訪問(wèn)控制(RAM)是阿里云提供的管理用戶身份與資源訪問(wèn)權(quán)限的服務(wù)。使用RAM可以讓您避免與其他用戶共享阿里云賬號(hào)密鑰,并可按需為用戶授予最小權(quán)限。RAM中使用權(quán)限策略描述授權(quán)的具體內(nèi)容。
本文為您介紹云服務(wù)器 ECS為RAM權(quán)限策略定義的操作(Action)、資源(Resource)和條件(Condition)。云服務(wù)器 ECS的RAM代碼(RamCode)為[{"popCode":"Ecs","ramCodes":["ecs","vpc"]},{"popCode":"ecs-workbench","ramCodes":["ecs-workbench"]}],支持的授權(quán)粒度為RESOURCE。
權(quán)限策略通用結(jié)構(gòu)
權(quán)限策略支持JSON格式,其通用結(jié)構(gòu)如下:
{
"Version": "1",
"Statement": [
{
"Effect": "<Effect>",
"Action": "<Action>",
"Resource": "<Resource>",
"Condition": {
"<Condition_operator>": {
"<Condition_key>": [
"<Condition_value>"
]
}
}
}
]
}- Effect:權(quán)限策略效果。取值:Allow(允許)、Deny(拒絕)。
- Action:授予允許或拒絕權(quán)限的具體操作。具體信息,請(qǐng)參見(jiàn)操作(Action)。
- Resource:受操作影響的具體對(duì)象,您可以使用資源ARN來(lái)描述指定資源。具體信息,請(qǐng)參見(jiàn)資源(Resource)。
- Condition:指授權(quán)生效的條件。可選字段。具體信息,請(qǐng)參見(jiàn)條件(Condition)。
- Condition_operator:條件運(yùn)算符,不同類型的條件對(duì)應(yīng)不同的條件運(yùn)算符。具體信息,請(qǐng)參見(jiàn)權(quán)限策略基本元素。
- Condition_key:條件關(guān)鍵字。
- Condition_value:條件關(guān)鍵字對(duì)應(yīng)的值。
操作(Action)
下表是云服務(wù)器 ECS定義的操作,這些操作可以在RAM權(quán)限策略語(yǔ)句的Action元素中使用,用來(lái)授予執(zhí)行該操作的權(quán)限。下面對(duì)表中的具體項(xiàng)提供說(shuō)明:- 操作:是指具體的權(quán)限點(diǎn)。
- API:是指操作對(duì)應(yīng)的API接口。
- 訪問(wèn)級(jí)別:是指每個(gè)操作的訪問(wèn)級(jí)別,取值為寫(xiě)入(Write)、讀取(Read)或列出(List)。
- 資源類型:是指操作中支持授權(quán)的資源類型。具體說(shuō)明如下:
- 對(duì)于必選的資源類型,用背景高亮的方式表示。
- 對(duì)于不支持資源級(jí)授權(quán)的操作,用
全部資源表示。
- 條件關(guān)鍵字:是指云產(chǎn)品自身定義的條件關(guān)鍵字。該列不體現(xiàn)適用于任何操作的通用條件關(guān)鍵字。
- 關(guān)聯(lián)操作:是指成功執(zhí)行操作所需要的其他權(quán)限。操作者必須同時(shí)具備關(guān)聯(lián)操作的權(quán)限,操作才能成功。
| 操作 | API | 訪問(wèn)級(jí)別 | 資源類型 | 條件關(guān)鍵字 | 關(guān)聯(lián)操作 |
|---|---|---|---|---|---|
| ecs:DescribeDedicatedHostClusters | DescribeDedicatedHostClusters | get | DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId}DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/* | 無(wú) | 無(wú) |
| ecs:ModifyDedicatedHostAutoReleaseTime | ModifyDedicatedHostAutoReleaseTime | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:DescribeDedicatedHosts | DescribeDedicatedHosts | get | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/*DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:RedeployDedicatedHost | RedeployDedicatedHost | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:AllocateDedicatedHosts | AllocateDedicatedHosts | create | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/* | 無(wú) | 無(wú) |
| ecs:DescribeDedicatedHostAutoRenew | DescribeDedicatedHostAutoRenew | get | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:ModifyDedicatedHostClusterAttribute | ModifyDedicatedHostClusterAttribute | update | ddhcluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | 無(wú) | 無(wú) |
| ecs:RenewDedicatedHosts | RenewDedicatedHosts | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:ModifyDedicatedHostAttribute | ModifyDedicatedHostAttribute | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | 無(wú) | 無(wú) |
