Amazon Directory Service API 权限：操作、资源和条件参考

在设置访问控制和编写您可挂载到 IAM 身份的权限策略（基于身份的策略）时，可以使用下表作为参考。表以下内容：

各个 Amazon Directory Service API 操作
您可授予执行该操作的权限的对应操作
您可以授予权限的 Amazon 资源

您在策略的 Action 字段中指定操作，并在策略的 Resource 字段中指定资源值。

注意

一些 Amazon 应用程序可能需要在自身的策略中使用非公共 Amazon Directory Service API 操作 ds:AuthorizeApplication、ds:CheckAlias、ds:CreateIdentityPoolDirectory 和 ds:UnauthorizeApplication。

您可以在 Amazon Directory Service 策略中使用 Amazon 全局条件键来表示条件。有关Amazon密钥的完整列表，请参阅 IAM 用户指南中的可用全局条件密钥。

注意

要指定操作，请在 API 操作名称之前使用 ds: 前缀 (例如，ds:CreateDirectory)。

Amazon Directory Service API 和必需的操作权限
Amazon Directory Service API 操作	所需权限（API 操作）	资源
AcceptSharedDirectory	`ds:AcceptSharedDirectory`	*
AddIpRoutes	`ds:AddIpRoutes` `ec2:DescribeSecurityGroup` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress`	*
AddTagsToResource	`ds:AddTagsToResource` `ec2:CreateTags`	*
CancelSchemaExtension	`ds:CancelSchemaExtension`	*
ConnectDirectory	`ds:ConnectDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags`	*
CreateAlias	`ds:CreateAlias`	*
CreateComputer	`ds:CreateComputer`	*
CreateConditionalForwarder	`ds:CreateConditionalForwarder`	*
CreateDirectory	`ds:CreateDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags`	*
CreateLogSubscription	`ds:CreateLogSubscription`	*
CreateMicrosoft广告	`ds:CreateMicrosoftAD` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:RevokeSecurityGroupEgress` `ec2:CreateTags`	*
CreateSnapshot	`ds:CreateSnapshot`	*
CreateTrust	`ds:CreateTrust`	*
DeleteConditionalForwarder	`ds:DeleteConditionalForwarder`	*
DeleteDirectory	`ds:DeleteDirectory` `ec2:DescribeNetworkInterfaces` `ec2:DeleteSecurityGroup` `ec2:DeleteNetworkInterface` `ec2:RevokeSecurityGroupIngress` `ec2:RevokeSecurityGroupEgress` `ec2:DeleteTags`	*
DeleteLogSubscription	`ds:DeleteLogSubscription`	*
DeleteSnapshot	`ds:DeleteSnapshot`	*
DeleteTrust	`ds:DeleteTrust`	*
DeregisterEventTopic	`ds:DeregisterEventTopic`	*
DescribeConditionalForwarders	`ds:DescribeConditionalForwarders`	*
DescribeDirectories	`ds:DescribeDirectories`	*
DescribeDomainControllers	`ds:DescribeDomainControllers`	*
DescribeEventTopics	`ds:DescribeEventTopics`	*
DescribeSharedDirectories	`ds:DescribeSharedDirectories`	*
DescribeSnapshots	`ds:DescribeSnapshots`	*
DescribeTrusts	`ds:DescribeTrusts`	*
DisableRadius	`ds:DisableRadius`	*
DisableSso	`ds:DisableSso`	*
EnableRadius	`ds:EnableRadius`	*
EnableSso	`ds:EnableSso`	*
GetDirectoryLimits	`ds:GetDirectoryLimits`	*
GetSnapshotLimits	`ds:GetSnapshotLimits`	*
ListIpRoutes	`ds:ListIpRoutes`	*
ListLogSubscriptions	`ds:ListLogSubscriptions`	*
ListSchemaExtensions	`ds:ListSchemaExtensions`	*
ListTagsForResource	`ds:ListTagsForResource`	*
RegisterEventTopic	`ds:RegisterEventTopic` `sns:GetTopicAttributes`	*
RejectSharedDirectory	`ds:RejectSharedDirectory`	*
RemoveIpRoutes	`ds:RemoveIpRoutes`	*
RemoveTagsFromResource	`ds:RemoveTagsFromResource` `ec2:DeleteTags`	*
ResetUserPassword	`ds:ResetUserPassword`	*
RestoreFromSnapshot	`ds:RestoreFromSnapshot`	*
ShareDirectory	`ds:ShareDirectory` `organizations:DescribeAccount` `organizations:DescribeOrganization` `organizations:ListAWSServiceAccessForOrganization`	*
StartSchemaExtension	`ds:StartSchemaExtension`	*
UnshareDirectory	`ds:UnshareDirectory`	*
UpdateConditionalForwarder	`ds:UpdateConditionalForwarder`	*
UpdateNumberOfDomainControllers	`ds:UpdateNumberOfDomainControllers` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:DeleteNetworkInterface`	*
UpdateRadius	`ds:UpdateRadius`	*
UpdateTrust	`ds:UpdateTrust`	*
VerifyTrust	`ds:VerifyTrust`	*

Amazon Directory Service API 权限：操作、资源和条件参考

注意

注意

相关主题