Resource Access Management (RAM) is the Alibaba Cloud service for managing user identities and resource access permissions. With RAM you avoid sharing the AccessKey of your Alibaba Cloud account with other users, and you can grant each user only the minimum permissions it needs. RAM describes what is authorized by means of permission policies. This topic describes the actions (Action), resources (Resource) and conditions (Condition) that Simple Application Server (SWAS-OPEN) defines for RAM permission policies. The RAM code (RamCode) of Simple Application Server (SWAS-OPEN) is swas and swas-open, and the supported authorization granularity is resource level.

Generic structure of a permission policy

Permission policies are written in JSON. The generic structure is:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The fields have the following meaning:

- Effect: the effect of the policy. Valid values: Allow, Deny.
- Action: the specific operations that are allowed or denied. See Action below.
- Resource: the specific objects the operation acts on; you describe them with resource ARNs. See Resource below.
- Condition: the conditions under which the authorization takes effect. Optional. See Condition below.
- Condition_operator: the condition operator; each type of condition has its own operators. See the basic elements of permission policies.
- Condition_key: the condition key.
- Condition_value: the value that the condition key is compared against.

Action

The following table lists the actions defined by Simple Application Server (SWAS-OPEN). These actions can be used in the Action element of a RAM permission policy statement to grant permission to perform the operation. The columns of the table are:

- Action: the specific permission point.
- API: the API operation that the action corresponds to.
- Access level: the access level of the action. Valid values: Write, Read, List.
- Resource type: the resource types that can be authorized in the operation. A required resource type is marked with a leading *. For operations that do not support resource-level authorization, all resources (*) is shown.
- Condition key: the condition keys defined by the service itself. This column does not show the common condition keys that apply to every operation.
- Associated action: other permissions that are required for the operation to succeed. The caller must hold the permissions for the associated actions as well, otherwise the operation fails.

| Action | API | Access level | Resource type (ARN) | Condition key | Associated action |
|---|---|---|---|---|---|
| swas-open:AddCustomImageShareAccount | AddCustomImageShareAccount | none | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} | None | None |
| swas-open:AllocatePublicConnection | AllocatePublicConnection | create | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:ApplyFirewallTemplate | ApplyFirewallTemplate | update | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId}; acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:AttachKeyPair | AttachKeyPair | update | * | None | None |
| swas-open:CreateCommand | CreateCommand | create | acs:swas-open:{#regionId}:{#accountId}:command/* | None | None |
| swas-open:CreateCustomImage | CreateCustomImage | create | acs:swas-open:{#regionId}:{#accountId}:customimage/* | None | None |
| swas-open:CreateFirewallRule | CreateFirewallRule | create | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:CreateFirewallRules | CreateFirewallRules | create | acs:swas-open:{#regionId}:{#accountId}:firewallrule/* | None | None |
| swas-open:CreateFirewallTemplate | CreateFirewallTemplate | create | * | None | None |
| swas-open:CreateFirewallTemplateRules | CreateFirewallTemplateRules | create | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplatId} | None | None |
| swas-open:CreateInstanceKeyPair | CreateInstanceKeyPair | create | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:CreateInstances | CreateInstances | create | acs:swas-open:{#regionId}:{#accountId}:instance/* | None | None |
| swas-open:CreateKeyPair | CreateKeyPair | create | * | None | None |
| swas-open:CreateSnapshot | CreateSnapshot | create | acs:swas-open:{#regionId}:{#accountId}:snapshot/* | None | None |
| swas-open:DeleteCommand | DeleteCommand | delete | acs:swas-open:{#regionId}:{#accountId}:{#CommandId} | None | None |
| swas-open:DeleteCustomImage | DeleteCustomImage | delete | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} | None | None |
| swas-open:DeleteCustomImages | DeleteCustomImages | delete | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageIds} | None | None |
| swas-open:DeleteFirewallRule | DeleteFirewallRule | delete | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#RuleId} | None | None |
| swas-open:DeleteFirewallRules | DeleteFirewallRules | delete | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DeleteFirewallTemplateRules | DeleteFirewallTemplateRules | delete | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId} | None | None |
| swas-open:DeleteFirewallTemplates | DeleteFirewallTemplates | delete | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId} | None | None |
| swas-open:DeleteInstanceKeyPair | DeleteInstanceKeyPair | delete | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DeleteKeyPairs | DeleteKeyPairs | delete | * | None | None |
| swas-open:DeleteSnapshot | DeleteSnapshot | delete | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotId} | None | None |
| swas-open:DeleteSnapshots | DeleteSnapshots | delete | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotIds} | None | None |
| swas-open:DescribeCloudAssistantAttributes | DescribeCloudAssistantAttributes | get | * | None | None |
| swas-open:DescribeCloudAssistantStatus | DescribeCloudAssistantStatus | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeCloudMonitorAgentStatuses | DescribeCloudMonitorAgentStatuses | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeCommandInvocations | DescribeCommandInvocations | get | * | None | None |
| swas-open:DescribeCommands | DescribeCommands | get | acs:swas-open:{#regionId}:{#accountId}:command/*; acs:swas-open:{#regionId}:{#accountId}:command/{#CommandId} | None | None |
| swas-open:DescribeDatabaseErrorLogs | DescribeDatabaseErrorLogs | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeDatabaseInstanceMetricData | DescribeDatabaseInstanceMetricData | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:DescribeDatabaseInstanceParameters | DescribeDatabaseInstanceParameters | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeDatabaseInstances | DescribeDatabaseInstances | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeDatabaseSlowLogRecords | DescribeDatabaseSlowLogRecords | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeFirewallTemplateApplyResults | DescribeFirewallTemplateApplyResults | list | * | None | None |
| swas-open:DescribeFirewallTemplateRulesApplyResult | DescribeFirewallTemplateRulesApplyResult | list | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId}; acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeFirewallTemplates | DescribeFirewallTemplates | list | * | None | None |
| swas-open:DescribeInstanceKeyPair | DescribeInstanceKeyPair | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeInstancePasswordsSetting | DescribeInstancePasswordsSetting | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeInstanceVncUrl | DescribeInstanceVncUrl | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeInvocationResult | DescribeInvocationResult | get | acs:swas-open:{#regionId}:{#accountId}:command/{#InstanceId} | None | None |
| swas-open:DescribeInvocations | DescribeInvocations | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:DescribeMonitorData | DescribeMonitorData | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DescribeSecurityAgentStatus | DescribeSecurityAgentStatus | get | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:DetachKeyPair | DetachKeyPair | update | * | None | None |
| swas-open:DisableFirewallRule | DisableFirewallRule | update | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#RuleId} | None | None |
| swas-open:EnableFirewallRule | EnableFirewallRule | update | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#RuleId} | None | None |
| swas-open:ImportKeyPair | ImportKeyPair | create | * | None | None |
| swas-open:InstallCloudAssistant | InstallCloudAssistant | create | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:InstallCloudMonitorAgent | InstallCloudMonitorAgent | create | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:InvokeCommand | InvokeCommand | none | * | None | None |
| swas-open:ListCustomImageShareAccounts | ListCustomImageShareAccounts | none | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} | None | None |
| swas-open:ListCustomImages | ListCustomImages | get | acs:swas-open:{#regionId}:{#accountId}:customimage/*; acs:swas-open:{#regionId}:{#accountId}:customimage/{#CustomImageId} | None | None |
| swas-open:ListDisks | ListDisks | get | acs:swas-open:{#regionId}:{#accountId}:disk/{#DiskId}; acs:swas-open:{#regionId}:{#accountId}:disk/* | None | None |
| swas-open:ListFirewallRules | ListFirewallRules | get | acs:swas-open:{#regionId}:{#accountId}:firewallrule/* | None | None |
| swas-open:ListImages | ListImages | get | * | None | None |
| swas-open:ListInstancePlansModification | ListInstancePlansModification | get | * | None | None |
| swas-open:ListInstanceStatus | ListInstanceStatus | get | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:ListInstances | ListInstances | get | acs:swas-open:{#regionId}:{#accountId}:instance/*; acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:ListInstancesTrafficPackages | ListInstancesTrafficPackages | get | * | None | None |
| swas-open:ListKeyPairs | ListKeyPairs | get | * | None | None |
| swas-open:ListSnapshots | ListSnapshots | get | acs:swas-open:{#regionId}:{#accountId}:snapshot/*; acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotId} | None | None |
| swas-open:ListTagResources | ListTagResources | list | * | None | None |
| swas-open:LoginInstance | LoginInstance | none | acs:swas-open:{#regionId}:{#accountId}:Instance/{#InstanceId} | None | None |
| swas-open:ModifyDatabaseInstanceDescription | ModifyDatabaseInstanceDescription | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:ModifyDatabaseInstanceParameter | ModifyDatabaseInstanceParameter | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:ModifyFirewallRule | ModifyFirewallRule | update | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#RuleId} | None | None |
| swas-open:ModifyFirewallTemplate | ModifyFirewallTemplate | update | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId} | None | None |
| swas-open:ModifyImageShareStatus | ModifyImageShareStatus | update | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} | None | None |
| swas-open:ModifyInstanceVncPassword | ModifyInstanceVncPassword | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:RebootInstance | RebootInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:RebootInstances | RebootInstances | update | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:ReleasePublicConnection | ReleasePublicConnection | delete | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:RemoveCustomImageShareAccount | RemoveCustomImageShareAccount | none | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} | None | None |
| swas-open:RenewInstance | RenewInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:ResetDatabaseAccountPassword | ResetDatabaseAccountPassword | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:ResetDisk | ResetDisk | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DiskId} | None | None |
| swas-open:ResetSystem | ResetSystem | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:RestartDatabaseInstance | RestartDatabaseInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:RunCommand | RunCommand | create | acs:swas-open:{#regionId}:{#accountId}:{#CommandId} | None | None |
| swas-open:StartDatabaseInstance | StartDatabaseInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:StartInstance | StartInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:StartInstances | StartInstances | update | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:StartTerminalSession | StartTerminalSession | none | * | None | None |
| swas-open:StopDatabaseInstance | StopDatabaseInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} | None | None |
| swas-open:StopInstance | StopInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:StopInstances | StopInstances | update | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} | None | None |
| swas-open:TagResources | TagResources | none | * | None | None |
| swas-open:UntagResources | UntagResources | none | * | None | None |
| swas-open:UpdateCommandAttribute | UpdateCommandAttribute | update | acs:swas-open:{#regionId}:{#accountId}:command/{#CommandId} | None | None |
| swas-open:UpdateDiskAttribute | UpdateDiskAttribute | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#DiskId} | None | None |
| swas-open:UpdateInstanceAttribute | UpdateInstanceAttribute | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:UpdateSnapshotAttribute | UpdateSnapshotAttribute | update | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotId} | None | None |
| swas-open:UpgradeInstance | UpgradeInstance | update | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |
| swas-open:UploadInstanceKeyPair | UploadInstanceKeyPair | create | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} | None | None |

Resource

The following table lists the resources defined by Simple Application Server (SWAS-OPEN). These resources can be used in the Resource element of a RAM permission policy statement to grant permission to perform specific operations on the resource. A resource ARN is the unique identifier of a resource on Alibaba Cloud. Notes on the notation:

- {#} marks a variable that you must replace with the actual value. For example, {#ramcode} must be replaced with the actual RAM code of the cloud service.
- * means all. For example, {#resourceType} set to * means all resources, {#regionId} set to * means all regions, and {#accountId} set to * means all Alibaba Cloud accounts.

| Resource type | Resource ARN |
|---|---|
| Command | acs:swas-open:{#regionId}:{#accountId}:{#CommandId} |
| | acs:swas-open:{#regionId}:{#accountId}:command/* |
| | acs:swas-open:{#regionId}:{#accountId}:command/{#CommandId} |
| | acs:simpleapplicationserver:{#regionId}:{#accountId}:command/{#CommandId} |
| | acs:swas-open:{#regionId}:{#accountId}:command/{#ResourceId} |
| ContainerService | acs:swas-open:{#regionId}:{#accountId}:containerservice/{#ContainerServiceId} |
| | acs:swas-open:{#regionId}:{#accountId}:containerservice/* |
| CustomImage | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageId} |
| | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ResourceId} |
| | acs:swas-open:{#regionId}:{#accountId}:customimage/* |
| | acs:swas-open:{#regionId}:{#accountId}:customimage/{#CustomImageId} |
| | acs:swas-open:{#regionId}:{#accountId}:customimage/{#ImageIds} |
| Disk | acs:swas-open:{#regionId}:{#accountId}:disk/{#ResourceId} |
| | acs:swas-open:{#regionId}:{#accountId}:disk/* |
| | acs:swas-open:{#regionId}:{#accountId}:disk/{#DiskId} |
| Domain | acs:swas-open:{#regionId}:{#accountId}:domain/* |
| FirewallRule | acs:swas-open:{#regionId}:{#accountId}:firewallrule/* |
| | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#RuleId} |
| | acs:swas-open:{#regionId}:{#accountId}:firewallrule/{#ResourceId} |
| FirewallTemplate | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplateId} |
| | acs:swas-open:{#regionId}:{#accountId}:FirewallTemplate/* |
| | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/* |
| | acs:swas-open:{#regionId}:{#accountId}:FirewallTemplate/{#FirewallTempalteId} |
| | acs:swas-open:{#regionId}:{#accountId}:firewalltemplate/{#FirewallTemplatId} |
| Instance | acs:swas-open:{#regionId}:{#accountId}:{#InstanceId} |
| | acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId} |
| | acs:swas-open:{#regionId}:{#accountId}:Instance/{#InstanceId} |
| | acs:swas-open:{#regionId}:{#accountId}:instance/{#DatabaseInstanceId} |
| | acs:swas-open:{#regionId}:{#accountId}:instance/{#DiskId} |
| | acs:swas-open:{#regionId}:{#accountId}:instance/* |
| | acs:swas-open:{#regionId}:{#accountId}:instance/{#ResourceId} |
| | acs:swas-open:{#regionId}:{#accountId}:command/{#InstanceId} |
| KeyPair | acs:swas-open:{#regionId}:{#accountId}:Keypair/* |
| Snapshot | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotId} |
| | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#ResourceId} |
| | acs:swas-open:{#regionId}:{#accountId}:snapshot/{#SnapshotIds} |
| | acs:swas-open:{#regionId}:{#accountId}:snapshot/* |

Condition

Simple Application Server (SWAS-OPEN) does not define product-level condition keys. For the common condition keys that apply to all cloud services, see Common condition keys.

Related operations

You can create a custom permission policy and grant it to a RAM user, RAM user group or RAM role. The procedure is as follows:
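As an added example that is not part of this documentation page, the following Python lint applies the action table above to a policy before it is granted: it flags Allow statements that give a resource-scopable action Resource "*", ARNs attached to an action that only supports all resources, and ARNs that do not follow the format the action expects (for example StopInstance is scoped with instance/{#InstanceId}, StopInstances with a bare {#InstanceId}). The action subset is hand-copied from the table; the region, account and instance IDs in the sample policies are constructed.

```python
import json
import re

# Hand-copied subset of the SWAS-OPEN Action table on this page: action -> ARN formats
# it can be scoped to. ["*"] means the action supports "all resources" only.
INST = "acs:swas-open:{#regionId}:{#accountId}:instance/{#InstanceId}"
ACTION_RESOURCES = {
    "swas-open:StopInstance": [INST],
    "swas-open:DescribeInstanceVncUrl": [INST],
    "swas-open:StopInstances": ["acs:swas-open:{#regionId}:{#accountId}:{#InstanceId}"],
    "swas-open:ListInstances": ["acs:swas-open:{#regionId}:{#accountId}:instance/*", INST],
    "swas-open:InvokeCommand": ["*"],
}

def template_to_regex(template):
    """{#var} placeholders become one ':'- and '/'-free segment (a literal '*' is fine there); the rest is literal."""
    parts = re.split(r"\{#[A-Za-z]+\}", template)
    return re.compile("^" + r"[^:/]+".join(re.escape(p) for p in parts) + "$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Findings for Allow statements broader than the table permits or with ARNs in the wrong format."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st["Action"]):
            if "*" in action:
                findings.append(f"stmt {i}: wildcard action {action!r} grants every matching operation")
                continue
            formats = ACTION_RESOURCES.get(action)
            if formats is None:
                findings.append(f"stmt {i}: {action!r} is not in the local action table")
                continue
            for res in as_list(st["Resource"]):
                if formats == ["*"] and res != "*":
                    findings.append(f"stmt {i}: {action} has no resource-level support; Resource must be '*'")
                elif formats != ["*"] and res == "*":
                    findings.append(f"stmt {i}: {action} supports resource-level scoping; narrow Resource to an ARN")
                elif formats != ["*"] and not any(template_to_regex(t).match(res) for t in formats):
                    findings.append(f"stmt {i}: {res!r} does not match any ARN format for {action}")
    return findings

# Constructed policies (region, account and instance IDs are made up): the broad one grants StopInstance on everything.
BROAD_POLICY = '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "swas-open:StopInstance", "Resource": "*"}]}'
SCOPED_POLICY = ('{"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["swas-open:StopInstance", '
                 '"swas-open:DescribeInstanceVncUrl"], "Resource": "acs:swas-open:cn-hangzhou:1234567890:instance/i-made-up"}]}')
```

Calling lint_policy(BROAD_POLICY) returns one finding asking for an ARN, while lint_policy(SCOPED_POLICY) returns none.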