Help & Documentation

Help & Documentation Cloud Virtual Machine CVM Introduction Access Control Authorizable Resource Type

Authorizable Resource Type

Last updated: 2018-06-22 16:04:42

Resource-level permissions can be used to specify which resources users can work with. CVM supports part of the resource-level permissions. This means that for some CVM operations, you can control the time when users are allowed to perform operations (condition must be met) or to use specified resources. The following table describes the types of resource that can be authorized in CVM.

The type of resource that can be authorized in CAM:

Resource type	Resource description method in authorization policy
CVM instance related	`qcs::cvm:$region::instance/*`
CVM key related	`qcs::cvm:$region::keypair/*`
CVM image related	`qcs:t:cvm:$region:$account:image/*`

The following table describes the API operations of CVM (Cloud Virtual Machine) that support resource-level permissions, and the resources and condition keys supported for each operation. You can use wildcard "*" in the path when specifying resource path.

Note:
Any CVM API operation not listed here does not support resource-level permission. If any CVM API operation does not support resource-level permission, you can still authorize the permission of this operation to users, but you must specify * for the resource element of policy statement.

API Operation	Resource Path	Condition Key
DescribeInstanceInternetBandwidthConfigs	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ModifyInstanceInternetChargeType	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ModifyInstancesAttribute	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ModifyInstancesProject	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ModifyInstancesRenewFlag	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
RebootInstances	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
RenewInstances	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ResetInstance	`qcs::cvm:$region:$account:instance/` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:image/` `qcs::cvm:$region:$account:image/$imageId` `qcs::cvm:$region:$account:keypair/` `qcs::cvm:$region:$account:keypair/$keyId` `qcs:::cvm:$region:$account:systemdisk/`	cvm:region cvm:zone cvm:instance_type
ResetInstancesInternetMaxBandwidth	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ResetInstancesPassword	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ResetInstancesType	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
ResizeInstanceDisks	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
RunInstances	`qcs::cvm:$region:$account:instance/` `qcs::cvm:$region:$account:image/` `qcs::cvm:$region:$account:image/$imageId` `qcs::cvm:$region:$account:keypair/` `qcs::cvm:$region:$account:keypair/$keyId` `qcs::cvm:$region:$account:sg/` `qcs::cvm:$region:$account:sg/$sgId` `qcs::vpc:$region:$account:subnet/` `qcs::vpc:$region:$account:subnet/$subnetId` `qcs:::cvm:$region:$account:systemdisk/` `qcs::cvm:$region:$account:datadisk/` `qcs::vpc:$region:$account:vpc/` `qcs::vpc:$region:$account:vpc/$vpcId`	cvm:region cvm:zone cvm:instance_type
StartInstances	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
StopInstances	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type
TerminateInstances	`qcs::cvm:$region:$account:instance/*` `qcs::cvm:$region:$account:instance/$instanceId`	cvm:region cvm:zone cvm:instance_type

API Operation	Resource Path	Condition Key
AssociateInstancesKeyPairs	`qcs::cvm:$region:$account:instance/` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:keypair/` `qcs::cvm:$region:$account:keypair/$keyId`	-
CreateKeyPair	`qcs::cvm:$region:$account:keypair/*`	-
DeleteKeyPairs	`qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId`	-
DescribeKeyPairs	`qcs::cvm:$region:$account:keypair/*`	-
DescribeKeyPairsAttribute	`qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId`	-
DisassociateInstancesKeyPairs	`qcs::cvm:$region:$account:instance/` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:keypair/` `qcs::cvm:$region:$account:keypair/$keyId`	-
ImportKeyPair	`qcs::cvm:$region:$account:keypair/*`	-
ModifyKeyPairAttribute	`qcs::cvm:$region:$account:keypair/*` `qcs::cvm:$region:$account:keypair/$keyId`	-

API Operation	Resource Path	Condition Key
CreateImage	`qcs::cvm:$region:$account:instance/` `qcs::cvm:$region:$account:instance/$instanceId` `qcs::cvm:$region:$account:image/`	cvm:region
DeleteImages	`qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId`	cvm:region
DescribeImages	`qcs::cvm:$region:$account:image/*`	cvm:region
DescribeImagesAttribute	`qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId`	cvm:region
DescribeImageSharePermission	`qcs::cvm:$region:$account:image/*`	cvm:region
ModifyImageAttribute	`qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId`	cvm:region
ModifyImageSharePermission	`qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId`	cvm:region
SyncImages	`qcs::cvm:$region:$account:image/*` `qcs::cvm:$region:$account:image/$imageId`	cvm:region

Previous: Access Control Overview Next: Authorization Policy Syntax

Help & Documentation

Authorizable Resource Type

CVM Instance Related:

CVM Key Related:

CVM Image Related: