stack-group-aliyun-ros-stack-group-execution-role.yml
72 lines (72 loc) · 2.18 KB
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 创建角色AliyunROSStackGroupExecutionRole并绑定管理员权限,允许账户作为ROS资源栈组目标账户使用。
  en: The action of creating the role named "AliyunROSStackGroupExecutionRole" and
    binding it with administrative privileges is performed. This role, empowered with
    administrator permissions, allows the account to act as the target account for
    ROS resource stack groups, thereby enabling the usage of ROS resources within
    the defined scope of operations.
Conditions:
  CurrentAccount:
    Fn::Equals:
    - Ref: AdministrationAccountId
    - ''
Parameters:
  ExecutionRoleName:
    Type: String
    Description:
      en: Execution role name of target account
      zh-cn: 为目标账号创建执行角色的名称
    Default: AliyunROSStackGroupExecutionRole
  AdministrationAccountId:
    Type: String
    Description:
      zh-cn: 管理员主账号ID,不填则授权给当前账号
      en: Administration account ID. If not, authorize the current account
    Default: ''
Resources:
  AliyunROSStackGroupExecutionRole:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName:
        Ref: ExecutionRoleName
      AssumeRolePolicyDocument:
        Version: 1
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            RAM:
            - Fn::Join:
              - ''
              - - 'acs:ram::'
                - Fn::If:
                  - CurrentAccount
                  - Ref: ALIYUN::TenantId
                  - Ref: AdministrationAccountId
                - :root
  AttachPolicy:
    Type: ALIYUN::RAM::AttachPolicyToRole
    Properties:
      PolicyName: AdministratorAccess
      PolicyType: System
      RoleName:
        Fn::GetAtt:
        - AliyunROSStackGroupExecutionRole
        - RoleName
Outputs:
  ExecutionRoleName:
    Value:
      Fn::GetAtt:
      - AliyunROSStackGroupExecutionRole
      - RoleName
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
    - Parameters:
      - ExecutionRoleName
      - AdministrationAccountId
      Label:
        default: RAM
    TemplateTags:
    - acs:example:安全:创建StackGroup目标账号权限