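By default, you can use the ECS API to fully operate the ECS resources that you create yourself. However, a newly created sub-account has no permission to operate on the primary account's resources, and accessing ECS from other services also raises authorization questions. Therefore, before you operate on ECS resources that are subject to permission control, the resource owner must grant permissions on the target resource and the target API action. If you do not need cross-account authorization or access to ECS instance resources, you can skip this section.
Before learning how to use Resource Access Management (RAM) to authorize and access ECS instances, make sure you have read the RAM product documentation and API documentation.
When another account accesses the primary account's ECS resources through the ECS API, we first send a permission check to RAM to make sure the resource owner has indeed granted the caller the relevant permissions on the relevant resources. Each ECS API determines which resources' permissions need to be checked based on the resources involved and the API's semantics. Specifically, the authorization rules for some APIs are shown in the following table.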
Action | Authorization rule |
---|---|
AddTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
AllocatePublicIpAddress | acs:ecs:$regionid:$accountid:instance/$instanceId |
ApplyAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
AttachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId |
AttachDisk |
|
AttachKeyPair |
|
AuthorizeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
AuthorizeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
CancelAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
CancelCopyImage | acs:ecs:$regionid:$accountid:image/$imageNo |
CopyImage |
|
ConvertNatPublicIpToEip | acs:ecs:$regionid:$accountid:instance/$instanceId |
CreateAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
CreateDisk |
|
CreateImage |
|
CreateInstance |
|
CreateKeyPair | acs:ecs:$regionid:$accountid:keypair/* |
CreateSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/* |
CreateSnapshot |
|
DeleteAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
DeleteDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
DeleteImage | acs:ecs:$regionid:$accountid:image/$imageNo |
DeleteInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
DeleteKeyPairs | acs:ecs:$regionid:$accountid:keypair/$keyPairName |
DeleteSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
DeleteSnapshot | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
DescribeClassicLinkInstances | acs:ecs:$regionid:$accountid:instance/* |
DescribeDiskMonitorData | acs:ecs:$regionid:$accountid:disk/$diskId |
DescribeDisks |
|
DescribeImages |
|
DescribeInstanceAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId |
DescribeInstanceMonitorData | acs:ecs:$regionid:$accountid:instance/$instanceId |
DescribeInstances |
|
DescribeInstanceStatus | acs:ecs:$regionid:$accountid:instance/* |
DescribeInstanceVncPasswd | acs:ecs:$regionid:$accountid:instance/$instanceId |
DescribeInstanceVncUrl | acs:ecs:$regionid:$accountid:instance/$instanceId |
DescribeKeyPairs |
|
DescribePrice | acs:ecs:*:$accountid:* |
DescribeRenewalPrice | acs:ecs:$regionid:$accountid:instance/$instanceId |
DescribeSecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
DescribeSecurityGroups |
|
DescribeSnapshotAttribute | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
DescribeSnapshotLinks |
|
DescribeSnapshotMonitorData | acs:ecs:*:$accountid:snapshot/* |
DescribeSnapshots |
|
DescribeTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
DetachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId |
DetachDisk |
|
DetachKeyPair |
|
ExportImage | acs:ecs:$regionid:$accountid:image/$imageNo |
ImportImage | acs:ecs:$regionid:$accountid:image/* |
ImportKeyPair | acs:ecs:$regionid:$accountid:keypair/* |
JoinSecurityGroup |
|
LeaveSecurityGroup |
|
ModifyAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
ModifyDiskAttribute | acs:ecs:$regionid:$accountid:disk/$diskId |
ModifyImageAttribute | acs:ecs:$regionid:$accountid:image/$imageNo |
ModifyInstanceAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId |
ModifyInstanceAutoReleaseTime | acs:ecs:$regionid:$accountid:instance/$instanceId |
ModifyInstanceChargeType | acs:ecs:$regionid:$accountid:instance/$instanceId |
ModifyInstanceNetworkSpec | acs:ecs:$regionid:$accountid:instance/$instanceId |
ModifyInstanceVncPasswd | acs:ecs:$regionid:$accountid:instance/$instanceId |
ModifyInstanceVpcAttribute |
|
ModifySecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
ModifySecurityGroupEgressRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
ModifySecurityGroupRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
ModifyPrepayInstanceSpec | acs:ecs:$regionid:$accountid: |
ModifySnapshotAttribute | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
RebootInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
ReInitDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
ReleasePublicIpAddress | acs:ecs:$regionid:$accountid:instance/$instanceId |
RemoveTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
ReplaceSystemDisk |
|
ResetDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
ResizeDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
RevokeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
RevokeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
RunInstances |
|
StartInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
StopInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
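The following added example (not part of the original documentation or of any Alibaba Cloud SDK) fills in a rule template from the table for a given request and checks it against a RAM policy document, so you can review what a sub-account policy actually covers before attaching it. Assumptions: the policy uses the `Version`/`Statement`/`Effect`/`Action`/`Resource` JSON shape with `ecs:`-prefixed actions, `*` matches any run of characters, an explicit Deny overrides Allow, `Condition` blocks are not evaluated, and the account ID, region and resource IDs are constructed sample values.

```python
import fnmatch
from string import Template

# Rule templates copied from the table above (subset).
RULES = {
    "StartInstance": "acs:ecs:$regionid:$accountid:instance/$instanceId",
    "DeleteInstance": "acs:ecs:$regionid:$accountid:instance/$instanceId",
    "DeleteDisk": "acs:ecs:$regionid:$accountid:disk/$diskId",
    "AuthorizeSecurityGroup": "acs:ecs:$regionid:$accountid:securitygroup/$groupNo",
}

# Constructed sample policy for a sub-account (all identifiers are made up).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*",
         "Resource": "acs:ecs:cn-hangzhou:1234567890123456:instance/*"},
        {"Effect": "Deny", "Action": ["ecs:Delete*"], "Resource": "*"},
    ],
}

def required_resource(action, **params):
    """Fill the table's rule template for `action` with the request's values."""
    return Template(RULES[action]).substitute(params)  # KeyError if a value is missing

def _matches(patterns, value):
    # Assumption: '*' in a policy pattern matches any run of characters.
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def is_allowed(policy, action, **params):
    """Simplified evaluation: explicit Deny wins, otherwise an Allow is needed."""
    resource = required_resource(action, **params)
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], "ecs:" + action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed  # default deny when no statement matched

if __name__ == "__main__":
    acct = {"regionid": "cn-hangzhou", "accountid": "1234567890123456"}
    print(is_allowed(POLICY, "StartInstance", instanceId="i-example01", **acct))
    print(is_allowed(POLICY, "DeleteInstance", instanceId="i-example01", **acct))
    print(is_allowed(POLICY, "AuthorizeSecurityGroup", groupNo="sg-example01", **acct))
```

Note that `ecs:*` on `instance/*` still leaves `AuthorizeSecurityGroup` denied, because the table checks that action against a `securitygroup/` resource rather than an instance.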