Authentication rules for cross-account access using ECS APIs

Last Updated: Jul 27, 2017

When a user requests cross-account access to ECS resources through the ECS Open APIs, ECS sends a request to RAM in the background to check the access level, verifying that the resource owner has actually granted the caller the relevant access to the resources involved.

Each ECS API checks access to the requested resources according to the resources it involves and the API's definition. The authentication rules for each API, expressed as the resource identifiers that RAM must authorize, are listed in the following table.

Action / Authentication rules (one resource per indented line; all listed resources must be authorized, bracketed ones only under the stated condition)

AllocatePublicIpAddress
    acs:ecs:$regionid:$accountid:instance/$instanceid
AttachDisk
    acs:ecs:$regionid:$accountid:disk/$diskid
    acs:ecs:$regionid:$accountid:instance/$instanceid
AttachKeyPair
    acs:ecs:$regionid:$accountid:keypair/$KeyPairName
    acs:ecs:$regionid:$accountid:instance/$instanceid
AuthorizeSecurityGroup
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
    [and acs:ecs:$regionid:$accountid:securitygroup/$sourcegroupid (if SourceGroupId is specified)]
CreateDisk
    acs:ecs:$regionid:$accountid:disk/*
    [and acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if SnapshotId is specified)]
CreateImage
    acs:ecs:$regionid:$accountid:image/*
    acs:ecs:$regionid:$accountid:snapshot/$snapshotid
CreateInstance
    acs:ecs:$regionid:$accountid:instance/*
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
    acs:ecs:$regionid:$accountid:image/$imageid
    [and acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if DataDisk.n.SnapshotId is specified)]
    [and acs:ecs:$regionid:$accountid:keypair/$KeyPairName (if a key pair is allocated)]
CreateKeyPair
    acs:ecs:$regionid:$accountid:keypair/*
CreateSecurityGroup
    acs:ecs:$regionid:$accountid:securitygroup/*
CreateSnapshot
    acs:ecs:$regionid:$accountid:disk/$diskid
    acs:ecs:$regionid:$accountid:snapshot/*
DeleteDisk
    acs:ecs:$regionid:$accountid:disk/$diskid
DeleteImage
    acs:ecs:$regionid:$accountid:image/$imageid
DeleteInstance
    acs:ecs:$regionid:$accountid:instance/$instanceid
DeleteKeyPairs
    acs:ecs:$regionid:$accountid:keypair/$KeyPairName
DeleteSecurityGroup
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DeleteSnapshot
    acs:ecs:$regionid:$accountid:snapshot/$snapshotid
DescribeAutoSnapshotPolicyEx
    acs:ecs:*:$accountid:snapshot/*
DescribeDisks
    acs:ecs:$regionid:$accountid:disk/*
DescribeImages
    acs:ecs:$regionid:$accountid:image/*
DescribeInstanceAttribute
    acs:ecs:$regionid:$accountid:instance/$instanceid
DescribeInstanceMonitorData
    acs:ecs:$regionid:$accountid:instance/$instanceid
DescribeInstanceStatus
    acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceTypes
    acs:ecs:*:$accountid:*
DescribeKeyPairs
    acs:ecs:$regionid:$accountid:keypair/*
DescribeRegions
    acs:ecs:*:$accountid:*
DescribeSecurityGroupAttribute
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DescribeSecurityGroups
    acs:ecs:$regionid:$accountid:securitygroup/*
DescribeSnapshots
    acs:ecs:$regionid:$accountid:snapshot/*
DescribeZones
    acs:ecs:*:$accountid:*
DetachDisk
    acs:ecs:$regionid:$accountid:disk/$diskid
    acs:ecs:$regionid:$accountid:instance/$instanceid
DetachKeyPair
    acs:ecs:$regionid:$accountid:keypair/$KeyPairName
    acs:ecs:$regionid:$accountid:instance/$instanceid
ImportKeyPair
    acs:ecs:$regionid:$accountid:keypair/*
JoinSecurityGroup
    acs:ecs:$regionid:$accountid:instance/$instanceid
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
LeaveSecurityGroup
    acs:ecs:$regionid:$accountid:instance/$instanceid
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
ModifyAutoSnapshotPolicy
    acs:ecs:*:$accountid:snapshot/*
ModifyDiskAttribute
    acs:ecs:$regionid:$accountid:disk/$diskid
ModifyInstanceAttribute
    acs:ecs:$regionid:$accountid:instance/$instanceid
ModifyInstanceNetworkSpec
    acs:ecs:$regionid:$accountid:instance/$instanceid
RebootInstance
    acs:ecs:$regionid:$accountid:instance/$instanceid
ReplaceSystemDisk
    acs:ecs:$regionid:$accountid:instance/$instanceid
    [and acs:ecs:$regionid:$accountid:image/$imageid (if a user-defined image or an image market image is used)]
ReInitDisk
    acs:ecs:$regionid:$accountid:disk/$diskid
ResetDisk
    acs:ecs:$regionid:$accountid:snapshot/$snapshotid
    acs:ecs:$regionid:$accountid:disk/$diskid
RevokeSecurityGroup
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
    [and acs:ecs:$regionid:$accountid:securitygroup/$sourcegroupid (if SourceGroupId is specified)]
StartInstance
    acs:ecs:$regionid:$accountid:instance/$instanceid
StopInstance
    acs:ecs:$regionid:$accountid:instance/$instanceid
DescribeInstances
    acs:ecs:$regionid:$accountid:instance/*
    acs:ecs:$regionid:$accountid:keypair/*
CreateVpc
    acs:ecs:$regionid:$accountid:vpc/*
ModifyVpcAttribute
    acs:ecs:$regionid:$accountid:vpc/$vpcid
DescribeVRouters
    acs:ecs:$regionid:$accountid:vrouter/*
CreateVSwitch
    acs:ecs:$regionid:$accountid:vswitch/*
CreateRouteTable
    acs:ecs:$regionid:$accountid:routetable/*
CreateRouteEntry
    acs:ecs:$regionid:$accountid:routetable/$routetableid
AllocateEipAddress
    acs:ecs:$regionid:$accountid:eip/*
AssociateEipAddress
    acs:ecs:$regionid:$accountid:eip/$allocationid
    acs:ecs:$regionid:$accountid:instance/$instanceid
ReleaseEipAddress
    acs:ecs:$regionid:$accountid:eip/$allocationid
DescribeVpcs
    acs:ecs:$regionid:$accountid:vpc/*
DeleteVpc
    acs:ecs:$regionid:$accountid:vpc/$vpcid
ModifyVRouterAttribute
    acs:ecs:$regionid:$accountid:vrouter/$vrouterid
DescribeVSwitches
    acs:ecs:$regionid:$accountid:vswitch/*
DeleteVSwitch
    acs:ecs:$regionid:$accountid:vswitch/$vswitchid
DescribeRouteTables
    acs:ecs:$regionid:$accountid:routetable/*
DeleteRouteEntry
    acs:ecs:$regionid:$accountid:routetable/$routetableid
DescribeEipAddresses
    acs:ecs:$regionid:$accountid:eip/*
UnassociateEipAddresses
    acs:ecs:$regionid:$accountid:eip/$eipid
    acs:ecs:$regionid:$accountid:instance/$instanceid
ModifySecurityGroupAttribute
    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DescribeEipMonitorData
    acs:ecs:$regionid:$accountid:eip/$allocationid
ModifyVSwitchAttribute
    acs:ecs:$regionid:$accountid:vswitch/$vswitchid
ModifyInstanceVpcAttribute
    acs:ecs:$regionid:$accountid:instance/$instanceid
ModifyEipAddressAttribute
    acs:ecs:$regionid:$accountid:eip/$allocationid
DescribeDiskMonitorData
    acs:ecs:$regionid:$accountid:disk/$diskid
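The practical consequence of the table is that a RAM policy written for a multi-resource API must cover every resource the row lists, or the call is refused. The following added example (not from the original page or from Alibaba Cloud) encodes a few rows of the table as templates, expands them into the concrete resource identifiers for a call, and evaluates them against a policy with a deliberately simplified RAM-style matcher; the account id, region, resource ids and the evaluation semantics are assumptions for illustration.

```python
import fnmatch

# Subset of the rule table above, as templates: (resource template, parameter that
# makes the entry conditional, or None when the resource is always required).
RULES = {
    "AttachDisk": [("disk/{DiskId}", None), ("instance/{InstanceId}", None)],
    "CreateDisk": [("disk/*", None), ("snapshot/{SnapshotId}", "SnapshotId")],
    "AuthorizeSecurityGroup": [("securitygroup/{SecurityGroupId}", None),
                               ("securitygroup/{SourceGroupId}", "SourceGroupId")],
}

def required_arns(action, region, account, params):
    """Expand the templates into the concrete resource ids ECS asks RAM to authorize."""
    arns = []
    for template, only_if in RULES[action]:
        if only_if and not params.get(only_if):   # conditional resource not involved
            continue
        arns.append(f"acs:ecs:{region}:{account}:" + template.format(**params))
    return arns

def _matches(patterns, value):
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def policy_allows(policy, action, arns):
    """Simplified RAM evaluation (an assumption, not the real engine): every required
    resource needs an Allow statement covering the action; a matching Deny wins."""
    for arn in arns:
        allowed = False
        for st in policy["Statement"]:
            if _matches(st["Action"], "ecs:" + action) and _matches(st["Resource"], arn):
                if st["Effect"] == "Deny":
                    return False
                allowed = True
        if not allowed:
            return False
    return True

def check(policy, action, params, region="cn-hangzhou", account="123456789012"):
    return policy_allows(policy, action, required_arns(action, region, account, params))

# Constructed sample policies; account id and resource ids are placeholders.
# TOO_NARROW grants only the disk half of what the AttachDisk row needs, so the call fails.
TOO_NARROW = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:AttachDisk",
     "Resource": "acs:ecs:cn-hangzhou:123456789012:disk/*"}]}
# LEAST_PRIV grants exactly the two resources the row lists, and nothing else.
LEAST_PRIV = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ecs:AttachDisk",
     "Resource": ["acs:ecs:cn-hangzhou:123456789012:disk/d-example",
                  "acs:ecs:cn-hangzhou:123456789012:instance/i-example"]}]}
```

Running `check(TOO_NARROW, "AttachDisk", {"DiskId": "d-example", "InstanceId": "i-example"})` returns False because the instance resource is not granted, while the same call against LEAST_PRIV returns True.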