为子账号授权后,您就可以通过子账号来使用阿里云视觉智能开放平台的相关服务。

授权操作步骤

  1. 登录RAM控制台
  2. 新建用户。
    详细操作步骤请参见创建RAM用户
  3. 新建权限策略。
    新建权限策略时请使用脚本配置的配置模式。细粒度授权设置支持:IP段、时间、MFA、SecureTransport、角色STS,详情请参见Policy策略。关于新建权限策略操作请参见创建自定义策略
  4. 为用户进行授权。
    详细授权操作请参见为RAM用户授权

Policy策略

  • 全部权限
    • 方式一:直接授予用户系统权限策略AliyunVIAPIFullAccess(管理视觉智能API的权限)。
    • 方式二:自定义权限。拥有智能视觉所有能力的全部权限,policy定义如下所示。
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "viapi-imageenhan:*",
            "Resource": "acs:viapi-imageenhan:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-imagerecog:*",
            "Resource": "acs:viapi-imagerecog:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-imageseg:*",
            "Resource": "acs:viapi-imageseg:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-imageaudit:*",
            "Resource": "acs:viapi-imageaudit:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-ocr:*",
            "Resource": "acs:viapi-ocr:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-facebody:*",
            "Resource": "acs:viapi-facebody:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-objectdet:*",
            "Resource": "acs:viapi-objectdet:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": "viapi-goodstech:*",
            "Resource": "acs:viapi-goodstech:*:*:*"
          }
        ],
        "Version": "1"
      }
      							
  • 支持带IP/SSL限制的授权
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "viapi-imageenhan:*",
          "Resource": "acs:viapi-imageenhan:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imagerecog:*",
          "Resource": "acs:viapi-imagerecog:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageseg:*",
          "Resource": "acs:viapi-imageseg:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageaudit:*",
          "Resource": "acs:viapi-imageaudit:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-ocr:*",
          "Resource": "acs:viapi-ocr:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-facebody:*",
          "Resource": "acs:viapi-facebody:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-objectdet:*",
          "Resource": "acs:viapi-objectdet:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-goodstech:*",
          "Resource": "acs:viapi-goodstech:*:*:*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": "42.120.99.0/24"
            },
            "Bool": {
              "acs:SecureTransport": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
    					
    该授权策略在满足以下两个条件时可以访问所有资源。
    • 子用户当前的IP在42.120.99.0/24这个网段。
    • 用户正在使用HTTPS访问阿里云控制台或OpenAPI。
  • 时间限制

    该授权策略的含义是:在北京时间2019年9月25日下午12:30之前,拥有IVPD的所有权限。

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "viapi-imageenhan:*",
          "Resource": "acs:viapi-imageenhan:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imagerecog:*",
          "Resource": "acs:viapi-imagerecog:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageseg:*",
          "Resource": "acs:viapi-imageseg:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageaudit:*",
          "Resource": "acs:viapi-imageaudit:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-ocr:*",
          "Resource": "acs:viapi-ocr:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-facebody:*",
          "Resource": "acs:viapi-facebody:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-objectdet:*",
          "Resource": "acs:viapi-objectdet:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-goodstech:*",
          "Resource": "acs:viapi-goodstech:*:*:*",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2019-09-25T12:30:00+08:00"
            }
          }
        }
      ],
      "Version": "1"
    }
    					
  • MFA

    如果一个子用户仅被授予该授权策略,只有此子用户启用MFA并使用MFA登录时,才具有IVPD的权限。此用户的AK也没有权限,需要使用AK+正确的MFA六位Code调用STS服务获取一个临时AK(15分钟失效),此临时AK才具有相应的权限。

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "viapi-imageenhan:*",
          "Resource": "acs:viapi-imageenhan:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imagerecog:*",
          "Resource": "acs:viapi-imagerecog:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageseg:*",
          "Resource": "acs:viapi-imageseg:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-imageaudit:*",
          "Resource": "acs:viapi-imageaudit:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-ocr:*",
          "Resource": "acs:viapi-ocr:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-facebody:*",
          "Resource": "acs:viapi-facebody:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-objectdet:*",
          "Resource": "acs:viapi-objectdet:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "viapi-goodstech:*",
          "Resource": "acs:viapi-goodstech:*:*:*",
          "Condition": {
            "Bool": {
              "acs:MFAPresent": "true"
            }
          }
        }
      ],
      "Version": "1"
    }
    					
  • 控制台角色STS
    STS Token是一种临时身份,用来解决跨帐号及跨服务的资源访问的问题。STS Token由以下三部分组成:
    • AccessKeyId
    • AccessKeySecret
    • SecurityToken
    操作步骤如下:
    1. 在RAM控制台创建本账户的用户角色,给角色授权(该产品的管理权限或者AdministratorAccess)。
    2. 创建一个子用户,给子用户授权AliyunSTSAssumeRoleAccess。
    3. 被创建出来的子用户登录到控制台,切换身份,输入1中创建的角色名和企业别名(如果没有别名,输入主账户Id)。
    4. 切换到角色后,在浏览器里输入产品控制台的地址。
    5. 在控制台使用这个产品。