Sub-account permission management

Grantable RDS Actions and their corresponding resources

An RDS resource descriptor has the form comb:rds:${region}:*:${resourceType}/${resourceId}. The elements are as follows:

Note

1. ${region}: the region (partition) name. Currently supported values are *, cn-east-1 and cn-east-3, where * means all regions, cn-east-1 is the East China 1 region and cn-east-3 is the East China 3 region.

2. ${resourceType}: the resource type. Currently supported values are * and instance, where * means all types and instance means a cloud database resource.

3. ${resourceId}: the resource id. For a cloud database (instance) the resource id is the name of the resource, which can be obtained from the corresponding resource query APIs.

Action | Action description | Resource
--- | --- | ---
comb:rds:ChangeDBAccountPassword | Change account password | comb:rds:${region}:*:instance/${instanceName}
comb:rds:CreateDatabase | Create database | comb:rds:${region}:*:instance/${instanceName}
comb:rds:CreateDBAccount | Create account | comb:rds:${region}:*:instance/${instanceName}
comb:rds:CreateDBSnapshot | Create backup | comb:rds:${region}:*:instance/${instanceName}
comb:rds:CreateOnlineSchemaChange | Create online schema change | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DeleteDatabase | Delete database | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DeleteDBAccount | Delete account | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DeleteDBInstance | Delete instance | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeAccountPrivileges | Query account privileges | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeDatabaseList | Query database list | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeDBAccount | Query database accounts | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeDBParameters | Query database parameters | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeDBSnapshots | Query backup list | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeImportMigrateInfo | Query instance migration info | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeOnlineSchemaChange | Query online schema change | comb:rds:${region}:*:instance/${instanceName}
comb:rds:DescribeOnlineSchemaChangeProgress | Query online schema change progress | comb:rds:${region}:*:instance/${instanceName}
comb:rds:GrantPrivileges | Grant privileges to a database account | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ImportDBRetry | Retry external instance migration | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ImportGetMigrateInfo | Query instance migration info | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ImportGetProgress | Query instance migration progress | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ModifyDBInstance | Modify instance configuration | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ModifyDBInstanceIOPS | Modify instance IOPS | comb:rds:${region}:*:instance/${instanceName}
comb:rds:ModifyDBInstanceNetworkType | Modify instance network type | comb:rds:${region}:*:instance/${instanceName}
comb:rds:PromoteReadReplica | Promote read replica | comb:rds:${region}:*:instance/${instanceName}
comb:rds:RebootDBInstance | Reboot instance | comb:rds:${region}:*:instance/${instanceName}
comb:rds:SetDBInstancePublicFloatingIp | Enable or disable the instance public IP | comb:rds:${region}:*:instance/${instanceName}
comb:rds:StopImportDB | Stop instance migration | comb:rds:${region}:*:instance/${instanceName}

Attention

Each Action above refers to a single functional operation; some operations in the web console are actually a set of several Actions. For example, modifying account privileges in the web console requires three Actions: query database accounts (comb:rds:DescribeDBAccount), query database list (comb:rds:DescribeDataBase) and grant privileges to a database account (comb:rds:GrantPrivileges). Take care to grant sub-accounts only the permissions they actually need.
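The following Python is an added example, not code from the original page or from the RDS platform. It parses the descriptor format given above, applies the * wildcard semantics of ${region}, ${resourceType} and ${resourceId}, and checks whether a sub-account's grants cover all three Actions behind the web console's "modify account privileges" operation. The policy statement shape (a list of {"action", "resource"} allow entries) and the instance name db-prod are assumptions for illustration, not the platform's real policy syntax.

```python
import re

# Descriptor format from the page: comb:rds:${region}:*:${resourceType}/${resourceId}
_RES_RE = re.compile(r"^comb:rds:(?P<region>[^:]+):\*:(?P<rtype>[^/]+)/(?P<rid>.+)$")
REGIONS = {"*", "cn-east-1", "cn-east-3"}      # values the page lists as supported
RESOURCE_TYPES = {"*", "instance"}


def parse_resource(desc: str) -> dict:
    """Split a descriptor into region / resourceType / resourceId, rejecting unknown values."""
    m = _RES_RE.match(desc)
    if not m:
        raise ValueError(f"malformed RDS resource descriptor: {desc}")
    parts = m.groupdict()
    if parts["region"] not in REGIONS:
        raise ValueError(f"unsupported region: {parts['region']}")
    if parts["rtype"] not in RESOURCE_TYPES:
        raise ValueError(f"unsupported resource type: {parts['rtype']}")
    return parts


def resource_matches(granted: str, requested: str) -> bool:
    """True if the granted descriptor covers the requested one; '*' matches any value."""
    g, r = parse_resource(granted), parse_resource(requested)
    return all(g[k] == "*" or g[k] == r[k] for k in ("region", "rtype", "rid"))


# The web console's "modify account privileges" is three Actions (see the note above).
WEB_MODIFY_PRIVILEGES = (
    "comb:rds:DescribeDBAccount",
    "comb:rds:DescribeDatabaseList",
    "comb:rds:GrantPrivileges",
)


def missing_grants(policy: list, required_actions: tuple, resource: str) -> list:
    """Return the required Actions that `policy` does not allow on `resource`.

    `policy` is an ASSUMED shape: a list of {"action": ..., "resource": ...} allow
    statements with exact Action names (no Action wildcards are modelled here)."""
    allowed = set()
    for stmt in policy:
        if stmt["action"] in required_actions and resource_matches(stmt["resource"], resource):
            allowed.add(stmt["action"])
    return [a for a in required_actions if a not in allowed]
```

Running missing_grants over a sub-account's statements before assigning them shows exactly which Action of a composite console operation would still be refused.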

RDS API endpoints and the corresponding RDS Actions

Note

The query instances (GET /api/v1/rds/instances), create instance (POST /api/v1/rds/instances) and delete backup (DELETE /api/v1/rds/snapshots) endpoints are not yet integrated with SAM and are open to all sub-accounts by default.

API | Action description | Action
--- | --- | ---
DELETE /api/v1/rds/instances | Delete RDS instance | comb:rds:DeleteDBInstance
POST /api/v1/rds/accounts | Create account | comb:rds:CreateDBAccount
GET /api/v1/rds/accounts | List accounts | comb:rds:DescribeDBAccount
PUT /api/v1/rds/accounts | Change account password | comb:rds:ChangeDBAccountPassword
GET /api/v1/rds/privileges | View account privileges | comb:rds:DescribeAccountPrivileges
PUT /api/v1/rds/privileges | Modify account privileges | comb:rds:GrantPrivileges
DELETE /api/v1/rds/accounts | Delete account | DELETE /api/v1/rds/accounts
POST /api/v1/rds/databases | Create database | comb:rds:CreateDatabase
GET /api/v1/rds/databases | List databases | comb:rds:DescribeDatabaseList
DELETE /api/v1/rds/databases | Delete database | comb:rds:DeleteDatabase
POST /api/v1/rds/snapshots | Create backup | comb:rds:CreateDBSnapshot
GET /api/v1/rds/snapshots | Query backups | comb:rds:DescribeDBSnapshots

Policy management

The RDS full-access policy (RdsFullAccess) includes the following Actions:

  • comb:rds:ChangeDBAccountPassword
  • comb:rds:CreateDatabase
  • comb:rds:CreateDBAccount
  • comb:rds:AttachKeyPair
  • comb:rds:CreateDBSnapshot
  • comb:rds:CreateOnlineSchemaChange
  • comb:rds:DeleteDatabase
  • comb:rds:DeleteDBAccount
  • comb:rds:DeleteDBInstance
  • comb:rds:GrantPrivileges
  • comb:rds:ImportDBRetry
  • comb:rds:ModifyDBInstance
  • comb:rds:ModifyDBInstanceIOPS
  • comb:rds:ModifyDBInstanceNetWorkType
  • comb:rds:PromoteReadReplica
  • comb:rds:RebootDBInstance
  • comb:rds:SetDBInstancePublicFloatingIp
  • comb:rds:StopImportDB

The RDS read-only policy (RdsReadOnlyAccess) includes the following Actions:

  • comb:rds:DescribeAccountPrivileges
  • comb:rds:DescribeDatabaseList
  • comb:rds:DescribeDBAccount
  • comb:rds:DescribeDBParameters
  • comb:nvm:DescribeInstances
  • comb:rds:DescribeDBSnapshots
  • comb:rds:DescribeImportMigrateInfo
  • comb:rds:DescribeOnlineSchemaChange
  • comb:rds:DescribeOnlineSchemaChangeProgress
  • comb:rds:ImportGetMigrateInfo
  • comb:rds:ImportGetProgress