| ecs:ModifyInstanceDeployment | ModifyInstanceDeployment | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId}Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} | 無(wú) | 無(wú) |
| ecs:ReleaseDedicatedHost | ReleaseDedicatedHost | delete | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:ModifyDedicatedHostAutoRenewAttribute | ModifyDedicatedHostAutoRenewAttribute | update | DedicatedHost acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} | 無(wú) | 無(wú) |
| ecs:DeleteDedicatedHostCluster | DeleteDedicatedHostCluster | delete | DedicatedHostCluster acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} | 無(wú) | 無(wú) |
| ecs:ModifyDedicatedHostsChargeType | ModifyDedicatedHostsChargeType | update | 全部資源 * | 無(wú) | 無(wú) |
| ecs:CreateDedicatedHostCluster | CreateDedicatedHostCluster | create | 全部資源 * | 無(wú) | 無(wú) |
資源(Resource)
下表是云服務(wù)器 ECS定義的資源,這些資源可以在RAM權(quán)限策略語(yǔ)句的Resource元素中使用,用來(lái)授予對(duì)該資源執(zhí)行具體操作的權(quán)限。 其中,資源ARN是資源在阿里云上的唯一標(biāo)識(shí)。具體說(shuō)明如下:{#}為變量標(biāo)識(shí),需要您替換為實(shí)際值。例如:{#ramcode}需要您替換為實(shí)際的云服務(wù)RAM代碼。-
*表示全部。例如:{#resourceType}為*時(shí):表示全部資源。{#regionId}為*時(shí):表示全部地域。{#accountId}為*時(shí):表示全部阿里云賬號(hào)。
| 資源類型 | 資源ARN |
|---|---|
| PrefixList | acs:ecs:{#regionId}:{#accountId}:prefixlist/{#PrefixListId} |
| Snapshot | acs:ecs:{#regionId}:{#accountId}:snapshot/* |
| SnapshotGroup | acs:ecs:{#regionId}:{#accountId}:snapshotgroup/{#snapshotgroupId} |
| Instance | acs:ecs:{#regionId}:{#accountId}:instance/* |
| DedicatedHost | acs:ecs:{#regionId}:{#accountId}:ddh/{#ddhId} |
| Disk | acs:ecs:{#regionId}:{#accountId}:disk/* |
| Disk | acs:ecs:{#regionId}:{#accountId}:disk/{#diskId} |
| NetworkInterface | acs:ecs:{#regionId}:{#accountId}:eni/* |
| NetworkInterface | acs:ecs:{#regionId}:{#accountId}:eni/{#eniId} |
| Image | acs:ecs:{#regionId}:{#accountId}:image/* |
| Image | acs:ecs:{#regionId}:{#accountId}:image/{#imageId} |
| Instance | acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} |
| KeyPair | acs:ecs:{#regionId}:{#accountId}:keypair/* |
| KeyPair | acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairId} |
| ReservedInstance | acs:ecs:{#regionId}:{#accountId}:reservedinstance/* |
| ReservedInstance | acs:ecs:{#regionId}:{#accountId}:reservedinstance/{#reservedinstanceId} |
| SecurityGroup | acs:ecs:{#regionId}:{#accountId}:securitygroup/* |
| SecurityGroup | acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} |
| Snapshot | acs:ecs:{#regionId}:{#accountId}:snapshot/{#snapshotId} |
| DedicatedHost | acs:ecs:{#regionId}:{#accountId}:ddh/* |
| DedicatedHostCluster | acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} |
| DedicatedHostCluster | acs:ecs:{#regionId}:{#accountId}:ddhcluster/* |
| ElasticityAssurance | acs:ecs:{#regionId}:{#accountId}:elasticityassurance/* |
| Command | acs:ecs:{#regionId}:{#accountId}:command/{#commandId} |
| ImagePipeline | acs:ecs:{#regionId}:{#accountId}:imagepipeline/* |
| ImagePipeline | acs:ecs:{#regionId}:{#accountId}:imagepipeline/{#imagepipelineId} |
| CapacityReservation | acs:ecs:{#regionId}:{#accountId}:capacityreservation/* |
