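By default, you can use the ECS API to perform any operation on the ECS resources that you created yourself. However, a newly created sub-account has no permission to operate on the primary account's resources, and accessing ECS from another service also raises an authorization question. Therefore, before you operate on ECS resources that are subject to access control, the resource owner must grant permission on both the target resources and the target API actions. If you do not need cross-account authorization or access to ECS instance resources, you can skip this section.
Before learning how to use Resource Access Management (RAM) to authorize and access ECS instances, make sure you have read the RAM product documentation and API documentation.
When another account accesses the primary account's ECS resources through the ECS API, we first send a permission check to RAM to confirm that the resource owner has in fact granted the caller the relevant permissions on the relevant resources. Each ECS API determines which resources' permissions to check based on the resources involved and the semantics of the API. Specifically, the authorization rules for some of the APIs are listed in the table below.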
| Action | Authorization rule |
|---|---|
| AddTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
| AllocatePublicIpAddress | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ApplyAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
| AttachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId |
| AttachDisk |
|
| AttachKeyPair |
|
| AuthorizeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| AuthorizeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| CancelAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
| CancelCopyImage | acs:ecs:$regionid:$accountid:image/$imageNo |
| CopyImage |
|
| ConvertNatPublicIpToEip | acs:ecs:$regionid:$accountid:instance/$instanceId |
| CreateAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
| CreateDisk |
|
| CreateImage |
|
| CreateInstance |
|
| CreateKeyPair | acs:ecs:$regionid:$accountid:keypair/* |
| CreateSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/* |
| CreateSnapshot |
|
| DeleteAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
| DeleteDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
| DeleteImage | acs:ecs:$regionid:$accountid:image/$imageNo |
| DeleteInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DeleteKeyPairs | acs:ecs:$regionid:$accountid:keypair/$keyPairName |
| DeleteSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| DeleteSnapshot | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
| DescribeClassicLinkInstances | acs:ecs:$regionid:$accountid:instance/* |
| DescribeDiskMonitorData | acs:ecs:$regionid:$accountid:disk/$diskId |
| DescribeDisks |
|
| DescribeImages |
|
| DescribeInstanceAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DescribeInstanceMonitorData | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DescribeInstances |
|
| DescribeInstanceStatus | acs:ecs:$regionid:$accountid:instance/* |
| DescribeInstanceVncPasswd | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DescribeInstanceVncUrl | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DescribeKeyPairs |
|
| DescribePrice | acs:ecs:*:$accountid:* |
| DescribeRenewalPrice | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DescribeSecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| DescribeSecurityGroups |
|
| DescribeSnapshotAttribute | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
| DescribeSnapshotLinks |
|
| DescribeSnapshotMonitorData | acs:ecs:*:$accountid:snapshot/* |
| DescribeSnapshots |
|
| DescribeTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
| DetachClassicLinkVpc | acs:ecs:$regionid:$accountid:instance/$instanceId |
| DetachDisk |
|
| DetachKeyPair |
|
| ExportImage | acs:ecs:$regionid:$accountid:image/$imageNo |
| ImportImage | acs:ecs:$regionid:$accountid:image/* |
| ImportKeyPair | acs:ecs:$regionid:$accountid:keypair/* |
| JoinSecurityGroup |
|
| LeaveSecurityGroup |
|
| ModifyAutoSnapshotPolicy | acs:ecs:*:$accountid:snapshot/* |
| ModifyDiskAttribute | acs:ecs:$regionid:$accountid:disk/$diskId |
| ModifyImageAttribute | acs:ecs:$regionid:$accountid:image/$imageNo |
| ModifyInstanceAttribute | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ModifyInstanceAutoReleaseTime | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ModifyInstanceChargeType | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ModifyInstanceNetworkSpec | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ModifyInstanceVncPasswd | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ModifyInstanceVpcAttribute |
|
| ModifySecurityGroupAttribute | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| ModifySecurityGroupEgressRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| ModifySecurityGroupRule | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| ModifyPrepayInstanceSpec | acs:ecs:$regionid:$accountid: |
| ModifySnapshotAttribute | acs:ecs:$regionid:$accountid:snapshot/$snapshotId |
| RebootInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ReInitDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
| ReleasePublicIpAddress | acs:ecs:$regionid:$accountid:instance/$instanceId |
| RemoveTags | acs:ecs:$regionid:$accountid:$resourceType/$resourceId |
| RenewInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
| ReplaceSystemDisk |
|
| ResetDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
| ResizeDisk | acs:ecs:$regionid:$accountid:disk/$diskId |
| RevokeSecurityGroup | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| RevokeSecurityGroupEgress | acs:ecs:$regionid:$accountid:securitygroup/$groupNo |
| RunInstances |
|
| StartInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
| StopInstance | acs:ecs:$regionid:$accountid:instance/$instanceId |
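
The rule templates in the table can be used to check a RAM policy before it is attached to a sub-account. The following Python code is an added example, not Alibaba Cloud code: it fills in a rule template for one concrete call and evaluates a policy document under a simplified model (case-sensitive wildcard matching, explicit Deny overrides Allow, no Condition support). The account ID, instance ID and policy are constructed sample values.

```python
import fnmatch
from string import Template

# Rule templates copied from the table above (subset).
RULES = {
    "StopInstance": "acs:ecs:$regionid:$accountid:instance/$instanceId",
    "DeleteDisk": "acs:ecs:$regionid:$accountid:disk/$diskId",
    "CreateKeyPair": "acs:ecs:$regionid:$accountid:keypair/*",
}

# Constructed sample policy in RAM policy document syntax.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:StopInstance", "ecs:StartInstance"],
         "Resource": "acs:ecs:cn-hangzhou:1234567890123456:instance/i-example0001"},
        {"Effect": "Allow", "Action": "ecs:Describe*",
         "Resource": "acs:ecs:*:1234567890123456:*"},
        {"Effect": "Deny", "Action": "ecs:Delete*", "Resource": "*"},
    ],
}

def required_resource(action, **ids):
    """Fill in the table's rule template for one concrete API call."""
    return Template(RULES[action]).substitute(**ids)

def _matches(patterns, value):
    # Policy fields may hold a single string or a list of patterns.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], "ecs:" + action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    res = required_resource("StopInstance", regionid="cn-hangzhou",
                            accountid="1234567890123456", instanceId="i-example0001")
    print(res, is_allowed(POLICY, "StopInstance", res))
```

A call whose required resource is not covered by any Allow statement is rejected, which is the outcome to expect for a sub-account that was granted a single instance and tries the same action on another one.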