Authorization rules for VPC-related APIs

Last updated: 2017-06-07 13:26:11

Authorization rules for VPC APIs

When a RAM sub-account accesses the primary account's VPC resources through an Open API, the VPC backend performs a permission check against RAM to confirm that the resource owner has in fact granted the caller the relevant permissions on the relevant resources.

Each Open API decides which resources' permissions must be checked based on the resources it touches and the semantics of the API. The authorization rule for each API is listed below (Action, the Resource(s) checked, and the Condition where one applies):

Action / Resource / Condition

vpc:CreateVpc
    Resource: acs:vpc:$regionid:$accountid:vpc/*

vpc:DeleteVpc
    Resource: acs:vpc:$regionid:$accountid:vpc/$vpcid

vpc:DescribeVpcs
    Resource: acs:vpc:$regionid:$accountid:vpc/*

vpc:ModifyVpcAttribute
    Resource: acs:vpc:$regionid:$accountid:vpc/$vpcid

vpc:DescribeVRouters
    Resource: acs:vpc:$regionid:$accountid:vrouter/*
    Condition: when the VRouterId to query is specified:
                 "vpc:Vpc": "acs:vpc:$regionid:$accountid:vpc/$vpcid"
               when VRouterId is not specified:
                 "vpc:Vpc": "acs:vpc:$regionid:$accountid:vpc/*"

vpc:ModifyVRouterAttribute
    Resource: acs:vpc:$regionid:$accountid:vrouter/$vrouterid

vpc:CreateVSwitch
    Resource: acs:vpc:$regionid:$accountid:vswitch/*
              acs:vpc:$regionid:$accountid:vpc/$vpcid

vpc:DeleteVSwitch
    Resource: acs:vpc:$regionid:$accountid:vswitch/$vswitchid

vpc:DescribeVSwitches
    Resource: acs:vpc:$regionid:$accountid:vswitch/*
    Condition: "vpc:Vpc": "acs:vpc:$regionid:$accountid:vpc/$vpcid"

vpc:ModifyVSwitchAttribute
    Resource: acs:vpc:$regionid:$accountid:vswitch/$vswitchid

vpc:CreateRouteEntry
    Resource: acs:vpc:$regionid:$accountid:routetable/$routetableid

vpc:DeleteRouteEntry
    Resource: acs:vpc:$regionid:$accountid:routetable/$routetableid

vpc:DescribeRouteTables
    Resource: acs:ecs:$regionid:$accountid:routetable/*
    Condition: route tables in a VRouter:
                 "vpc:VRouter": "acs:vpc:$regionid:$accountid:vrouter/$vrouterid"

vpc:CreateHaVip
    Resource: acs:vpc:$regionid:$accountid:havip/*
              acs:vpc:$regionid:$accountid:vswitch/$vswitchid

vpc:DeleteHaVip
    Resource: acs:vpc:$regionid:$accountid:havip/$havipid

vpc:AssociateHaVip
    Resource: acs:vpc:$regionid:$accountid:havip/$havipid
              acs:ecs:$regionid:$accountid:instance/$instanceid

vpc:UnassociateHaVip
    Resource: acs:vpc:$regionid:$accountid:havip/$havipid
              acs:ecs:$regionid:$accountid:instance/$instanceid

vpc:DescribeHaVips
    Resource: acs:vpc:$regionid:$accountid:havip/*

vpc:AllocateEipAddress
    Resource: acs:vpc:$regionid:$accountid:eip/*

vpc:AssociateEipAddress
    Resource: when InstanceType is EcsInstance:
                acs:vpc:$regionid:$accountid:eip/$allocationid
                acs:ecs:$regionid:$accountid:instance/$instanceid
              when InstanceType is HaVip:
                acs:vpc:$regionid:$accountid:eip/$allocationid
                acs:vpc:$regionid:$accountid:havip/$havipid

vpc:DescribeEipAddresses
    Resource: acs:vpc:$regionid:$accountid:eip/*

vpc:ModifyEipAddressAttribute
    Resource: acs:vpc:$regionid:$accountid:eip/$allocationid

vpc:UnassociateEipAddress
    Resource: when InstanceType is EcsInstance:
                acs:vpc:$regionid:$accountid:eip/$allocationid
                acs:ecs:$regionid:$accountid:instance/$instanceid
              when InstanceType is HaVip:
                acs:vpc:$regionid:$accountid:eip/$allocationid
                acs:vpc:$regionid:$accountid:havip/$havipid

vpc:ReleaseEipAddress
    Resource: acs:vpc:$regionid:$accountid:eip/$allocationid

vpc:DescribeEipMonitorData
    Resource: acs:vpc:$regionid:$accountid:eip/$allocationid

Notes on VPC-related operations of other cloud products

Using other cloud products can involve operations on VPC resources (VPC, VSwitch, and so on), which require the corresponding permissions on those VPC resources. For example, creating an ECS instance in a given VSwitch requires permission to create the ECS instance and permission on that VSwitch; when modifying an instance's VPC attributes to move the ECS instance from one VSwitch to another, the caller must be authorized on the ECS instance and on both VSwitches at the same time.

For example, ECS CreateInstance and ModifyInstanceVpcAttribute:

Action / Resource

ecs:CreateInstance
    Resource: acs:ecs:$regionid:$accountid:instance/*
              acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
              acs:ecs:$regionid:$accountid:image/$imageid
              [acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if DataDisk.n.SnapshotId is specified)]
              [acs:vpc:$regionid:$accountid:vswitch/$vswitchid (if VSwitchId is specified)]

ecs:ModifyInstanceVpcAttribute
    Resource: acs:ecs:$regionid:$accountid:instance/$instanceid
              acs:vpc:$regionid:$accountid:vswitch/$vswitchid (the VSwitchId the ECS instance is currently in)
              acs:vpc:$regionid:$accountid:vswitch/$vswitchid (if the VSwitch is changed, the VSwitchId being migrated to)
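The rule both tables above rely on is that an API call passes only when the caller is allowed on every resource in its row, and that the row itself can depend on request parameters (InstanceType for AssociateEipAddress). The following is an added illustration, not Alibaba Cloud's own code: a simplified RAM-style evaluator over two rows of the VPC table, run against a constructed sample policy (the account id, region and resource ids are placeholders). It shows a policy granting vswitch/* but only one specific vpc/$vpcid, so CreateVSwitch succeeds in that VPC and fails in any other, and a policy covering EIP and ECS instances but not HaVips, so AssociateEipAddress passes for InstanceType=EcsInstance and is refused for InstanceType=HaVip.

```python
import fnmatch

# Resources each API checks, transcribed from the table above for two actions;
# brace placeholders are filled from the request parameters.
REQUIRED = {
    "vpc:CreateVSwitch": ["acs:vpc:{region}:{account}:vswitch/*",
                          "acs:vpc:{region}:{account}:vpc/{vpcid}"],
    "vpc:AssociateEipAddress": {  # resource set depends on InstanceType
        "EcsInstance": ["acs:vpc:{region}:{account}:eip/{allocationid}",
                        "acs:ecs:{region}:{account}:instance/{instanceid}"],
        "HaVip": ["acs:vpc:{region}:{account}:eip/{allocationid}",
                  "acs:vpc:{region}:{account}:havip/{havipid}"],
    },
}

# Constructed sample policy for a RAM sub-account; the account id and
# resource ids are placeholders, not real values.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["vpc:CreateVSwitch"],
     "Resource": ["acs:vpc:cn-hangzhou:1234567890:vswitch/*",
                  "acs:vpc:cn-hangzhou:1234567890:vpc/vpc-example1"]},
    {"Effect": "Allow", "Action": ["vpc:AssociateEipAddress"],
     "Resource": ["acs:vpc:cn-hangzhou:1234567890:eip/*",
                  "acs:ecs:cn-hangzhou:1234567890:instance/*"]},
]}

def required_resources(action, params):
    """Expand the table row for `action` into concrete resource names."""
    spec = REQUIRED[action]
    if isinstance(spec, dict):
        spec = spec[params["InstanceType"]]
    return [t.format(**params) for t in spec]

def is_allowed(policy, action, resource):
    """One (action, resource) pair: explicit Deny wins, else an Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def authorize(policy, action, params):
    """The call passes only if every resource the action touches is allowed."""
    return all(is_allowed(policy, action, r)
               for r in required_resources(action, params))
```

A missing request parameter raises KeyError from `format`, so an incomplete request is never silently treated as authorized.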