當您使用資源群組對資源進行分組管理時,可以結合存取控制(RAM),在單個阿里雲帳號內實現資源的隔離和精微調權限管理。本文總結了Object Storage Service對資源群組的支援情況,以及資源群組層級的授權操作步驟。
-
只有支援資源群組的資源類型和支援資源群組層級授權的操作,資源群組層級授權才會生效。
-
對於不支援資源群組的資源類型,授予資源群組範圍的許可權將無效。在選擇資源範圍時,請選擇帳號層級,進行帳號層級授權。具體操作,請參見不支援資源群組層級授權的操作。
資源群組授權的工作原理
您可以使用資源群組(Resource Group)對阿里雲帳號內的資源進行分組管理。例如,為不同的專案建立對應的資源群組,並將資源轉移到對應的組中,以便集中管理各專案的資源。更多資訊,請參見什麼是資源群組。
在完成資源分組後,您可以為不同的RAM授權主體(RAM使用者、RAM使用者組或RAM角色)授予指定資源群組範圍的許可權,從而限定這個授權主體只能管理該資源群組內的資源。更多資訊,請參見資源分組和授權。
這種授權方式的優點有:
-
許可權精細化:確保每個身份能獲得最準確的資源存取權限,避免帳號下的多重專案的資源混合管理。
-
良好的擴充性:後續新增資源時,只需將其加入該資源群組,RAM身份便會自動獲得新資源的相應許可權,無需再次授權。
為RAM使用者授予資源群組層級的許可權
下面以RAM使用者為例,介紹授予指定資源群組內Object Storage Service資源許可權的操作步驟。
1. 前置步驟
2. 進行資源群組層級授權
您可以通過以下任一方式進行資源群組層級授權。
方式一:在資源管理主控台中授權
通過資源群組的許可權管理功能為指定 RAM 使用者授權。詳情操作可參見為RAM身份授予資源群組範圍的許可權。
方式二:在 RAM 控制台中授權
通過RAM控制台為指定 RAM 使用者進行資源群組層級授權。詳細操作可參見為RAM使用者授權。
支援資源群組的資源類型
Object Storage Service支援資源群組的資源類型如下表所示:
|
雲端服務 |
雲端服務代碼 |
資源類型 |
|
Object Storage Service |
oss |
bucket : 儲存空間 |
對於暫不支援資源群組的資源類型,如有需要,您可以在資源群組控制台提交反饋。
不支援資源群組層級授權的操作
Object Storage Service中不支援資源群組層級授權的操作(Action)如下:
|
操作(Action) |
操作描述 |
|
oss:ActivateProduct |
- |
|
oss:AppendObject |
- |
|
oss:BatchDeleteMaliciousFileWhitelistConfig |
- |
|
oss:CancelStockOssCheckTask |
- |
|
oss:CheckMfdServiceOpen |
- |
|
oss:CompleteMultipartUpload |
- |
|
oss:CreateImportAddress |
- |
|
oss:CreateImportAgent |
- |
|
oss:CreateImportJob |
- |
|
oss:CreateImportReport |
- |
|
oss:CreateImportTunnel |
- |
|
oss:CreateJob |
- |
|
oss:CreateMaliciousFileWhitelistConfig |
- |
|
oss:CreateOrder |
- |
|
oss:CreateOssBucketScanTask |
- |
|
oss:CreateOssScanConfig |
- |
|
oss:CreatePreCheck |
- |
|
oss:CreateSddpDefaultTask |
- |
|
oss:CreateStockOssCheckTask |
- |
|
oss:DeleteBucketCacheConfiguration |
- |
|
oss:DeleteBucketCallbackPolicy |
- |
|
oss:DeleteCache |
- |
|
oss:DeleteImportAddress |
- |
|
oss:DeleteImportAgent |
- |
|
oss:DeleteImportJob |
- |
|
oss:DeleteImportTunnel |
- |
|
oss:DeletePublicAccessBlock |
- |
|
oss:DeleteResourcePoolBucketGroupQoSInfo |
- |
|
oss:DeleteResourcePoolPriorityQosConfiguration |
- |
|
oss:DeleteResourcePoolRequesterPriorityQosConfiguration |
- |
|
oss:DeleteResourcePoolRequesterQoSInfo |
- |
|
oss:DeleteSddpDefaultTask |
- |
|
oss:DeleteSystemNotification |
- |
|
oss:DescribeExportInfo |
- |
|
oss:DescribeJob |
- |
|
oss:DescribeRegions |
- |
|
oss:DescribeServiceLinkedRoleStatus |
- |
|
oss:DoLogicalDeleteResource |
- |
|
oss:DoPhysicalDeleteResource |
- |
|
oss:ExportRecord |
- |
|
oss:ExportResult |
- |
|
oss:GeneratePortraitForOss |
- |
|
oss:GetBucket |
- |
|
oss:GetCache |
- |
|
