get
This data source Generates a RAM policy document of the current Alibaba Cloud user.
NOTE: Available since v1.184.0+.
Example Usage
Basic Example
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const basicExample = alicloud.ram.getPolicyDocument({
version: "1",
statements: [{
effect: "Allow",
actions: ["oss:*"],
resources: [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*",
],
}],
});
const _default = new alicloud.ram.Policy("default", {
policyName: "tf-example",
policyDocument: basicExample.then(basicExample => basicExample.document),
force: true,
});Content copied to clipboard
import pulumi
import pulumi_alicloud as alicloud
basic_example = alicloud.ram.get_policy_document(version="1",
statements=[{
"effect": "Allow",
"actions": ["oss:*"],
"resources": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*",
],
}])
default = alicloud.ram.Policy("default",
policy_name="tf-example",
policy_document=basic_example.document,
force=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var basicExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
{
Version = "1",
Statements = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"oss:*",
},
Resources = new[]
{
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*",
},
},
},
});
var @default = new AliCloud.Ram.Policy("default", new()
{
PolicyName = "tf-example",
PolicyDocument = basicExample.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Document),
Force = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicExample, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
Version: pulumi.StringRef("1"),
Statements: []ram.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"oss:*",
},
Resources: []string{
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = ram.NewPolicy(ctx, "default", &ram.PolicyArgs{
PolicyName: pulumi.String("tf-example"),
PolicyDocument: pulumi.String(basicExample.Document),
Force: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.Policy;
import com.pulumi.alicloud.ram.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var basicExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.version("1")
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("oss:*")
.resources(
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*")
.build())
.build());
var default_ = new Policy("default", PolicyArgs.builder()
.policyName("tf-example")
.policyDocument(basicExample.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.document()))
.force(true)
.build());
}
}Content copied to clipboard
resources:
default:
type: alicloud:ram:Policy
properties:
policyName: tf-example
policyDocument: ${basicExample.document}
force: true
variables:
basicExample:
fn::invoke:
function: alicloud:ram:getPolicyDocument
arguments:
version: '1'
statements:
- effect: Allow
actions:
- oss:*
resources:
- acs:oss:*:*:myphotos
- acs:oss:*:*:myphotos/*Content copied to clipboard
data.alicloud_ram_policy_document.basic_example.document will evaluate to:
{
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
],
"Version": "1"
}Content copied to clipboard
Example Multiple Condition Keys and Values
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const multipleCondition = alicloud.ram.getPolicyDocument({
version: "1",
statements: [
{
effect: "Allow",
actions: [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl",
],
resources: ["acs:oss:*:*:*"],
},
{
effect: "Allow",
actions: [
"oss:GetObject",
"oss:GetObjectAcl",
],
resources: ["acs:oss:*:*:myphotos/hangzhou/2015/*"],
},
{
effect: "Allow",
actions: ["oss:ListObjects"],
resources: ["acs:oss:*:*:myphotos"],
conditions: [
{
operator: "StringLike",
variable: "oss:Delimiter",
values: ["/"],
},
{
operator: "StringLike",
variable: "oss:Prefix",
values: [
"",
"hangzhou/",
"hangzhou/2015/*",
],
},
],
},
],
});
const policy = new alicloud.ram.Policy("policy", {
policyName: "tf-example-condition",
policyDocument: multipleCondition.then(multipleCondition => multipleCondition.document),
force: true,
});Content copied to clipboard
import pulumi
import pulumi_alicloud as alicloud
multiple_condition = alicloud.ram.get_policy_document(version="1",
statements=[
{
"effect": "Allow",
"actions": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl",
],
"resources": ["acs:oss:*:*:*"],
},
{
"effect": "Allow",
"actions": [
"oss:GetObject",
"oss:GetObjectAcl",
],
"resources": ["acs:oss:*:*:myphotos/hangzhou/2015/*"],
},
{
"effect": "Allow",
"actions": ["oss:ListObjects"],
"resources": ["acs:oss:*:*:myphotos"],
"conditions": [
{
"operator": "StringLike",
"variable": "oss:Delimiter",
"values": ["/"],
},
{
"operator": "StringLike",
"variable": "oss:Prefix",
"values": [
"",
"hangzhou/",
"hangzhou/2015/*",
],
},
],
},
])
policy = alicloud.ram.Policy("policy",
policy_name="tf-example-condition",
policy_document=multiple_condition.document,
force=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var multipleCondition = AliCloud.Ram.GetPolicyDocument.Invoke(new()
{
Version = "1",
