可授权的资源类型

最后更新时间:2021-05-11 10:32:54

    资源级权限指的是能够指定用户对哪些资源具有执行操作的能力。云数据库部分支持资源级权限,即表示针对支持资源级权限的云数据库操作,您可以控制何时允许用户执行操作或是允许用户使用特定资源。访问管理 CAM 中可授权的资源类型如下:

    资源类型 授权策略中的资源描述方法
    云数据库实例相关 qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId

    下表将介绍当前支持资源级权限的云数据库 API 操作,以及每个操作支持的资源和条件密钥。指定资源路径的时候,您可以在路径中使用 * 通配符。

    支持资源级授权的 API 列表

    API 操作 资源路径
    AddTimeWindow qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    AssociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    CloseWanService qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    CreateAccounts qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    CreateBackup qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    CreateDBImportJob qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DeleteAccounts qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DeleteBackup qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DeleteTimeWindow qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeAccountPrivileges qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeAccounts qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBackupConfig qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBackupDatabases qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBackupDownloadDbTableCode qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBackups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBackupTables qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeBinlogs qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDatabases qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBImportRecords qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBInstanceCharset qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBInstanceConfig qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBInstanceRebootTime qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBSwitchRecords qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDBSecurityGroups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeInstanceParamRecords qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeInstanceParams qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeRoGroups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeRollbackRangeTime qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeSlowLogs qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeSupportedPrivileges qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeTables qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeTimeWindow qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeDatabasesForInstances qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeMonitorData qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DescribeTableColumns qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DropDatabaseTables qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    InitDBInstances qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    IsolateDBInstance qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyAccountDescription qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyAccountPassword qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyAccountPrivileges qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyAutoRenewFlag qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyBackupConfig qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyBackupInfo qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyDBInstanceName qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyDBInstanceProject qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyDBInstanceSecurityGroups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyDBInstanceVipVport qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyInstanceParam qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyDBInstanceModes qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyTimeWindow qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ModifyProtectMode qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    OfflineDBInstances qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    OpenDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    OpenWanService qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    ReleaseIsolatedDBInstances qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    RestartDBInstances qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    StartBatchRollback qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    SubmitBatchOperation qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    SwitchDrInstanceToMaster qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    SwitchForUpgrade qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    DisassociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    UpgradeDBInstance qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId
    UpgradeDBInstanceEngineVersion qcs::cdb:$region:$account:instanceId/*
    qcs::cdb:$region:$account:instanceId/$instanceId

    不支持资源级授权的 API 列表

    针对不支持资源级权限的云数据库 API 操作,您仍可以向用户授予使用该操作的权限,但策略语句的资源元素必须指定为 *。

    API 操作 API 描述
    CreateDBInstanceHour 创建云数据库实例(按量计费)
    CreateParamTemplate 创建参数模板
    DeleteParamTemplate 删除监控模板监控项
    DescribeProjectSecurityGroups 查询项目安全组信息
    DescribeDefaultParams 查询默认的可设置参数列表
    DescribeParamTemplateInfo 查询参数模板详情
    DescribeParamTemplates 查询参数模板列表
    DescribeAsyncRequestInfo 查询异步任务的执行结果
    DescribeTasks 查询云数据库实例任务列表
    DescribeUploadedFiles 查询导入 SQL 文件列表
    ModifyParamTemplate 修改参数模板
    RenewDBInstance 续费云数据库实例
    StopDBImportJob 终止数据导入任务
    DescribleRoMinScale 查询只读实例支持的最小规格
    DescribeRequestResult 查询任务详情
    DescribeRoMinScale 获取只读实例购买或升级的最小规格