oss:GetDataLakeStorageTransferJob |
- |
|
oss:GetFileDetectReport |
- |
|
oss:GetImageSceneLabelListConf |
- |
|
oss:GetImportAddress |
- |
|
oss:GetImportAgent |
- |
|
oss:GetImportJob |
- |
|
oss:GetImportJobResult |
- |
|
oss:GetImportReport |
- |
|
oss:GetImportTunnel |
- |
|
oss:GetJobNameList |
- |
|
oss:GetObjectMeta |
- |
|
oss:GetOssBucketScanStatistic |
- |
|
oss:GetOssCheckResultDetail |
- |
|
oss:GetOssCheckStatus |
- |
|
oss:GetOssScanConfig |
- |
|
oss:GetPublicAccessBlock |
- |
|
oss:GetReservedCapacity |
- |
|
oss:GetResourcePoolBucketGroupQoSInfo |
- |
|
oss:GetResourcePoolInfo |
- |
|
oss:GetResourcePoolPriorityQosConfiguration |
- |
|
oss:GetResourcePoolRequesterPriorityQosConfiguration |
- |
|
oss:GetResourcePoolRequesterQoSInfo |
- |
|
oss:GetScanNum |
- |
|
oss:GetScanResult |
- |
|
oss:GetSddpBucketIdentifyStat |
- |
|
oss:GetSddpBucketRuleTop |
- |
|
oss:GetSddpDefaultTask |
- |
|
oss:GetSddpObject |
- |
|
oss:GetSddpUserPortrait |
- |
|
oss:GetService |
- |
|
oss:GetServiceConfig |
- |
|
oss:GetServiceLabelConfig |
- |
|
oss:GetStatusList |
- |
|
oss:GetStockOssCheckTasksList |
- |
|
oss:GetSwitchRegionDetail |
- |
|
oss:GetSystemNotification |
- |
|
oss:GetUserAntiDDosInfo |
- |
|
oss:GetUserQoSInfo |
- |
|
oss:HandleObjectScanEvent |
- |
|
oss:HeadObject |
- |
|
oss:InitBucketAntiDDosInfo |
- |
|
oss:InitUserAntiDDosInfo |
- |
|
oss:InitiateMultipartUpload |
- |
|
oss:List |
- |
|
oss:ListAccessPointsForObjectProcess |
- |
|
oss:ListBucketAntiDDosInfo |
- |
|
oss:ListCache |
- |
|
oss:ListDataLakeStorageTransferJob |
- |
|
oss:ListDataLakeStorageTransferJobHistory |
- |
|
oss:ListDataRedundancyType |
- |
|
oss:ListImportAddress |
- |
|
oss:ListImportAgent |
- |
|
oss:ListImportJob |
- |
|
oss:ListImportJobHistory |
- |
|
oss:ListImportTunnel |
- |
|
oss:ListJobs |
- |
|
oss:ListMaliciousFileWhitelistConfigs |
- |
|
oss:ListObjectScanEvent |
- |
|
oss:ListObjectsV2 |
- |
|
oss:ListOssBucket |
- |
|
oss:ListOssBucketScanInfo |
- |
|
oss:ListReservedCapacity |
- |
|
oss:ListResourcePoolBucketGroupQoSInfos |
- |
|
oss:ListResourcePoolBucketGroups |
- |
|
oss:ListResourcePoolBuckets |
- |
|
oss:ListResourcePoolRequesterQoSInfos |
- |
|
oss:ListResourcePools |
- |
|
oss:ListSddpBuckets |
- |
|
oss:ListSddpFileCategorys |
- |
|
oss:ListSddpObjects |
- |
|
oss:ListSddpRegions |
- |
|
oss:ListSddpTasks |
- |
|
oss:ListSddpTemplateAllRules |
- |
|
oss:ListServiceConfigs |
- |
|
oss:ListSupportObjectSuffix |
- |
|
oss:ListUserDataRedundancyTransition |
- |
|
oss:ListVectorBuckets |
- |
|
oss:ModifySddpDefaultTask |
- |
|
oss:OpenOssService |
- |
|