Statements = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl",
},
Resources = new[]
{
"acs:oss:*:*:*",
},
},
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"oss:GetObject",
"oss:GetObjectAcl",
},
Resources = new[]
{
"acs:oss:*:*:myphotos/hangzhou/2015/*",
},
},
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"oss:ListObjects",
},
Resources = new[]
{
"acs:oss:*:*:myphotos",
},
Conditions = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Operator = "StringLike",
Variable = "oss:Delimiter",
Values = new[]
{
"/",
},
},
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Operator = "StringLike",
Variable = "oss:Prefix",
Values = new[]
{
"",
"hangzhou/",
"hangzhou/2015/*",
},
},
},
},
},
});
var policy = new AliCloud.Ram.Policy("policy", new()
{
PolicyName = "tf-example-condition",
PolicyDocument = multipleCondition.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Document),
Force = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
multipleCondition, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
Version: pulumi.StringRef("1"),
Statements: []ram.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl",
},
Resources: []string{
"acs:oss:*:*:*",
},
},
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"oss:GetObject",
"oss:GetObjectAcl",
},
Resources: []string{
"acs:oss:*:*:myphotos/hangzhou/2015/*",
},
},
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"oss:ListObjects",
},
Resources: []string{
"acs:oss:*:*:myphotos",
},
Conditions: []ram.GetPolicyDocumentStatementCondition{
{
Operator: "StringLike",
Variable: "oss:Delimiter",
Values: []string{
"/",
},
},
{
Operator: "StringLike",
Variable: "oss:Prefix",
Values: []string{
"",
"hangzhou/",
"hangzhou/2015/*",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
_, err = ram.NewPolicy(ctx, "policy", &ram.PolicyArgs{
PolicyName: pulumi.String("tf-example-condition"),
PolicyDocument: pulumi.String(multipleCondition.Document),
Force: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.Policy;
import com.pulumi.alicloud.ram.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var multipleCondition = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.version("1")
.statements(
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions(
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl")
.resources("acs:oss:*:*:*")
.build(),
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions(
"oss:GetObject",
"oss:GetObjectAcl")
.resources("acs:oss:*:*:myphotos/hangzhou/2015/*")
.build(),
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("oss:ListObjects")
.resources("acs:oss:*:*:myphotos")
.conditions(
GetPolicyDocumentStatementConditionArgs.builder()
.operator("StringLike")
.variable("oss:Delimiter")
.values("/")
.build(),
GetPolicyDocumentStatementConditionArgs.builder()
.operator("StringLike")
.variable("oss:Prefix")
.values(
"",
"hangzhou/",
"hangzhou/2015/*")
.build())
.build())
.build());
var policy = new Policy("policy", PolicyArgs.builder()
.policyName("tf-example-condition")
.policyDocument(multipleCondition.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.document()))
.force(true)
.build());
}
}Content copied to clipboard
resources:
policy:
type: alicloud:ram:Policy
properties:
policyName: tf-example-condition
policyDocument: ${multipleCondition.document}
force: true
variables:
multipleCondition:
fn::invoke:
function: alicloud:ram:getPolicyDocument
arguments:
version: '1'
statements:
- effect: Allow
actions:
- oss:ListBuckets
- oss:GetBucketStat
- oss:GetBucketInfo
- oss:GetBucketTagging
- oss:GetBucketAcl
resources:
- acs:oss:*:*:*
- effect: Allow
actions:
- oss:GetObject
- oss:GetObjectAcl
resources:
- acs:oss:*:*:myphotos/hangzhou/2015/*
- effect: Allow
actions:
- oss:ListObjects
resources:
- acs:oss:*:*:myphotos
conditions:
- operator: StringLike
variable: oss:Delimiter
values:
- /
- operator: StringLike
variable: oss:Prefix
values:
- ""
- hangzhou/
- hangzhou/2015/*Content copied to clipboard
data.alicloud_ram_policy_document.multiple_condition.document will evaluate to:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:myphotos/hangzhou/2015/*"
},
{
"Effect": "Allow",
"Action": "oss:ListObjects",
"Resource": "acs:oss:*:*:myphotos",
"Condition": {
"StringLike": {
"oss:Delimiter": "/",
"oss:Prefix": [
"",
"hangzhou/",
"hangzhou/2015/*"
]
}
}
}
],
"Version": "1"
}Content copied to clipboard
Example Assume-Role Policy with RAM Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const ramExample = alicloud.ram.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
entity: "RAM",
identifiers: ["acs:ram::123456789012****:root"],
}],
}],
});
const role = new alicloud.ram.Role("role", {
name: "tf-example-role-ram",
document: ramExample.then(ramExample => ramExample.document),
force: true,
});Content copied to clipboard
import pulumi
import pulumi_alicloud as alicloud
ram_example = alicloud.ram.get_policy_document(statements=[{
"effect": "Allow",
"actions": ["sts:AssumeRole"],
"principals": [{
"entity": "RAM",
