Resource-level permission refers to the ability to specify which resources users are allowed to operate on. Cloud Virtual Machine(CVM) has partial support for resource-level permission. This means that for certain CVMs, you can control when users are allowed to operate on them, and what specific resources users are allowed to use. For example, you authorize users to perform operations on specific CVMs in Guangzhou.
The types of resources can be authorized in Cloud Access Management (CAM) are as follows:
| Resource Type | Resource Description Method in Authorization Policy |
|---|---|
| CVM Instance | qcs::cvm:$region::instance/* |
| CVM Key | qcs::cvm:$region::keypair/* |
| CVM Image | qcs::cvm:$region:$account:image/* |
CVM Instance, CVM Key and CVM Image introduce CVM API operations that currently support resource-level permission, as well as resources and condition keys supported by these CVM API operations. When configuring the resource path, you need to change variable parameters such as $ region, $ account into your actual parameter information. You can also use wildcard * in the path. For more information, see Operation Examples.
CVM API operations not listed in the table do not support resource-level permission. You can still authorize a user to perform these operations, but you must specify * as the resource element in the policy statement.
| API Operation | Resource Path | Condition Key |
|---|---|---|
| DescribeInstanceInternetBandwidthConfigs | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ModifyInstanceInternetChargeType | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesAttribute | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesProject | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ModifyInstancesRenewFlag | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| RebootInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| RenewInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ResetInstance | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceIdqcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageIdqcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyIdqcs::cvm:$region:$account:systemdisk/* |
cvm:region cvm:zone cvm:instance_type |
| ResetInstancesInternetMaxBandwidth | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ResetInstancesPassword | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ResetInstancesType | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| ResizeInstanceDisks | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| RunInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageIdqcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyIdqcs::cvm:$region:$account:sg/*qcs::cvm:$region:$account:sg/$sgIdqcs::vpc:$region:$account:subnet/*qcs::vpc:$region:$account:subnet/$subnetIdqcs::cvm:$region:$account:systemdisk/*qcs::cvm:$region:$account:datadisk/*qcs::vpc:$region:$account:vpc/*qcs::vpc:$region:$account:vpc/$vpcId |
cvm:region cvm:zone cvm:instance_type |
| StartInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| StopInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| TerminateInstances | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceId |
cvm:region cvm:zone cvm:instance_type |
| API Operation | Resource Path | Condition Key |
|---|---|---|
| AssociateInstancesKeyPairs | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceIdqcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyId |
- |
| CreateKeyPair | qcs::cvm:$region:$account:keypair/* |
- |
| DeleteKeyPairs | qcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyId |
- |
| DescribeKeyPairs | qcs::cvm:$region:$account:keypair/* |
- |
| DescribeKeyPairsAttribute | qcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyId |
- |
| DisassociateInstancesKeyPairs | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceIdqcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyId |
- |
| ImportKeyPair | qcs::cvm:$region:$account:keypair/* |
- |
| ModifyKeyPairAttribute | qcs::cvm:$region:$account:keypair/*qcs::cvm:$region:$account:keypair/$keyId |
- |
| API Operation | Resource Path | Condition Key |
|---|---|---|
| CreateImage | qcs::cvm:$region:$account:instance/*qcs::cvm:$region:$account:instance/$instanceIdqcs::cvm:$region:$account:image/* |
cvm:region |
| DeleteImages | qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageId |
cvm:region |
| DescribeImages | qcs::cvm:$region:$account:image/* |
cvm:region |
| DescribeImagesAttribute | qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageId |
cvm:region |
| DescribeImageSharePermission | qcs::cvm:$region:$account:image/* |
cvm:region |
| ModifyImageAttribute | qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageId |
cvm:region |
| ModifyImageSharePermission | qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageId |
cvm:region |
| SyncImages | qcs::cvm:$region:$account:image/*qcs::cvm:$region:$account:image/$imageId |
cvm:region |
Was this page helpful?