Authentication rules for cross-account access by using APIs

Last Updated: Feb 09, 2018

When a user requests cross-account access to ECS resources through the ECS Open APIs, ECS sends a request to RAM in the background to check the caller's access level, to make sure that the resource owner has actually granted the caller access to the resources involved.

Each ECS API checks access to the requested resources according to the resources involved and the definition of the API. The authentication rules for each API are listed in the following table.

Action Authentication rules
AddTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
AllocatePublicIpAddress acs:ecs:$regionid:$accountid:instance/$instanceId
ApplyAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
AttachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId
AttachDisk acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:instance/$diskId
AttachKeyPair acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:keypair/$keypairName
AuthorizeSecurityGroup acs:ecs:$regionid:$accountid:securitygroup/$groupNo
AuthorizeSecurityGroupEgress acs:ecs:$regionid:$accountid:securitygroup/$groupNo
CancelAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
CancelCopyImage acs:ecs:$regionid:$accountid:image/$imageNo
CopyImage acs:ecs:$fromRegionid:$accountid:image/$imageNo
acs:ecs:$toRegionid:$accountid:image/*
ConvertNatPublicIpToEip acs:ecs:$regionid:$accountid:instance/$instanceId
CreateAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
CreateDisk acs:ecs:$regionid:$accountid:disk/*
acs:ecs:$regionid:$accountid:snapshot/$snapshotId
CreateImage acs:ecs:$regionid:$accountid:image/*
acs:ecs:$regionid:$accountid:snapshot/$snapshotId
acs:ecs:$regionid:$accountid:instance/$instanceId
CreateInstance acs:ecs:$regionid:$accountid:instance/*
acs:ecs:$regionid:$accountid:image/$imageNo
acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
acs:ecs:$regionid:$accountid:snapshot/$snapshotId
(Optional) acs:ecs:$regionid:$accountid:keypair/$keyPairName
CreateKeyPair acs:ecs:$regionid:$accountid:keypair/*
CreateSecurityGroup acs:ecs:$regionid:$accountid:resourcegroup/*
CreateSnapshot acs:ecs:$regionid:$accountid:snapshot/*
acs:ecs:$regionid:$accountid:disk/$diskId
acs:ecs:$regionid:$accountid:volume/$volumeId
DeleteAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
DeleteDisk acs:ecs:$regionid:$accountid:disk/$diskId
DeleteImage acs:ecs:$regionid:$accountid:image/$imageNo
DeleteInstance acs:ecs:$regionid:$accountid:instance/$instanceId
DeleteKeyPairs acs:ecs:$regionid:$accountid:keypair/$keyPairName
DeleteSecurityGroup acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
DeleteSnapshot acs:ecs:$regionid:$accountid:snapshot/$snapshotId
DescribeClassicLinkInstances acs:ecs:$regionid:$accountid:instance/*
DescribeDiskMonitorData acs:ecs:$regionid:$accountid:disk/$diskId
DescribeDisks acs:ecs:$regionid:$accountid:disk/$diskId
acs:ecs:$regionid:$accountid:disk/*
DescribeImages acs:ecs:$regionid:$accountid:image/$imageNo
acs:ecs:$regionid:$accountid:image/*
DescribeInstanceAttribute acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeInstanceMonitorData acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeInstances acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceStatus acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceVncPasswd acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeInstanceVncUrl acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeKeyPairs acs:ecs:$regionid:$accountid:keypair/$keyPairName
acs:ecs:$regionid:$accountid:keypair/*
DescribePrice acs:ecs:*:$accountid:*
DescribeRenewalPrice acs:ecs:$regionid:$accountid:instance/$instanceId
DescribeSecurityGroupAttribute acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
DescribeSecurityGroups acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
acs:ecs:$regionid:$accountid:resourcegroup/*
DescribeSnapshotAttribute acs:ecs:$regionid:$accountid:snapshot/$snapshotId
DescribeSnapshotLinks acs:ecs:$regionid:$accountid:disk/$diskId
acs:ecs:$regionid:$accountid:disk/*
DescribeSnapshotMonitorData acs:ecs:*:$accountid:snapshot/*
DescribeSnapshots acs:ecs:$regionid:$accountid:snapshot/$snapshotId
acs:ecs:$regionid:$accountid:snapshot/*
DescribeTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
DetachClassicLinkVpc acs:ecs:$regionid:$accountid:instance/$instanceId
DetachDisk acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:instance/$diskId
DetachKeyPair acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:keypair/$keypairName
ExportImage acs:ecs:$regionid:$accountid:image/$imageNo
ImportImage acs:ecs:$regionid:$accountid:image/*
ImportKeyPair acs:ecs:$regionid:$accountid:keypair/*
JoinSecurityGroup acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
LeaveSecurityGroup acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
ModifyAutoSnapshotPolicy acs:ecs:*:$accountid:snapshot/*
ModifyDiskAttribute acs:ecs:$regionid:$accountid:disk/$diskId
ModifyImageAttribute acs:ecs:$regionid:$accountid:image/$imageNo
ModifyInstanceAttribute acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceAutoReleaseTime acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceChargeType acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceNetworkSpec acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceVncPasswd acs:ecs:$regionid:$accountid:instance/$instanceId
ModifyInstanceVpcAttribute acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:vswitch/$vSwitchId
ModifySecurityGroupAttribute acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifySecurityGroupEgressRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifySecurityGroupRule acs:ecs:$regionid:$accountid:securitygroup/$groupNo
ModifySnapshotAttribute acs:ecs:$regionid:$accountid:snapshot/$snapshotId
RebootInstance acs:ecs:$regionid:$accountid:instance/$instanceId
ReInitDisk acs:ecs:$regionid:$accountid:disk/$diskId
ReleasePublicIpAddress acs:ecs:$regionid:$accountid:instance/$instanceId
RemoveTags acs:ecs:$regionid:$accountid:$resourceType/$resourceId
RenewInstance acs:ecs:$regionid:$accountid:instance/$instanceId
ReplaceSystemDisk acs:ecs:$regionid:$accountid:instance/$instanceId
acs:ecs:$regionid:$accountid:image/$imageNo
ResetDisk acs:ecs:$regionid:$accountid:disk/$diskId
ResizeDisk acs:ecs:$regionid:$accountid:disk/$diskId
RevokeSecurityGroup acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
RevokeSecurityGroupEgress acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
RunInstances acs:ecs:$regionid:$accountid:instance/*
acs:ecs:$regionid:$accountid:image/$imageNo
acs:ecs:$regionid:$accountid:resourcegroup/$groupNo
acs:ecs:$regionid:$accountid:snapshot/$snapshotId
acs:ecs:$regionid:$accountid:keypair/$keyPairName
StartInstance acs:ecs:$regionid:$accountid:instance/$instanceId
StopInstance acs:ecs:$regionid:$accountid:instance/$instanceId