j9九游会登录/ 统一身份认证服务 iam_统一身份认证服务(新版)/ 服务授权参考/ / / 统一身份认证服务 iam
更新时间:2025-12-02 gmt 08:00

统一身份认证服务 iam-j9九游会登录

云服务在iam预置了常用的权限,称为系统身份策略。如果iam系统身份策略无法满足授权要求,管理员可以根据各j9九游会登录的服务支持的授权项,创建iam自定义身份策略来进行精细的访问控制,iam自定义身份策略是对系统身份策略的扩展和补充。

除iam服务外,organizations服务中的服务控制策略(service control policy,以下简称scp)也可以使用这些授权项元素设置访问控制策略。

scp不直接进行授权,只划定权限边界。将scp绑定到组织单元或者成员账号时,并没有直接对组织单元或成员账号授予操作权限,而是规定了成员账号或组织单元包含的成员账号的授权范围。iam身份策略授予权限的有效性受scp限制,只有在scp允许范围内的权限才能生效。

iam服务与organizations服务在使用这些元素进行访问控制时,存在着一些区别,详情请参见:iam服务与organizations服务权限访问控制的区别

本章节介绍iam服务身份策略授权场景中自定义身份策略和组织服务中scp使用的元素,这些元素包含了操作(action)、资源(resource)和条件(condition)。

操作(action)

操作(action)即为身份策略中支持的授权项。

  • “访问级别”列描述如何对操作进行分类(list、read和write等)。此分类可帮助您了解在身份策略中相应操作对应的访问级别。
  • “资源类型”列指每个操作是否支持资源级权限。
    • 资源类型支持通配符号*表示所有。如果此列没有值(-),则必须在身份策略语句的resource元素中指定所有资源类型(“*”)。
    • 如果该列包含资源类型,则必须在具有该操作的语句中指定该资源的urn。
    • 资源类型列中必需资源在表中用星号(*)标识,表示使用此操作必须指定该资源类型。

    关于iam定义的资源类型的详细信息请参见资源类型(resource)

  • “条件键”列包括了可以在身份策略语句的condition元素中支持指定的键值。
    • 如果该授权项资源类型列存在值,则表示条件键仅对列举的资源类型生效。
    • 如果该授权项资源类型列没有值(-),则表示条件键对整个授权项生效。
    • 如果此列条件键没有值(-),表示此操作不支持指定条件键。

    关于iam定义的条件键的详细信息请参见条件(condition)

  • “别名”列包括了可以在身份策略中配置的策略授权项。通过这些授权项,可以控制支持策略授权的api访问。详细信息请参见身份策略兼容性说明

您可以在身份策略语句的action元素中指定以下iam的相关操作。

表1 iam支持的授权项

授权项

描述

访问级别

资源类型(*为必须)

条件键

别名

iam::listaccesskeys

授予列举永久访问密钥的权限。

list

-

-
  • iam:credentials:listcredentials

iam::createaccesskey

授予创建永久访问密钥的权限。

write

-

-
  • iam:credentials:createcredential

iam::getaccesskey

授予查询永久访问密钥的权限。

read

-

-
  • iam:credentials:getcredential

iam::updateaccesskey

授予修改永久访问密钥的权限。

write

-

-
  • iam:credentials:updatecredential

iam::deleteaccesskey

授予删除永久访问密钥的权限。

write

-

-
  • iam:credentials:deletecredential

iam:projects:list

授予列举项目的权限。

list

-

-
  • iam:projects:listprojects

iam:projects:create

授予创建项目的权限。

write

-

-
  • iam:projects:createproject

iam:projects:listforuser

授予列举指定用户项目的权限。

list

-

-
  • iam:projects:listprojectsforuser

iam:projects:update

授予修改项目的权限。

write

-

-
  • iam:projects:updateproject

iam:groups:list

授予列举用户组的权限。

list

-

-
  • iam:groups:listgroups

iam:groups:create

授予创建用户组的权限。

write

-

-
  • iam:groups:creategroup

iam:groups:get

授予查询用户组的权限。

read

-

-
  • iam:groups:getgroup

iam:groups:delete

授予删除用户组的权限。

write

-

-
  • iam:groups:deletegroup

iam:groups:update

授予修改用户组的权限。

write

-

-
  • iam:groups:updategroup

iam:groups:removeuser

授予从用户组中移除用户的权限。

write

-

-
  • iam:permissions:removeuserfromgroup

iam:groups:listusers

授予列举指定用户组中用户的权限。

list

-

-
  • iam:users:listusersforgroup

iam:groups:checkuser

授予查询用户是否在用户组中的权限。

read

-

-
  • iam:permissions:checkuseringroup

iam:groups:adduser

授予添加用户到用户组的权限。

write

-

-
  • iam:permissions:addusertogroup

iam:users:create

授予创建用户的权限。

write

-

-
  • iam:users:createuser

iam:users:get

授予查询用户的权限。

read

-

-
  • iam:users:getuser

iam:users:update

授予修改用户的权限。

write

-

-
  • iam:users:updateuser

iam:users:list

授予列举用户的权限。

list

-

-
  • iam:users:listusers

iam:users:delete

授予删除用户的权限。

write

-

-
  • iam:users:deleteuser

iam:users:listgroups

授予列举指定用户所属用户组的权限。

list

-

-
  • iam:groups:listgroupsforuser

iam:users:listvirtualmfadevices

授予列举指定用户所属虚拟mfa设备的权限。

list

-

-
  • iam:mfa:listvirtualmfadevices

iam:users:createvirtualmfadevice

授予创建虚拟mfa设备密钥的权限。

write

-

-
  • iam:mfa:createvirtualmfadevice

iam:users:deletevirtualmfadevice

授予删除虚拟mfa设备的权限。

write

-

-
  • iam:mfa:deletevirtualmfadevice

iam:users:getvirtualmfadevice

授予查询虚拟mfa设备的权限。

read

-

-
  • iam:mfa:getvirtualmfadevice

iam:users:bindvirtualmfadevice

授予绑定虚拟mfa设备的权限。

write

-

-
  • iam:mfa:bindmfadevice

iam:users:unbindvirtualmfadevice

授予解绑虚拟mfa设备的权限。

write

-

-
  • iam:mfa:unbindmfadevice

iam:identityproviders:list

授予列举身份提供商的权限。

list

-

-
  • iam:identityproviders:listidentityproviders

iam:identityproviders:get

授予查询身份提供商的权限。

read

-

-
  • iam:identityproviders:getidentityprovider

iam:identityproviders:create

授予创建身份提供商的权限。

write

-

-
  • iam:identityproviders:createidentityprovider

iam:identityproviders:delete

授予删除身份提供商的权限。

write

-

-
  • iam:identityproviders:deleteidentityprovider

iam:identityproviders:update

授予修改身份提供商的权限。

write

-

-
  • iam:identityproviders:updateidentityprovider

iam:identityproviders:listmappings

授予列举身份提供商映射关系的权限。

list

-

-

-

iam:identityproviders:getmapping

授予查询身份提供商映射关系的权限。

read

-

-

-

iam:identityproviders:createmapping

授予创建身份提供商映射关系的权限。

write

-

-

-

iam:identityproviders:deletemapping

授予删除身份提供商映射关系的权限。

write

-

-

-

iam:identityproviders:updatemapping

授予修改身份提供商映射关系的权限。

write

-

-

-

iam:identityproviders:listprotocols

授予列举身份提供商协议的权限。

list

-

-

-

iam:identityproviders:getprotocol

授予查询身份提供商协议的权限。

read

-

-

-

iam:identityproviders:createprotocol

授予创建身份提供商协议的权限。

write

-

-

-

iam:identityproviders:deleteprotocol

授予删除身份提供商协议的权限。

write

-

-

-

iam:identityproviders:updateprotocol

授予修改身份提供商协议的权限。

write

-

-

-

iam:identityproviders:getsamlmetadata

授予查询身份提供商saml metadata文件的权限。

read

-

-
  • iam:identityproviders:getidpmetadata

iam:identityproviders:createsamlmetadata

授予创建身份提供商saml metadata文件的权限。

write

-

-
  • iam:identityproviders:createidpmetadata

iam:identityproviders:getoidcconfig

授予查询身份提供商oidc配置的权限。

read

-

-
  • iam:identityproviders:getopenidconnectconfig

iam:identityproviders:createoidcconfig

授予创建身份提供商oidc配置的权限。

write

-

-
  • iam:identityproviders:createopenidconnectconfig

iam:identityproviders:updateoidcconfig

授予修改身份提供商oidc配置的权限。

write

-

-
  • iam:identityproviders:updateopenidconnectconfig

iam:securitypolicies:getprotectpolicy

授予查询操作保护策略的权限。

read

-

-

-

iam:securitypolicies:updateprotectpolicy

授予修改操作保护策略的权限。

write

-

-

-

iam:securitypolicies:getpasswordpolicy

授予查询密码策略的权限。

read

-

-

