为子账号授权后,您就可以通过子账号来使用阿里云视觉智能开放平台的相关服务。
授权操作步骤
Policy策略
- 全部权限
- 方式一:直接授予用户系统权限策略AliyunVIAPIFullAccess(管理视觉智能API的权限)。
- 方式二:自定义权限。拥有智能视觉所有能力的全部权限,policy定义如下所示。
{ "Statement": [ { "Effect": "Allow", "Action": "viapi-imageenhan:*", "Resource": "acs:viapi-imageenhan:*:*:*" }, { "Effect": "Allow", "Action": "viapi-imagerecog:*", "Resource": "acs:viapi-imagerecog:*:*:*" }, { "Effect": "Allow", "Action": "viapi-imageseg:*", "Resource": "acs:viapi-imageseg:*:*:*" }, { "Effect": "Allow", "Action": "viapi-imageaudit:*", "Resource": "acs:viapi-imageaudit:*:*:*" }, { "Effect": "Allow", "Action": "viapi-ocr:*", "Resource": "acs:viapi-ocr:*:*:*" }, { "Effect": "Allow", "Action": "viapi-facebody:*", "Resource": "acs:viapi-facebody:*:*:*" }, { "Effect": "Allow", "Action": "viapi-objectdet:*", "Resource": "acs:viapi-objectdet:*:*:*" }, { "Effect": "Allow", "Action": "viapi-goodstech:*", "Resource": "acs:viapi-goodstech:*:*:*" } ], "Version": "1" }
- 支持带IP/SSL限制的授权
{ "Statement": [ { "Effect": "Allow", "Action": "viapi-imageenhan:*", "Resource": "acs:viapi-imageenhan:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-imagerecog:*", "Resource": "acs:viapi-imagerecog:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-imageseg:*", "Resource": "acs:viapi-imageseg:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-imageaudit:*", "Resource": "acs:viapi-imageaudit:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-ocr:*", "Resource": "acs:viapi-ocr:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-facebody:*", "Resource": "acs:viapi-facebody:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-objectdet:*", "Resource": "acs:viapi-objectdet:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } }, { "Effect": "Allow", "Action": "viapi-goodstech:*", "Resource": "acs:viapi-goodstech:*:*:*", "Condition": { "IpAddress": { "acs:SourceIp": "42.120.99.0/24" }, "Bool": { "acs:SecureTransport": "true" } } } ], "Version": "1" }该授权策略在满足以下两个条件时可以访问所有资源。- 子用户当前的IP在42.120.99.0/24这个网段。
- 用户正在使用HTTPS访问阿里云控制台或OpenAPI。
- 时间限制
该授权策略的含义是:在北京时间2019年9月25日下午12:30之前,拥有IVPD的所有权限。
{ "Statement": [ { "Effect": "Allow", "Action": "viapi-imageenhan:*", "Resource": "acs:viapi-imageenhan:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-imagerecog:*", "Resource": "acs:viapi-imagerecog:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-imageseg:*", "Resource": "acs:viapi-imageseg:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-imageaudit:*", "Resource": "acs:viapi-imageaudit:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-ocr:*", "Resource": "acs:viapi-ocr:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-facebody:*", "Resource": "acs:viapi-facebody:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-objectdet:*", "Resource": "acs:viapi-objectdet:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } }, { "Effect": "Allow", "Action": "viapi-goodstech:*", "Resource": "acs:viapi-goodstech:*:*:*", "Condition": { "DateLessThan": { "acs:CurrentTime": "2019-09-25T12:30:00+08:00" } } } ], "Version": "1" } - MFA
如果一个子用户仅被授予该授权策略,只有此子用户启用MFA并使用MFA登录时,才具有IVPD的权限。此用户的AK也没有权限,需要使用AK+正确的MFA六位Code调用STS服务获取一个临时AK(15分钟失效),此临时AK才具有相应的权限。
{ "Statement": [ { "Effect": "Allow", "Action": "viapi-imageenhan:*", "Resource": "acs:viapi-imageenhan:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-imagerecog:*", "Resource": "acs:viapi-imagerecog:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-imageseg:*", "Resource": "acs:viapi-imageseg:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-imageaudit:*", "Resource": "acs:viapi-imageaudit:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-ocr:*", "Resource": "acs:viapi-ocr:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-facebody:*", "Resource": "acs:viapi-facebody:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-objectdet:*", "Resource": "acs:viapi-objectdet:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } }, { "Effect": "Allow", "Action": "viapi-goodstech:*", "Resource": "acs:viapi-goodstech:*:*:*", "Condition": { "Bool": { "acs:MFAPresent": "true" } } } ], "Version": "1" } - 控制台角色STS
STS Token是一种临时身份,用来解决跨帐号及跨服务的资源访问的问题。STS Token由以下三部分组成:
- AccessKeyId
- AccessKeySecret
- SecurityToken
操作步骤如下:- 在RAM控制台创建本账户的用户角色,给角色授权(该产品的管理权限或者AdministratorAccess)。
- 创建一个子用户,给子用户授权AliyunSTSAssumeRoleAccess。
- 被创建出来的子用户登录到控制台,切换身份,输入1中创建的角色名和企业别名(如果没有别名,输入主账户Id)。
- 切换到角色后,在浏览器里输入产品控制台的地址。
- 在控制台使用这个产品。
在文档使用中是否遇到以下问题
更多建议
匿名提交