| AutoSnapshotPolicy | acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/* |
| StorageCapacityUnit | acs:ecs:{#regionId}:{#accountId}:scu/{#scuId} |
| DeploymentSet | acs:ecs:{#regionId}:{#accountId}:deploymentset/{#DeploymentSetId} |
| Volume | acs:ecs:{#regionId}:{#accountId}:volume/* |
| VSwitch | acs:vpc:{#regionId}:{#accountId}:vswitch/{#vswitchId} |
| LaunchTemplate | acs:ecs:{#regionId}:{#accountId}:launchtemplate/* |
| LaunchTemplate | acs:ecs:{#regionId}:{#accountId}:launchtemplate/{#launchtemplateId} |
| Volume | acs:ecs:{#regionId}:{#accountId}:volume/{#volumeId} |
| KeyPair | acs:ecs:{#regionId}:{#accountId}:keypair/{#keypairName} |
| Activation | acs:ecs:{#regionId}:{#accountId}:activation/{#ActivationId} |
| HpcCluster | acs:ecs:{#regionId}:{#accountId}:hpc/* |
| Fleet | acs:ecs:{#regionId}:{#accountId}:fleet/* |
| ddhcluster | acs:ecs:{#regionId}:{#accountId}:ddhcluster/{#ddhclusterId} |
| Command | acs:ecs:{#regionId}:{#accountId}:command/* |
| Demand | acs:ecs:*:{#accountId}:* |
| StorageCapacityUnit | acs:ecs:{#regionId}:{#accountId}:scu/* |
| AutoProvisioningGroup | acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} |
| Activation | acs:ecs:{#regionId}:{#accountId}:activation/* |
| AutoSnapshotPolicy | acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId} |
| VPC | acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} |
| ElasticityAssurance | acs:ecs:{#regionId}:{#accountId}:elasticityassurance/{#ElasticityAssuranceId} |
| AutoSnapshotPolicy | acs:ecs:{#regionId}:{#accountId}:autosnapshotpolicy/* |
| snapshotpolicy | acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#snapshotpolicyId} |
| Snapshot | acs:ecs:{#regionId}:{#accountId}:snapshotpolicy/{#autoSnapshotPolicyId} |
| AutoProvisioningGroup | acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/* |
| ImageComponent | acs:ecs:{#regionId}:{#accountId}:imagecomponent/* |
| VSwitch | acs:vpc:{#regionId}:{#accountId}:vswitch/* |
| Demand | acs:ecs:{#regionId}:{#accountId}:ecsdemand/* |
| SnapshotGroup | acs:ecs:{#regionId}:{#accountId}:snapshotgroup/* |
| ServiceSettings | acs:ecs:{#regionId}:{#accountId}:servicesettings/{#servicesettingId} |
| activation | acs:ecs:{#regionId}:{#accountId}:activation/{#activationId} |
| ImageComponent | acs:ecs:{#regionId}:{#accountId}:imagecomponent/{#imagecomponentId} |
| Role | acs:ram:*:{#accountId}:role/{#roleName} |
| DeploymentSet | acs:ecs:{#regionId}:{#accountId}:deploymentset/* |
| Invocation | acs:ecs:{#regionId}:{#accountId}:invocation/{#invocationId} |
| autoprovisioninggroup | acs:ecs:{#regionId}:{#accountId}:autoprovisioninggroup/{#autoprovisioninggroupId} |
| ddhcluster | acs:ecs:{#regionId}:{#accountId}:ddhcluster/* |
| RouteTable | acs:vpc:{#regionId}:{#accountId}:routetable/{#RouteTableId} |
| HaVip | acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} |
| Address | acs:vpc:{#regionId}:{#accountId}:eip/{#AllocationId} |
| VirtualBorderRouter | acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VbrId} |
