描述
您通过云账号创建的RDS实例,都是该账号自己拥有的资源。默认情况下,账号对自己的资源拥有完整的操作权限。
通过使用阿里云的RAM(Resource Access Management)服务,您可以将您云账号下RDS资源的访问及管理权限授予RAM中的子用户。
目前,可以在RAM中进行授权的资源类型只有dbinstance。在通过RAM进行授权时,资源的描述方式如下:
请求参数
[tr=rgb(51, 205, 229)][td]资源类型
授权策略中的资源描述方式dbinstanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceid
acs:rds:$regionid:$accountid:dbinstance/
acs:rds:::dbinstance/
参数说明:
[tr=rgb(51, 205, 229)][td]参数名称
说明
$regionid地域的ID,可以用*代替。
$dbinstanceid实例的名称,可以用*代替。
$accountid云账号的数字ID,可以用*代替。
RDS API的鉴权规则
当子用户通过API访问RDS时,RDS后台会向RAM进行权限检查,以确保调用者拥有相应权限。每个API会根据涉及到的资源以及API的语义来确定需要检查哪些资源的权限。每个API的鉴权规则如下表所示:
[tr=rgb(51, 205, 229)][td]API
鉴权规则CreateDBInstanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDeleteDBInstanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeDBInstancesacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidSwitchDBInstanceNetTypeacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyDBInstanceDescriptionacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyDBInstanceMaintainTimeacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidPurgeDBInstanceLogacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDeleteDatabaseacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyDBDescriptionacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeFilesForSQLServeracs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeImportsForSQLServeracs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCancelImportacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidResetAccountPasswordacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidRevokeAccountPrivilegeacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDeleteAccountacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreateBackupacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreateTempDBInstanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyBackupPolicyacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeDBInstancePerformanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeSlowLogRecordsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeBinlogFilesacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeSQLLogRecordsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeOptimizeAdviceOnMissPKacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeOptimizeAdviceOnMissIndexacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeParametersacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreatePrepaidDBInstanceForChannelacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyPrepaidDBInstanceSpecacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreatePostpaidDBInstanceForChannelacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyPostpaidDBInstanceSpecacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeDBInstanceAttributeacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidRestartDBInstanceacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifySecurityIpsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidUpgradeDBInstanceEngineVersionacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreateDatabaseacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeDatabasesacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreateUploadPathForSQLServeracs:rds:$regionid:$accountid:dbinstance/$dbinstanceidImportDataBaseBetweenInstancesacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidCreateAccountacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidGrantAccountPrivilegeacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeAccountsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidModifyAccountDescriptionacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeBackupsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeBackupPolicyacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeResourceUsageacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeSlowLogsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeErrorLogsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeSQLLogReportsacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeOptimizeAdviceOnStorageacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeOptimizeAdviceOnExcessIndexacs:rds:$regionid:$accountid:dbinstance/$dbinstanceidDescribeOptimizeAdviceByDBAacs:rds:$regionid:$accountid:dbinstance/$dbinstanceid[tr=rgb(239, 251, 255)][td]ModifyeParameter
acs:rds:$regionid:$accountid:dbinstance/$dbinstanceid
