetadata:
Parameter:
Type: String
Required: false
AssociationProperty: ALIYUN::RAM::Group
Label:
zh-cn: RAM用户组
en: RAM Group
RoleNames:
Type: Json
Label:
zh-cn: RAM角色列表
en: RAM Role List
Description:
zh-cn: 要授权的RAM角色名称列表。
en: List of RAM role names to attach this policy to.
Default: []
AssociationProperty: List[Parameter]
AssociationPropertyMetadata:
Parameter:
Type: String
Required: false
AssociationProperty: ALIYUN::RAM::Role
Label:
zh-cn: RAM角色
en: RAM Role
Resources:
ManagedPolicy:
Type: ALIYUN::RAM::ManagedPolicy
Properties:
PolicyName:
Ref: PolicyName
Description: 跨服务DevOps权限策略,覆盖ECS、RDS、SLB、VPC和CloudMonitor
PolicyDocumentUnchecked:
Version: '1'
Statement:
- Effect: Allow
Action:
- ecs:Describe*
- ecs:StartInstance
- ecs:StopInstance
- ecs:RebootInstance
Resource:
- '*'
- Effect: Allow
Action:
- rds:Describe*
- rds:ModifyDBInstanceSpec
- rds:SwitchDBInstanceHA
Resource:
- '*'
- Effect: Allow
Action:
- slb:Describe*
- slb:SetBackendServers
- slb:AddBackendServers
- slb:RemoveBackendServers
Resource:
- '*'
- Effect: Allow
Action:
- vpc:Describe*
Resource:
- '*'
- Effect: Allow
Action:
- cms:Describe*
- cms:QueryMetric*
Resource:
- '*'
- Effect: Deny
Action:
- ecs:DeleteInstance
- rds:DeleteDBInstance
- slb:DeleteLoadBalancer
Resource:
- '*'
Users:
Ref: UserNames
Groups:
Ref: GroupNames
Roles:
Ref: RoleNames
IgnoreExisting: true
Outputs:
PolicyName:
Label:
zh-cn: 策略名称
en: Policy Name
Description:
zh-cn: 创建成功的RAM自定义策略名称。
en: The name of the created RAM custom policy.
Value:
Fn::GetAtt:
- ManagedPolicy
- PolicyName{
"ROSTemplateFormatVersion": "2015-09-01",
"Description": {
"zh-cn": "创建跨服务权限策略并同时授权给用户、用户组和角色,实现全面的权限分发。",
"en": "Create a cross-service policy and attach to users, groups and roles for comprehensive authorization."
},
"Parameters": {
"PolicyName": {
"Type": "String",
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Description": {
"zh-cn": "RAM自定义策略名称。",
"en": "RAM custom policy name."
},
"Default": "cross-service-devops-policy"
},
"UserNames": {
"Type": "Json",
"Label": {
"zh-cn": "RAM用户列表",
"en": "RAM User List"
},
"Description": {
"zh-cn": "要授权的RAM用户名称列表。",
"en": "List of RAM user names to attach this policy to."
},
"Default": [],
"AssociationProperty": "List[Parameter]",
"AssociationPropertyMetadata": {
"Parameter": {
"Type": "String",
"Required": false,
"AssociationProperty": "ALIYUN::RAM::User",
"Label": {
"zh-cn": "RAM用户",
"en": "RAM User"
}
}
}
},
"GroupNames": {
"Type": "Json",
"Label": {
"zh-cn": "RAM用户组列表",
"en": "RAM Group List"
},
"Description": {
"zh-cn": "要授权的RAM用户组名称列表。",
"en": "List of RAM group names to attach this policy to."
},
"Default": [],
"AssociationProperty": "List[Parameter]",
"AssociationPropertyMetadata": {
"Parameter": {
"Type": "String",
"Required": false,
"AssociationProperty": "ALIYUN::RAM::Group",
"Label": {
"zh-cn": "RAM用户组",
"en": "RAM Group"
}
}
}
},
"RoleNames": {
"Type": "Json",
"Label": {
"zh-cn": "RAM角色列表",
"en": "RAM Role List"
},
"Description": {
"zh-cn": "要授权的RAM角色名称列表。",
"en": "List of RAM role names to attach this policy to."
},
"Default": [],
"AssociationProperty": "List[Parameter]",
"AssociationPropertyMetadata": {
"Parameter": {
"Type": "String",
"Required": false,
"AssociationProperty": "ALIYUN::RAM::Role",
"Label": {
"zh-cn": "RAM角色",
"en": "RAM Role"
}
}
}
}
},
"Resources": {
"ManagedPolicy": {
"Type": "ALIYUN::RAM::ManagedPolicy",
"Properties": {
"PolicyName": {
"Ref": "PolicyName"
},
"Description": "跨服务DevOps权限策略,覆盖ECS、RDS、SLB、VPC和CloudMonitor",
"PolicyDocumentUnchecked": {
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:Describe*",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:RebootInstance"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"rds:Describe*",
"rds:ModifyDBInstanceSpec",
"rds:SwitchDBInstanceHA"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"slb:Describe*",
"slb:SetBackendServers",
"slb:AddBackendServers",
"slb:RemoveBackendServers"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:Describe*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cms:Describe*",
"cms:QueryMetric*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"ecs:DeleteInstance",
"rds:DeleteDBInstance",
"slb:DeleteLoadBalancer"
],
"Resource": [
"*"
]
}
]
},
"Users": {
"Ref": "UserNames"
},
"Groups": {
"Ref": "GroupNames"
},
"Roles": {
"Ref": "RoleNames"
},
"IgnoreExisting": true
}
}
},
"Outputs": {
"PolicyName": {
"Label": {
"zh-cn": "策略名称",
"en": "Policy Name"
},
"Description": {
"zh-cn": "创建成功的RAM自定义策略名称。",
"en": "The name of the created RAM custom policy."
},
"Value": {
"Fn::GetAtt": [
"ManagedPolicy",
"PolicyName"
]
}
}
}
}