-

iam:securitypolicies:updatepasswordpolicy

授予修改密码策略的权限。

write

-

-

-

iam:securitypolicies:getloginpolicy

授予查询登录策略的权限。

read

-

-

-

iam:securitypolicies:updateloginpolicy

授予修改登录策略的权限。

write

-

-

-

iam:securitypolicies:getconsoleaclpolicy

授予查询控制台访问策略的权限。

read

-

-

-

iam:securitypolicies:updateconsoleaclpolicy

授予修改控制台访问策略的权限。

write

-

-

-

iam:securitypolicies:getapiaclpolicy

授予查询接口访问策略的权限。

read

-

-

-

iam:securitypolicies:updateapiaclpolicy

授予修改接口访问策略的权限。

write

-

-

-

iam:securitypolicies:getprivacytransferpolicy

授予查询账号信息跨境传输策略的权限。

read

-

-

-

iam:securitypolicies:updateprivacytransferpolicy

授予修改账号信息跨境传输策略的权限。

write

-

-

-

iam:users:listloginprotectsettings

授予列举租户下用户登录保护设置的权限。

list

-

-
  • iam:users:listuserloginprotects

iam:users:getloginprotectsetting

授予查询登录保护设置的权限。

read

-

-
  • iam:users:getuserloginprotect

iam:users:updateloginprotectsetting

授予修改登录保护设置的权限。

write

-

-
  • iam:users:setuserloginprotect

iam:quotas:list

授予列举配额的权限。

list

-

-
  • iam:quotas:listquotas

iam:quotas:listforproject

授予查询项目配额的权限。

list

-

-
  • iam:quotas:listquotasforproject

iam:agencies:pass

授予向云服务传递委托的权限。

permission_management

agency *

-

-

iam:roles:list

授予查询权限列表的权限。

list

-

-
  • iam:roles:listroles

iam:roles:get

授予查询权限详情的权限。

read

-

-
  • iam:roles:getrole

iam::listroleassignments

授予查询租户授权记录的权限。

list

-

-
  • iam:permissions:listroleassignments

iam:groups:listrolesondomain

授予查询全局服务中用户组权限的权限。

list

-

-
  • iam:permissions:listrolesforgroupondomain

iam:groups:listrolesonproject

授予查询项目服务中用户组权限的权限。

list

-

-
  • iam:permissions:listrolesforgrouponproject

iam:groups:grantroleondomain

授予为用户组授予全局服务权限的权限。

write

-

-
  • iam:permissions:grantroletogroupondomain

iam:groups:grantroleonproject

授予为用户组授予项目级服务权限的权限。

write

-

-
  • iam:permissions:grantroletogrouponproject

iam:groups:checkroleondomain

授予查询用户组是否拥有全局服务权限的权限。

read

-

-
  • iam:permissions:checkroleforgroupondomain

iam:groups:checkroleonproject

授予查询用户组是否拥有项目服务权限的权限。

read

-

-
  • iam:permissions:checkroleforgrouponproject

iam:groups:listroles

授予查询用户组的所有权限的权限。

list

-

-
  • iam:permissions:listrolesforgroup

iam:groups:checkrole

授予查询用户组是否拥有指定权限的权限。

read

-

-
  • iam:permissions:checkroleforgroup

iam:groups:revokerole

授予移除用户组指定权限的权限。

write

-

-
  • iam:permissions:revokerolefromgroup

iam:groups:revokeroleondomain

授予移除用户组的全局服务权限的权限。

write

-

-
  • iam:permissions:revokerolefromgroupondomain

iam:groups:revokeroleonproject

授予移除用户组的项目服务权限的权限。

write

-

-
  • iam:permissions:revokerolefromgrouponproject

iam:groups:grantrole

授予为用户组授予指定权限的权限。

write

-

-
  • iam:permissions:grantroletogroup

iam:roles:create

授予创建自定义策略的权限。

write

-

-
  • iam:roles:createrole

iam:roles:update

授予修改自定义策略的权限。

write

-

-
  • iam:roles:updaterole

iam:roles:delete

授予删除自定义策略的权限。

write

-

-
  • iam:roles:deleterole

iam:agencies:list

授予列出委托的权限。

list

-

-
  • iam:agencies:listagencies

iam:agencies:listswitchagencyhistories

授予列出切换委托历史的权限。

list

-

-

-

iam:agencies:get

授予查询指定委托详情的权限。

read

-

-
  • iam:agencies:getagency

iam:agencies:create

授予创建委托的权限。

write

-

-
  • iam:agencies:createagency

iam:agencies:update

授予修改委托的权限。

write

-

-
  • iam:agencies:updateagency

iam:agencies:delete

授予删除委托的权限。

write

-

-
  • iam:agencies:deleteagency

iam:agencies:listrolesondomain

授予查询委托拥有的全局服务权限的权限。

list

-

-
  • iam:permissions:listrolesforagencyondomain

iam:agencies:listrolesonproject

授予查询委托拥有的指定项目权限的权限。

list

-

-
  • iam:permissions:listrolesforagencyonproject

iam:agencies:grantroleondomain

授予为委托授予全局服务权限的权限。

write

-

-
  • iam:permissions:grantroletoagencyondomain

iam:agencies:grantroleonproject

授予为委托授予项目服务权限的权限。

write

-

-
  • iam:permissions:grantroletoagencyonproject

iam:agencies:checkroleondomain

授予查询委托是否拥有全局服务权限的权限。

read

-

-
  • iam:permissions:checkroleforagencyondomain

iam:agencies:checkroleonproject

授予查询委托是否拥有项目服务权限的权限。

read

-

-
  • iam:permissions:checkroleforagencyonproject

iam:agencies:revokeroleondomain

授予移除委托的全局服务权限的权限。

write

-

-
  • iam:permissions:revokerolefromagencyondomain

iam:agencies:revokeroleonproject

授予移除委托的项目服务权限的权限。

write

-

-
  • iam:permissions:revokerolefromagencyonproject

iam:agencies:listroles

授予查询委托的所有权限的权限。

list

-

-
  • iam:permissions:listrolesforagency

iam:agencies:grantrole

授予为委托授予指定权限的权限。

write

-

-
  • iam:permissions:grantroletoagency

iam:agencies:checkrole

授予查询委托是否拥有指定权限的权限。

read

-

-
  • iam:permissions:checkroleforagency

iam:agencies:revokerole

授予移除委托的指定权限的权限。

write

-

-
  • iam:permissions:revokerolefromagency

iam::listgroupsassignedenterpriseproject

授予查询企业项目关联的用户组的权限。

list

-

-
  • iam:permissions:listgroupsonenterpriseproject

iam:groups:listrolesonenterpriseproject

授予查询企业项目已关联用户组的权限的权限。

list

-

-
  • iam:permissions:listrolesforgrouponenterpriseproject

iam:groups:grantroleonenterpriseproject

授予基于用户组为企业项目授权的权限。

write

-

-
  • iam:permissions:grantroletogrouponenterpriseproject

iam:groups:revokeroleonenterpriseproject

授予删除企业项目关联的用户组权限的权限。

write

-

-
  • iam:permissions:revokerolefromgrouponenterpriseproject

iam:groups:listassignedenterpriseprojects

授予查询用户组直接关联的企业项目的权限。

list

-

-
  • iam:permissions:listenterpriseprojectsforgroup

iam:users:listassignedenterpriseprojects

授予查询用户直接关联的企业项目的权限。

list

-

-
  • iam:permissions:listenterpriseprojectsforuser

iam::listusersassignedenterpriseproject

授予查询企业项目直接关联用户的权限。

list

-

-
  • iam:permissions:listusersforenterpriseproject

iam:users:listrolesonenterpriseproject

授予查询企业项目直接关联用户权限的权限。

list

-

-
  • iam:permissions:listrolesforuseronenterpriseproject

iam:users:grantroleonenterpriseproject

授予基于用户为企业项目授权的权限。

write

-

-
  • iam:permissions:grantroletouseronenterpriseproject

iam:users:revokeroleonenterpriseproject

授予删除企业项目直接关联用户的权限的权限。

write

-

-
  • iam:permissions:revokerolefromuseronenterpriseproject

iam:agencies:grantroleonenterpriseproject

授予基于委托为企业项目授权的权限。

write

-

-
  • iam:permissions:grantroletoagencyonenterpriseproject

iam:agencies:revokeroleonenterpriseproject

授予删除企业项目关联的委托的权限的权限。

write

-

-
  • iam:permissions:revokerolefromagencyonenterpriseproject

iam:mfa:listmfadevicesv5

授予列举mfa设备的权限。

list

mfa *

-

-

iam:mfa:createvirtualmfadevicev5

授予创建虚拟mfa设备的权限。

write

mfa *

-

-

iam:mfa:deletevirtualmfadevicev5

授予删除虚拟mfa设备的权限。

write

mfa *

-

-

iam:mfa:enablev5

授予启用mfa设备的权限。

write

mfa *

-

-

iam:mfa:disablev5

授予禁用mfa设备的权限。

write

mfa *

-

-

iam:securitypolicies:getpasswordpolicyv5

授予获取密码策略信息的权限。

read

-

-

-

iam:securitypolicies:updatepasswordpolicyv5

授予修改密码策略的权限。

write

-

-

-

iam:securitypolicies:getloginpolicyv5

授予获取登录策略信息的权限。

read

-

-

-

iam:securitypolicies:updateloginpolicyv5

授予修改登录策略的权限。

write

-

-

-

iam:credentials:listcredentialsv5

授予权限以列举iam用户的永久访问密钥。

list

user *

g:resourcetag/

-

iam:credentials:showaccesskeylastusedv5

授予获取指定永久访问密钥最后一次使用时间的权限。

read

user *

g:resourcetag/

-

iam:credentials:createcredentialv5

授予为iam用户创建永久访问密钥的权限。

write

user *

g:resourcetag/

-

iam:credentials:updatecredentialv5

授予为iam用户修改永久访问密钥的权限。

write

user *

g:resourcetag/

-

iam:credentials:deletecredentialv5

授予为iam用户删除永久访问密钥的权限。

write

user *

g:resourcetag/

-

iam:users:changepasswordv5

授予iam用户修改自己密码的权限。

write

user *

g:resourcetag/

-

iam:users:showloginprofilev5

授予获取iam用户登录信息的权限。

read

user *

g:resourcetag/

-

iam:users:createloginprofilev5

授予为iam用户创建登录信息的权限。

write

user *

g:resourcetag/

-

iam:users:updateloginprofilev5

授予为iam用户修改登录信息的权限。

write

user *

g:resourcetag/

-

iam:users:deleteloginprofilev5

授予为iam用户删除登录信息的权限。

write

user *

g:resourcetag/

-

iam:users:listusersv5

授予列举iam用户的权限。

list

user *

-

-

iam:users:getuserv5

授予获取iam用户信息的权限。

read

user *

g:resourcetag/

-

iam:users:showuserlastloginv5

授予获取iam用户最后一次登录时间的权限。

read

user *

g:resourcetag/

-

iam:users:createuserv5

授予创建iam用户的权限。

write

user *

-

-

iam:users:updateuserv5

授予修改iam用户的权限。

write

user *

g:resourcetag/

-

iam:users:deleteuserv5

授予删除iam用户的权限。

write

user *

g:resourcetag/

-

iam:groups:listgroupsv5

授予列举用户组的权限。

list

group *

-

-

iam:groups:getgroupv5

授予获取用户组信息的权限。

read

group *

-

-

iam:groups:creategroupv5

授予创建用户组的权限。

write

group *

-

-

iam:groups:updategroupv5

授予修改用户组的权限。

write

group *

-

-

iam:groups:deletegroupv5

授予删除用户组的权限。

write

group *

-

-

iam:permissions:addusertogroupv5

授予添加iam用户到用户组的权限。

write

group *

-

-

iam:permissions:removeuserfromgroupv5

授予从用户组中移除iam用户的权限。

write

group *

-

-

iam:policies:listv5

授予列举身份策略的权限。

list

policy *

-

-

iam:policies:getv5

授予获取身份策略信息的权限。

read

policy *

-

-

iam:policies:createv5

授予创建自定义身份策略的权限。

permission_management

policy *

-

-

iam:policies:deletev5

授予删除自定义身份策略的权限。

permission_management

policy *

-

-

iam:policies:listversionsv5

授予列举身份策略版本的权限。

list

policy *

-

-

iam:policies:getversionv5

授予获取身份策略版本信息的权限。

read

policy *

-

-

iam:policies:createversionv5

授予为自定义身份策略创建新版本的权限。

