Resource-level permission refers to the ability to specify which resources users are allowed to operate on. Cloud Virtual Machine (CVM) has partial support for resource-level permission. This means that for certain CVM operations, you can control when users are allowed to perform them and which specific resources they are allowed to use. For example, you can authorize users to perform operations on specific CVMs in Guangzhou.
The types of resources that can be authorized in Cloud Access Management (CAM) are as follows:
Resource Type | Resource Description Method in Authorization Policy |
---|---|
CVM Instance | qcs::cvm:$region::instance/* |
CVM Key | qcs::cvm:$region::keypair/* |
CVM Image | qcs::cvm:$region:$account:image/* |
The tables below, one each for CVM instances, CVM keys and CVM images, list the CVM API operations that currently support resource-level permission, together with the resources and condition keys each operation supports. When configuring a resource path, replace variable parameters such as $region and $account with your actual values. You can also use the wildcard * in the path. For more information, see Operation Examples.
CVM API operations not listed in the table do not support resource-level permission. You can still authorize a user to perform these operations, but you must specify * as the resource element in the policy statement.
API Operation | Resource Path | Condition Key |
---|---|---|
DescribeInstanceInternetBandwidthConfigs | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ModifyInstanceInternetChargeType | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ModifyInstancesAttribute | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ModifyInstancesProject | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ModifyInstancesRenewFlag | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
RebootInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
RenewInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ResetInstance | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId qcs::cvm:$region:$account:systemdisk/* | cvm:region cvm:zone cvm:instance_type |
ResetInstancesInternetMaxBandwidth | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ResetInstancesPassword | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ResetInstancesType | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
ResizeInstanceDisks | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
RunInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId qcs::cvm:$region:$account:sg/* qcs::cvm:$region:$account:sg/$sgId qcs::vpc:$region:$account:subnet/* qcs::vpc:$region:$account:subnet/$subnetId qcs::cvm:$region:$account:systemdisk/* qcs::cvm:$region:$account:datadisk/* qcs::vpc:$region:$account:vpc/* qcs::vpc:$region:$account:vpc/$vpcId | cvm:region cvm:zone cvm:instance_type |
StartInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
StopInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |
TerminateInstances | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId | cvm:region cvm:zone cvm:instance_type |

API Operation | Resource Path | Condition Key |
---|---|---|
AssociateInstancesKeyPairs | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId | - |
CreateKeyPair | qcs::cvm:$region:$account:keypair/* | - |
DeleteKeyPairs | qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId | - |
DescribeKeyPairs | qcs::cvm:$region:$account:keypair/* | - |
DescribeKeyPairsAttribute | qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId | - |
DisassociateInstancesKeyPairs | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId | - |
ImportKeyPair | qcs::cvm:$region:$account:keypair/* | - |
ModifyKeyPairAttribute | qcs::cvm:$region:$account:keypair/* qcs::cvm:$region:$account:keypair/$keyId | - |

API Operation | Resource Path | Condition Key |
---|---|---|
CreateImage | qcs::cvm:$region:$account:instance/* qcs::cvm:$region:$account:instance/$instanceId qcs::cvm:$region:$account:image/* | cvm:region |
DeleteImages | qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId | cvm:region |
DescribeImages | qcs::cvm:$region:$account:image/* | cvm:region |
DescribeImagesAttribute | qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId | cvm:region |
DescribeImageSharePermission | qcs::cvm:$region:$account:image/* | cvm:region |
ModifyImageAttribute | qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId | cvm:region |
ModifyImageSharePermission | qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId | cvm:region |
SyncImages | qcs::cvm:$region:$account:image/* qcs::cvm:$region:$account:image/$imageId | cvm:region |
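
The rules above can be checked mechanically before a policy is attached. The following is an added example, not code from this page or from Tencent Cloud: a small linter that flags `*` where an operation could be scoped, a scoped path on an operation the tables do not list, unreplaced `$region`/`$account` variables, and resource types an operation does not accept. The policy JSON shape (`version`, `statement`, `effect`, and `action`/`resource` as lists), the `cvm:` action prefix, the `ap-guangzhou` region code and the `uin/...` account format are assumptions; `lint`, `SUPPORTED` and `SAMPLE` are hypothetical names and all IDs are constructed.

```python
import re
# Operation -> resource types it accepts, transcribed from the tables on this page.
SUPPORTED = {}
for types, names in [
    ("instance", "DescribeInstanceInternetBandwidthConfigs ModifyInstanceInternetChargeType "
     "ModifyInstancesAttribute ModifyInstancesProject ModifyInstancesRenewFlag RebootInstances "
     "RenewInstances ResetInstancesInternetMaxBandwidth ResetInstancesPassword "
     "ResetInstancesType ResizeInstanceDisks StartInstances StopInstances TerminateInstances"),
    ("instance image keypair systemdisk", "ResetInstance"),
    ("instance image keypair sg subnet systemdisk datadisk vpc", "RunInstances"),
    ("instance keypair", "AssociateInstancesKeyPairs DisassociateInstancesKeyPairs"),
    ("keypair", "CreateKeyPair DeleteKeyPairs DescribeKeyPairs DescribeKeyPairsAttribute "
     "ImportKeyPair ModifyKeyPairAttribute"),
    ("instance image", "CreateImage"),
    ("image", "DeleteImages DescribeImages DescribeImagesAttribute DescribeImageSharePermission "
     "ModifyImageAttribute ModifyImageSharePermission SyncImages"),
]:
    SUPPORTED.update({n: set(types.split()) for n in names.split()})

# qcs::<service>:<region>:<account, may be empty>:<type>/<id or *>
PATH = re.compile(r"^qcs::(?:cvm|vpc):[^:]+:[^:]*:([a-z]+)/.+$")

def lint(policy):
    """Return (action, resource, problem) tuples for the policy's allow statements."""
    out = []
    for st in (s for s in policy["statement"] if s.get("effect") == "allow"):
        for act in st["action"]:
            types = SUPPORTED.get(act.split(":", 1)[-1])
            for res in st["resource"]:
                if types is None:  # operation not listed in the tables
                    if res != "*":
                        out.append((act, res, "no resource-level support; resource must be *"))
                elif res == "*":
                    out.append((act, res, "can be scoped to a resource path"))
                elif "$" in res:
                    out.append((act, res, "unreplaced $variable in path"))
                elif not (m := PATH.match(res)) or m.group(1) not in types:
                    out.append((act, res, "path malformed or type not accepted"))
    return out

# Constructed sample policy; region, account and instance IDs are placeholders.
SAMPLE = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["cvm:StartInstances", "cvm:StopInstances"],
     "resource": ["qcs::cvm:ap-guangzhou:uin/100000000001:instance/ins-example1"]},
    {"effect": "allow", "action": ["cvm:TerminateInstances"], "resource": ["*"]},
    {"effect": "allow", "action": ["cvm:RebootInstances"],
     "resource": ["qcs::cvm:$region:$account:instance/*"]},
    {"effect": "allow", "action": ["cvm:DescribeInstances"],
     "resource": ["qcs::cvm:ap-guangzhou:uin/100000000001:instance/*"]},
]}
```

Calling `lint(SAMPLE)` returns three findings: the unscoped `TerminateInstances`, the template path left on `RebootInstances`, and the scoped path on `DescribeInstances`, which the tables on this page do not list.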