Permissions required by the RAM user when activating an offline gateway

When you activate an offline gateway, the RAM user that owns the AccessKey ID and AccessKey Secret you enter must hold specific permissions; otherwise the gateway will not work properly after activation. This topic lists the permissions each feature needs.

Cloud Storage Gateway

The offline gateway exchanges management traffic with the console, so the RAM user must be granted the system policy AliyunHCSSGWFullAccess.

OSS

The offline gateway uploads and downloads files and performs other OSS bucket management operations, so the system policy AliyunOSSFullAccess is recommended.

If you need finer-grained control, use the OSS permission statement below. Note that "Resource":"*" covers every bucket in the account; if you need to restrict the grant further, set Resource to the specific bucket(s) the offline gateway uses.

{
  "Action": [
    "oss:ListBuckets",
    "oss:ListObjects",
    "oss:GetObject",
    "oss:PutObject",
    "oss:DeleteObject",
    "oss:HeadObject",
    "oss:CopyObject",
    "oss:InitiateMultipartUpload",
    "oss:UploadPart",
    "oss:UploadPartCopy",
    "oss:CompleteMultipartUpload",
    "oss:AbortMultipartUpload",
    "oss:ListMultipartUploads",
    "oss:ListParts",
    "oss:GetBucketStat",
    "oss:GetBucketWebsite",
    "oss:GetBucketInfo",
    "oss:GetBucketEncryption",
    "oss:GetBucketVersioning",
    "oss:PutBucketEncryption",
    "oss:DeleteBucketEncryption",
    "oss:RestoreObject",
    "oss:PutObjectTagging",
    "oss:GetObjectTagging",
    "oss:DeleteObjectTagging"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
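As an added example (it is not part of this page and not Alibaba Cloud's own tooling), the Python below builds a complete policy document that grants the OSS actions listed above on a single bucket only, and then runs a simplified policy evaluator over it to confirm that the same actions against a different bucket, or an action outside the list, are refused. It assumes the RAM policy document format with "Version" and "Statement", OSS resource ARNs of the form acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/<object>, and that oss:ListBuckets is an account-level call that must be granted on acs:oss:*:*:* rather than on a bucket. The bucket name gw-bucket and the request resources are constructed for illustration, and the evaluator models only Allow/Deny with "*" wildcards, not RAM Condition elements.

```python
"""Build a bucket-scoped RAM policy for the offline gateway and check it.

Added example, not from the page or from Alibaba Cloud's own tooling.
Assumptions (labelled here, see also the lead-in):
  - policy document format {"Version": "1", "Statement": [...]};
  - OSS ARNs acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/<object>;
  - oss:ListBuckets is account-level, so it is granted on acs:oss:*:*:*;
  - the evaluator is a simplified model: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise the request is denied by default.
"""
import json
import re

# Action list taken from the OSS statement on this page, minus ListBuckets,
# which is granted separately because it cannot be scoped to one bucket.
GATEWAY_BUCKET_ACTIONS = [
    "oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject",
    "oss:HeadObject", "oss:CopyObject", "oss:InitiateMultipartUpload",
    "oss:UploadPart", "oss:UploadPartCopy", "oss:CompleteMultipartUpload",
    "oss:AbortMultipartUpload", "oss:ListMultipartUploads", "oss:ListParts",
    "oss:GetBucketStat", "oss:GetBucketWebsite", "oss:GetBucketInfo",
    "oss:GetBucketEncryption", "oss:GetBucketVersioning",
    "oss:PutBucketEncryption", "oss:DeleteBucketEncryption",
    "oss:RestoreObject", "oss:PutObjectTagging", "oss:GetObjectTagging",
    "oss:DeleteObjectTagging",
]


def build_gateway_oss_policy(bucket):
    """Return a policy dict granting the gateway's OSS actions on one bucket."""
    return {
        "Version": "1",
        "Statement": [
            {   # assumption: ListBuckets needs the account-wide OSS resource
                "Effect": "Allow",
                "Action": ["oss:ListBuckets"],
                "Resource": "acs:oss:*:*:*",
            },
            {   # bucket-level ARN for bucket calls, bucket/* for object calls
                "Effect": "Allow",
                "Action": GATEWAY_BUCKET_ACTIONS,
                "Resource": [
                    f"acs:oss:*:*:{bucket}",
                    f"acs:oss:*:*:{bucket}/*",
                ],
            },
        ],
    }


def _glob_match(pattern, value):
    """Match a RAM-style pattern where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Simplified evaluation: Deny overrides Allow; no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"])) and \
              any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(bucket):
    """Serialized policy document, ready to paste into the RAM console."""
    return json.dumps(build_gateway_oss_policy(bucket), indent=2)


if __name__ == "__main__":
    policy = build_gateway_oss_policy("gw-bucket")  # constructed bucket name
    print(policy_json("gw-bucket"))
    checks = [  # constructed requests the gateway (or an attacker holding its key) might make
        ("oss:GetObject", "acs:oss:*:*:gw-bucket/backup/2024/disk.img"),
        ("oss:GetObject", "acs:oss:*:*:other-bucket/secret.txt"),
        ("oss:DeleteBucket", "acs:oss:*:*:gw-bucket"),
        ("oss:ListBuckets", "acs:oss:*:*:*"),
    ]
    for action, res in checks:
        verdict = "allow" if is_allowed(policy, action, res) else "deny"
        print(f"{action:18} {res:44} -> {verdict}")
```

The evaluator exists only to make the blast radius visible: with the scoped document, a leaked gateway AccessKey can read and write the gateway's own bucket but cannot touch other buckets in the account or delete the bucket itself, which is exactly the difference between this statement and AliyunOSSFullAccess.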

MNS

Cloud Storage Gateway uses the MNS message queue service to discover incremental OSS changes with second-level delivery (the express sync feature). To use this feature, the system policy AliyunMNSFullAccess is recommended. If you need finer-grained control, use the MNS permission statement below.

{
  "Action": [
    "mns:SendMessage",
    "mns:ReceiveMessage",
    "mns:PublishMessage",
    "mns:DeleteMessage",
    "mns:GetQueueAttributes",
    "mns:GetTopicAttributes",
    "mns:PutEventNotifications",
    "mns:DeleteEventNotifications",
    "mns:UpdateEventNotifications",
    "mns:GetEvent",
    "mns:Subscribe",
    "mns:Unsubscribe"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

KMS

Cloud Storage Gateway supports two encryption modes: server-side encryption (OSS server-side encryption) and client-side encryption (encryption on the gateway side). To use these features, the system policy AliyunKMSFullAccess is recommended. If you need finer-grained control, use the KMS permission statement below.

{
  "Action": [
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Effect": "Allow"
}