| RouterInterface | acs:vpc:{#regionId}:{#accountId}:routerinterface/* |
| Address | acs:vpc:{#regionId}:{#accountId}:eip/* |
| NatGateway | acs:vpc:{#regionId}:{#accountId}:natgateway/* |
| PhysicalConnection | acs:vpc:{#regionId}:{#accountId}:physicalconnection/{#PhysicalConnectionId} |
| ForwardTable | acs:vpc:{#regionId}:{#accountId}:forwardtable/{#ForwardTableId} |
| NatGateway | acs:vpc:{#regionId}:{#accountId}:natgateway/{#natgatewayid} |
| VirtualBorderRouter | acs:vpc:{#regionId}:{#accountId}:virtualborderrouter/{#VirtualBorderRouterId} |
| BandwidthPackage | acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/{#BandwidthPackageId} |
| RouterInterface | acs:vpc:{#regionId}:{#accountId}:routerinterface/{#RouterInterfaceId} |
| Instance | acs:vpc:{#regionId}:{#accountId}:instance/{#InstanceId} |
| BandwidthPackage | acs:vpc:{#regionId}:{#accountId}:bandwidthpackage/* |
| Association | acs:vpc:{#regionId}:{#accountId}:havip/{#HaVipId} |
| VPC | acs:vpc:{#regionId}:{#accountId}:vpc/* |
| HaVip | acs:vpc:{#regionId}:{#accountId}:havip/* |
| PhysicalConnection | acs:vpc:{#regionId}:{#accountId}:physicalconnection/* |
| VRouter | acs:vpc:{#regionId}:{#accountId}:vrouter/* |
| VRouter | acs:vpc:{#regionId}:{#accountId}:vrouter/{#VRouterId} |
| VirtualBorderRouter | acs:vpc:{#regionId}:{#AccountId}:virtualborderrouter/* |
條件(Condition)
下表是云服務(wù)器 ECS定義的產(chǎn)品級(jí)條件關(guān)鍵字,這些條件關(guān)鍵字可以在RAM權(quán)限策略語(yǔ)句的
Condition元素中使用,用來(lái)描述授予權(quán)限的條件。以下僅列舉產(chǎn)品級(jí)的條件關(guān)鍵字,阿里云定義的通用條件關(guān)鍵字也同樣適用云服務(wù)器 ECS。其中,數(shù)據(jù)類型決定了您可以使用哪些條件運(yùn)算符將請(qǐng)求中的值與權(quán)限策略語(yǔ)句中的值進(jìn)行比較。您必須使用與數(shù)據(jù)類型匹配的條件運(yùn)算符,否則無(wú)法匹配策略語(yǔ)句,授權(quán)行為無(wú)效。數(shù)據(jù)類型與條件運(yùn)算符的對(duì)應(yīng)關(guān)系,請(qǐng)參見(jiàn)條件操作類型。
| 條件關(guān)鍵字 | 描述 | 類型 |
|---|---|---|
| vpc:VPC | VPC信息 | String |
| vpc:IsDefaultVSwitch | 是否為默認(rèn)VSwitch,是否可以使用默認(rèn)VSwitch | Boolean |
| vpc:IsDefaultVpc | 是否為默認(rèn)VPC | Boolean |
| ecs:IsDiskEncrypted | 是否為加密數(shù)據(jù)盤(pán) | String |
| ecs:InstanceType | 實(shí)例規(guī)格 | String |
| ecs:InstanceTypeFamily | 實(shí)例規(guī)格族 | String |
| ecs:ImagePlatform | 鏡像的操作系統(tǒng)類型 | String |
| ecs:ImageSource | 鏡像來(lái)源 | String |
| ecs:CommandRunAs | 執(zhí)行云助手命令的操作系統(tǒng)內(nèi)用戶 | String |
| ecs:IsSystemDiskEncrypted | 是否為加密系統(tǒng)盤(pán) | String |
| ecs:ImageOwnerId | 鏡像的所有者UID。 | String |
| ecs:AssociatePublicIpAddress | 是否支持資源在創(chuàng)建和變配過(guò)程中進(jìn)行公網(wǎng)IP分配,即是否允許操作資源使公網(wǎng)帶寬大于0。 | Boolean |
| ecs:PasswordCustomized | 是否使用了自定義密碼 | Boolean |
| ecs:PasswordInherit | 實(shí)例是否繼承鏡像密碼 | Boolean |
| ecs:SecurityEnhancementStrategy | 是否開(kāi)啟安全加固。 | String |
| ecs:SecurityHardeningMode | 訪問(wèn)實(shí)例元數(shù)據(jù)時(shí)是否強(qiáng)制使用加固模式(IMDSv2) | Boolean |
| vpc:CreateDefaultVpc | 是否可以創(chuàng)建默認(rèn)VPC | Boolean |
| ecs:SecurityGroupIpProtocols | 安全組開(kāi)放的傳輸層協(xié)議 | String |
| ecs:SecurityGroupSourceCidrIps | 安全組設(shè)置訪問(wèn)權(quán)限的源端IPv4 CIDR地址段 | String |
| ecs:NotSpecifySecurityGroupId | 是否沒(méi)有指定安全組ID | Boolean |