edit-icon download-icon

Authorization Policies

Last Updated: Aug 02, 2018

Account Authorization by Using Custom Policies

The system provides two types of custom policies for account authorization.You can choose one of the following policies from the Available Policies list:

  • AliyunImagesearchReadOnlyAccess: Allows users to access to the Image Search service with read-only permission.
  • AliyunImagesearchFullAccess: Allows users to access to the Image Search service with administrator permission.

Note: If these two policies do not meet your requirements, you can create your own policy by referencing the following examples.

Authorization Examples

Example 1

In this example, a policy is bound to a subaccount of primary account 1234 to permit all Image Search instances in Shanghai to have full access to the console (excluding the clear and delete permissions). Additionally, only users logged on with the specified IP addresses are allowed to access the services. To perform this task, use the primary account to create a policy on the console and then use Resource Access Management (RAM) or RAM SDK to bind the policy to the subaccount.

  1. Create a policy.

    1. {
    2. "Statement": [
    3. {
    4. "Action": [
    5. "imagesearch:ListInstance",
    6. "imagesearch:DescribeInstance",
    7. "imagesearch:IncreaseInstance",
    8. "imagesearch:InitInstance",
    9. "imagesearch:ListIncrement"
    10. ],
    11. "Condition": {
    12. "IpAddress": {
    13. "acs:SourceIp": "xxx.xx.xxx.x/xx"
    14. }
    15. },
    16. "Effect": "Allow",
    17. "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
    18. }
    19. ],
    20. "Version": "1"
    21. }
  2. Bind the policy to your specified subaccount.

Example 2

In this example, a policy is bound to a subaccount of primary account 1234 to permit all Image Search services to support regions and all image search instances to have full access to the console and API. To perform this task, use the primary account to create a policy on the console and then use RAM or RAM SDK to bind the policy to the subaccount.

  1. Create a policy.

    1. {
    2. "Statement": [
    3. {
    4. "Action": [
    5. "imagesearch:*"
    6. ],
    7. "Effect": "Allow",
    8. "Resource": "acs:imagesearch:*:1234:instance/*"
    9. }
    10. ],
    11. "Version": "1"
    12. }
  2. Bind the policy to the subaccount.

Example 3

In this example, a policy is bound to a subaccount of primary account 1234 to permit all Image Search services to support regions and instance 12138 to have full access to the console and API. To perform this task, use the primary account to create a policy on the console and then use RAM or RAM SDK to bind the policy to the subaccount.

  1. Create a policy.

    1. {
    2. "Statement": [
    3. {
    4. "Action": [
    5. "imagesearch:*",
    6. ],
    7. "Effect": "Allow",
    8. "Resource": "acs:imagesearch:*:1234:instance/instance12138"
    9. }
    10. ],
    11. "Version": "1"
    12. }
  2. Bind the policy to your specified subaccount.
Thank you! We've received your feedback.