permission_management

policy *

-

-

iam:policies:deleteversionv5

授予为自定义身份策略删除版本的权限。

permission_management

policy *

-

-

iam:policies:setdefaultversionv5

授予设置自定义身份策略默认版本的权限。

permission_management

policy *

-

-

iam:agencies:attachpolicyv5

授予为委托或信任委托附加身份策略的权限。

permission_management

agency *

g:resourcetag/

-

-

iam:policyurn

iam:groups:attachpolicyv5

授予为用户组附加身份策略的权限。

permission_management

group *

-

-

-

iam:policyurn

iam:users:attachpolicyv5

授予为iam用户附加身份策略的权限。

permission_management

user *

g:resourcetag/

-

-

iam:policyurn

iam:agencies:detachpolicyv5

授予为委托或信任委托分离身份策略的权限。

permission_management

agency *

g:resourcetag/

-

-

iam:policyurn

iam:groups:detachpolicyv5

授予为用户组分离身份策略的权限。

permission_management

group *

-

-

-

iam:policyurn

iam:users:detachpolicyv5

授予为iam用户分离身份策略的权限。

permission_management

user *

g:resourcetag/

-

-

iam:policyurn

iam:policies:listentitiesv5

授予权限以列举附加在身份策略上的所有实体。

list

policy *

-

-

iam:agencies:listattachedpoliciesv5

授予权限以列举委托或信任委托附加的身份策略。

list

agency *

g:resourcetag/

-

iam:groups:listattachedpoliciesv5

授予权限以列举用户组附加的身份策略。

list

group *

-

-

iam:users:listattachedpoliciesv5

授予权限以列举iam用户附加的身份策略。

list

user *

g:resourcetag/

-

iam:agencies:createservicelinkedagencyv5

授予创建服务关联委托的权限以允许云服务代表您执行操作。

write

agency *

-

-

-

iam:serviceprincipal

iam:agencies:deleteservicelinkedagencyv5

授予删除服务关联委托的权限。

write

agency *

g:resourcetag/

-

-

iam:serviceprincipal

iam:agencies:getservicelinkedagencydeletionstatusv5

授予获取服务关联委托删除状态的权限。

read

agency *

-

-

iam:agencies:listv5

授予列举委托及信任委托的权限。

list

agency *

-

-

iam:agencies:getv5

授予获取委托或信任委托信息的权限。

read

agency *

g:resourcetag/

-

iam:agencies:createv5

授予创建信任委托的权限。

write

agency *

-

-

iam:agencies:updatev5

授予修改信任委托的权限。

write

agency *

g:resourcetag/

-

iam:agencies:deletev5

授予删除信任委托的权限。

write

agency *

g:resourcetag/

-

iam:agencies:updatetrustpolicyv5

授予修改信任委托信任策略的权限。

write

agency *

g:resourcetag/

-

iam::listtagsforresourcev5

授予列举资源标签的权限。

list

agency

g:resourcetag/

-

user

g:resourcetag/

iam::tagforresourcev5

授予设置资源标签的权限。

tagging

agency

g:resourcetag/

-

user

g:resourcetag/

-

iam::untagforresourcev5

授予删除资源标签的权限。

tagging

agency

g:resourcetag/

-

user

g:resourcetag/

-

iam::getaccountsummaryv5

授予获取此账号中iam实体使用情况和iam配额的摘要信息的权限。

list

-

-

-

iam::getasymmetricsignatureswitchv5

授予获取临时令牌非对称签名开关状态的权限。

read

-

-

-

iam::setasymmetricsignatureswitchv5

授予设置临时令牌非对称签名开关状态的权限。

write

-

-

-

iam的api通常对应着一个或多个授权项。表2展示了api与授权项的关系,以及该api需要依赖的授权项。

表2 api与授权项的关系

api

对应的授权项

依赖的授权项

get /v3.0/os-credential/credentials

iam::listaccesskeys

-

post /v3.0/os-credential/credentials

iam::createaccesskey

-

get /v3.0/os-credential/credentials/{access_key}

iam::getaccesskey

-

put /v3.0/os-credential/credentials/{access_key}

iam::updateaccesskey

-

delete /v3.0/os-credential/credentials/{access_key}

iam::deleteaccesskey

-

get /v3.0/os-quota/domains/{domain_id}

iam:quotas:list

-

get /v3.0/os-quota/projects/{project_id}

iam:quotas:listforproject

-

get /v3/projects

iam:projects:list

-

post /v3/projects

iam:projects:create

-

get /v3/users/{user_id}/projects

iam:projects:listforuser

-

patch /v3/projects/{project_id}

iam:projects:update

-

put /v3-ext/projects/{project_id}

iam:projects:update

-

get /v3/groups

iam:groups:list

-

post /v3/groups

iam:groups:create

-

get /v3/groups/{group_id}

iam:groups:get

-

delete /v3/groups/{group_id}

iam:groups:delete

-

patch /v3/groups/{group_id}

iam:groups:update

-

get /v3/groups/{group_id}/users

iam:groups:listusers

-

head /v3/groups/{group_id}/users/{user_id}

iam:groups:checkuser

-

put /v3/groups/{group_id}/users/{user_id}

iam:groups:adduser

-

delete /v3/groups/{group_id}/users/{user_id}

iam:groups:removeuser

-

post /v3.0/os-user/users

iam:users:create

-

get /v3.0/os-user/users/{user_id}

iam:users:get

-

put /v3.0/os-user/users/{user_id}

iam:users:update

-

put /v3.0/os-user/users/{user_id}/info

iam:users:update

-

get /v3/users

iam:users:list

-

post /v3/users

iam:users:create

-

get /v3/users/{user_id}

iam:users:get

-

delete /v3/users/{user_id}

iam:users:delete

-

patch /v3/users/{user_id}

iam:users:update

-

get /v3/users/{user_id}/groups

iam:users:listgroups

-

get /v3.0/os-mfa/virtual-mfa-devices

iam:users:listvirtualmfadevices

-

post /v3.0/os-mfa/virtual-mfa-devices

iam:users:createvirtualmfadevice

-

delete /v3.0/os-mfa/virtual-mfa-devices