oss:OperateBucketScanTask |
- |
|
oss:OssCheckResultList |
- |
|
oss:PostObject |
- |
|
oss:PublishRtmpStream |
- |
|
oss:PutBucketACL |
- |
|
oss:PutBucketTag |
- |
|
oss:PutCache |
- |
|
oss:PutDataLakeStorageTransferJob |
- |
|
oss:PutObjectACL |
- |
|
oss:PutPublicAccessBlock |
- |
|
oss:PutResourcePoolBucketGroupQoSInfo |
- |
|
oss:PutResourcePoolPriorityQosConfiguration |
- |
|
oss:PutResourcePoolRequesterPriorityQosConfiguration |
- |
|
oss:PutResourcePoolRequesterQoSInfo |
- |
|
oss:PutSystemNotification |
- |
|
oss:SddpCreateDataLimit |
- |
|
oss:SddpDescribeAllBucketInstances |
- |
|
oss:SddpDescribeBucketInstances |
- |
|
oss:StartDataLakeStorageTransferJob |
- |
|
oss:UpdateBucketAntiDDosInfo |
- |
|
oss:UpdateImportAddress |
- |
|
oss:UpdateImportJob |
- |
|
oss:UpdateImportTunnel |
- |
|
oss:UpdateJobPriority |
- |
|
oss:UpdateJobStatus |
- |
|
oss:UpdateMaliciousFileWhitelistConfig |
- |
|
oss:UpdateOssScanConfig |
- |
|
oss:UpdateReservedCapacity |
- |
|
oss:UpdateSddpTaskStatus |
- |
|
oss:UpdateServiceConfig |
- |
|
oss:UpdateUserAntiDDosInfo |
- |
|
oss:UpgradeSddpVersion |
- |
|
oss:UploadPart |
- |
|
oss:UploadPartCopy |
- |
|
oss:VerifyAgentTunnel |
- |
|
oss:VerifyImportAddress |
- |
|
oss:getObects |
- |
對於不支援資源群組授權的操作,授權時資源範圍選取資源群組層級將無效。如果仍需要RAM使用者有上述操作許可權,您需要建立自訂權限原則,授權時資源範圍選取帳號層級。
以下是兩個自訂權限原則樣本,您可以根據實際需要調整策略內容。
-
允許不支援資源群組層級授權的全部唯讀操作:
Action中列舉不支援資源群組層級授權的所有隻讀操作。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:CheckMfdServiceOpen", "oss:DescribeExportInfo", "oss:DescribeRegions", "oss:DescribeServiceLinkedRoleStatus", "oss:ExportResult", "oss:GetCache", "oss:GetDataLakeStorageTransferJob", "oss:GetFileDetectReport", "oss:GetImageSceneLabelListConf", "oss:GetJobNameList", "oss:GetOssBucketScanStatistic", "oss:GetOssCheckResultDetail", "oss:GetOssCheckStatus", "oss:GetOssScanConfig", "oss:GetPublicAccessBlock", "oss:GetReservedCapacity", "oss:GetResourcePoolInfo", "oss:GetResourcePoolRequesterQoSInfo", "oss:GetScanNum", "oss:GetSddpDefaultTask", "oss:GetStatusList", "oss:GetStockOssCheckTasksList", "oss:GetSwitchRegionDetail", "oss:GetUserAntiDDosInfo", "oss:GetUserQoSInfo", "oss:ListAccessPointsForObjectProcess", "oss:ListBucketAntiDDosInfo", "oss:ListCache", "oss:ListDataLakeStorageTransferJob", "oss:ListDataLakeStorageTransferJobHistory", "oss:ListMaliciousFileWhitelistConfigs", "oss:ListObjectScanEvent", "oss:ListOssBucket", "oss:ListOssBucketScanInfo", "oss:ListReservedCapacity", "oss:ListResourcePoolBuckets", "oss:ListResourcePoolRequesterQoSInfos", "oss:ListResourcePools", "oss:ListSddpFileCategorys", "oss:ListSddpObjects", "oss:ListSddpRegions", "oss:ListSddpTemplateAllRules", "oss:ListServiceConfigs", "oss:ListSupportObjectSuffix", "oss:OssCheckResultList" ], "Resource": "*" } ] } -
