Authentication rules for ECS API calls when a sub-account accesses the primary account's resources
When a sub-account accesses an ECS resource of the primary account through the ECS Open API, the ECS backend checks permissions with RAM to ensure that the resource owner has in fact granted the caller the relevant permissions on the resources involved.
Each ECS API determines which resources need a permission check based on the resources the call involves and the semantics of the API. The authentication rules for each API are shown in the following table.
Action                          Authentication rule
AllocatePublicIpAddress         acs:ecs:$regionid:$accountid:instance/$instanceid
AttachDisk                      acs:ecs:$regionid:$accountid:disk/$diskid
                                acs:ecs:$regionid:$accountid:instance/$instanceid
AuthorizeSecurityGroup          acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
                                [and acs:ecs:$regionid:$accountid:securitygroup/$sourcegroupid (if SourceGroupId is specified)]
CreateDisk                      acs:ecs:$regionid:$accountid:disk/*
                                [and acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if SnapshotId is specified)]
CreateImage                     acs:ecs:$regionid:$accountid:image/*
                                acs:ecs:$regionid:$accountid:snapshot/$snapshotid
CreateInstance                  acs:ecs:$regionid:$accountid:instance/*
                                acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
                                acs:ecs:$regionid:$accountid:image/$imageid
                                [and acs:ecs:$regionid:$accountid:snapshot/$snapshotid (if DataDisk.n.SnapshotId is specified)]
CreateSecurityGroup             acs:ecs:$regionid:$accountid:securitygroup/*
CreateSnapshot                  acs:ecs:$regionid:$accountid:disk/$diskid
                                acs:ecs:$regionid:$accountid:snapshot/*
DeleteDisk                      acs:ecs:$regionid:$accountid:disk/$diskid
DeleteImage                     acs:ecs:$regionid:$accountid:image/$imageid
DeleteInstance                  acs:ecs:$regionid:$accountid:instance/$instanceid
DeleteSecurityGroup             acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DeleteSnapshot                  acs:ecs:$regionid:$accountid:snapshot/$snapshotid
DescribeAutoSnapshotPolicy      acs:ecs:*:$accountid:snapshot/*
DescribeDisks                   acs:ecs:$regionid:$accountid:disk/*
DescribeImages                  acs:ecs:$regionid:$accountid:image/*
DescribeInstanceMonitorData     acs:ecs:$regionid:$accountid:instance/$instanceid
DescribeInstanceStatus          acs:ecs:$regionid:$accountid:instance/*
DescribeInstanceTypes           acs:ecs:*:$accountid:*
DescribeRegions                 acs:ecs:*:$accountid:*
DescribeSecurityGroupAttribute  acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DescribeSecurityGroups          acs:ecs:$regionid:$accountid:securitygroup/*
DescribeSnapshots               acs:ecs:$regionid:$accountid:snapshot/*
DescribeZones                   acs:ecs:*:$accountid:*
DetachDisk                      acs:ecs:$regionid:$accountid:disk/$diskid
                                acs:ecs:$regionid:$accountid:instance/$instanceid
JoinSecurityGroup               acs:ecs:$regionid:$accountid:instance/$instanceid
                                acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
LeaveSecurityGroup              acs:ecs:$regionid:$accountid:instance/$instanceid
                                acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
ModifyAutoSnapshotPolicy        acs:ecs:*:$accountid:snapshot/*
ModifyDiskAttribute             acs:ecs:$regionid:$accountid:disk/$diskid
ModifyInstanceAttribute         acs:ecs:$regionid:$accountid:instance/$instanceid
ModifyInstanceNetworkSpec       acs:ecs:$regionid:$accountid:instance/$instanceid
RebootInstance                  acs:ecs:$regionid:$accountid:instance/$instanceid
ReplaceSystemDisk               acs:ecs:$regionid:$accountid:instance/$instanceid
                                [and acs:ecs:$regionid:$accountid:image/$imageid (if a custom image or an image from the image marketplace is used)]
ReInitDisk                      acs:ecs:$regionid:$accountid:disk/$diskid
ResetDisk                       acs:ecs:$regionid:$accountid:snapshot/$snapshotid
                                acs:ecs:$regionid:$accountid:disk/$diskid
RevokeSecurityGroup             acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
                                [and acs:ecs:$regionid:$accountid:securitygroup/$sourcegroupid (if SourceGroupId is specified)]
StartInstance                   acs:ecs:$regionid:$accountid:instance/$instanceid
StopInstance                    acs:ecs:$regionid:$accountid:instance/$instanceid
DescribeInstances               acs:ecs:$regionid:$accountid:instance/*
CreateVpc                       acs:ecs:$regionid:$accountid:vpc/*
ModifyVpcAttribute              acs:ecs:$regionid:$accountid:vpc/$vpcid
DescribeVRouters                acs:ecs:$regionid:$accountid:vrouter/*
CreateVSwitch                   acs:ecs:$regionid:$accountid:vswitch/*
CreateRouteTable                acs:ecs:$regionid:$accountid:routetable/*
CreateRouteEntry                acs:ecs:$regionid:$accountid:routetable/$routetableid
AllocateEipAddress              acs:ecs:$regionid:$accountid:eip/*
AssociateEipAddress             acs:ecs:$regionid:$accountid:eip/$allocationid
                                acs:ecs:$regionid:$accountid:instance/$instanceid
ReleaseEipAddress               acs:ecs:$regionid:$accountid:eip/$allocationid
DescribeVpcs                    acs:ecs:$regionid:$accountid:vpc/*
DeleteVpc                       acs:ecs:$regionid:$accountid:vpc/$vpcid
ModifyVRouterAttribute          acs:ecs:$regionid:$accountid:vrouter/$vrouterid
DescribeVSwitches               acs:ecs:$regionid:$accountid:vswitch/*
DeleteVSwitch                   acs:ecs:$regionid:$accountid:vswitch/$vswitchid
DescribeRouteTables             acs:ecs:$regionid:$accountid:routetable/*
DeleteRouteEntry                acs:ecs:$regionid:$accountid:routetable/$routetableid
DescribeEipAddresses            acs:ecs:$regionid:$accountid:eip/*
UnassociateEipAddresses         acs:ecs:$regionid:$accountid:eip/$eipid
                                acs:ecs:$regionid:$accountid:instance/$instanceid
ModifySecurityGroupAttribute    acs:ecs:$regionid:$accountid:securitygroup/$securitygroupid
DescribeEipMonitorData          acs:ecs:$regionid:$accountid:eip/$allocationid
ModifyVSwitchAttribute          acs:ecs:$regionid:$accountid:vswitch/$vswitchid
DescribeInstanceVncUrl          acs:ecs:$regionid:$accountid:instance/$instanceid
ModifySnapshotAttribute         acs:ecs:$regionid:$accountid:snapshot/$snapshotid
ModifyInstanceVpcAttribute      acs:ecs:$regionid:$accountid:instance/$instanceid
ModifyEipAddressAttribute       acs:ecs:$regionid:$accountid:eip/$allocationid
DescribeDiskMonitorData         acs:ecs:$regionid:$accountid:disk/$diskid
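
The following added example (not part of the original documentation, and not Alibaba Cloud code) expands a few rows of the table above into the concrete resources a call requires and reports which of them a set of granted resource patterns fails to cover, so a policy can be reviewed before it is attached. The function names, the lowercase parameter keys and the sample identifiers are assumptions; the matcher is a simplified model that treats grants as plain `*` wildcard patterns and ignores Deny statements, Action matching and Conditions.

```python
from fnmatch import fnmatchcase
from string import Template

PREFIX = "acs:ecs:$regionid:$accountid:"

# Subset of the rule table: action -> (always-checked resources,
# {optional request parameter: resource checked only when it is supplied}).
RULES = {
    "AttachDisk": (["disk/$diskid", "instance/$instanceid"], {}),
    "CreateDisk": (["disk/*"], {"snapshotid": "snapshot/$snapshotid"}),
    "CreateSnapshot": (["disk/$diskid", "snapshot/*"], {}),
    "AuthorizeSecurityGroup": (
        ["securitygroup/$securitygroupid"],
        {"sourcegroupid": "securitygroup/$sourcegroupid"},
    ),
    "StopInstance": (["instance/$instanceid"], {}),
}


def required_resources(action, params):
    """Expand every resource that must be authorized for this call."""
    always, conditional = RULES[action]
    templates = list(always)
    templates += [t for name, t in conditional.items() if params.get(name)]
    # substitute() raises KeyError when a mandatory identifier is missing.
    return [Template(PREFIX + t).substitute(params) for t in templates]


def missing_resources(action, params, granted_patterns):
    """Return the required resources that no granted pattern covers.

    An empty list means the resource check would pass in this simplified model.
    """
    return [
        arn
        for arn in required_resources(action, params)
        if not any(fnmatchcase(arn, p) for p in granted_patterns)
    ]


# Constructed sample values, not real identifiers.
BASE = {"regionid": "cn-hangzhou", "accountid": "1234567890123456"}
INSTANCE_ONLY = ["acs:ecs:cn-hangzhou:1234567890123456:instance/*"]

if __name__ == "__main__":
    call = dict(BASE, diskid="d-example01", instanceid="i-example01")
    # AttachDisk needs the disk AND the instance; this grant covers only one.
    print(missing_resources("AttachDisk", call, INSTANCE_ONLY))
```

A grant on one specific disk does not satisfy a rule that checks `disk/*`, which is why creation and list APIs typically fail for sub-accounts scoped to individual resources.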