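Resource-level permissions let you specify which resources a user is allowed to perform operations on. Cloud Virtual Machine (CVM) partially supports resource-level permissions: for the CVM operations that support them, you can control when a user is allowed to perform an operation, or which specific resources the user is allowed to use.
For example, you can grant a user permission to perform CVM operations in the Guangzhou region.
The resource types that can be authorized in Cloud Access Management (CAM) are as follows: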
| Resource type | Resource description in the authorization policy |
| --- | --- |
| CVM instance-related | `qcs::cvm:$region::instance/*` |
| CVM key-related | `qcs::cvm:$region::keypair/*` |
| CVM image-related | `qcs::cvm:$region:$account:image/*` |
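The sections CVM instance-related, CVM key-related and CVM image-related list the CVM API operations that currently support resource-level permissions, along with the resources and condition keys that each operation supports. **When setting a resource path,** replace variable parameters such as `$region` and `$account` with your actual values; you can also use the `*` wildcard in the path. For examples of these operations, see CAM Examples.
Note: A CVM API operation that is not listed in the tables does not support resource-level permissions. You can still grant a user permission to use such an operation, but the resource element of the policy statement must be specified as `*`.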
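The rule in the note above can be checked mechanically before a policy is attached. The following linter is an added example, not code from the original page or from Tencent Cloud. It assumes a CAM policy document with `statement`, `effect`, `action` and `resource` fields and `cvm:`-prefixed action names. The region `ap-guangzhou`, the `uin/...` account value and the sample policy are constructed, and `DescribeZones` stands in for an operation that is absent from the tables on this page.

```python
import re

# Resource types each action accepts, transcribed from a subset of the tables on this page.
# Extend it from those tables; any action absent from them has no resource-level support.
SUPPORTED = {
    "StartInstances": {"instance"}, "StopInstances": {"instance"},
    "TerminateInstances": {"instance"}, "ResetInstancesPassword": {"instance"},
    "CreateKeyPair": {"keypair"}, "DeleteKeyPairs": {"keypair"},
    "CreateImage": {"instance", "image"}, "DeleteImages": {"image"},
}
# qcs::<service>:<region>:<account>:<type>/<id or *>; region and account may be empty.
QCS = re.compile(r"^qcs::([a-z]+):([^:]*):([^:]*):([a-z]+)/(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, resource, problem) for each grant needing review."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue  # only grants are checked here
        for action in as_list(stmt["action"]):
            allowed = SUPPORTED.get(action.split(":", 1)[-1])
            for res in as_list(stmt["resource"]):
                match = QCS.match(res)
                if allowed is None:
                    problem = None if res == "*" else "no resource-level support: resource must be *"
                elif res == "*":
                    problem = "supports resource-level permissions but is granted on *"
                elif not match:
                    problem = "malformed resource path"
                elif match.group(4) not in allowed:
                    problem = "resource type not listed for this action"
                else:
                    problem = None
                if problem:
                    findings.append((idx, action, res, problem))
    return findings

ACCT = "uin/100000000001"  # constructed placeholder account
SAMPLE_POLICY = {"version": "2.0", "statement": [  # constructed sample policy
    {"effect": "allow", "action": ["cvm:StartInstances", "cvm:StopInstances"],
     "resource": [f"qcs::cvm:ap-guangzhou:{ACCT}:instance/*"]},
    {"effect": "allow", "action": "cvm:DescribeZones",
     "resource": f"qcs::cvm:ap-guangzhou:{ACCT}:instance/*"},
    {"effect": "allow", "action": "cvm:DeleteKeyPairs",
     "resource": f"qcs::cvm:ap-guangzhou:{ACCT}:image/*"},
    {"effect": "allow", "action": "cvm:TerminateInstances", "resource": "*"},
]}
```

Calling `lint_policy(SAMPLE_POLICY)` reports statements 1, 2 and 3 and passes statement 0, which scopes two instance operations to instance resources in one region.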
CVM instance-related
| API operation | Resource path | Condition key |
| --- | --- | --- |
| DescribeInstanceInternetBandwidthConfigs | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesAttribute | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesProject | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesRenewFlag | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| RebootInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| RenewInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ResetInstance | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` `qcs:::cvm:$region:$account:systemdisk/*` | cvm:region cvm:zone cvm:instance_type |
| ResetInstancesInternetMaxBandwidth | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ResetInstancesPassword | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ResetInstancesType | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| ResizeInstanceDisks | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| RunInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` `qcs::cvm:$region:$account:sg/*` `qcs::cvm:$region:$account:sg/$sgId` `qcs::vpc:$region:$account:subnet/*` `qcs::vpc:$region:$account:subnet/$subnetId` `qcs:::cvm:$region:$account:systemdisk/*` `qcs::cvm:$region:$account:datadisk/*` `qcs::vpc:$region:$account:vpc/*` `qcs::vpc:$region:$account:vpc/$vpcId` | cvm:region cvm:zone cvm:instance_type |
| StartInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| StopInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
| TerminateInstances | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` | cvm:region cvm:zone cvm:instance_type |
CVM key-related
| API operation | Resource path | Condition key |
| --- | --- | --- |
| AssociateInstancesKeyPairs | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` | - |
| CreateKeyPair | `qcs::cvm:$region:$account:keypair/*` | - |
| DeleteKeyPairs | `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` | - |
| DescribeKeyPairs | `qcs::cvm:$region:$account:keypair/*` | - |
| DisassociateInstancesKeyPairs | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` | - |
| ImportKeyPair | `qcs::cvm:$region:$account:keypair/*` | - |
| ModifyKeyPairAttribute | `qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId` | - |
CVM image-related
| API operation | Resource path | Condition key |
| --- | --- | --- |
| CreateImage | `qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:image/*` | cvm:region |
| DeleteImages | `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` | cvm:region |
| DescribeImages | `qcs::cvm:$region:$account:image/*` | cvm:region |
| DescribeImageSharePermission | `qcs::cvm:$region:$account:image/*` | cvm:region |
| ModifyImageAttribute | `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` | cvm:region |
| ModifyImageSharePermission | `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` | cvm:region |
| SyncImages | `qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId` | cvm:region |