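When you use resource groups to group and manage resources, you can combine them with Resource Access Management (RAM) to isolate resources and manage permissions at a fine granularity within a single Alibaba Cloud account. This topic summarizes how Elastic Compute Service (ECS) supports resource groups and describes the steps for granting permissions at the resource group level.
- Resource group-level authorization takes effect only for resource types that support resource groups and for operations that support resource group-level authorization.
- For resource types that do not support resource groups, granting permissions scoped to a resource group has no effect. When you select the resource scope, select the account level and grant the permissions at the account level. For details, see Operations that do not support resource group-level authorization.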
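How resource group authorization works
You can use resource groups to group and manage the resources in your Alibaba Cloud account. For example, create a resource group for each project and transfer resources into the corresponding group so that each project's resources can be managed centrally. For more information, see What is a resource group.
After the resources are grouped, you can grant different RAM principals (RAM users, RAM user groups, or RAM roles) permissions scoped to a specified resource group, which restricts that principal to managing only the resources in that resource group. For more information, see Resource grouping and authorization.
This authorization approach has the following advantages:
- Fine-grained permissions: each identity gets the most precise resource access permissions, and the resources of multiple projects under the account are not managed together.
- Good scalability: when you add resources later, you only need to add them to the resource group. The RAM identity automatically gets the corresponding permissions on the new resources, with no further authorization required.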
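Grant resource group-level permissions to a RAM user
The following uses a RAM user as an example to describe how to grant permissions on the ECS resources in a specified resource group.
1. Prerequisites
2. Grant resource group-level permissions
You can grant resource group-level permissions in either of the following ways.
Method 1: Grant permissions in the Resource Management console
Grant permissions to the specified RAM user through the permission management feature of the resource group. For details, see Grant a RAM identity permissions scoped to a resource group.
Method 2: Grant permissions in the RAM console
Grant resource group-level permissions to the specified RAM user through the RAM console. For details, see Grant permissions to a RAM user.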
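Resource types that support resource groups
The following table lists the ECS resource types that support resource groups:
| Cloud service | Service code | Resource type |
|---|---|---|
| Elastic Compute Service (ECS) | ecs | ddh : DDH |
| Elastic Compute Service (ECS) | ecs | disk : Disk |
| Elastic Compute Service (ECS) | ecs | eni : Elastic network interface |
| Elastic Compute Service (ECS) | ecs | image : Image |
| Elastic Compute Service (ECS) | ecs | imagecomponent : Image component |
| Elastic Compute Service (ECS) | ecs | imagepipeline : Image template |
| Elastic Compute Service (ECS) | ecs | |
| Elastic Compute Service (ECS) | ecs | keypair : Key pair |
| Elastic Compute Service (ECS) | ecs | launchtemplate : Instance launch template |
| Elastic Compute Service (ECS) | ecs | securitygroup : Security group |
| Elastic Compute Service (ECS) | ecs | snapshot : Snapshot |
| Elastic Compute Service (ECS) | ecs | snapshotpolicy : Snapshot policy |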
For resource types that do not yet support resource groups, you can submit feedback in the resource group console if needed.

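Operations that do not support resource group-level authorization
The following ECS operations (Actions) do not support resource group-level authorization:
| Operation (Action) | Description |
|---|---|
| ecs:AddInstancesToCarePlan | Add instances to a stability care plan |
| ecs:AddInvisibleChecks | Add invisible metrics |
| ecs:AllocateEipAddress | |
| ecs:ApplySecurityGroupSnapshot | Restore rules from a security group snapshot |
| ecs:AssociateEipAddress | |
| ecs:AssociateSecurityGroupSnapshotPolicy | Associate a security group snapshot policy |
| ecs:CancelMigrationPlan | Cancel a migration plan |
| ecs:CancelTask | Call CancelTask to cancel a running task. Currently, you can cancel running image import (ImportImage) and image export (ExportImage) tasks. |
| ecs:CheckOpenSnapshotService | Check whether the user has activated the snapshot service |
| ecs:ConfirmCarePlanBill | Bill a stability care plan immediately |
| ecs:CreateCarePlan | Create a care plan |
| ecs:CreateClassicToVpcRollbackTask | Roll back a C2v migration task |
| ecs:CreateDeploymentSet | Create a deployment set in the specified region. |
| ecs:CreateDiagnosisOperateRecords | API for adding operation history records in diagnostic analysis |
| ecs:CreateDiagnosticMetricSet | Call CreateDiagnosticMetricSet to create a set of resource diagnostic metrics. You can combine diagnostic metrics flexibly as needed. |
| ecs:CreateFunctionFeedback | Create user feedback |
| ecs:CreateHpcCluster | Call CreateHpcCluster to create an HPC cluster. |
| ecs:CreateIssueCategoryReportRelation | Save the relation between an issue category and a diagnostic report |
| ecs:CreateNetworkInsightsPath | Create a base path for connectivity analysis |
| ecs:CreatePlanMaintenanceWindow | Create a maintenance window |
| ecs:CreatePortRangeList | Create a port list that can later be associated with resources (for example, security groups). |
| ecs:CreateSecurityGroupSnapshotPolicy | Create a security group snapshot policy |
| ecs:DeleteCarePlan | Delete a care plan |
| ecs:DeleteDeploymentSet | Delete a deployment set. |
| ecs:DeleteDiagnosticMetricSets | Call DeleteDiagnosticMetricSets to delete sets of resource diagnostic metrics. |
| ecs:DeleteDiagnosticReports | Call DeleteDiagnosticReports to delete resource diagnostic reports. |
| ecs:DeleteHpcCluster | Call DeleteHpcCluster to delete an HPC cluster. |
| ecs:DeleteNetworkInsightsAnalysis | Delete a connectivity analysis |
| ecs:DeleteNetworkInsightsPath | Delete a connectivity analysis path |
| ecs:DeletePlanMaintenanceWindow | Delete a maintenance window |
| ecs:DeletePortRangeList | Delete the specified port list; all entries in the port list are deleted with it. |
| ecs:DeleteReservationDemand | |
| ecs:DeleteSecurityGroupSnapshotPolicy | Delete a security group snapshot policy |
| ecs:DeleteVolume | Delete the specified storage volume |
| ecs:DeleteWaitingOrders | Cancel waitlist orders |
| ecs:DescribeAccountAttributes | Get the attributes of the account |
| ecs:DescribeAccountCommonQuotas | Query the common quota of the account |
| ecs:DescribeAccountLimits | Get the number of resources of the specified business resource type that this account can own |
| ecs:DescribeAvailableResource | |
| ecs:DescribeBandwidthHistory | Query the ECS bandwidth change history |
| ecs:DescribeCarePlans | Query care plans |
| ecs:DescribeChargeTypeModificationPrice | |
| ecs:DescribeClassicLinkInstances | Query one or more classic network instances that have established a connection with a VPC. |
| ecs:DescribeCloudAssistantSettings | Query the Cloud Assistant service settings. |
| ecs:DescribeClusters | |
| ecs:DescribeCustomerIssueCategory | |
| ecs:DescribeDedicatedBlockStorageClusterDisks | Query the disk information of dedicated block storage clusters in the current region |
| ecs:DescribeDeploymentSetTopology | Query |
| ecs:DescribeDeploymentSets | Query the details of one or more deployment sets. |
| ecs:DescribeDiagnosisOperateRecords | API for querying operation history records in diagnostic analysis |
| ecs:DescribeDiagnosticMetrics | Call DescribeDiagnosticMetrics to query the list of diagnostic metrics. |
| ecs:DescribeDiagnosticReportAttributes | Call DescribeDiagnosticReportAttributes to query the details of a resource diagnosis. |
| ecs:DescribeDiskDefaultKMSKeyId | Query the key used for account-level default encryption of block storage. |
| ecs:DescribeDiskEncryptionByDefaultStatus | Query the service status of account-level default encryption of block storage in the specified region. |
| ecs:DescribeEcsScenarioFacade | ECS content recommendation API |
| ecs:DescribeEipAddresses | |
| ecs:DescribeEipPrice | EIP price inquiry |
| ecs:DescribeFunctionFeedback | Console feature feedback |
| ecs:DescribeHpcClusters | Call DescribeHpcClusters to query the HPC clusters available to you. Request parameters act as filters combined with logical AND; the parameters do not depend on one another. |
| ecs:DescribeImageFromFamily | Query the most recently created available custom image in the specified image family. |
| ecs:DescribeInsightCheckItems | Query the list of resource information for ECS usage maturity assessment and insight checks |
| ecs:DescribeInsightChecks | Query the list of check items for ECS usage maturity assessment and insight |
| ecs:DescribeInsightStatus | Query the activation status of ECS usage maturity assessment and insight |
| ecs:DescribeInsightSummaries | Query the statistical results of ECS usage maturity assessment and insight checks |
| ecs:DescribeInstanceCrossZoneModifyConstraint | Validate the constraints for cross-zone instance migration and configuration change |
| ecs:DescribeInstanceMigrationLog | Query instance migration logs |
| ecs:DescribeInstanceStatus | This API is mainly used to query the status of one or more specified ECS instances; it also supports querying the instance list under specified conditions. |
| ecs:DescribeInstanceTypeResource | Resource planning: instance type query |
| ecs:DescribeInstanceTypes | |
| ecs:DescribeKMSKeyAttribute | Query the attributes of the specified key |
| ecs:DescribeKMSKeys | Query the identifier information of the specified keys |
| ecs:DescribeLimitation | Query account limits |
| ecs:DescribeLinkedKMSKeys | Query the user's key information in the current region |
| ecs:DescribeMigrationInstancesTask | Query instance migration tasks |
| ecs:DescribeMigrationPlans | Query the list of migration plans |
| ecs:DescribeMigrationPreferences | Query migration preferences |
| ecs:DescribeNetworkInsightsAnalysisResult | Query the detailed results of a path connectivity analysis |
| ecs:DescribeNetworkInsightsAnalysises | Query path analyses |
| ecs:DescribeNetworkInsightsPaths | Query base paths for connectivity analysis |
| ecs:DescribeOrderAutoRebootTime | Query the reboot time of the specified order |
| ecs:DescribePlanMaintenanceWindows | Query maintenance windows |
| ecs:DescribePortRangeListAssociations | Query the resources associated with the specified port list, for example, security groups. |
| ecs:DescribePortRangeListEntries | Query the entries of the specified port list. |
| ecs:DescribePurchaseRecommendation | |
| ecs:DescribeRegions | |
| ecs:DescribeReservationDemandCommittedAmount | Calculate the minimum committed spend |
| ecs:DescribeReservationDemands | Query demand orders |
| ecs:DescribeReservedInstanceCategories | Query the categories of reserved instances available for purchase |
| ecs:DescribeResourceByTags | Call DescribeResourceByTags to search for resources by tag. Searching by tag and searching by resource type are both supported. |
| ecs:DescribeResourceDisplay | Query package resources |
| ecs:DescribeResourceStatusDiagnosis | API for querying the health status diagnosis of user resources |
| ecs:DescribeSecurityGroupSnapshotAttributes | Query the details of a security group snapshot |
| ecs:DescribeSecurityGroupSnapshotPolicies | Query security group snapshot policies |
| ecs:DescribeSecurityGroupSnapshots | Query security group snapshots |
| ecs:DescribeSnapshotBusinessStatus | Query the user's snapshot commercialization status |
| ecs:DescribeSnapshotCampaign | Query the user's snapshot campaign information; for use by the ECS console only. |
| ecs:DescribeSnapshotMonitorData | Query monitoring data on snapshot capacity changes in a region over the last 30 days. |
| ecs:DescribeSnapshotPackage | Call DescribeSnapshotPackage to query the OSS storage plans you have purchased in an Alibaba Cloud region. Storage plans can offset standard snapshot storage capacity but cannot offset local snapshots. |
| ecs:DescribeSnapshotPolicyAssociatedSecurityGroups | Query the security groups associated with a security group snapshot policy |
| ecs:DescribeSnapshotPrice | |
| ecs:DescribeSnapshotWarmups | |
| ecs:DescribeSnapshotsUsage | Query the number of snapshots and the snapshot capacity you have in a region. |
| ecs:DescribeSpotPriceHistory | |
| ecs:DescribeStorageCapacityUnitDeductFactor | Query the deduction factor of storage capacity units. |
| ecs:DescribeStorageSetDetails | Query the details of the specified storage set |
| ecs:DescribeTaskAttribute | Call DescribeTaskAttribute to query the details of an asynchronous task. Currently, the asynchronous tasks that can be queried are image import (ImportImage), image export (ExportImage), and disk type change (ModifyDiskSpec). |
| ecs:DescribeTasks | Call DescribeTasks to query the progress of one or more asynchronous requests. |
| ecs:DescribeUserBusinessBehavior | Get user-level default attributes |
| ecs:DescribeVSwitches | |
| ecs:DescribeVolumes | Query the user's storage volume information in the current region |
| ecs:DescribeVpcHavsInstances | |
| ecs:DescribeVpcs | |
| ecs:DescribeWaitingOrders | Query waitlist orders |
| ecs:DescribeZones | |
| ecs:DisableDiskEncryptionByDefault | Disable account-level default encryption of block storage in the specified region. |
| ecs:DiskDefaultEncryptionQueryByParam | API for querying the account's default cloud disk encryption |
| ecs:EnableDiskEncryptionByDefault | Enable account-level default encryption of block storage in the specified region. |
| ecs:EnableInsight | Activate ECS usage maturity assessment and insight |
| ecs:GetSnapshotBlock | Snapshot data API; gets the data block at the specified index of a snapshot |
| ecs:GetSnapshotInfo | O&M interface of the snapshot data API |
| ecs:InnerCreateDiagnosticReport | |
| ecs:InnerOpenSnapShotService | |
| ecs:InnerReleaseDedicatedHost | |
| ecs:InnerReleaseElasticAssurance | |
| ecs:JoinSnapshotCampaign | Join a snapshot campaign; for use by the ECS console only. |
| ecs:KeepUsing | Sign the agreement to use an image version that has been taken offline |
| ecs:ListAccountEcsQuotas | Query user quota data |
| ecs:ListBandwidthHistory | |
| ecs:ListChangedBlocks | Snapshot data API; computes the data difference between two snapshots and returns the BlockToken of the differing data blocks |
| ecs:ListServiceSettings | Query the service settings of cloud products under ECS in the specified region |
| ecs:ListSnapshotBlocks | List information about all valid data blocks of an EBS snapshot |
| ecs:ModifyCarePlanAttribute | Modify a care plan |
| ecs:ModifyCloudAssistantSettings | Modify the Cloud Assistant service settings. |
| ecs:ModifyDeploymentSetAttribute | Modify the name and description of a deployment set. |
| ecs:ModifyDiskDefaultKMSKeyId | Modify the KMS key ID used for account-level default encryption of block storage in the specified region. |
| ecs:ModifyHpcClusterAttribute | Call ModifyHpcClusterAttribute to modify the description of an HPC cluster. |
| ecs:ModifyOrderAutoRebootTime | Modify the reboot time of the specified order |
| ecs:ModifyPlanMaintenanceWindow | Update a maintenance window |
| ecs:ModifyPortRangeList | Modify the name and entries of the specified port list; adding, modifying, and deleting entries are supported. |
| ecs:ModifyReservationDemand | |
| ecs:ModifyResourceMeta | Modify resource meta |
| ecs:ModifySecurityGroupSnapshotPolicy | Modify a security group snapshot policy |
| ecs:ModifySnapshotBusinessStatus | Modify the user's commercialization status |
| ecs:ModifyUserBusinessBehavior | Set user-level default attributes |
| ecs:ModifyVolumeAttribute | Modify the attributes of a volume |
| ecs:OpenSnapShotService | |
| ecs:OpenSnapshotService | User activates the snapshot service |
| ecs:PurchaseSavingPlanOffering | Purchase a savings plan. |
| ecs:PurchaseStorageCapacityUnit | Purchase one or more storage capacity units (SCUs). |
| ecs:QueryConstraints | |
| ecs:QueryCopyImageSupportRegions | |
| ecs:QueryNeedKeepUsing | Query the signing of the agreement to use an image version that has been taken offline |
| ecs:QueryUsableSnapshots | Query the snapshots available to the user |
| ecs:QueryUserInfo | copied from Ecsinc |
| ecs:ReAddMigrationTaskInPlan | |
| ecs:ReInitVolume | Initialize the data of the specified storage volume |
| ecs:ReinitDisk | |
| ecs:ReleaseCapacityReservation | Call ReleaseCapacityReservation to release a capacity reservation. |
| ecs:ReleaseEipAddress | |
| ecs:RemoveInvisibleChecks | Remove invisible metrics |
| ecs:ResetDiskDefaultKMSKeyId | API that resets the KMS key ID used for account-level default encryption of block storage in the specified region to the service key. |
| ecs:ResizeVolume | Expand the capacity of the specified volume |
| ecs:RollbackVolume | Roll back the data of the specified storage volume |
| ecs:RunInstance | |
| ecs:StartNetworkInsightsAnalysis | Start a path connectivity analysis |
| ecs:UnassociateEipAddress | |
| ecs:UnassociateSecurityGroupSnapshotPolicy | Disassociate a security group snapshot policy |
| ecs:UpdateServiceSettings | Modify the service settings of cloud products under ECS in the specified region |
| ecs:WithdrawCarePlan | Withdraw a care plan |
| ecs:describeImageFromFamily | |
| ecs:describeInstances | |
| ecs:runInstances | |
| ecs:unmountPEDisk | |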
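For operations that do not support resource group authorization, selecting the resource group level as the resource scope during authorization has no effect. If the RAM user still needs permissions for the operations above, create a custom policy and select the account level as the resource scope when you grant it.
The following are two custom policy examples. Adjust the policy content to your needs.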
- Allow all read-only operations that do not support resource group-level authorization:

The Action element lists all read-only operations that do not support resource group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CheckOpenSnapshotService",
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeWaitingOrders",
        "ecs:DiskDefaultEncryptionQueryByParam",
        "ecs:GetSnapshotBlock",
        "ecs:GetSnapshotInfo",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allow all operations that do not support resource group-level authorization:

The Action element lists all operations that do not support resource group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:AddInstancesToCarePlan",
        "ecs:AddInvisibleChecks",
        "ecs:AllocateEipAddress",
        "ecs:ApplySecurityGroupSnapshot",
        "ecs:AssociateEipAddress",
        "ecs:AssociateSecurityGroupSnapshotPolicy",
        "ecs:CancelMigrationPlan",
        "ecs:CancelTask",
        "ecs:CheckOpenSnapshotService",
        "ecs:ConfirmCarePlanBill",
        "ecs:CreateCarePlan",
        "ecs:CreateClassicToVpcRollbackTask",
        "ecs:CreateDeploymentSet",
        "ecs:CreateDiagnosisOperateRecords",
        "ecs:CreateDiagnosticMetricSet",
        "ecs:CreateFunctionFeedback",
        "ecs:CreateHpcCluster",
        "ecs:CreateIssueCategoryReportRelation",
        "ecs:CreateNetworkInsightsPath",
        "ecs:CreatePlanMaintenanceWindow",
        "ecs:CreatePortRangeList",
        "ecs:CreateSecurityGroupSnapshotPolicy",
        "ecs:DeleteCarePlan",
        "ecs:DeleteDeploymentSet",
        "ecs:DeleteDiagnosticMetricSets",
        "ecs:DeleteDiagnosticReports",
        "ecs:DeleteHpcCluster",
        "ecs:DeleteNetworkInsightsAnalysis",
        "ecs:DeleteNetworkInsightsPath",
        "ecs:DeletePlanMaintenanceWindow",
        "ecs:DeletePortRangeList",
        "ecs:DeleteReservationDemand",
        "ecs:DeleteSecurityGroupSnapshotPolicy",
        "ecs:DeleteVolume",
        "ecs:DeleteWaitingOrders",
        "ecs:DescribeAccountAttributes",
        "ecs:DescribeAccountCommonQuotas",
        "ecs:DescribeAccountLimits",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeBandwidthHistory",
        "ecs:DescribeCarePlans",
        "ecs:DescribeChargeTypeModificationPrice",
        "ecs:DescribeClassicLinkInstances",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:DescribeClusters",
        "ecs:DescribeCustomerIssueCategory",
        "ecs:DescribeDedicatedBlockStorageClusterDisks",
        "ecs:DescribeDeploymentSetTopology",
        "ecs:DescribeDeploymentSets",
        "ecs:DescribeDiagnosisOperateRecords",
        "ecs:DescribeDiagnosticMetrics",
        "ecs:DescribeDiagnosticReportAttributes",
        "ecs:DescribeDiskDefaultKMSKeyId",
        "ecs:DescribeDiskEncryptionByDefaultStatus",
        "ecs:DescribeEcsScenarioFacade",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeEipPrice",
        "ecs:DescribeFunctionFeedback",
        "ecs:DescribeHpcClusters",
        "ecs:DescribeImageFromFamily",
        "ecs:DescribeInsightCheckItems",
        "ecs:DescribeInsightChecks",
        "ecs:DescribeInsightStatus",
        "ecs:DescribeInsightSummaries",
        "ecs:DescribeInstanceCrossZoneModifyConstraint",
        "ecs:DescribeInstanceMigrationLog",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeResource",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKMSKeyAttribute",
        "ecs:DescribeKMSKeys",
        "ecs:DescribeLimitation",
        "ecs:DescribeLinkedKMSKeys",
        "ecs:DescribeMigrationInstancesTask",
        "ecs:DescribeMigrationPlans",
        "ecs:DescribeMigrationPreferences",
        "ecs:DescribeNetworkInsightsAnalysisResult",
        "ecs:DescribeNetworkInsightsAnalysises",
        "ecs:DescribeNetworkInsightsPaths",
        "ecs:DescribeOrderAutoRebootTime",
        "ecs:DescribePlanMaintenanceWindows",
        "ecs:DescribePortRangeListAssociations",
        "ecs:DescribePortRangeListEntries",
        "ecs:DescribePurchaseRecommendation",
        "ecs:DescribeRegions",
        "ecs:DescribeReservationDemandCommittedAmount",
        "ecs:DescribeReservationDemands",
        "ecs:DescribeReservedInstanceCategories",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeResourceDisplay",
        "ecs:DescribeResourceStatusDiagnosis",
        "ecs:DescribeSecurityGroupSnapshotAttributes",
        "ecs:DescribeSecurityGroupSnapshotPolicies",
        "ecs:DescribeSecurityGroupSnapshots",
        "ecs:DescribeSnapshotBusinessStatus",
        "ecs:DescribeSnapshotCampaign",
        "ecs:DescribeSnapshotMonitorData",
        "ecs:DescribeSnapshotPackage",
        "ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
        "ecs:DescribeSnapshotPrice",
        "ecs:DescribeSnapshotWarmups",
        "ecs:DescribeSnapshotsUsage",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeStorageCapacityUnitDeductFactor",
        "ecs:DescribeStorageSetDetails",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeTasks",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeVSwitches",
        "ecs:DescribeVolumes",
        "ecs:DescribeVpcHavsInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeWaitingOrders",
        "ecs:DescribeZones",
        "ecs:DisableDiskEncryptionByDefault",
        "ecs:DiskDefaultEncryptionQueryByParam",
        "ecs:EnableDiskEncryptionByDefault",
        "ecs:EnableInsight",
        "ecs:GetSnapshotBlock",
        "ecs:GetSnapshotInfo",
        "ecs:InnerCreateDiagnosticReport",
        "ecs:InnerOpenSnapShotService",
        "ecs:InnerReleaseDedicatedHost",
        "ecs:InnerReleaseElasticAssurance",
        "ecs:JoinSnapshotCampaign",
        "ecs:KeepUsing",
        "ecs:ListAccountEcsQuotas",
        "ecs:ListBandwidthHistory",
        "ecs:ListChangedBlocks",
        "ecs:ListServiceSettings",
        "ecs:ListSnapshotBlocks",
        "ecs:ModifyCarePlanAttribute",
        "ecs:ModifyCloudAssistantSettings",
        "ecs:ModifyDeploymentSetAttribute",
        "ecs:ModifyDiskDefaultKMSKeyId",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:ModifyOrderAutoRebootTime",
        "ecs:ModifyPlanMaintenanceWindow",
        "ecs:ModifyPortRangeList",
        "ecs:ModifyReservationDemand",
        "ecs:ModifyResourceMeta",
        "ecs:ModifySecurityGroupSnapshotPolicy",
        "ecs:ModifySnapshotBusinessStatus",
        "ecs:ModifyUserBusinessBehavior",
        "ecs:ModifyVolumeAttribute",
        "ecs:OpenSnapShotService",
        "ecs:OpenSnapshotService",
        "ecs:PurchaseSavingPlanOffering",
        "ecs:PurchaseStorageCapacityUnit",
        "ecs:QueryConstraints",
        "ecs:QueryCopyImageSupportRegions",
        "ecs:QueryNeedKeepUsing",
        "ecs:QueryUsableSnapshots",
        "ecs:QueryUserInfo",
        "ecs:ReAddMigrationTaskInPlan",
        "ecs:ReInitVolume",
        "ecs:ReinitDisk",
        "ecs:ReleaseCapacityReservation",
        "ecs:ReleaseEipAddress",
        "ecs:RemoveInvisibleChecks",
        "ecs:ResetDiskDefaultKMSKeyId",
        "ecs:ResizeVolume",
        "ecs:RollbackVolume",
        "ecs:RunInstance",
        "ecs:StartNetworkInsightsAnalysis",
        "ecs:UnassociateEipAddress",
        "ecs:UnassociateSecurityGroupSnapshotPolicy",
        "ecs:UpdateServiceSettings",
        "ecs:WithdrawCarePlan",
        "ecs:describeImageFromFamily",
        "ecs:describeInstances",
        "ecs:runInstances",
        "ecs:unmountPEDisk"
      ],
      "Resource": "*"
    }
  ]
}
```
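A RAM user or RAM role that is granted account-level permissions can operate on the relevant resources across the entire account. Make sure that the permissions you grant are what you intend, and assign them cautiously in line with the principle of least privilege.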
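One way to check a custom policy before attaching it at resource-group scope, and to derive the smallest account-level policy it needs instead of the allow-all example (an added example, not Alibaba Cloud's code or tooling). The function names are hypothetical, the sample policy is constructed, the unsupported set is a subset copied from the table on this page, and exact case-sensitive name matching with `*` as the only wildcard is an assumption.

```python
import fnmatch

# Subset of the page's table of operations that do not support resource
# group-level authorization; load the complete table in real use.
UNSUPPORTED_AT_RG_SCOPE = frozenset({
    "ecs:AllocateEipAddress",
    "ecs:CreateDeploymentSet",
    "ecs:DeleteDeploymentSet",
    "ecs:DescribeInstanceTypes",
    "ecs:DescribeRegions",
    "ecs:DescribeZones",
    "ecs:EnableDiskEncryptionByDefault",
})

# Constructed sample: a policy someone plans to attach at resource-group scope.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:StartInstance", "ecs:Describe*", "ecs:CreateDeploymentSet"]},
        {"Effect": "Deny", "Resource": "*", "Action": "ecs:DeleteDeploymentSet"},
    ],
}

def _as_list(value):
    """Accept a single statement or action where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_rg_scoped_policy(policy, unsupported=UNSUPPORTED_AT_RG_SCOPE):
    """Map (effect, action pattern) -> unsupported operations the pattern names.

    Per the page, authorization at resource-group scope has no effect for
    these operations, so each finding needs an account-level decision.
    """
    findings = {}
    for stmt in _as_list(policy.get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            # Assumption: names match exactly as the table spells them.
            hits = sorted(u for u in unsupported if fnmatch.fnmatchcase(u, pattern))
            if hits:
                findings[(stmt.get("Effect"), pattern)] = hits
    return findings

def account_level_policy(findings, effect="Allow"):
    """Build an account-scope policy holding only the operations found above."""
    actions = sorted({u for (eff, _), hits in findings.items() if eff == effect for u in hits})
    return {"Version": "1",
            "Statement": [{"Effect": effect, "Action": actions, "Resource": "*"}]}

if __name__ == "__main__":
    found = audit_rg_scoped_policy(SAMPLE_POLICY)
    for (effect, pattern), hits in found.items():
        print(f"{effect} {pattern}: not governed at resource-group scope: {hits}")
    print(account_level_policy(found))
```

Wildcard patterns such as `ecs:Describe*` are reported with the specific unsupported operations they cover, so the account-level grant can name those operations individually rather than repeating the wildcard.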
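FAQ
How do I check which resource group a resource belongs to?
- Method 1: Click the resource name to open the resource's details page, where you can see the resource group that the resource belongs to.
- Method 2: Log on to the Resource Management console, click , select the account that owns the target resource on the left (the current account by default), and use the filters to locate the target resource to see the resource group it belongs to.
How do I view all resources of the current product in a given resource group?
How do I change the resource group of multiple resources in a batch?
Log on to the Resource Management console, click , and in the Actions column of the row of the target resource group, click Resource Management to open the resource management page. Use the filters to locate the target resources, select the checkboxes in the first column, click Transfer Resource Group at the bottom, and follow the on-screen instructions to complete the change.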