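Container Registry authorization rules

Before a RAM user calls the Container Registry Enterprise Edition API, the primary account must grant permissions to the RAM user by creating an authorization policy. In the authorization policy, the authorized resources are specified with resource descriptors (Alibaba Cloud Resource Name, ARN).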
Resource description
When you grant permissions through RAM, resources are described as shown in the following table:
| Resource type | Resource description in the authorization policy |
| --- | --- |
| `*` | `acs:cr:$regionid:$accountid:*` |
| instance | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| repository | `acs:cr:$regionid:$accountid:repository/$instanceid/*` |
| repository | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*` |
| repository | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| repository | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename` |
| chart | `acs:cr:$regionid:$accountid:chart/$instanceid/*` |
| chart | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*` |
| chart | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| chart | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
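The parameters are described in the following table:

| Parameter | Description |
| --- | --- |
| `$regionid` | Region ID. Can be replaced with `*`. |
| `$accountid` | Numeric ID of the cloud account. Can be replaced with `*`. |
| `$instanceid` | Container Registry Enterprise Edition instance ID. |
| `$namespacename` | Namespace name. |
| `$repositoryname` | Image repository name. |
| `$chartnamespacename` | Chart namespace name. |
| `$chartrepositoryname` | Chart repository name. |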
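Authorization rules
When the Container Registry API is accessed as a RAM user (sub-account) or through STS, Container Registry performs a permission check with RAM to make sure the caller holds the required permissions. Each API determines which resource permissions to check based on the resources it involves and on the semantics of the API. The authorization rules for each API are shown in the following table: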
| API | Authorization Action | Authorization Resource |
| --- | --- | --- |
| GetAuthorizationToken | `cr:GetAuthorizationToken` | `*` |
| GetChartNamespace | `cr:GetNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| GetChartRepository | `cr:GetRepository` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
| GetInstance | `cr:GetInstance` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| GetInstanceCount | `cr:ListInstance` | `*` |
| GetInstanceEndpoint | `cr:GetInstanceEndpoint` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| GetInstanceUsage | `cr:GetInstanceUsage` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| GetInstanceVpcEndpoint | `cr:GetInstanceVpcEndpoint` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| GetNamespace | `cr:GetNamespace` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename` |
| GetRepoBuildRecord | `cr:GetRepositoryBuildRecord` | `acs:cr:$regionid:$accountid:repository/$instanceid` |
| GetRepoBuildRecordStatus | `cr:GetBuildRepositoryStatus` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| GetRepoSyncTask | `cr:GetRepositorySync` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| GetRepoTagLayers | `cr:GetRepositoryLayers` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| GetRepoTagManifest | `cr:GetRepositoryManifest` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| GetRepoTagScanTask | `cr:GetScan` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| GetRepository | `cr:GetRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListChartNamespace | `cr:ListNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/*` |
| ListChartRelease | `cr:ListChartRelease` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
| ListChartRepository | `cr:ListRepository` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/*` |
| ListInstance | `cr:ListInstance` | `*` |
| ListInstanceEndpoint | `cr:ListInstanceEndpoint` | `acs:cr:$regionid:$accountid:repository/$instanceid` |
| ListNamespace | `cr:ListNamespace` | `acs:cr:$regionid:$accountid:repository/$instanceid/*` |
| ListRepoBuildRecord | `cr:ListRepositoryBuild` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoBuildRecordLog | `cr:GetRepositoryBuildLog` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoBuildRule | `cr:ListRepositoryBuildRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoSyncRule | `cr:ListSyncRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoSyncTask | `cr:GetRepositorySync` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoTag | `cr:ListRepositoryTag` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoTrigger | `cr:ListWebHook` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoTriggerLog | `cr:GetWebHookLog` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepoTriggerRecord | `cr:GetWebHookLog` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| ListRepository | `cr:ListRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/*` |
| CancelRepoBuildRecord | `cr:CancelBuildRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateBuildRecordByRule | `cr:BuildRepositoryByRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateChartNamespace | `cr:CreateNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| CreateInstanceEndpointAclPolicy | `cr:CreateInstanceEndpointAclPolicy` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| CreateInstanceVpcEndpointLinkedVpc | `cr:CreateInstanceVpcEndpointLinkedVpc` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| CreateNamespace | `cr:CreateNamespace` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename` |
| CreateRepoBuildRule | `cr:CreateRepositoryBuildRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateRepoSyncRule | `cr:CreateSyncRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateRepoSyncTaskByRule | `cr:CreateRepositorySync` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateRepoTrigger | `cr:CreateWebHook` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| CreateRepository | `cr:CreateRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename` |
| DeleteChartNamespace | `cr:DeleteNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| DeleteChartRelease | `cr:DeleteChartRelease` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
| DeleteChartRepository | `cr:DeleteRepository` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
| DeleteInstanceEndpointAclPolicy | `cr:DeleteInstanceEndpointAclPolicy` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| DeleteInstanceVpcEndpointLinkedVpc | `cr:DeleteInstanceVpcEndpointLinkedVpc` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| DeleteNamespace | `cr:DeleteNamespace` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename` |
| DeleteRepoBuildRule | `cr:DeleteRepositoryBuildRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| DeleteRepoSyncRule | `cr:DeleteSyncRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| DeleteRepoTag | `cr:DeleteRepositoryTag` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| DeleteRepoTrigger | `cr:DeleteWebHook` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| DeleteRepository | `cr:DeleteRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| UpdateChartNamespace | `cr:UpdateNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| UpdateChartRepository | `cr:UpdateRepository` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename/$chartrepositoryname` |
| UpdateInstanceEndpointStatus | `cr:UpdateInstanceEndpointStatus` | `acs:cr:$regionid:$accountid:instance/$instanceid` |
| UpdateNamespace | `cr:UpdateNamespace` | `acs:cr:$regionid:$accountid:chart/$instanceid/$chartnamespacename` |
| UpdateRepoBuildRule | `cr:UpdateRepositoryBuildRule` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| UpdateRepoTrigger | `cr:UpdateWebHook` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
| UpdateRepository | `cr:UpdateRepository` | `acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename/$repositoryname` |
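
The following added example (not part of the original documentation) takes a few rows of the rule table and shows how the Resource each API checks interacts with wildcard policies, and how to build a least-privilege policy from those rows. It assumes that `*` in a policy matches any run of characters and models only Allow statements; the account ID, instance ID and namespace/repository names are constructed samples, and the helper names are hypothetical.

```python
from fnmatch import fnmatchcase
from string import Template

REPO = "acs:cr:$regionid:$accountid:repository/$instanceid/$namespacename"
# Subset of the rule table on this page: API -> (Action, Resource template).
RULES = {
    "GetAuthorizationToken": ("cr:GetAuthorizationToken", "*"),
    "GetNamespace": ("cr:GetNamespace", REPO),
    "CreateRepository": ("cr:CreateRepository", REPO),
    "ListRepository": ("cr:ListRepository", REPO + "/*"),
    "GetRepository": ("cr:GetRepository", REPO + "/$repositoryname"),
    "ListRepoTag": ("cr:ListRepositoryTag", REPO + "/$repositoryname"),
    "DeleteRepository": ("cr:DeleteRepository", REPO + "/$repositoryname"),
}
# Constructed sample identifiers, not real values.
IDS = {"regionid": "cn-hangzhou", "accountid": "1234567890123456",
       "instanceid": "cri-example0000"}

def required(api, **names):
    """Return the (Action, Resource) pair that is checked for this API call."""
    action, template = RULES[api]
    return action, Template(template).substitute(IDS, **names)

def build_policy(apis, **names):
    """Least-privilege policy: one Allow statement per checked resource."""
    by_resource = {}
    for api in apis:
        action, arn = required(api, **names)
        by_resource.setdefault(arn, []).append(action)
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": sorted(set(acts)), "Resource": arn}
        for arn, acts in by_resource.items()]}

def allowed(policy, api, **names):
    """Simplified model (assumption): Allow only, '*' matches any characters."""
    action, arn = required(api, **names)
    for st in policy["Statement"]:
        acts = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        res = [st["Resource"]] if isinstance(st["Resource"], str) else st["Resource"]
        if (st["Effect"] == "Allow"
                and any(fnmatchcase(action, a) for a in acts)
                and any(fnmatchcase(arn, r) for r in res)):
            return True
    return False

# Hand-written policy that reads like "everything in namespace team-a".
BROAD = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "cr:*",
    "Resource": "acs:cr:*:*:repository/cri-example0000/team-a/*"}]}
```

Under this model, `BROAD` permits `DeleteRepository` on every repository in `team-a` yet does not cover `CreateRepository` or `GetNamespace`, which are checked against the namespace ARN without a trailing `/*`, nor `GetAuthorizationToken`, which is checked against `*`.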