
Authorization rules for VPC APIs

Last updated: 2017-08-01 11:33:30

When a sub-account accesses the VPC resources of the primary account through the Open API, the VPC backend performs a permission check with RAM to make sure that the resource owner has in fact granted the caller the relevant permissions on the relevant resources.

Each Open API determines which resources must be permission-checked from the resources it involves and from the semantics of the API. Specifically, the authorization rules for each API are listed in the following table:

Action | Resource | Condition
--- | --- | ---
vpc:CreateVpc | acs:vpc:$regionid:$accountid:vpc/* |
vpc:DeleteVpc | acs:vpc:$regionid:$accountid:vpc/$vpcid |
vpc:DescribeVpcs | acs:vpc:$regionid:$accountid:vpc/* |
vpc:ModifyVpcAttribute | acs:vpc:$regionid:$accountid:vpc/$vpcid |
vpc:DescribeVRouters | acs:vpc:$regionid:$accountid:vrouter/* | If a VRouterId to query is specified: "vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid"; if no VRouterId is specified: "vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/*"
vpc:ModifyVRouterAttribute | acs:vpc:$regionid:$accountid:vrouter/$vrouterid |
vpc:CreateVSwitch | acs:vpc:$regionid:$accountid:vswitch/*; acs:vpc:$regionid:$accountid:vpc/$vpcid |
vpc:DeleteVSwitch | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
vpc:DescribeVSwitches | acs:vpc:$regionid:$accountid:vswitch/* | "vpc:Vpc":"acs:vpc:$regionid:$accountid:vpc/$vpcid"
vpc:ModifyVSwitchAttribute | acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
vpc:CreateRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
vpc:DeleteRouteEntry | acs:vpc:$regionid:$accountid:routetable/$routetableid |
vpc:DescribeRouteTables | acs:ecs:$regionid:$accountid:routetable/* | Route tables in a VRouter: "vpc:VRouter":"acs:vpc:$regionid:$accountid:vrouter/$vrouterid"
vpc:CreateHaVip | acs:vpc:$regionid:$accountid:havip/*; acs:vpc:$regionid:$accountid:vswitch/$vswitchid |
vpc:DeleteHaVip | acs:vpc:$regionid:$accountid:havip/$havipid |
vpc:AssociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid; acs:ecs:$regionid:$accountid:instance/$instanceid |
vpc:UnassociateHaVip | acs:vpc:$regionid:$accountid:havip/$havipid; acs:ecs:$regionid:$accountid:instance/$instanceid |
vpc:DescribeHaVips | acs:vpc:$regionid:$accountid:havip/* |
vpc:AllocateEipAddress | acs:vpc:$regionid:$accountid:eip/* |
vpc:AssociateEipAddress | If InstanceType is EcsInstance: acs:vpc:$regionid:$accountid:eip/$allocationid; acs:ecs:$regionid:$accountid:instance/$instanceid. If InstanceType is HaVip: acs:vpc:$regionid:$accountid:eip/$allocationid; acs:vpc:$regionid:$accountid:havip/$havipid |
vpc:DescribeEipAddresses | acs:vpc:$regionid:$accountid:eip/* |
vpc:ModifyEipAddressAttribute | acs:vpc:$regionid:$accountid:eip/$allocationid |
vpc:UnassociateEipAddress | If InstanceType is EcsInstance: acs:vpc:$regionid:$accountid:eip/$allocationid; acs:ecs:$regionid:$accountid:instance/$instanceid. If InstanceType is HaVip: acs:vpc:$regionid:$accountid:eip/$allocationid; acs:vpc:$regionid:$accountid:havip/$havipid |
vpc:ReleaseEipAddress | acs:vpc:$regionid:$accountid:eip/$allocationid |
vpc:DescribeEipMonitorData | acs:vpc:$regionid:$accountid:eip/$allocationid |
CreateNatGateway | acs:vpc:$regionid:$accountid:natgateway/* |
DescribeNatGateways | Query a specific NAT gateway: acs:vpc:$regionid:$accountid:natgateway/$natgatewayid. Query the NAT gateway list: acs:vpc:$regionid:$accountid:natgateway/* |
ModifyNatGatewaySpec | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
ModifyNatGatewayAttribute | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
DeleteNatGateway | acs:vpc:$regionid:$accountid:natgateway/$natgatewayid |
CreateBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/* |
DescribeBandwidthPackages | Query a specific shared bandwidth package: acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid. Query the shared bandwidth package list: acs:vpc:$regionid:$accountid:bandwidthpackage/* |
ModifyBandwidthPackageSpec | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
ModifyBandwidthPackageAttribute | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
AddBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
RemoveBandwidthPackageIps | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
DeleteBandwidthPackage | acs:vpc:$regionid:$accountid:bandwidthpackage/$bandwidthpackageid |
CreateForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DeleteForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
ModifyForwardEntry | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
DescribeForwardTableEntries | acs:vpc:$regionid:$accountid:forwardtable/$forwardtableid |
CreateSnatEntry | acs:vpc:$regionid:$accountid:snattable/* |
ModifySnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DescribeSnatTableEntries | acs:vpc:$regionid:$accountid:snattable/$snattableid |
DeleteSnatEntry | acs:vpc:$regionid:$accountid:snattable/$snattableid |
vpc:CreateCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/* |
vpc:DeleteCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
vpc:DescribeCustomerGateway | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
vpc:DescribeCustomerGateways | acs:vpc:$regionid:$accountid:customergateway/* |
vpc:ModifyCustomerGatewayAttribute | acs:vpc:$regionid:$accountid:customergateway/$customergatewayid |
vpc:CreateVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/* |
vpc:DeleteVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
vpc:DescribeVpnConnection | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
vpc:DescribeVpnConnections | acs:vpc:$regionid:$accountid:vpnconnection/* |
vpc:ModifyVpnConnectionAttribute | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
vpc:DownloadVpnConnectionConfig | acs:vpc:$regionid:$accountid:vpnconnection/$vpnconnectionid |
vpc:DeleteVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
vpc:DescribeVpnGateway | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
vpc:DescribeVpnGateways | acs:vpc:$regionid:$accountid:vpngateway/* |
vpc:ModifyVpnGatewayAttribute | acs:vpc:$regionid:$accountid:vpngateway/$vpngatewayid |
vpc:CreateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
vpc:AssociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid; acs:ecs:$regionid:$accountid:instance/$instanceid |
vpc:UnassociateGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
vpc:ModifyGlobalAccelerationInstanceSpec | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
vpc:ModifyGlobalAccelerationInstanceAttributes | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
vpc:DeleteGlobalAccelerationInstance | acs:vpc:$regionid:$accountid:globalaccelerationinstance/$globalaccelerationinstanceid |
vpc:DescribeGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/* |
vpc:DescribeServerRelatedGlobalAccelerationInstances | acs:vpc:$regionid:$accountid:globalaccelerationinstance/*; acs:ecs:$regionid:$accountid:instance/$instanceid |

Notes on VPC-related operations of other cloud products

Using other cloud products can involve operations on VPC resources (VPC, VSwitch, and so on), and those operations require the corresponding permissions on the VPC resources. For example, creating an ECS instance in a given VSwitch requires permission to create the ECS instance and permission on that VSwitch; when modifying an instance's VPC attributes to migrate the ECS instance from one VSwitch to another, authorization on the ECS instance and on both VSwitches is required at the same time.

For example, for ECS CreateInstance and ModifyInstanceVpcAttribute:

Action | Resource
--- | ---
ecs:CreateInstance | acs:ecs:$regionid:$accountid:instance/*; acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid; acs:ecs:$regionid:$accountid:image/$imageid; [and acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if DataDisk.n.SnapshotId is specified)]; [acs:vpc:$regionid:$accountid:vswitch/$vswitchid (if VSwitchId is specified)]
ecs:ModifyInstanceVpcAttribute | acs:ecs:$regionid:$accountid:instance/$instanceid; acs:vpc:$regionid:$accountid:vswitch/$vswitchid (the VSwitchId the ECS instance is currently in); acs:vpc:$regionid:$accountid:vswitch/$vswitchid (if the VSwitch is being changed, the VSwitchId to migrate to)
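The following is an added example, not Alibaba Cloud's code or its real RAM engine: a small evaluator that applies the rule from both tables above, namely that a call is authorized only when every resource listed for that action is granted to the caller, to a constructed least-privilege policy for a sub-account. It models a handful of actions (vpc:CreateVSwitch, vpc:DescribeVSwitches with its vpc:Vpc condition key, and ecs:ModifyInstanceVpcAttribute with its two VSwitches); the matching rules are a simplified approximation of RAM policy evaluation, the region, account and resource IDs are made up, and the CurrentVSwitchId parameter and the vpc/* fallback for an unscoped DescribeVSwitches query are assumptions of this example.

```python
# Added example, not Alibaba Cloud code: a toy evaluator for the per-API checks
# on this page.  It models a RAM-style policy and the rule that a call passes
# only when EVERY resource the table lists for the action is granted.  Only a
# few actions are modelled and matching is a simplified approximation.
import fnmatch
from typing import Dict, List, Optional, Tuple

def required_resources(action: str, region: str, account: str,
                       params: Dict[str, str]) -> List[str]:
    """Resources the backend checks for ``action`` (rows from the tables)."""
    vpc, ecs = f"acs:vpc:{region}:{account}", f"acs:ecs:{region}:{account}"
    if action == "vpc:CreateVSwitch":      # vswitch wildcard AND the parent VPC
        return [f"{vpc}:vswitch/*", f"{vpc}:vpc/{params['VpcId']}"]
    if action == "vpc:DescribeVSwitches":
        return [f"{vpc}:vswitch/*"]
    if action == "ecs:ModifyInstanceVpcAttribute":
        # Assumption: the instance's current VSwitch (which the real backend
        # looks up itself) arrives here as CurrentVSwitchId.
        needed = [f"{ecs}:instance/{params['InstanceId']}",
                  f"{vpc}:vswitch/{params['CurrentVSwitchId']}"]
        if "VSwitchId" in params:          # migrating to another VSwitch
            needed.append(f"{vpc}:vswitch/{params['VSwitchId']}")
        return needed
    raise KeyError(f"action not modelled here: {action}")

def condition_context(action: str, region: str, account: str,
                      params: Dict[str, str]) -> Dict[str, str]:
    """Condition keys on the request (the table's Condition column).  Assumption:
    without VpcId the key falls back to vpc/*, as the table says for VRouters."""
    if action == "vpc:DescribeVSwitches":
        return {"vpc:Vpc": f"acs:vpc:{region}:{account}:vpc/{params.get('VpcId', '*')}"}
    return {}

def _matches(patterns, value: str) -> bool:
    """Policy wildcard match: '*' matches any run of characters."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition: Optional[dict], ctx: Dict[str, str]) -> bool:
    """All StringEquals pairs must hold; missing keys or other operators fail closed."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            if ctx.get(key) not in wanted:
                return False
    return True

def is_authorized(policy: dict, action: str, region: str, account: str,
                  params: Dict[str, str]) -> Tuple[bool, str]:
    """(allowed, reason): Deny wins; each required resource needs an Allow."""
    ctx = condition_context(action, region, account, params)
    for resource in required_resources(action, region, account, params):
        granted = False
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return False, f"explicit Deny on {resource}"
            granted = True
        if not granted:
            return False, f"no statement grants {action} on {resource}"
    return True, "every required resource is granted"

# Constructed least-privilege policy for a RAM sub-account (all IDs are made up).
REGION, ACCOUNT, VPC_ID = "cn-hangzhou", "123456789012", "vpc-example0001"
VPC_ARN, ECS_ARN = f"acs:vpc:{REGION}:{ACCOUNT}", f"acs:ecs:{REGION}:{ACCOUNT}"
SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",                    # create vswitches only inside VPC_ID
     "Action": "vpc:CreateVSwitch",
     "Resource": [f"{VPC_ARN}:vswitch/*", f"{VPC_ARN}:vpc/{VPC_ID}"]},
    {"Effect": "Allow",                    # list vswitches only when scoped to VPC_ID
     "Action": "vpc:DescribeVSwitches",
     "Resource": f"{VPC_ARN}:vswitch/*",
     "Condition": {"StringEquals": {"vpc:Vpc": f"{VPC_ARN}:vpc/{VPC_ID}"}}},
    {"Effect": "Allow",                    # move one instance between two vswitches
     "Action": "ecs:ModifyInstanceVpcAttribute",
     "Resource": [f"{ECS_ARN}:instance/i-example0001",
                  f"{VPC_ARN}:vswitch/vsw-a", f"{VPC_ARN}:vswitch/vsw-b"]},
]}

def demo() -> Dict[str, bool]:
    """Evaluate representative requests against SCOPED_POLICY."""
    move = {"InstanceId": "i-example0001", "CurrentVSwitchId": "vsw-a"}
    checks = {
        "create vswitch in own vpc": ("vpc:CreateVSwitch", {"VpcId": VPC_ID}),
        "create vswitch in other vpc": ("vpc:CreateVSwitch", {"VpcId": "vpc-other0002"}),
        "describe vswitches scoped to vpc": ("vpc:DescribeVSwitches", {"VpcId": VPC_ID}),
        "describe all vswitches": ("vpc:DescribeVSwitches", {}),
        "move instance to vsw-b": ("ecs:ModifyInstanceVpcAttribute", {**move, "VSwitchId": "vsw-b"}),
        "move instance to vsw-c": ("ecs:ModifyInstanceVpcAttribute", {**move, "VSwitchId": "vsw-c"}),
    }
    return {name: is_authorized(SCOPED_POLICY, act, REGION, ACCOUNT, prm)[0]
            for name, (act, prm) in checks.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

Two outcomes are worth noting. Creating a VSwitch in any VPC other than vpc-example0001 is refused even though the policy grants vswitch/*, because the CreateVSwitch row requires the parent vpc/$vpcid as well; and listing all VSwitches is refused because the DescribeVSwitches statement carries a vpc:Vpc condition, so the sub-account can only query within the one VPC it was granted. The migration check mirrors the ModifyInstanceVpcAttribute row: the instance, its current VSwitch and the target VSwitch all have to be covered.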