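When a sub-user accesses resources through the API, the backend asks RAM to perform a permission check to ensure that the caller holds the corresponding permission.
Each API determines which resources need a permission check based on the resources involved and the semantics of the API. The specific authorization rule for each API is listed in the table below.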
Action | Authorization rule |
---|---|
CreateDBInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DeleteInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyInstanceSpec | acs:kvstore:$regionid:$accountid:instance/$instanceid |
RenewInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
RenewMultiInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyInstanceAttribute | acs:kvstore:$regionid:$accountid:instance/$instanceid |
FlushInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeInstances | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeInstanceAttribute | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyInstanceMaintainTime | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifySecurityIps | acs:kvstore:$regionid:$accountid:instance/$instanceid |
SwitchNetwork | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyInstanceNetExpireTime | acs:kvstore:$regionid:$accountid:instance/$instanceid |
CreateBackup | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyBackupPolicy | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeBackupPolicy | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeBackups | acs:kvstore:$regionid:$accountid:instance/$instanceid |
RestoreInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeHistoryMonitorValues | acs:kvstore:$regionid:$accountid:instance/$instanceid |
DescribeInstanceConfig | acs:kvstore:$regionid:$accountid:instance/$instanceid |
ModifyInstanceConfig | acs:kvstore:$regionid:$accountid:instance/$instanceid |
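
The following added example (not code from the original page or from Alibaba Cloud) models the check described above: it builds the resource string from the table's pattern and evaluates a request against a policy written in RAM policy syntax. It is a simplified model, and the `kvstore:` action prefix, the region, the account ID, the instance IDs and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample policy in RAM policy syntax. Assumptions: the "kvstore:"
# action prefix, the region, the account ID and the instance IDs.
POLICY = {
    "Version": "1",
    "Statement": [
        {   # day-to-day operations on every instance in one region
            "Effect": "Allow",
            "Action": ["kvstore:Describe*", "kvstore:CreateBackup", "kvstore:FlushInstance"],
            "Resource": "acs:kvstore:cn-hangzhou:1234567890123456:instance/*",
        },
        {   # the production instance must never be flushed
            "Effect": "Deny",
            "Action": "kvstore:FlushInstance",
            "Resource": "acs:kvstore:*:*:instance/r-prod0001",
        },
    ],
}

def resource_arn(region_id, account_id, instance_id):
    """Fill in the resource pattern that the table lists for every Action."""
    return f"acs:kvstore:{region_id}:{account_id}:instance/{instance_id}"

def _matches(patterns, value):
    """True if value matches any pattern; only '*' is treated as a wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(
        re.fullmatch(re.escape(p).replace(r"\*", ".*"), value) for p in patterns
    )

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], f"kvstore:{action}") and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    account = "1234567890123456"
    for action, instance in [("DescribeBackups", "r-dev0001"), ("FlushInstance", "r-dev0001"),
                             ("FlushInstance", "r-prod0001"), ("DeleteInstance", "r-dev0001")]:
        arn = resource_arn("cn-hangzhou", account, instance)
        print(action, arn, "ALLOW" if is_allowed(POLICY, action, arn) else "DENY")
```

Because every Action in the table is authorized against the same `instance/$instanceid` resource, scoping the `Resource` element to specific instance IDs limits all of these calls at once.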