iam:users:deletevirtualmfadevice

-

get /v3.0/os-mfa/users/{user_id}/virtual-mfa-device

iam:users:getvirtualmfadevice

-

put /v3.0/os-mfa/mfa-devices/bind

iam:users:bindvirtualmfadevice

-

put /v3.0/os-mfa/mfa-devices/unbind

iam:users:unbindvirtualmfadevice

-

get /v3.0/os-user/login-protects

iam:users:listloginprotectsettings

-

get /v3.0/os-user/users/{user_id}/login-protect

iam:users:getloginprotectsetting

-

put /v3.0/os-user/users/{user_id}/login-protect

iam:users:updateloginprotectsetting

-

get /v3/os-federation/identity_providers

iam:identityproviders:list

-

get /v3/os-federation/identity_providers/{id}

iam:identityproviders:get

-

put /v3/os-federation/identity_providers/{id}

iam:identityproviders:create

-

delete /v3/os-federation/identity_providers/{id}

iam:identityproviders:delete

-

patch /v3/os-federation/identity_providers/{id}

iam:identityproviders:update

-

get /v3/os-federation/mappings

iam:identityproviders:listmappings

-

get /v3/os-federation/mappings/{id}

iam:identityproviders:getmapping

-

put /v3/os-federation/mappings/{id}

iam:identityproviders:createmapping

-

delete /v3/os-federation/mappings/{id}

iam:identityproviders:deletemapping

-

patch /v3/os-federation/mappings/{id}

iam:identityproviders:updatemapping

-

get /v3/os-federation/identity_providers/{idp_id}/protocols

iam:identityproviders:listprotocols

-

get /v3/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityproviders:getprotocol

-

put /v3/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityproviders:createprotocol

-

delete /v3/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityproviders:deleteprotocol

-

patch /v3/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityproviders:updateprotocol

-

get /v3-ext/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

iam:identityproviders:getsamlmetadata

-

post /v3-ext/os-federation/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

iam:identityproviders:createsamlmetadata

-

get /v3.0/os-federation/identity-providers/{idp_id}/openid-connect-config

iam:identityproviders:getoidcconfig

-

post /v3.0/os-federation/identity-providers/{idp_id}/openid-connect-config

iam:identityproviders:createoidcconfig

-

put /v3.0/os-federation/identity-providers/{idp_id}/openid-connect-config

iam:identityproviders:updateoidcconfig

-

get /v3.0/os-securitypolicy/domains/{domain_id}/protect-policy

iam:securitypolicies:getprotectpolicy

-

put /v3.0/os-securitypolicy/domains/{domain_id}/protect-policy

iam:securitypolicies:updateprotectpolicy

-

get /v3.0/os-securitypolicy/domains/{domain_id}/password-policy

iam:securitypolicies:getpasswordpolicy

-

put /v3.0/os-securitypolicy/domains/{domain_id}/password-policy

iam:securitypolicies:updatepasswordpolicy

-

get /v3.0/os-securitypolicy/domains/{domain_id}/login-policy

iam:securitypolicies:getloginpolicy

-

put /v3.0/os-securitypolicy/domains/{domain_id}/login-policy

iam:securitypolicies:updateloginpolicy

-

get /v3.0/os-securitypolicy/domains/{domain_id}/console-acl-policy

iam:securitypolicies:getconsoleaclpolicy

-

put /v3.0/os-securitypolicy/domains/{domain_id}/console-acl-policy

iam:securitypolicies:updateconsoleaclpolicy

-

get /v3.0/os-securitypolicy/domains/{domain_id}/api-acl-policy

iam:securitypolicies:getapiaclpolicy

-

put /v3.0/os-securitypolicy/domains/{domain_id}/api-acl-policy

iam:securitypolicies:updateapiaclpolicy

-

get /v3/roles

iam:roles:list

-

get /v3/roles/{role_id}

iam:roles:get

-

get /v3.0/os-permission/role-assignments

iam::listroleassignments

-

get /v3/domains/{domain_id}/groups/{group_id}/roles

iam:groups:listrolesondomain

-

get /v3/projects/{project_id}/groups/{group_id}/roles

iam:groups:listrolesonproject

-

put /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:groups:grantroleondomain

-

put /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:groups:grantroleonproject

-

head /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:groups:checkroleondomain

-

head /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:groups:checkroleonproject

-

get /v3/os-inherit/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

iam:groups:listroles

-

head /v3/os-inherit/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

iam:groups:checkrole

-

delete /v3/os-inherit/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

iam:groups:revokerole

-

delete /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:groups:revokeroleondomain

