當子使用者通過 API 進行資源訪問時,後台向 RAM 進行許可權檢查,以確保調用者擁有響應許可權。
每個不同的 API 會根據涉及到的資源以及 API 的語義來確定需要檢查哪些資源的許可權。具體地,每個 API 的鑒權規則見下表。
| Action | 鑒權規則 |
|---|---|
| CreateDBInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DeleteInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyInstanceSpec | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| RenewInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| RenewMultiInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyInstanceAttribute | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| FlushInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeInstances | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeInstanceAttribute | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyInstanceMaintainTime | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifySecurityIps | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| SwitchNetwork | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyInstanceNetExpireTime | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| CreateBackup | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyBackupPolicy | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeBackupPolicy | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeBackups | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| RestoreInstance | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeHistoryMonitorValues | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| DescribeInstanceConfig | acs:kvstore:$regionid:$accountid:instance/$instanceid |
| ModifyInstanceConfig | acs:kvstore:$regionid:$accountid:instance/$instanceid |