"identifiers": ["acs:ram::123456789012****:root"],
}],
}])
role = alicloud.ram.Role("role",
name="tf-example-role-ram",
document=ram_example.document,
force=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var ramExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Entity = "RAM",
Identifiers = new[]
{
"acs:ram::123456789012****:root",
},
},
},
},
},
});
var role = new AliCloud.Ram.Role("role", new()
{
Name = "tf-example-role-ram",
Document = ramExample.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Document),
Force = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ramExample, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
Statements: []ram.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []ram.GetPolicyDocumentStatementPrincipal{
{
Entity: "RAM",
Identifiers: []string{
"acs:ram::123456789012****:root",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
_, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
Name: pulumi.String("tf-example-role-ram"),
Document: pulumi.String(ramExample.Document),
Force: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var ramExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.entity("RAM")
.identifiers("acs:ram::123456789012****:root")
.build())
.build())
.build());
var role = new Role("role", RoleArgs.builder()
.name("tf-example-role-ram")
.document(ramExample.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.document()))
.force(true)
.build());
}
}Content copied to clipboard
resources:
role:
type: alicloud:ram:Role
properties:
name: tf-example-role-ram
document: ${ramExample.document}
force: true
variables:
ramExample:
fn::invoke:
function: alicloud:ram:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- sts:AssumeRole
principals:
- entity: RAM
identifiers:
- acs:ram::123456789012****:rootContent copied to clipboard
data.alicloud_ram_policy_document.ram_example.document will evaluate to:
{
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"RAM": [
"acs:ram::123456789012****:root"
]
}
}
],
"Version": "1"
}Content copied to clipboard
Example Assume-Role Policy with Service Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const serviceExample = alicloud.ram.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
entity: "Service",
identifiers: ["ecs.aliyuncs.com"],
}],
}],
});
const role = new alicloud.ram.Role("role", {
name: "tf-example-role-service",
document: serviceExample.then(serviceExample => serviceExample.document),
force: true,
});Content copied to clipboard
import pulumi
import pulumi_alicloud as alicloud
service_example = alicloud.ram.get_policy_document(statements=[{
"effect": "Allow",
"actions": ["sts:AssumeRole"],
"principals": [{
"entity": "Service",
"identifiers": ["ecs.aliyuncs.com"],
}],
}])
role = alicloud.ram.Role("role",
name="tf-example-role-service",
document=service_example.document,
force=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var serviceExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Entity = "Service",
Identifiers = new[]
{
"ecs.aliyuncs.com",
},
},
},
},
},
});
var role = new AliCloud.Ram.Role("role", new()
{
Name = "tf-example-role-service",
Document = serviceExample.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Document),
Force = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
serviceExample, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
Statements: []ram.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []ram.GetPolicyDocumentStatementPrincipal{
{
Entity: "Service",
Identifiers: []string{
"ecs.aliyuncs.com",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
_, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
Name: pulumi.String("tf-example-role-service"),
Document: pulumi.String(serviceExample.Document),
Force: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var serviceExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.entity("Service")
.identifiers("ecs.aliyuncs.com")
.build())
.build())
.build());
var role = new Role("role", RoleArgs.builder()
.name("tf-example-role-service")
.document(serviceExample.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.document()))
.force(true)
.build());
}
}Content copied to clipboard
resources:
role:
type: alicloud:ram:Role
properties:
name: tf-example-role-service
document: ${serviceExample.document}
force: true
variables:
serviceExample:
fn::invoke:
function: alicloud:ram:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- sts:AssumeRole
principals:
- entity: Service
identifiers:
- ecs.aliyuncs.comContent copied to clipboard
data.alicloud_ram_policy_document.service_example.document will evaluate to:
{
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}Content copied to clipboard
Example Assume-Role Policy with Federated Principal
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const federatedExample = alicloud.ram.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
entity: "Federated",
identifiers: ["acs:ram::123456789012****:saml-provider/testprovider"],
}],
conditions: [{