允許不支援資源群組層級授權的全部操作:
Action中列舉不支援資源群組層級授權的全部操作。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ActivateProduct", "oss:AppendObject", "oss:BatchDeleteMaliciousFileWhitelistConfig", "oss:CancelStockOssCheckTask", "oss:CheckMfdServiceOpen", "oss:CompleteMultipartUpload", "oss:CreateImportAddress", "oss:CreateImportAgent", "oss:CreateImportJob", "oss:CreateImportReport", "oss:CreateImportTunnel", "oss:CreateJob", "oss:CreateMaliciousFileWhitelistConfig", "oss:CreateOrder", "oss:CreateOssBucketScanTask", "oss:CreateOssScanConfig", "oss:CreatePreCheck", "oss:CreateSddpDefaultTask", "oss:CreateStockOssCheckTask", "oss:DeleteBucketCacheConfiguration", "oss:DeleteBucketCallbackPolicy", "oss:DeleteCache", "oss:DeleteImportAddress", "oss:DeleteImportAgent", "oss:DeleteImportJob", "oss:DeleteImportTunnel", "oss:DeletePublicAccessBlock", "oss:DeleteResourcePoolBucketGroupQoSInfo", "oss:DeleteResourcePoolPriorityQosConfiguration", "oss:DeleteResourcePoolRequesterPriorityQosConfiguration", "oss:DeleteResourcePoolRequesterQoSInfo", "oss:DeleteSddpDefaultTask", "oss:DeleteSystemNotification", "oss:DescribeExportInfo", "oss:DescribeJob", "oss:DescribeRegions", "oss:DescribeServiceLinkedRoleStatus", "oss:DoLogicalDeleteResource", "oss:DoPhysicalDeleteResource", "oss:ExportRecord", "oss:ExportResult", "oss:GeneratePortraitForOss", "oss:GetBucket", "oss:GetCache", "oss:GetDataLakeStorageTransferJob", "oss:GetFileDetectReport", "oss:GetImageSceneLabelListConf", "oss:GetImportAddress", "oss:GetImportAgent", "oss:GetImportJob", "oss:GetImportJobResult", "oss:GetImportReport", "oss:GetImportTunnel", "oss:GetJobNameList", "oss:GetObjectMeta", "oss:GetOssBucketScanStatistic", "oss:GetOssCheckResultDetail", "oss:GetOssCheckStatus", "oss:GetOssScanConfig", "oss:GetPublicAccessBlock", "oss:GetReservedCapacity", "oss:GetResourcePoolBucketGroupQoSInfo", "oss:GetResourcePoolInfo", "oss:GetResourcePoolPriorityQosConfiguration", "oss:GetResourcePoolRequesterPriorityQosConfiguration", "oss:GetResourcePoolRequesterQoSInfo", "oss:GetScanNum", "oss:GetScanResult", "oss:GetSddpBucketIdentifyStat", "oss:GetSddpBucketRuleTop", "oss:GetSddpDefaultTask", "oss:GetSddpObject", "oss:GetSddpUserPortrait", "oss:GetService", "oss:GetServiceConfig", "oss:GetServiceLabelConfig", "oss:GetStatusList", "oss:GetStockOssCheckTasksList", "oss:GetSwitchRegionDetail", "oss:GetSystemNotification", "oss:GetUserAntiDDosInfo", "oss:GetUserQoSInfo", "oss:HandleObjectScanEvent", "oss:HeadObject", "oss:InitBucketAntiDDosInfo", "oss:InitUserAntiDDosInfo", "oss:InitiateMultipartUpload", "oss:List", "oss:ListAccessPointsForObjectProcess", "oss:ListBucketAntiDDosInfo", "oss:ListCache", "oss:ListDataLakeStorageTransferJob", "oss:ListDataLakeStorageTransferJobHistory", "oss:ListDataRedundancyType", "oss:ListImportAddress", "oss:ListImportAgent", "oss:ListImportJob", "oss:ListImportJobHistory", "oss:ListImportTunnel", "oss:ListJobs", "oss:ListMaliciousFileWhitelistConfigs", "oss:ListObjectScanEvent", "oss:ListObjectsV2", "oss:ListOssBucket", "oss:ListOssBucketScanInfo", "oss:ListReservedCapacity", "oss:ListResourcePoolBucketGroupQoSInfos", "oss:ListResourcePoolBucketGroups", "oss:ListResourcePoolBuckets", "oss:ListResourcePoolRequesterQoSInfos", "oss:ListResourcePools", "oss:ListSddpBuckets", "oss:ListSddpFileCategorys", "oss:ListSddpObjects", "oss:ListSddpRegions", "oss:ListSddpTasks", "oss:ListSddpTemplateAllRules", "oss:ListServiceConfigs", "oss:ListSupportObjectSuffix", "oss:ListUserDataRedundancyTransition", "oss:ListVectorBuckets", "oss:ModifySddpDefaultTask", "oss:OpenOssService", "oss:OperateBucketScanTask", "oss:OssCheckResultList", "oss:PostObject", "oss:PublishRtmpStream", "oss:PutBucketACL", "oss:PutBucketTag", "oss:PutCache", "oss:PutDataLakeStorageTransferJob", "oss:PutObjectACL", "oss:PutPublicAccessBlock", "oss:PutResourcePoolBucketGroupQoSInfo", "oss:PutResourcePoolPriorityQosConfiguration", "oss:PutResourcePoolRequesterPriorityQosConfiguration", "oss:PutResourcePoolRequesterQoSInfo", "oss:PutSystemNotification", "oss:SddpCreateDataLimit", "oss:SddpDescribeAllBucketInstances", "oss:SddpDescribeBucketInstances", "oss:StartDataLakeStorageTransferJob", "oss:UpdateBucketAntiDDosInfo", "oss:UpdateImportAddress", "oss:UpdateImportJob", "oss:UpdateImportTunnel", "oss:UpdateJobPriority", "oss:UpdateJobStatus", "oss:UpdateMaliciousFileWhitelistConfig", "oss:UpdateOssScanConfig", "oss:UpdateReservedCapacity", "oss:UpdateSddpTaskStatus", "oss:UpdateServiceConfig", "oss:UpdateUserAntiDDosInfo", "oss:UpgradeSddpVersion", "oss:UploadPart", "oss:UploadPartCopy", "oss:VerifyAgentTunnel", "oss:VerifyImportAddress", "oss:getObects" ], "Resource": "*" } ] }
獲得帳號層級許可權的RAM使用者或RAM角色,能夠操作整個帳號範圍內的相關資源。請務必確認所授與權限是否符合預期,遵從最小授權原則謹慎分配許可權。
常見問題
如何查看當前資源屬於哪個資源群組?
-
方式一:單擊資源名稱,進入資源的詳情頁面,即可查看到當前資源的資源群組。
-
方式二:登入資源管理主控台,單擊,在左側選擇目標資源所屬帳號(預設為當前帳號),通過篩選條件定位目標資源,即可查看其所屬資源群組。
如何查看當前產品在某個資源群組下的所有資源?
如何批量修改多個資源的資源群組?
登入資源管理主控台,單擊,在目標資源群組所在行的操作列下,單擊資源管理以進入資源管理頁面。通過篩選條件定位多個目標資源,批量勾選第一列的複選框後單擊下方轉移資源群組,並按頁面提示完成資源群組修改。