-

delete /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:groups:revokeroleonproject

-

put /v3/os-inherit/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

iam:groups:grantrole

-

get /v3.0/os-role/roles

iam:roles:list

-

get /v3.0/os-role/roles/{role_id}

iam:roles:get

-

post /v3.0/os-role/roles

iam:roles:create

-

post /v3.0/os-role/roles

iam:roles:create

-

patch /v3.0/os-role/roles/{role_id}

iam:roles:update

-

patch /v3.0/os-role/roles/{role_id}

iam:roles:update

-

delete /v3.0/os-role/roles/{role_id}

iam:roles:delete

-

get /v3.0/os-agency/agencies

iam:agencies:list

-

get /v3.0/os-agency/agencies/{agency_id}

iam:agencies:get

-

post /v3.0/os-agency/agencies

iam:agencies:create

-

put /v3.0/os-agency/agencies/{agency_id}

iam:agencies:update

-

delete /v3.0/os-agency/agencies/{agency_id}

iam:agencies:delete

-

get /v3.0/os-agency/domains/{domain_id}/agencies/{agency_id}/roles

iam:agencies:listrolesondomain

-

get /v3.0/os-agency/projects/{project_id}/agencies/{agency_id}/roles

iam:agencies:listrolesonproject

-

put /v3.0/os-agency/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:grantroleondomain

-

put /v3.0/os-agency/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:grantroleonproject

-

head /v3.0/os-agency/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:checkroleondomain

-

head /v3.0/os-agency/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:checkroleonproject

-

delete /v3.0/os-agency/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:revokeroleondomain

-

delete /v3.0/os-agency/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:revokeroleonproject

-

get /v3.0/os-inherit/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects

iam:agencies:listroles

-

put /v3.0/os-inherit/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:grantrole

-

head /v3.0/os-inherit/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:checkrole

-

delete /v3.0/os-inherit/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:revokerole

-

get /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/groups

iam::listgroupsassignedenterpriseproject

-

get /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

iam:groups:listrolesonenterpriseproject

-

put /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:groups:grantroleonenterpriseproject

-

delete /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:groups:revokeroleonenterpriseproject

-

get /v3.0/os-permission/groups/{group_id}/enterprise-projects

iam:groups:listassignedenterpriseprojects

-

get /v3.0/os-permission/users/{user_id}/enterprise-projects

iam:users:listassignedenterpriseprojects

-

get /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/users

iam::listusersassignedenterpriseproject

-

get /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles

iam:users:listrolesonenterpriseproject

-

put /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:users:grantroleonenterpriseproject

-

delete /v3.0/os-permission/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:users:revokeroleonenterpriseproject

-

put /v3.0/os-permission/subjects/agency/scopes/enterprise-project/role-assignments

iam:agencies:grantroleonenterpriseproject

-

delete /v3.0/os-permission/subjects/agency/scopes/enterprise-project/role-assignments

