alicloud.ram.getPolicyDocument
This data source generates a RAM policy document for the current Alibaba Cloud user.
NOTE: Available since v1.184.0+.
Example Usage
Basic Example
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
// One statement: every oss: action, scoped to the "myphotos" bucket and the
// objects inside it. NOTE: "oss:*" is a service-wide action wildcard; only the
// two bucket-scoped resource ARNs limit what this statement grants, so narrow
// the action list before using it in production.
const photosStatement = {
    effect: "Allow",
    actions: ["oss:*"],
    resources: [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*",
    ],
};
// Render the policy document (version "1") from the statement above.
const basicExample = alicloud.ram.getPolicyDocument({
    version: "1",
    statements: [photosStatement],
});
// Store the rendered JSON as the RAM policy "default". `force` presumably
// affects deletion of an attached policy — confirm in the Policy resource docs.
const _default = new alicloud.ram.Policy("default", {
    policyName: "tf-example",
    policyDocument: basicExample.then(result => result.document),
    force: true,
});
import pulumi
import pulumi_alicloud as alicloud
# One statement: every oss: action, scoped to the "myphotos" bucket and the
# objects inside it. NOTE: "oss:*" is a service-wide action wildcard; only the
# two bucket-scoped resource ARNs limit what this statement grants, so narrow
# the action list before using it in production.
photos_statement = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["oss:*"],
    resources=[
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*",
    ],
)
# Render the policy document (version "1") from the statement above.
basic_example = alicloud.ram.get_policy_document(
    version="1",
    statements=[photos_statement],
)
# Store the rendered JSON as the RAM policy "default". `force` presumably
# affects deletion of an attached policy — confirm in the Policy resource docs.
default = alicloud.ram.Policy(
    "default",
    policy_name="tf-example",
    policy_document=basic_example.document,
    force=True,
)
package main
import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders a RAM policy document that allows every oss: action on the
// "myphotos" bucket and its objects, then stores it as the RAM policy
// "default". Any error from the data source or the resource aborts the run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: "oss:*" is a service-wide action wildcard; only the two
		// bucket-scoped resource ARNs limit what this statement grants.
		photosStatement := ram.GetPolicyDocumentStatement{
			Effect:  pulumi.StringRef("Allow"),
			Actions: []string{"oss:*"},
			Resources: []string{
				"acs:oss:*:*:myphotos",
				"acs:oss:*:*:myphotos/*",
			},
		}
		docArgs := &ram.GetPolicyDocumentArgs{
			Version:    pulumi.StringRef("1"),
			Statements: []ram.GetPolicyDocumentStatement{photosStatement},
		}
		doc, err := ram.GetPolicyDocument(ctx, docArgs, nil)
		if err != nil {
			return err
		}
		// Force presumably affects deletion of an attached policy — confirm
		// in the Policy resource docs before relying on it.
		if _, err = ram.NewPolicy(ctx, "default", &ram.PolicyArgs{
			PolicyName:     pulumi.String("tf-example"),
			PolicyDocument: pulumi.String(doc.Document),
			Force:          pulumi.Bool(true),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
// Renders a RAM policy document allowing every oss: action on the "myphotos"
// bucket (and its objects), then stores it as the RAM policy "default".
return await Deployment.RunAsync(() =>
{
    // NOTE: "oss:*" is a service-wide action wildcard; only the two
    // bucket-scoped resource ARNs limit what this statement grants.
    var photosStatement = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "oss:*" },
        Resources = new[]
        {
            "acs:oss:*:*:myphotos",
            "acs:oss:*:*:myphotos/*",
        },
    };
    // Render the policy document (version "1") from the statement above.
    var basicExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
    {
        Version = "1",
        Statements = new[] { photosStatement },
    });
    // Force presumably affects deletion of an attached policy — confirm in
    // the Policy resource docs before relying on it.
    var @default = new AliCloud.Ram.Policy("default", new()
    {
        PolicyName = "tf-example",
        PolicyDocument = basicExample.Apply(result => result.Document),
        Force = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.alicloud.ram.Policy;
import com.pulumi.alicloud.ram.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that renders a RAM policy document allowing every oss:
 * action on the "myphotos" bucket (and its objects) and stores it as the
 * RAM policy "default".
 */
public class App {
    /** Program entry point; hands control to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context of the running stack
     */
    public static void stack(Context ctx) {
        // NOTE: "oss:*" is a service-wide action wildcard; only the two
        // bucket-scoped resource ARNs limit what this statement grants.
        var photosStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("oss:*")
            .resources(
                "acs:oss:*:*:myphotos",
                "acs:oss:*:*:myphotos/*")
            .build();
        var documentArgs = GetPolicyDocumentArgs.builder()
            .version("1")
            .statements(photosStatement)
            .build();
        final var basicExample = RamFunctions.getPolicyDocument(documentArgs);
        // force(true) presumably affects deletion of an attached policy —
        // confirm in the Policy resource docs before relying on it.
        var default_ = new Policy("default", PolicyArgs.builder()
            .policyName("tf-example")
            .policyDocument(basicExample.applyValue(result -> result.document()))
            .force(true)
            .build());
    }
}
# Stores the rendered policy document as the RAM policy "default".
resources:
  default:
    type: alicloud:ram:Policy
    properties:
      policyName: tf-example
      policyDocument: ${basicExample.document}
      # force presumably affects deletion of an attached policy — confirm in
      # the Policy resource docs before relying on it.
      force: true
# Renders the policy document consumed above.
variables:
  basicExample:
    fn::invoke:
      Function: alicloud:ram:getPolicyDocument
      Arguments:
        version: '1'
        statements:
          # NOTE: oss:* is a service-wide action wildcard; only the two
          # bucket-scoped resource ARNs limit what this statement grants.
          - effect: Allow
            actions:
              - oss:*
            resources:
              - acs:oss:*:*:myphotos
              - acs:oss:*:*:myphotos/*
The resulting `document` output (`data.alicloud_ram_policy_document.basic_example.document` in the underlying Terraform provider) will evaluate to:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ]
    }
  ],
  "Version": "1"
}
Example Multiple Condition Keys and Values
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
// Statement 1: bucket-level read/inspect actions. NOTE: every field of the
// resource ARN is a wildcard, so this is not limited to one bucket.
const bucketRead = {
    effect: "Allow",
    actions: [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl",
    ],
    resources: ["acs:oss:*:*:*"],
};
// Statement 2: object reads, limited to one prefix inside "myphotos".
const objectRead = {
    effect: "Allow",
    actions: ["oss:GetObject", "oss:GetObjectAcl"],
    resources: ["acs:oss:*:*:myphotos/hangzhou/2015/*"],
};
// Statement 3: listing "myphotos" only with delimiter "/" and one of the
// listed prefixes (the empty prefix allows listing the top level), which
// simulates directory-level access.
const listing = {
    effect: "Allow",
    actions: ["oss:ListObjects"],
    resources: ["acs:oss:*:*:myphotos"],
    conditions: [
        { operator: "StringLike", variable: "oss:Delimiter", values: ["/"] },
        {
            operator: "StringLike",
            variable: "oss:Prefix",
            values: ["", "hangzhou/", "hangzhou/2015/*"],
        },
    ],
};
// Render the three statements as one policy document (version "1").
const multipleCondition = alicloud.ram.getPolicyDocument({
    version: "1",
    statements: [bucketRead, objectRead, listing],
});
// Store the rendered JSON as the RAM policy "policy".
const policy = new alicloud.ram.Policy("policy", {
    policyName: "tf-example-condition",
    policyDocument: multipleCondition.then(result => result.document),
    force: true,
});
import pulumi
import pulumi_alicloud as alicloud
# Statement 1: bucket-level read/inspect actions. NOTE: every field of the
# resource ARN is a wildcard, so this is not limited to one bucket.
bucket_read = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=[
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl",
    ],
    resources=["acs:oss:*:*:*"],
)
# Statement 2: object reads, limited to one prefix inside "myphotos".
object_read = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["oss:GetObject", "oss:GetObjectAcl"],
    resources=["acs:oss:*:*:myphotos/hangzhou/2015/*"],
)
# Statement 3: listing "myphotos" only with delimiter "/" and one of the
# listed prefixes (the empty prefix allows listing the top level), which
# simulates directory-level access.
listing = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["oss:ListObjects"],
    resources=["acs:oss:*:*:myphotos"],
    conditions=[
        alicloud.ram.GetPolicyDocumentStatementConditionArgs(
            operator="StringLike",
            variable="oss:Delimiter",
            values=["/"],
        ),
        alicloud.ram.GetPolicyDocumentStatementConditionArgs(
            operator="StringLike",
            variable="oss:Prefix",
            values=["", "hangzhou/", "hangzhou/2015/*"],
        ),
    ],
)
# Render the three statements as one policy document (version "1").
multiple_condition = alicloud.ram.get_policy_document(
    version="1",
    statements=[bucket_read, object_read, listing],
)
# Store the rendered JSON as the RAM policy "policy".
policy = alicloud.ram.Policy(
    "policy",
    policy_name="tf-example-condition",
    policy_document=multiple_condition.document,
    force=True,
)
package main
import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
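// main renders a three-statement OSS policy document and stores it as the
// RAM policy "policy". Any error from the data source or the resource aborts
// the run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// GetPolicyDocumentArgs.Statements is a plain slice of statement
		// structs (as in the other Go examples on this page); the previous
		// pulumi.Array literal is the wrong type and does not compile.
		statements := []ram.GetPolicyDocumentStatement{
			// Bucket-level read/inspect actions. NOTE: every field of the
			// resource ARN is a wildcard, so this is not limited to one bucket.
			{
				Effect: pulumi.StringRef("Allow"),
				Actions: []string{
					"oss:ListBuckets",
					"oss:GetBucketStat",
					"oss:GetBucketInfo",
					"oss:GetBucketTagging",
					"oss:GetBucketAcl",
				},
				Resources: []string{"acs:oss:*:*:*"},
			},
			// Object reads, limited to one prefix inside "myphotos".
			{
				Effect:    pulumi.StringRef("Allow"),
				Actions:   []string{"oss:GetObject", "oss:GetObjectAcl"},
				Resources: []string{"acs:oss:*:*:myphotos/hangzhou/2015/*"},
			},
			// Listing "myphotos" only with delimiter "/" and one of the listed
			// prefixes (the empty prefix allows listing the top level), which
			// simulates directory-level access.
			{
				Effect:    pulumi.StringRef("Allow"),
				Actions:   []string{"oss:ListObjects"},
				Resources: []string{"acs:oss:*:*:myphotos"},
				Conditions: []ram.GetPolicyDocumentStatementCondition{
					{
						Operator: "StringLike",
						Variable: "oss:Delimiter",
						Values:   []string{"/"},
					},
					{
						Operator: "StringLike",
						Variable: "oss:Prefix",
						Values:   []string{"", "hangzhou/", "hangzhou/2015/*"},
					},
				},
			},
		}
		doc, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
			Version:    pulumi.StringRef("1"),
			Statements: statements,
		}, nil)
		if err != nil {
			return err
		}
		// Force presumably affects deletion of an attached policy — confirm
		// in the Policy resource docs before relying on it.
		if _, err = ram.NewPolicy(ctx, "policy", &ram.PolicyArgs{
			PolicyName:     pulumi.String("tf-example-condition"),
			PolicyDocument: pulumi.String(doc.Document),
			Force:          pulumi.Bool(true),
		}); err != nil {
			return err
		}
		return nil
	})
}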
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
// Renders a three-statement OSS policy document and stores it as the RAM
// policy "policy".
return await Deployment.RunAsync(() =>
{
    // Statement 1: bucket-level read/inspect actions. NOTE: every field of
    // the resource ARN is a wildcard, so this is not limited to one bucket.
    var bucketRead = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[]
        {
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketTagging",
            "oss:GetBucketAcl",
        },
        Resources = new[] { "acs:oss:*:*:*" },
    };
    // Statement 2: object reads, limited to one prefix inside "myphotos".
    var objectRead = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "oss:GetObject", "oss:GetObjectAcl" },
        Resources = new[] { "acs:oss:*:*:myphotos/hangzhou/2015/*" },
    };
    // Statement 3: listing "myphotos" only with delimiter "/" and one of the
    // listed prefixes (the empty prefix allows listing the top level), which
    // simulates directory-level access.
    var delimiterCondition = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
    {
        Operator = "StringLike",
        Variable = "oss:Delimiter",
        Values = new[] { "/" },
    };
    var prefixCondition = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
    {
        Operator = "StringLike",
        Variable = "oss:Prefix",
        Values = new[] { "", "hangzhou/", "hangzhou/2015/*" },
    };
    var listing = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "oss:ListObjects" },
        Resources = new[] { "acs:oss:*:*:myphotos" },
        Conditions = new[] { delimiterCondition, prefixCondition },
    };
    // Render the three statements as one policy document (version "1").
    var multipleCondition = AliCloud.Ram.GetPolicyDocument.Invoke(new()
    {
        Version = "1",
        Statements = new[] { bucketRead, objectRead, listing },
    });
    // Store the rendered JSON as the RAM policy "policy".
    var policy = new AliCloud.Ram.Policy("policy", new()
    {
        PolicyName = "tf-example-condition",
        PolicyDocument = multipleCondition.Apply(result => result.Document),
        Force = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.alicloud.ram.Policy;
import com.pulumi.alicloud.ram.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that renders a three-statement OSS policy document and
 * stores it as the RAM policy "policy".
 */
public class App {
    /** Program entry point; hands control to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context of the running stack
     */
    public static void stack(Context ctx) {
        // Statement 1: bucket-level read/inspect actions. NOTE: every field
        // of the resource ARN is a wildcard, so this is not limited to one
        // bucket.
        var bucketRead = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions(
                "oss:ListBuckets",
                "oss:GetBucketStat",
                "oss:GetBucketInfo",
                "oss:GetBucketTagging",
                "oss:GetBucketAcl")
            .resources("acs:oss:*:*:*")
            .build();
        // Statement 2: object reads, limited to one prefix inside "myphotos".
        var objectRead = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("oss:GetObject", "oss:GetObjectAcl")
            .resources("acs:oss:*:*:myphotos/hangzhou/2015/*")
            .build();
        // Statement 3: listing "myphotos" only with delimiter "/" and one of
        // the listed prefixes (the empty prefix allows listing the top
        // level), which simulates directory-level access.
        var delimiterCondition = GetPolicyDocumentStatementConditionArgs.builder()
            .operator("StringLike")
            .variable("oss:Delimiter")
            .values("/")
            .build();
        var prefixCondition = GetPolicyDocumentStatementConditionArgs.builder()
            .operator("StringLike")
            .variable("oss:Prefix")
            .values("", "hangzhou/", "hangzhou/2015/*")
            .build();
        var listing = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("oss:ListObjects")
            .resources("acs:oss:*:*:myphotos")
            .conditions(delimiterCondition, prefixCondition)
            .build();
        // Render the three statements as one policy document (version "1").
        final var multipleCondition = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .version("1")
            .statements(bucketRead, objectRead, listing)
            .build());
        // Store the rendered JSON as the RAM policy "policy".
        var policy = new Policy("policy", PolicyArgs.builder()
            .policyName("tf-example-condition")
            .policyDocument(multipleCondition.applyValue(result -> result.document()))
            .force(true)
            .build());
    }
}
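# Stores the rendered policy document as the RAM policy "policy".
resources:
  policy:
    type: alicloud:ram:Policy
    properties:
      policyName: tf-example-condition
      policyDocument: ${multipleCondition.document}
      # force presumably affects deletion of an attached policy — confirm in
      # the Policy resource docs before relying on it.
      force: true
# Renders the three-statement policy document consumed above.
variables:
  multipleCondition:
    fn::invoke:
      Function: alicloud:ram:getPolicyDocument
      Arguments:
        version: '1'
        statements:
          # Bucket-level read/inspect actions. NOTE: every field of the
          # resource ARN is a wildcard, so this is not limited to one bucket.
          - effect: Allow
            actions:
              - oss:ListBuckets
              - oss:GetBucketStat
              - oss:GetBucketInfo
              - oss:GetBucketTagging
              - oss:GetBucketAcl
            resources:
              - acs:oss:*:*:*
          # Object reads, limited to one prefix inside "myphotos".
          - effect: Allow
            actions:
              - oss:GetObject
              - oss:GetObjectAcl
            resources:
              - acs:oss:*:*:myphotos/hangzhou/2015/*
          # Listing "myphotos" only with delimiter "/" and one of the listed
          # prefixes, which simulates directory-level access.
          - effect: Allow
            actions:
              - oss:ListObjects
            resources:
              - acs:oss:*:*:myphotos
            conditions:
              - operator: StringLike
                variable: oss:Delimiter
                values:
                  - /
              - operator: StringLike
                variable: oss:Prefix
                values:
                  # A bare "-" is a YAML null, not the empty string the other
                  # language examples (and the rendered output) use; quote it.
                  - ""
                  - hangzhou/
                  - hangzhou/2015/*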
The resulting `document` output (`data.alicloud_ram_policy_document.multiple_condition.document` in the underlying Terraform provider) will evaluate to:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos/hangzhou/2015/*"
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:myphotos",
      "Condition": {
        "StringLike": {
          "oss:Delimiter": "/",
          "oss:Prefix": [
            "",
            "hangzhou/",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Example Assume-Role Policy with RAM Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
// Trust policy: a RAM principal may call sts:AssumeRole on the role. The
// account ID is a masked placeholder to replace; trusting ":root" presumably
// lets any RAM identity in that account (subject to its own permissions)
// assume the role — confirm, and prefer a specific user/role ARN if possible.
const trustedAccount = {
    entity: "RAM",
    identifiers: ["acs:ram::123456789012****:root"],
};
const trustStatement = {
    effect: "Allow",
    actions: ["sts:AssumeRole"],
    principals: [trustedAccount],
};
// No version is given; the rendered output below shows it defaults to "1".
const ramExample = alicloud.ram.getPolicyDocument({
    statements: [trustStatement],
});
// Create the role with the rendered trust policy as its document.
const role = new alicloud.ram.Role("role", {
    name: "tf-example-role-ram",
    document: ramExample.then(result => result.document),
    force: true,
});
import pulumi
import pulumi_alicloud as alicloud
# Trust policy: a RAM principal may call sts:AssumeRole on the role. The
# account ID is a masked placeholder to replace; trusting ":root" presumably
# lets any RAM identity in that account (subject to its own permissions)
# assume the role — confirm, and prefer a specific user/role ARN if possible.
trusted_account = alicloud.ram.GetPolicyDocumentStatementPrincipalArgs(
    entity="RAM",
    identifiers=["acs:ram::123456789012****:root"],
)
trust_statement = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["sts:AssumeRole"],
    principals=[trusted_account],
)
# No version is given; the rendered output below shows it defaults to "1".
ram_example = alicloud.ram.get_policy_document(statements=[trust_statement])
# Create the role with the rendered trust policy as its document.
role = alicloud.ram.Role(
    "role",
    name="tf-example-role-ram",
    document=ram_example.document,
    force=True,
)
package main
import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders an assume-role (trust) policy whose only principal is the
// root of one RAM account and creates the RAM role "role" with it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The account ID is a masked placeholder to replace. Trusting ":root"
		// presumably lets any RAM identity in that account (subject to its
		// own permissions) assume the role — confirm, and prefer a specific
		// user/role ARN where possible.
		trustedAccount := ram.GetPolicyDocumentStatementPrincipal{
			Entity:      "RAM",
			Identifiers: []string{"acs:ram::123456789012****:root"},
		}
		trustStatement := ram.GetPolicyDocumentStatement{
			Effect:     pulumi.StringRef("Allow"),
			Actions:    []string{"sts:AssumeRole"},
			Principals: []ram.GetPolicyDocumentStatementPrincipal{trustedAccount},
		}
		// No Version is given; the rendered output shows it defaults to "1".
		doc, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
			Statements: []ram.GetPolicyDocumentStatement{trustStatement},
		}, nil)
		if err != nil {
			return err
		}
		if _, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
			Name:     pulumi.String("tf-example-role-ram"),
			Document: pulumi.String(doc.Document),
			Force:    pulumi.Bool(true),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
// Renders an assume-role (trust) policy whose only principal is the root of
// one RAM account and creates the RAM role "role" with it.
return await Deployment.RunAsync(() =>
{
    // The account ID is a masked placeholder to replace. Trusting ":root"
    // presumably lets any RAM identity in that account (subject to its own
    // permissions) assume the role — confirm, and prefer a specific
    // user/role ARN where possible.
    var trustedAccount = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
    {
        Entity = "RAM",
        Identifiers = new[] { "acs:ram::123456789012****:root" },
    };
    var trustStatement = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "sts:AssumeRole" },
        Principals = new[] { trustedAccount },
    };
    // No Version is given; the rendered output shows it defaults to "1".
    var ramExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { trustStatement },
    });
    var role = new AliCloud.Ram.Role("role", new()
    {
        Name = "tf-example-role-ram",
        Document = ramExample.Apply(result => result.Document),
        Force = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that renders an assume-role (trust) policy whose only
 * principal is the root of one RAM account and creates the RAM role "role"
 * with it.
 */
public class App {
    /** Program entry point; hands control to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context of the running stack
     */
    public static void stack(Context ctx) {
        // The account ID is a masked placeholder to replace. Trusting ":root"
        // presumably lets any RAM identity in that account (subject to its
        // own permissions) assume the role — confirm, and prefer a specific
        // user/role ARN where possible.
        var trustedAccount = GetPolicyDocumentStatementPrincipalArgs.builder()
            .entity("RAM")
            .identifiers("acs:ram::123456789012****:root")
            .build();
        var trustStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("sts:AssumeRole")
            .principals(trustedAccount)
            .build();
        // No version is given; the rendered output shows it defaults to "1".
        final var ramExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(trustStatement)
            .build());
        var role = new Role("role", RoleArgs.builder()
            .name("tf-example-role-ram")
            .document(ramExample.applyValue(result -> result.document()))
            .force(true)
            .build());
    }
}
# Creates the RAM role "role" with the rendered trust policy as its document.
resources:
  role:
    type: alicloud:ram:Role
    properties:
      name: tf-example-role-ram
      document: ${ramExample.document}
      force: true
# Renders the assume-role (trust) policy; no version is given and the rendered
# output below shows it defaults to "1".
variables:
  ramExample:
    fn::invoke:
      Function: alicloud:ram:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - sts:AssumeRole
            # The account ID is a masked placeholder to replace. Trusting
            # ":root" presumably lets any RAM identity in that account
            # (subject to its own permissions) assume the role — confirm,
            # and prefer a specific user/role ARN where possible.
            principals:
              - entity: RAM
                identifiers:
                  - acs:ram::123456789012****:root
The resulting `document` output (`data.alicloud_ram_policy_document.ram_example.document` in the underlying Terraform provider) will evaluate to:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "RAM": [
          "acs:ram::123456789012****:root"
        ]
      }
    }
  ],
  "Version": "1"
}
Example Assume-Role Policy with Service Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
// Trust policy: the ECS service principal ("ecs.aliyuncs.com") may call
// sts:AssumeRole on the role.
const ecsService = {
    entity: "Service",
    identifiers: ["ecs.aliyuncs.com"],
};
const trustStatement = {
    effect: "Allow",
    actions: ["sts:AssumeRole"],
    principals: [ecsService],
};
// No version is given; the rendered output below shows it defaults to "1".
const serviceExample = alicloud.ram.getPolicyDocument({
    statements: [trustStatement],
});
// Create the role with the rendered trust policy as its document.
const role = new alicloud.ram.Role("role", {
    name: "tf-example-role-service",
    document: serviceExample.then(result => result.document),
    force: true,
});
import pulumi
import pulumi_alicloud as alicloud
# Trust policy: the ECS service principal ("ecs.aliyuncs.com") may call
# sts:AssumeRole on the role.
ecs_service = alicloud.ram.GetPolicyDocumentStatementPrincipalArgs(
    entity="Service",
    identifiers=["ecs.aliyuncs.com"],
)
trust_statement = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["sts:AssumeRole"],
    principals=[ecs_service],
)
# No version is given; the rendered output below shows it defaults to "1".
service_example = alicloud.ram.get_policy_document(statements=[trust_statement])
# Create the role with the rendered trust policy as its document.
role = alicloud.ram.Role(
    "role",
    name="tf-example-role-service",
    document=service_example.document,
    force=True,
)
package main
import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders an assume-role (trust) policy whose only principal is the ECS
// service and creates the RAM role "role" with it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Service principal: "ecs.aliyuncs.com" may call sts:AssumeRole.
		ecsService := ram.GetPolicyDocumentStatementPrincipal{
			Entity:      "Service",
			Identifiers: []string{"ecs.aliyuncs.com"},
		}
		trustStatement := ram.GetPolicyDocumentStatement{
			Effect:     pulumi.StringRef("Allow"),
			Actions:    []string{"sts:AssumeRole"},
			Principals: []ram.GetPolicyDocumentStatementPrincipal{ecsService},
		}
		// No Version is given; the rendered output shows it defaults to "1".
		doc, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
			Statements: []ram.GetPolicyDocumentStatement{trustStatement},
		}, nil)
		if err != nil {
			return err
		}
		if _, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
			Name:     pulumi.String("tf-example-role-service"),
			Document: pulumi.String(doc.Document),
			Force:    pulumi.Bool(true),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
// Renders an assume-role (trust) policy whose only principal is the ECS
// service and creates the RAM role "role" with it.
return await Deployment.RunAsync(() =>
{
    // Service principal: "ecs.aliyuncs.com" may call sts:AssumeRole.
    var ecsService = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
    {
        Entity = "Service",
        Identifiers = new[] { "ecs.aliyuncs.com" },
    };
    var trustStatement = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "sts:AssumeRole" },
        Principals = new[] { ecsService },
    };
    // No Version is given; the rendered output shows it defaults to "1".
    var serviceExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { trustStatement },
    });
    var role = new AliCloud.Ram.Role("role", new()
    {
        Name = "tf-example-role-service",
        Document = serviceExample.Apply(result => result.Document),
        Force = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that renders an assume-role (trust) policy whose only
 * principal is the ECS service and creates the RAM role "role" with it.
 */
public class App {
    /** Program entry point; hands control to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context of the running stack
     */
    public static void stack(Context ctx) {
        // Service principal: "ecs.aliyuncs.com" may call sts:AssumeRole.
        var ecsService = GetPolicyDocumentStatementPrincipalArgs.builder()
            .entity("Service")
            .identifiers("ecs.aliyuncs.com")
            .build();
        var trustStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("sts:AssumeRole")
            .principals(ecsService)
            .build();
        // No version is given; the rendered output shows it defaults to "1".
        final var serviceExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(trustStatement)
            .build());
        var role = new Role("role", RoleArgs.builder()
            .name("tf-example-role-service")
            .document(serviceExample.applyValue(result -> result.document()))
            .force(true)
            .build());
    }
}
# Creates the RAM role "role" with the rendered trust policy as its document.
resources:
  role:
    type: alicloud:ram:Role
    properties:
      name: tf-example-role-service
      document: ${serviceExample.document}
      force: true
# Renders the assume-role (trust) policy; no version is given and the rendered
# output below shows it defaults to "1".
variables:
  serviceExample:
    fn::invoke:
      Function: alicloud:ram:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - sts:AssumeRole
            # Service principal: ecs.aliyuncs.com may call sts:AssumeRole.
            principals:
              - entity: Service
                identifiers:
                  - ecs.aliyuncs.com
The resulting `document` output (`data.alicloud_ram_policy_document.service_example.document` in the underlying Terraform provider) will evaluate to:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Example Assume-Role Policy with Federated Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
// Trust policy for SAML federation: the named SAML provider (account ID is a
// masked placeholder to replace) may call sts:AssumeRole, but only when the
// assertion's saml:recipient equals the Alibaba Cloud SSO sign-in URL below.
// That StringEquals condition is what stops assertions issued for another
// audience from being replayed against this role — keep it.
const samlProvider = {
    entity: "Federated",
    identifiers: ["acs:ram::123456789012****:saml-provider/testprovider"],
};
const recipientCondition = {
    operator: "StringEquals",
    variable: "saml:recipient",
    values: ["https://signin.aliyun.com/saml-role/sso"],
};
const trustStatement = {
    effect: "Allow",
    actions: ["sts:AssumeRole"],
    principals: [samlProvider],
    conditions: [recipientCondition],
};
// No version is given; the other rendered outputs show it defaults to "1".
const federatedExample = alicloud.ram.getPolicyDocument({
    statements: [trustStatement],
});
// Create the role with the rendered trust policy as its document.
const role = new alicloud.ram.Role("role", {
    name: "tf-example-role-federated",
    document: federatedExample.then(result => result.document),
    force: true,
});
import pulumi
import pulumi_alicloud as alicloud
# Trust policy for SAML federation: the named SAML provider (account ID is a
# masked placeholder to replace) may call sts:AssumeRole, but only when the
# assertion's saml:recipient equals the Alibaba Cloud SSO sign-in URL below.
# That StringEquals condition is what stops assertions issued for another
# audience from being replayed against this role — keep it.
saml_provider = alicloud.ram.GetPolicyDocumentStatementPrincipalArgs(
    entity="Federated",
    identifiers=["acs:ram::123456789012****:saml-provider/testprovider"],
)
recipient_condition = alicloud.ram.GetPolicyDocumentStatementConditionArgs(
    operator="StringEquals",
    variable="saml:recipient",
    values=["https://signin.aliyun.com/saml-role/sso"],
)
trust_statement = alicloud.ram.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["sts:AssumeRole"],
    principals=[saml_provider],
    conditions=[recipient_condition],
)
# No version is given; the other rendered outputs show it defaults to "1".
federated_example = alicloud.ram.get_policy_document(statements=[trust_statement])
# Create the role with the rendered trust policy as its document.
role = alicloud.ram.Role(
    "role",
    name="tf-example-role-federated",
    document=federated_example.document,
    force=True,
)
package main
import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders a SAML-federated assume-role (trust) policy and creates the RAM
// role "role" with it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Federated principal: the named SAML provider (account ID is a masked
		// placeholder to replace).
		samlProvider := ram.GetPolicyDocumentStatementPrincipal{
			Entity:      "Federated",
			Identifiers: []string{"acs:ram::123456789012****:saml-provider/testprovider"},
		}
		// Only assertions whose saml:recipient equals the Alibaba Cloud SSO
		// sign-in URL satisfy the statement; this StringEquals condition is
		// what stops assertions issued for another audience from being
		// replayed against this role — keep it.
		recipientCondition := ram.GetPolicyDocumentStatementCondition{
			Operator: "StringEquals",
			Variable: "saml:recipient",
			Values:   []string{"https://signin.aliyun.com/saml-role/sso"},
		}
		trustStatement := ram.GetPolicyDocumentStatement{
			Effect:     pulumi.StringRef("Allow"),
			Actions:    []string{"sts:AssumeRole"},
			Principals: []ram.GetPolicyDocumentStatementPrincipal{samlProvider},
			Conditions: []ram.GetPolicyDocumentStatementCondition{recipientCondition},
		}
		// No Version is given; the other rendered outputs show it defaults to "1".
		doc, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
			Statements: []ram.GetPolicyDocumentStatement{trustStatement},
		}, nil)
		if err != nil {
			return err
		}
		if _, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
			Name:     pulumi.String("tf-example-role-federated"),
			Document: pulumi.String(doc.Document),
			Force:    pulumi.Bool(true),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
// Renders a SAML-federated assume-role (trust) policy and creates the RAM
// role "role" with it.
return await Deployment.RunAsync(() =>
{
    // Federated principal: the named SAML provider (account ID is a masked
    // placeholder to replace).
    var samlProvider = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
    {
        Entity = "Federated",
        Identifiers = new[] { "acs:ram::123456789012****:saml-provider/testprovider" },
    };
    // Only assertions whose saml:recipient equals the Alibaba Cloud SSO
    // sign-in URL satisfy the statement; this StringEquals condition is what
    // stops assertions issued for another audience from being replayed
    // against this role — keep it.
    var recipientCondition = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
    {
        Operator = "StringEquals",
        Variable = "saml:recipient",
        Values = new[] { "https://signin.aliyun.com/saml-role/sso" },
    };
    var trustStatement = new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "sts:AssumeRole" },
        Principals = new[] { samlProvider },
        Conditions = new[] { recipientCondition },
    };
    // No Version is given; the other rendered outputs show it defaults to "1".
    var federatedExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { trustStatement },
    });
    var role = new AliCloud.Ram.Role("role", new()
    {
        Name = "tf-example-role-federated",
        Document = federatedExample.Apply(result => result.Document),
        Force = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentStatementPrincipalArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
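/**
 * Builds a trust policy for a RAM role that is assumed through SAML federation, then creates the role.
 *
 * The policy has one statement: Allow sts:AssumeRole for the named SAML provider, restricted by a
 * StringEquals condition on saml:recipient to the Alibaba Cloud SSO endpoint.
 * The nested statement/principal/condition argument types must be imported from
 * com.pulumi.alicloud.ram.inputs for this listing to compile.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the stack: invokes getPolicyDocument and creates the Role from its rendered document. */
    public static void stack(Context ctx) {
        // The account ID is masked ("****") in this example; substitute the real SAML provider ARN.
        var federatedPrincipal = GetPolicyDocumentStatementPrincipalArgs.builder()
            .entity("Federated")
            .identifiers("acs:ram::123456789012****:saml-provider/testprovider")
            .build();
        // Only assertions addressed to this recipient URL satisfy the statement.
        var recipientCondition = GetPolicyDocumentStatementConditionArgs.builder()
            .operator("StringEquals")
            .variable("saml:recipient")
            .values("https://signin.aliyun.com/saml-role/sso")
            .build();
        var assumeRoleStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("sts:AssumeRole")
            .principals(federatedPrincipal)
            .conditions(recipientCondition)
            .build();
        // Render the statement into a JSON policy document.
        final var federatedExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(assumeRoleStatement)
            .build());
        // Create the role with the rendered document as its trust policy.
        var role = new Role("role", RoleArgs.builder()
            .name("tf-example-role-federated")
            .document(federatedExample.applyValue(result -> result.document()))
            .force(true)
            .build());
    }
}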
# Creates a RAM role whose trust policy is rendered by the getPolicyDocument invoke under `variables`.
resources:
  role:
    type: alicloud:ram:Role
    properties:
      name: tf-example-role-federated
      # The rendered JSON policy document from the invoke below.
      document: ${federatedExample.document}
      force: true
variables:
  federatedExample:
    fn::invoke:
      Function: alicloud:ram:getPolicyDocument
      Arguments:
        statements:
          # Single Allow statement: only the named SAML provider may assume the role.
          - effect: Allow
            actions:
              - sts:AssumeRole
            principals:
              - entity: Federated
                identifiers:
                  # The account ID is masked ("****") in this example; substitute the real SAML provider ARN.
                  - acs:ram::123456789012****:saml-provider/testprovider
            conditions:
              # Only assertions whose recipient is the Alibaba Cloud SSO endpoint satisfy the statement.
              - operator: StringEquals
                variable: saml:recipient
                values:
                  - https://signin.aliyun.com/saml-role/sso
data.alicloud_ram_policy_document.federated_example.document will evaluate to:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Federated": [
          "acs:ram::123456789012****:saml-provider/testprovider"
        ]
      },
      "Condition": {
        "StringEquals": {
          "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
        }
      }
    }
  ],
  "Version": "1"
}
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
def get_policy_document(output_file: Optional[str] = None,
                        statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
                        version: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(output_file: Optional[pulumi.Input[str]] = None,
                        statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
                        version: Optional[pulumi.Input[str]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput
> Note: This function is named GetPolicyDocument in the Go SDK.
public static class GetPolicyDocument 
{
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
    public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: alicloud:ram/getPolicyDocument:getPolicyDocument
  arguments:
    # arguments dictionary
The following arguments are supported:
- OutputFile string
 - File name where to save data source results (after running `pulumi preview`).
- Statements List<Pulumi.AliCloud.Ram.Inputs.GetPolicyDocumentStatement>
 - Statement of the RAM policy document. See the `statement` block below.
- Version string
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
- OutputFile string
 - File name where to save data source results (after running `pulumi preview`).
- Statements []GetPolicyDocumentStatement
 - Statement of the RAM policy document. See the `statement` block below.
- Version string
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
- outputFile String
 - File name where to save data source results (after running `pulumi preview`).
- statements List<GetPolicyDocumentStatement>
 - Statement of the RAM policy document. See the `statement` block below.
- version String
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
- outputFile string
 - File name where to save data source results (after running `pulumi preview`).
- statements GetPolicyDocumentStatement[]
 - Statement of the RAM policy document. See the `statement` block below.
- version string
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
- output_file str
 - File name where to save data source results (after running `pulumi preview`).
- statements Sequence[GetPolicyDocumentStatement]
 - Statement of the RAM policy document. See the `statement` block below.
- version str
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
- outputFile String
 - File name where to save data source results (after running `pulumi preview`).
- statements List<Property Map>
 - Statement of the RAM policy document. See the `statement` block below.
- version String
 - Version of the RAM policy document. Valid value is `1`. Default value is `1`.
getPolicyDocument Result
The following output properties are available:
- Document string
 - Standard policy document rendered based on the arguments above.
 - Id string
 - The provider-assigned unique ID for this managed resource.
 - OutputFile string
 - Statements List<Pulumi.AliCloud.Ram.Outputs.GetPolicyDocumentStatement>
 - Version string
 
- Document string
 - Standard policy document rendered based on the arguments above.
 - Id string
 - The provider-assigned unique ID for this managed resource.
 - OutputFile string
 - Statements []GetPolicyDocumentStatement
 - Version string
 
- document String
 - Standard policy document rendered based on the arguments above.
 - id String
 - The provider-assigned unique ID for this managed resource.
 - outputFile String
 - statements List<GetPolicyDocumentStatement>
 - version String
 
- document string
 - Standard policy document rendered based on the arguments above.
 - id string
 - The provider-assigned unique ID for this managed resource.
 - outputFile string
 - statements GetPolicyDocumentStatement[]
 - version string
 
- document str
 - Standard policy document rendered based on the arguments above.
 - id str
 - The provider-assigned unique ID for this managed resource.
 - output_file str
 - statements Sequence[GetPolicyDocumentStatement]
 - version str
 
- document String
 - Standard policy document rendered based on the arguments above.
 - id String
 - The provider-assigned unique ID for this managed resource.
 - outputFile String
 - statements List<Property Map>
 - version String
 
Supporting Types
GetPolicyDocumentStatement   
- Actions List<string>
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- Conditions List<Pulumi.AliCloud.Ram.Inputs.GetPolicyDocumentStatementCondition>
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- Effect string
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- Principals List<Pulumi.AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipal>
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- Resources List<string>
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
- Actions []string
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- Conditions []GetPolicyDocumentStatementCondition
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- Effect string
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- Principals []GetPolicyDocumentStatementPrincipal
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- Resources []string
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
- actions List<String>
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- conditions List<GetPolicyDocumentStatementCondition>
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- effect String
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- principals List<GetPolicyDocumentStatementPrincipal>
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- resources List<String>
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
- actions string[]
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- conditions GetPolicyDocumentStatementCondition[]
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- effect string
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- principals GetPolicyDocumentStatementPrincipal[]
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- resources string[]
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
- actions Sequence[str]
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- conditions Sequence[GetPolicyDocumentStatementCondition]
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- effect str
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- principals Sequence[GetPolicyDocumentStatementPrincipal]
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- resources Sequence[str]
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
- actions List<String>
 - Action of the RAM policy document. If you want to create a RAM role policy document, it must be `["sts:AssumeRole"]`.
- conditions List<Property Map>
 - Specifies the conditions that are required for the policy to take effect. See the `condition` block below.
- effect String
 - Indicates whether or not the `action` is allowed. Valid values are `Allow` and `Deny`. Default value is `Allow`. If you want to create a RAM role policy document, it must be `Allow`.
- principals List<Property Map>
 - Principal of the RAM policy document. If you want to create a RAM role policy document, it must be set. See the `principal` block below.
- resources List<String>
 - List of specific objects which will be authorized. If you want to create a RAM policy document, it must be set.
 
GetPolicyDocumentStatementCondition    
GetPolicyDocumentStatementPrincipal    
- Entity string
 - Identifiers List<string>
 
- Entity string
 - Identifiers []string
 
- entity String
 - identifiers List<String>
 
- entity string
 - identifiers string[]
 
- entity str
 - identifiers Sequence[str]
 
- entity String
 - identifiers List<String>
 
Package Details
- Repository
 - Alibaba Cloud pulumi/pulumi-alicloud
 - License
 - Apache-2.0
 - Notes
 - This Pulumi package is based on the `alicloud` Terraform Provider.