资源级权限指的是能够指定用户对哪些资源具有执行操作的能力。云数据库部分支持资源级权限,即表示针对支持资源级权限的云数据库操作,您可以控制何时允许用户执行操作或是允许用户使用特定资源。访问管理 CAM 中可授权的资源类型如下:
资源类型 | 授权策略中的资源描述方法 |
云数据库实例相关 | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
下表将介绍当前支持资源级权限的云数据库 API 操作,以及每个操作支持的资源和条件密钥。指定资源路径的时候,您可以在路径中使用 * 通配符。
支持资源级授权的 API 列表
API 操作 | 资源路径 |
AddTimeWindow | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
AssociateSecurityGroups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
CloseWanService | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
CreateAccounts | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
CreateBackup | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
CreateDBImportJob | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DeleteAccounts | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DeleteBackup | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DeleteTimeWindow | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeAccountPrivileges | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeAccounts | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBackupConfig | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBackupDatabases | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBackupDownloadDbTableCode | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBackups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBackupTables | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeBinlogs | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDatabases | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBImportRecords | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBInstanceCharset | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBInstanceConfig | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBInstanceGTID | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBInstanceRebootTime | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBSwitchRecords | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDBSecurityGroups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeInstanceParamRecords | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeInstanceParams | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeRoGroups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeRollbackRangeTime | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeSlowLogs | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeSupportedPrivileges | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeTables | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeTimeWindow | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeDatabasesForInstances | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeMonitorData | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DescribeTableColumns | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DropDatabaseTables | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
InitDBInstances | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
IsolateDBInstance | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyAccountDescription | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyAccountPassword | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyAccountPrivileges | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyAutoRenewFlag | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyBackupConfig | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyBackupInfo | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyDBInstanceName | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyDBInstanceProject | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyDBInstanceSecurityGroups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyDBInstanceVipVport | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyInstanceParam | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyDBInstanceModes | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyTimeWindow | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ModifyProtectMode | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
OfflineDBInstances | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
OpenDBInstanceGTID | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
OpenWanService | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
ReleaseIsolatedDBInstances | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
RestartDBInstances | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
StartBatchRollback | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
SubmitBatchOperation | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
SwitchDrInstanceToMaster | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
SwitchForUpgrade | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
DisassociateSecurityGroups | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
UpgradeDBInstance | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
UpgradeDBInstanceEngineVersion | qcs::cdb:$region:$account:instanceId/*qcs::cdb:$region:$account:instanceId/$instanceId |
不支持资源级授权的 API 列表
针对不支持资源级权限的云数据库 API 操作,您仍可以向用户授予使用该操作的权限,但策略语句的资源元素必须指定为 *。
API 操作 | API 描述 |
CreateDBInstance | 创建云数据库实例(包年包月) |
CreateDBInstanceHour | 创建云数据库实例(按量计费) |
CreateParamTemplate | 创建参数模板 |
DeleteParamTemplate | 删除监控模板监控项 |
DescribeProjectSecurityGroups | 查询项目安全组信息 |
DescribeDefaultParams | 查询默认的可设置参数列表 |
DescribeParamTemplateInfo | 查询参数模板详情 |
DescribeParamTemplates | 查询参数模板列表 |
DescribeAsyncRequestInfo | 查询异步任务的执行结果 |
DescribeTasks | 查询云数据库实例任务列表 |
DescribeUploadedFiles | 查询导入 SQL 文件列表 |
ModifyParamTemplate | 修改参数模板 |
RenewDBInstance | 续费云数据库实例 |
StopDBImportJob | 终止数据导入任务 |
DescribleRoMinScale | 查询只读实例支持的最小规格 |
DescribeRequestResult | 查询任务详情 |
DescribeRoMinScale | 获取只读实例购买或升级的最小规格 |