iam:agencies:revokeroleonenterpriseproject

-

get /v5/asymmetric-signature-switch

iam::getasymmetricsignatureswitchv5

-

put /v5/asymmetric-signature-switch

iam::setasymmetricsignatureswitchv5

-

get /v5/mfa-devices

iam:mfa:listmfadevicesv5

-

post /v5/virtual-mfa-devices

iam:mfa:createvirtualmfadevicev5

-

delete /v5/virtual-mfa-devices

iam:mfa:deletevirtualmfadevicev5

-

post /v5/mfa-devices/enable

iam:mfa:enablev5

-

post /v5/mfa-devices/disable

iam:mfa:disablev5

-

get /v5/password-policy

iam:securitypolicies:getpasswordpolicyv5

-

put /v5/password-policy

iam:securitypolicies:updatepasswordpolicyv5

-

get /v5/login-policy

iam:securitypolicies:getloginpolicyv5

-

put /v5/login-policy

iam:securitypolicies:updateloginpolicyv5

-

get /v5/users/{user_id}/access-keys

iam:credentials:listcredentialsv5

-

get /v5/users/{user_id}/access-keys/{access_key_id}/last-used

iam:credentials:showaccesskeylastusedv5

-

post /v5/users/{user_id}/access-keys

iam:credentials:createcredentialv5

-

put /v5/users/{user_id}/access-keys/{access_key_id}

iam:credentials:updatecredentialv5

-

delete /v5/users/{user_id}/access-keys/{access_key_id}

iam:credentials:deletecredentialv5

-

post /v5/caller-password

iam:users:changepasswordv5

-

get /v5/users/{user_id}/login-profile

iam:users:showloginprofilev5

-

post /v5/users/{user_id}/login-profile

iam:users:createloginprofilev5

-

put /v5/users/{user_id}/login-profile

iam:users:updateloginprofilev5

-

delete /v5/users/{user_id}/login-profile

iam:users:deleteloginprofilev5

-

get /v5/users

iam:users:listusersv5

-

get /v5/users/{user_id}

iam:users:getuserv5

-

get /v5/users/{user_id}/last-login

iam:users:showuserlastloginv5

-

post /v5/users

iam:users:createuserv5

-

put /v5/users/{user_id}

iam:users:updateuserv5

-

delete /v5/users/{user_id}

iam:users:deleteuserv5

-

get /v5/groups

iam:groups:listgroupsv5

-

get /v5/groups/{group_id}

iam:groups:getgroupv5

-

post /v5/groups

iam:groups:creategroupv5

-

put /v5/groups/{group_id}

iam:groups:updategroupv5

-

delete /v5/groups/{group_id}

iam:groups:deletegroupv5

-

post /v5/groups/{group_id}/add-user

iam:permissions:addusertogroupv5

-

post /v5/groups/{group_id}/remove-user

iam:permissions:removeuserfromgroupv5

-

get /v5/policies

iam:policies:listv5

-

get /v5/policies/{policy_id}

iam:policies:getv5

-

post /v5/policies

iam:policies:createv5

-

delete /v5/policies/{policy_id}

iam:policies:deletev5

-

get /v5/policies/{policy_id}/versions

iam:policies:listversionsv5

-

get /v5/policies/{policy_id}/versions/{version_id}

iam:policies:getversionv5

-

post /v5/policies/{policy_id}/versions

iam:policies:createversionv5

-

delete /v5/policies/{policy_id}/versions/{version_id}

iam:policies:deleteversionv5

-

post /v5/policies/{policy_id}/versions/{version_id}/set-default

iam:policies:setdefaultversionv5

-

post /v5/policies/{policy_id}/attach-agency

iam:agencies:attachpolicyv5

-

post /v5/policies/{policy_id}/attach-group

iam:groups:attachpolicyv5

-

post /v5/policies/{policy_id}/attach-user

iam:users:attachpolicyv5

-

post /v5/policies/{policy_id}/detach-agency

iam:agencies:detachpolicyv5

-

post /v5/policies/{policy_id}/detach-group

iam:groups:detachpolicyv5

-

post /v5/policies/{policy_id}/detach-user

iam:users:detachpolicyv5

-

get /v5/policies/{policy_id}/attached-entities

iam:policies:listentitiesv5

-

get /v5/agencies/{agency_id}/attached-policies

iam:agencies:listattachedpoliciesv5

-

get /v5/groups/{group_id}/attached-policies

iam:groups:listattachedpoliciesv5

-

get /v5/users/{user_id}/attached-policies

iam:users:listattachedpoliciesv5

-

put /v5/service-linked-agencies

iam:agencies:createservicelinkedagencyv5

-

delete /v5/service-linked-agencies/{agency_id}

iam:agencies:deleteservicelinkedagencyv5

-

get /v5/service-linked-agencies/deletion-task/{deletion_task_id}

iam:agencies:getservicelinkedagencydeletionstatusv5

-

get /v5/agencies

iam:agencies:listv5

-

get /v5/agencies/{agency_id}

iam:agencies:getv5

-

post /v5/agencies

iam:agencies:createv5

-

put /v5/agencies/{agency_id}

iam:agencies:updatev5

-

delete /v5/agencies/{agency_id}

iam:agencies:deletev5

-

put /v5/agencies/{agency_id}/trust-policy

iam:agencies:updatetrustpolicyv5

-

get /v5/{resource_type}/{resource_id}/tags

iam::listtagsforresourcev5

-

post /v5/{resource_type}/{resource_id}/tags/create

iam::tagforresourcev5

-

delete /v5/{resource_type}/{resource_id}/tags/delete

iam::untagforresourcev5

-

get /v5/account-summary

iam::getaccountsummaryv5

-

资源类型(resource)

资源类型(resource)表示身份策略所作用的资源。如表3中的某些操作指定了可以在该操作指定的资源类型,则必须在具有该操作的身份策略语句中指定该资源的urn,身份策略仅作用于此资源;如未指定,resource默认为“*”,则身份策略将应用到所有资源。您也可以在身份策略中设置条件,从而指定资源类型。

iam定义了以下可以在自定义身份策略的resource元素中使用的资源类型。

表3 iam支持的资源类型

资源类型

urn

agency

iam:::agency:

policy

iam:::policy:

mfa

iam:::mfa:

user

iam:::user:

group

iam:::group:

条件(condition)

条件键概述

条件(condition)是身份策略生效的特定条件,包括条件键运算符

  • 条件键表示身份策略语句的condition元素中的键值。根据适用范围,分为全局级条件键和服务级条件键。
    • 全局级条件键(前缀为g:)适用于所有操作,在鉴权过程中,云服务不需要提供用户身份信息,系统将自动获取并鉴权。详情请参见:全局条件键
    • 服务级条件键(前缀通常为服务缩写,如iam:)仅适用于对应服务的操作,详情请参见表4
    • 单值/多值表示api调用时请求中与条件关联的值数。单值条件键在api调用时的请求中最多包含一个值,多值条件键在api调用时请求可以包含多个值。例如:g:sourcevpce是单值条件键,表示仅允许通过某个vpc终端节点发起请求访问某资源,一个请求最多包含一个vpc终端节点id值。g:tagkeys是多值条件键,表示请求中携带的所有标签的key组成的列表,当用户在调用api请求时传入标签可以传入多个值。
  • 运算符与条件键、条件值一起构成完整的条件判断语句,当请求信息满足该条件时,身份策略才能生效。支持的运算符请参见:运算符

iam支持的服务级条件键

iam定义了以下可以在自定义身份策略的condition元素中使用的条件键,您可以使用这些条件键进一步细化身份策略语句应用的条件。

表4 iam支持的服务级条件键

服务级条件键

类型

单值/多值

说明

iam:policyurn

string

单值

按照身份策略的urn筛选访问权限。

iam:serviceprincipal

string

单值

按照服务关联委托传递的云服务对应的服务标识筛选访问权限。
父主题:

相关文档

网站地图