operator: "StringEquals",
variable: "saml:recipient",
values: ["https://signin.aliyun.com/saml-role/sso"],
}],
}],
});
const role = new alicloud.ram.Role("role", {
name: "tf-example-role-federated",
document: federatedExample.then(federatedExample => federatedExample.document),
force: true,
});Content copied to clipboard
import pulumi
import pulumi_alicloud as alicloud
federated_example = alicloud.ram.get_policy_document(statements=[{
"effect": "Allow",
"actions": ["sts:AssumeRole"],
"principals": [{
"entity": "Federated",
"identifiers": ["acs:ram::123456789012****:saml-provider/testprovider"],
}],
"conditions": [{
"operator": "StringEquals",
"variable": "saml:recipient",
"values": ["https://signin.aliyun.com/saml-role/sso"],
}],
}])
role = alicloud.ram.Role("role",
name="tf-example-role-federated",
document=federated_example.document,
force=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var federatedExample = AliCloud.Ram.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Entity = "Federated",
Identifiers = new[]
{
"acs:ram::123456789012****:saml-provider/testprovider",
},
},
},
Conditions = new[]
{
new AliCloud.Ram.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Operator = "StringEquals",
Variable = "saml:recipient",
Values = new[]
{
"https://signin.aliyun.com/saml-role/sso",
},
},
},
},
},
});
var role = new AliCloud.Ram.Role("role", new()
{
Name = "tf-example-role-federated",
Document = federatedExample.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Document),
Force = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ram"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
federatedExample, err := ram.GetPolicyDocument(ctx, &ram.GetPolicyDocumentArgs{
Statements: []ram.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []ram.GetPolicyDocumentStatementPrincipal{
{
Entity: "Federated",
Identifiers: []string{
"acs:ram::123456789012****:saml-provider/testprovider",
},
},
},
Conditions: []ram.GetPolicyDocumentStatementCondition{
{
Operator: "StringEquals",
Variable: "saml:recipient",
Values: []string{
"https://signin.aliyun.com/saml-role/sso",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
_, err = ram.NewRole(ctx, "role", &ram.RoleArgs{
Name: pulumi.String("tf-example-role-federated"),
Document: pulumi.String(federatedExample.Document),
Force: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ram.RamFunctions;
import com.pulumi.alicloud.ram.inputs.GetPolicyDocumentArgs;
import com.pulumi.alicloud.ram.Role;
import com.pulumi.alicloud.ram.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var federatedExample = RamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.entity("Federated")
.identifiers("acs:ram::123456789012****:saml-provider/testprovider")
.build())
.conditions(GetPolicyDocumentStatementConditionArgs.builder()
.operator("StringEquals")
.variable("saml:recipient")
.values("https://signin.aliyun.com/saml-role/sso")
.build())
.build())
.build());
var role = new Role("role", RoleArgs.builder()
.name("tf-example-role-federated")
.document(federatedExample.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.document()))
.force(true)
.build());
}
}Content copied to clipboard
resources:
role:
type: alicloud:ram:Role
properties:
name: tf-example-role-federated
document: ${federatedExample.document}
force: true
variables:
federatedExample:
fn::invoke:
function: alicloud:ram:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- sts:AssumeRole
principals:
- entity: Federated
identifiers:
- acs:ram::123456789012****:saml-provider/testprovider
conditions:
- operator: StringEquals
variable: saml:recipient
values:
- https://signin.aliyun.com/saml-role/ssoContent copied to clipboard
data.alicloud_ram_policy_document.federated_example.document will evaluate to:
{
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Federated": [
"acs:ram::123456789012****:saml-provider/testprovider"
]
},
"Condition": {
"StringEquals": {
"saml:recipient": "https://signin.aliyun.com/saml-role/sso"
}
}
}
],
"Version": "1"
}Content copied to clipboard
Return
A collection of values returned by getPolicyDocument. ////////////////////*/
Parameters
argument
A collection of arguments for invoking getPolicyDocument.
suspend fun getPolicyDocument(outputFile: String? = null, statements: List<GetPolicyDocumentStatement>? = null, version: String? = null): GetPolicyDocumentResult
Return
A collection of values returned by getPolicyDocument.
Parameters
output
File name where to save data source results (after running pulumi preview).
statements
Statement of the RAM policy document. See the following Block statement. See statement below.
version
Version of the RAM policy document. Valid value is 1. Default value is 1.
See also
suspend fun getPolicyDocument(argument: suspend GetPolicyDocumentPlainArgsBuilder.() -> Unit): GetPolicyDocumentResult
Return
A collection of values returned by getPolicyDocument.
Parameters
argument
Builder for com.pulumi.alicloud.ram.kotlin.inputs.GetPolicyDocumentPlainArgs.