Identity policy authorization reference
The cloud service preconfigures commonly used permissions in IAM as system identity policies. If the IAM system identity policies do not meet your authorization requirements, an administrator can create IAM custom identity policies from the actions each service supports, for fine-grained access control. Custom identity policies extend and supplement the system identity policies.
Besides IAM, the service control policies (SCPs) of the Organizations service can also use these action elements to set access control policies.
An SCP does not grant permissions directly; it only defines a permission boundary. Attaching an SCP to an organizational unit (OU) or to a member account does not grant any operation permissions to that OU or account; it defines the scope of permissions available to the member account, or to the member accounts under the OU. The permissions granted by IAM identity policies are limited by SCPs: only permissions that fall within what the SCP allows take effect.
IAM and Organizations differ in some respects when using these elements for access control. For details, see: Differences between IAM and Organizations access control.
This section describes the elements used by custom identity policies in IAM identity policy authorization and by SCPs in Organizations. These elements are actions (Action), resources (Resource), and conditions (Condition).
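The interplay described above (the identity policy grants, the SCP only bounds) is easiest to see in a small simulation. The following is an added example, not code from this page or from the cloud provider: the policy document layout (Version, Statement, Effect, Action, Resource), the "*" wildcard matching and explicit-deny precedence are assumptions modelled on common cloud policy languages, and the management account, account, instance and permission set IDs are constructed. Check the provider's own evaluation logic before relying on any of these details.

```python
"""Simulate 'IAM identity policy grants, SCP bounds' for IdentityCenter actions.

Added example, not the provider's code. Policy layout, wildcard semantics and
explicit-deny precedence are assumptions; all IDs below are constructed.
"""
from fnmatch import fnmatchcase

MGMT = "123456789012"  # constructed management account ID

# Constructed identity policy for a delegated operator: may manage account
# assignments for one permission set only, and (deliberately too broadly)
# may perform any permissionSet action on any resource.
IDENTITY_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "IdentityCenter:accountAssignment:create",
                "IdentityCenter:accountAssignment:delete",
                "IdentityCenter:accountAssignment:list",
            ],
            "Resource": [
                f"IdentityCenter::{MGMT}:instance:inst-01",
                f"IdentityCenter::{MGMT}:account:*",
                f"IdentityCenter::{MGMT}:permissionSet:inst-01/ps-readonly",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["IdentityCenter:permissionSet:*"],
            "Resource": ["*"],
        },
    ],
}

# Constructed SCP attached to the member account: everything stays inside the
# boundary except changing what a permission set grants (the
# Permission_management actions in the table). An SCP never grants anything.
SCP = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {
            "Effect": "Deny",
            "Action": [
                "IdentityCenter:permissionSet:attachManagedPolicy",
                "IdentityCenter:permissionSet:attachCustomPolicy",
                "IdentityCenter:permissionSet:attachCustomRole",
            ],
            "Resource": ["*"],
        },
    ],
}


def _matches(patterns, value):
    """True if any pattern (with '*' wildcards) matches the action or URN."""
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decision of one policy document for one action on one resource:
    'Deny' if any matching statement denies, else 'Allow' if any matching
    statement allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny cannot be overridden
            decision = "Allow"
    return decision


def authorize(action, resources, identity_policy=IDENTITY_POLICY, scp=SCP):
    """A request names every resource the action requires (see the resource
    type column). It succeeds only if, for each of them, the identity policy
    grants the action AND the SCP leaves it inside the boundary."""
    return all(
        evaluate(identity_policy, action, r) == "Allow"
        and evaluate(scp, action, r) == "Allow"
        for r in resources
    )


if __name__ == "__main__":
    inst = f"IdentityCenter::{MGMT}:instance:inst-01"
    acct = f"IdentityCenter::{MGMT}:account:111111111111"
    ro = f"IdentityCenter::{MGMT}:permissionSet:inst-01/ps-readonly"
    adm = f"IdentityCenter::{MGMT}:permissionSet:inst-01/ps-admin"
    print(authorize("IdentityCenter:accountAssignment:create", [inst, acct, ro]))   # True
    print(authorize("IdentityCenter:accountAssignment:create", [inst, acct, adm]))  # False: identity policy
    print(authorize("IdentityCenter:permissionSet:attachManagedPolicy", [inst, ro]))  # False: SCP
    print(authorize("IdentityCenter:permissionSet:describe", [inst, ro]))           # True
```

The second identity policy statement grants every permissionSet action on every resource; it is the SCP's Deny on the Permission_management actions that stops the operator from changing what a permission set grants. The converse also holds: the SCP allows everything else, yet assigning the ps-admin permission set still fails because nothing in the identity policy grants it, and an SCP never adds permissions.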
Actions (Action)
An action is an authorization item that can be used in an identity policy.
- The "Access level" column classifies each action (List, Read, Write, and so on). The classification tells you which access level an action corresponds to in an identity policy.
- The "Resource type" column indicates whether the action supports resource-level permissions.
  - The resource type supports the wildcard "*", meaning all resources. If this column has no value (-), you must specify all resource types ("*") in the Resource element of the identity policy statement.
  - If this column lists resource types, you must specify the URN of the resource in the statement that contains the action.
  - Required resource types are marked with an asterisk (*) in the table: the action can only be used if a resource of that type is specified.
  For details on the resource types defined by IdentityCenter, see Resource types (Resource).
- The "Condition key" column lists the keys that can be specified in the Condition element of an identity policy statement.
  - If the action's resource type column has a value, the condition key applies only to the listed resource types.
  - If the action's resource type column has no value (-), the condition key applies to the whole action.
  - If the condition key column has no value (-), the action does not support condition keys.
  For details on the condition keys defined by IdentityCenter, see Conditions (Condition).
- The "Alias" column lists action aliases that can be configured in an identity policy. Through these aliases, you can control access to APIs that support policy-based authorization. For details, see the identity policy compatibility notes.
You can specify the following IdentityCenter actions in the Action element of an identity policy statement. Note that every IdentityCenter action in the table has neither a condition key nor an alias, so the resource type column (where present) is the only means of narrowing these permissions below the action level.
| Action | Description | Access level | Resource type (* = required) | Condition key | Alias |
|---|---|---|---|---|---|
| IdentityCenter:user:create | Grants permission to create a user. | Write | - | - | - |
| IdentityCenter:user:list | Grants permission to list users. | Read | - | - | - |
| IdentityCenter:user:describe | Grants permission to query user details. | Read | - | - | - |
| IdentityCenter:user:describeUsers | Grants permission to query the details of multiple users in one call. | Read | - | - | - |
| IdentityCenter:user:update | Grants permission to update a user. | Write | - | - | - |
| IdentityCenter:user:delete | Grants permission to delete a user. | Write | - | - | - |
| IdentityCenter:user:getUserId | Grants permission to retrieve a user ID. | Read | - | - | - |
| IdentityCenter:user:enableUser | Grants permission to enable a user. | Write | - | - | - |
| IdentityCenter:user:disableUser | Grants permission to disable a user. | Write | - | - | - |
| IdentityCenter:group:create | Grants permission to create a group. | Write | - | - | - |
| IdentityCenter:group:list | Grants permission to list groups. | Read | - | - | - |
| IdentityCenter:group:describe | Grants permission to query group details. | Read | - | - | - |
| IdentityCenter:group:describeGroups | Grants permission to query the details of multiple groups in one call. | Read | - | - | - |
| IdentityCenter:group:update | Grants permission to update a group. | Write | - | - | - |
| IdentityCenter:group:delete | Grants permission to delete a group. | Write | - | - | - |
| IdentityCenter:group:getGroupId | Grants permission to retrieve a group ID. | Read | - | - | - |
| IdentityCenter:groupMembership:create | Grants permission to add a user to a group. | Write | - | - | - |
| IdentityCenter:groupMemberships:list | Grants permission to list all members of a group. | Read | - | - | - |
| IdentityCenter:groupMembership:listForMember | Grants permission to list all groups a user belongs to. | Read | - | - | - |
| IdentityCenter:groupMembership:describe | Grants permission to query the details of a group membership. | Read | - | - | - |
| IdentityCenter:groupMembership:delete | Grants permission to remove a user from a group. | Write | - | - | - |
| IdentityCenter:groupMembership:getGroupMembershipId | Grants permission to retrieve a group membership ID. | Read | - | - | - |
| IdentityCenter:groupMembership:isMembershipInGroup | Grants permission to check whether a user is a member of a group. | Read | - | - | - |
| IdentityCenter:externalIdp:create | Grants permission to create an external identity provider. | Write | - | - | - |
| IdentityCenter:externalIdp:list | Grants permission to query the identity source configuration of external identity providers. | Read | - | - | - |
| IdentityCenter:externalIdp:enable | Grants permission to enable an external identity provider. | Write | - | - | - |
| IdentityCenter:externalIdp:disable | Grants permission to disable an external identity provider. | Write | - | - | - |
| IdentityCenter:externalIdp:getSpConfiguration | Grants permission to query the IAM Identity Center service provider configuration. | Read | - | - | - |
| IdentityCenter:externalIdp:update | Grants permission to update an external identity provider configuration. | Write | - | - | - |
| IdentityCenter:externalIdp:delete | Grants permission to delete an external identity provider configuration. | Write | - | - | - |
| IdentityCenter:externalIdp:importCertificate | Grants permission to import a certificate. | Write | - | - | - |
| IdentityCenter:externalIdp:deleteCertificate | Grants permission to delete a certificate. | Write | - | - | - |
| IdentityCenter:externalIdp:listCertificates | Grants permission to list certificates. | Read | - | - | - |
| IdentityCenter:externalIdp:createProvisioningTenant | Grants permission to create a provisioning tenant. | Write | - | - | - |
| IdentityCenter:externalIdp:listProvisioningTenant | Grants permission to list provisioning tenants. | Read | - | - | - |
| IdentityCenter:externalIdp:deleteProvisioningTenant | Grants permission to delete a provisioning tenant. | Write | - | - | - |
| IdentityCenter:externalIdp:createBearerToken | Grants permission to create a bearer token. | Write | - | - | - |
| IdentityCenter:externalIdp:listBearerTokens | Grants permission to list bearer tokens. | Read | - | - | - |
| IdentityCenter:externalIdp:deleteBearerToken | Grants permission to delete a bearer token. | Write | - | - | - |
| IdentityCenter:user:updatePassword | Grants permission to update a user's password, either by emailing a password reset link or by generating a one-time password. | Write | - | - | - |
| IdentityCenter:user:deleteUserMfaDevice | Grants permission to delete an MFA device of a specified user. | Write | - | - | - |
| IdentityCenter:user:updateMfaDevice | Grants permission to update MFA device information. | Write | - | - | - |
| IdentityCenter:user:listMfaDevice | Grants permission to list MFA devices. | Read | - | - | - |
| IdentityCenter:user:registerVirtualMfaDevice | Grants permission to start the creation of a virtual MFA device. | Write | - | - | - |
| IdentityCenter:user:verifyEmail | Grants permission to verify a user's email address. | Write | - | - | - |
| IdentityCenter:user:batchDeleteSession | Grants permission to delete the selected user sessions in batch. | Write | - | - | - |
| IdentityCenter:user:listSessions | Grants permission to list a user's sessions. | List | - | - | - |
| IdentityCenter:serviceProvider:activeCertificate | Grants permission to activate an identity provider certificate. | Write | - | - | - |
| IdentityCenter:serviceProvider:deleteCertificate | Grants permission to delete an identity provider certificate. | Write | - | - | - |
| IdentityCenter:serviceProvider:createCertificate | Grants permission to create an identity provider certificate. | Write | - | - | - |
| IdentityCenter:serviceProvider:listCertificates | Grants permission to list identity provider certificates. | List | - | - | - |
| IdentityCenter:permissionSet:create | Grants permission to create a permission set. | Write | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:attachManagedPolicy | Grants permission to attach a system (managed) policy to a permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:detachManagedPolicy | Grants permission to detach an attached system (managed) policy from a specified permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:update | Grants permission to update a permission set of a specified instance. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:delete | Grants permission to delete a permission set of a specified instance. | Write | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:list | Grants permission to list the permission sets of a specified instance. | List | instance * | - | - |
| IdentityCenter:permissionSet:listAccountsForProvisioned | Grants permission to list all accounts to which a specified permission set has been provisioned. | List | permissionSet *, instance * | - | - |
| IdentityCenter:permissionSet:listProvisioningStatus | Grants permission to list the processing status of permission set provisioning requests for a specified instance. | List | instance * | - | - |
| IdentityCenter:permissionSet:listManagedPolicies | Grants permission to list the system (managed) policies attached to a specified permission set. | List | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:listProvisionedToAccount | Grants permission to list all permission sets provisioned to a specified account. | List | account *, instance * | - | - |
| IdentityCenter:permissionSet:describeProvisioningStatus | Grants permission to query the processing status details of a permission set provisioning request. | Read | instance * | - | - |
| IdentityCenter:permissionSet:describe | Grants permission to query the details of a permission set of a specified instance. | Read | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:provision | Grants permission to provision a specified permission set to a specified target. | Write | account *, instance *, permissionSet * | - | - |
| IdentityCenter:instance:getIdentityCenterStatus | Grants permission to query the IAM Identity Center service status. | Read | - | - | - |
| IdentityCenter:instance:registerRegion | Grants permission to register a region. | Write | - | - | - |
| IdentityCenter:instance:describeRegisteredRegions | Grants permission to query the regions in which IAM Identity Center has been enabled. | Read | - | - | - |
| IdentityCenter:instance:startIdentityCenter | Grants permission to enable IAM Identity Center. | Write | - | - | - |
| IdentityCenter:instance:deleteIdentityCenter | Grants permission to disable IAM Identity Center. | Write | - | - | - |
| IdentityCenter:instance:list | Grants permission to list IAM Identity Center instances. | List | - | - | - |
| IdentityCenter:instance:describeInstanceAccessControlAttributeConfiguration | Grants permission to query the access control attribute configuration of a specified instance. | Read | instance * | - | - |
| IdentityCenter:instance:updateInstanceAccessControlAttributeConfiguration | Grants permission to update the access control attribute configuration of a specified instance. | Write | instance * | - | - |
| IdentityCenter:instance:deleteInstanceAccessControlAttributeConfiguration | Grants permission to delete the access control attribute configuration of a specified instance. | Write | instance * | - | - |
| IdentityCenter:instance:createInstanceAccessControlAttributeConfiguration | Grants permission to enable attribute-based access control for a specified instance. | Write | instance * | - | - |
| IdentityCenter:tags:list | Grants permission to list the tags attached to a specified resource. | List | instance *, permissionSet | - | - |
| IdentityCenter:resources:listTags | Grants permission to list the tags of a specified resource type. | List | instance * | - | - |
| IdentityCenter:resources:tag | Grants permission to add tags to a specified resource. | Tagging | instance *, permissionSet | - | - |
| IdentityCenter:resources:untag | Grants permission to remove tags from a specified resource. | Tagging | instance *, permissionSet | - | - |
| IdentityCenter:resources:listByTag | Grants permission to list the resources of a specified type that carry the given tags. | List | instance * | - | - |
| IdentityCenter:resources:countByTag | Grants permission to count the resources of a specified type that carry the given tags. | Read | instance * | - | - |
| IdentityCenter:accountAssignment:create | Grants permission to give a principal access to a specified account through a specified permission set. | Write | instance *, account *, permissionSet * | - | - |
| IdentityCenter:accountAssignment:delete | Grants permission to remove a principal's access to a specified account that was granted through a specified permission set. | Write | instance *, account *, permissionSet * | - | - |
| IdentityCenter:accountAssignment:list | Grants permission to list the assignees of a specified account for a specified permission set. | List | instance *, account *, permissionSet * | - | - |
| IdentityCenter:accountAssignment:describeDeletionStatus | Grants permission to query the processing status details of an assignment deletion request. | Read | instance * | - | - |
| IdentityCenter:accountAssignment:describeCreationStatus | Grants permission to query the processing status details of an assignment creation request. | Read | instance * | - | - |
| IdentityCenter:accountAssignment:listCreationStatus | Grants permission to list the processing status of account assignment creation requests for a specified IAM Identity Center instance. | List | instance * | - | - |
| IdentityCenter:accountAssignment:listDeletionStatus | Grants permission to list the processing status of account assignment deletion requests for a specified IAM Identity Center instance. | List | instance * | - | - |
| IdentityCenter:accountAssignment:listProfileAssociation | Grants permission to list all users or groups associated with an account and permission set. | Read | - | - | - |
| IdentityCenter:accountAssignment:disassociationProfile | Grants permission to remove all assignments bound to a user or group. | Write | - | - | - |
| IdentityCenter:instance:listIdentityStoreAssociations | Grants permission to query the details of the identity sources associated with IAM Identity Center. | Read | - | - | - |
| IdentityCenter:ssoConfiguration:update | Grants permission to update the configuration of the current IAM Identity Center instance. | Write | - | - | - |
| IdentityCenter:ssoConfiguration:describe | Grants permission to query the configuration of the current IAM Identity Center instance. | Read | - | - | - |
| IdentityCenter:mfaDevices:describeManagementSettings | Grants permission to query the MFA management settings. | Read | - | - | - |
| IdentityCenter:mfaDevices:updateManagementSettings | Grants permission to update the MFA management settings. | Write | - | - | - |
| IdentityCenter:instance:createAlias | Grants permission to create an alias for a specified identity source. | Write | - | - | - |
| IdentityCenter:permissionSet:attachCustomRole | Grants permission to attach a custom role to a specified permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:attachCustomPolicy | Grants permission to attach a custom policy to a specified permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:getCustomRole | Grants permission to query the custom role assigned to a specified permission set. | Read | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:getCustomPolicy | Grants permission to query the custom policy assigned to a specified permission set. | Read | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:detachCustomRole | Grants permission to remove the custom role from a specified permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:permissionSet:detachCustomPolicy | Grants permission to remove the custom policy from a specified permission set. | Permission_management | instance *, permissionSet * | - | - |
| IdentityCenter:application:createApplicationInstance | Grants permission to add an application instance to IAM Identity Center. | Write | - | - | - |
| IdentityCenter:application:createApplicationInstanceCertificate | Grants permission to add a new certificate to an application instance. | Write | - | - | - |
| IdentityCenter:application:deleteApplicationInstance | Grants permission to delete an application instance. | Write | - | - | - |
| IdentityCenter:application:deleteApplicationInstanceCertificate | Grants permission to delete an inactive or expired certificate of an application instance. | Write | - | - | - |
| IdentityCenter:application:deleteProfile | Grants permission to delete the association between an application instance and a user or group. | Write | - | - | - |
| IdentityCenter:application:describeApplication | Grants permission to query application information. | Read | application * | - | - |
| IdentityCenter:application:getApplicationAssignmentConfiguration | Grants permission to read the assignment configuration of an application. | Read | application * | - | - |
| IdentityCenter:application:getApplicationInstance | Grants permission to retrieve the details of an application instance. | Read | - | - | - |
| IdentityCenter:application:importApplicationInstanceServiceProviderMetadata | Grants permission to update an application instance by uploading the SAML metadata file provided by the service provider. | Write | - | - | - |
| IdentityCenter:application:listApplicationInstanceCertificates | Grants permission to list all certificates of an application instance. | List | - | - | - |
| IdentityCenter:application:listApplicationInstances | Grants permission to list all application instances. | List | - | - | - |
| IdentityCenter:application:listApplicationTemplates | Grants permission to list all supported application templates. | List | - | - | - |
| IdentityCenter:application:listApplications | Grants permission to list all applications associated with an IAM Identity Center instance. | List | - | - | - |
| IdentityCenter:application:listProfiles | Grants permission to query whether an application instance is associated with users or groups. | List | - | - | - |
| IdentityCenter:application:updateApplicationInstanceActiveCertificate | Grants permission to activate a certificate of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceDisplayData | Grants permission to update the display details of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceResponseConfiguration | Grants permission to update the federation configuration of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceResponseSchemaConfiguration | Grants permission to update the federation schema configuration of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceSecurityConfiguration | Grants permission to update the security configuration of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceServiceProviderConfiguration | Grants permission to update the service provider configuration of an application instance. | Write | - | - | - |
| IdentityCenter:application:updateApplicationInstanceStatus | Grants permission to update the status of an application instance. | Write | - | - | - |
| IdentityCenter:applicationProvider:describeApplicationProvider | Grants permission to describe an application provider. | Read | applicationProvider * | - | - |
| IdentityCenter:applicationProvider:listApplicationProviders | Grants permission to list application providers. | List | applicationProvider | - | - |
| IdentityCenter:applicationAssignment:create | Grants permission to assign users or groups to an application. | Write | application * | - | - |
| IdentityCenter:applicationAssignment:delete | Grants permission to remove assigned users or groups from an application. | Write | application * | - | - |
| IdentityCenter:applicationAssignment:list | Grants permission to list the users or groups assigned to an application. | List | application * | - | - |
| IdentityCenter:applicationAssignmentsForPrincipal:list | Grants permission to list the applications assigned to a user or group. | List | instance * | - | - |
An IdentityCenter API usually corresponds to one or more actions. Table 2 shows the mapping between APIs and actions, together with the actions each API depends on. Rows whose API column is empty list an action for which the page gives no API path.
| API | Corresponding action | Dependent actions |
|---|---|---|
| | IdentityCenter:user:create | organizations:delegatedAdministrators:list |
| | IdentityCenter:user:list | organizations:delegatedAdministrators:list |
| | IdentityCenter:user:describe | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/batch-query | IdentityCenter:user:describeUsers | organizations:delegatedAdministrators:list |
| | IdentityCenter:user:update | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/users/{user_id} | IdentityCenter:user:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/retrieve-user-id | IdentityCenter:user:getUserId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/enable | IdentityCenter:user:enableUser | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/disable | IdentityCenter:user:disableUser | organizations:delegatedAdministrators:list |
| | IdentityCenter:group:create | organizations:delegatedAdministrators:list |
| | IdentityCenter:group:list | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:describe | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/groups/batch-query | IdentityCenter:group:describeGroups | organizations:delegatedAdministrators:list |
| PUT /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:update | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/groups/{group_id} | IdentityCenter:group:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/groups/retrieve-group-id | IdentityCenter:group:getGroupId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/group-memberships | IdentityCenter:groupMembership:create | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships | IdentityCenter:groupMemberships:list | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships-for-member | IdentityCenter:groupMembership:listForMember | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id} | IdentityCenter:groupMembership:describe | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id} | IdentityCenter:groupMembership:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/group-memberships/retrieve-group-membership-id | IdentityCenter:groupMembership:getGroupMembershipId | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/is-member-in-groups | IdentityCenter:groupMembership:isMembershipInGroup | organizations:delegatedAdministrators:list |
| | IdentityCenter:externalIdp:create | organizations:delegatedAdministrators:list |
| | IdentityCenter:externalIdp:list | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/external-idp/{idp_id}/enable | IdentityCenter:externalIdp:enable | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/external-idp/{idp_id}/disable | IdentityCenter:externalIdp:disable | organizations:delegatedAdministrators:list |
| | IdentityCenter:externalIdp:getSpConfiguration | organizations:delegatedAdministrators:list |
| PUT /v1/identity-stores/{identity_store_id}/external-idp/{idp_id} | IdentityCenter:externalIdp:update | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/external-idp/{idp_id} | IdentityCenter:externalIdp:delete | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/external-idp/{idp_id}/certificate | IdentityCenter:externalIdp:importCertificate | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/external-idp/{idp_id}/certificate/{certificate_id} | IdentityCenter:externalIdp:deleteCertificate | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/external-idp/{idp_id}/certificate | IdentityCenter:externalIdp:listCertificates | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/provision-tenant | IdentityCenter:externalIdp:createProvisioningTenant | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/provision-tenant | IdentityCenter:externalIdp:listProvisioningTenant | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/tenant/{tenant_id} | IdentityCenter:externalIdp:deleteProvisioningTenant | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/tenant/{tenant_id}/bearer-token | IdentityCenter:externalIdp:createBearerToken | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/tenant/{tenant_id}/bearer-token | IdentityCenter:externalIdp:listBearerTokens | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/tenant/{tenant_id}/bearer-token/{token_id} | IdentityCenter:externalIdp:deleteBearerToken | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/reset-password | IdentityCenter:user:updatePassword | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/users/{user_id}/mfa-devices/{device_id} | IdentityCenter:user:deleteUserMfaDevice | organizations:delegatedAdministrators:list |
| PUT /v1/identity-stores/{identity_store_id}/users/{user_id}/mfa-devices/{device_id} | IdentityCenter:user:updateMfaDevice | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/retrieve-mfa-devices | IdentityCenter:user:listMfaDevice | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/mfa-devices/register-mfa-device | IdentityCenter:user:registerVirtualMfaDevice | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/verify-email | IdentityCenter:user:verifyEmail | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/users/{user_id}/sessions/batch-delete | IdentityCenter:user:batchDeleteSession | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/users/{user_id}/sessions | IdentityCenter:user:listSessions | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/saml-certificates | IdentityCenter:serviceProvider:createCertificate | organizations:delegatedAdministrators:list |
| DELETE /v1/identity-stores/{identity_store_id}/saml-certificates/{certificate_id} | IdentityCenter:serviceProvider:deleteCertificate | organizations:delegatedAdministrators:list |
| GET /v1/identity-stores/{identity_store_id}/saml-certificates | IdentityCenter:serviceProvider:listCertificates | organizations:delegatedAdministrators:list |
| POST /v1/identity-stores/{identity_store_id}/saml-certificates/{certificate_id}/active | IdentityCenter:serviceProvider:activeCertificate | organizations:delegatedAdministrators:list |
| | IdentityCenter:permissionSet:create | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/attach-managed-policy | IdentityCenter:permissionSet:attachManagedPolicy | |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/detach-managed-policy | IdentityCenter:permissionSet:detachManagedPolicy | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:update | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:delete | organizations:delegatedAdministrators:list |
| | IdentityCenter:permissionSet:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/accounts | IdentityCenter:permissionSet:listAccountsForProvisioned | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioning-statuses | IdentityCenter:permissionSet:listProvisioningStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/managed-policies | IdentityCenter:permissionSet:listManagedPolicies | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioned-to-accounts | IdentityCenter:permissionSet:listProvisionedToAccount | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/provisioning-status/{request_id} | IdentityCenter:permissionSet:describeProvisioningStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id} | IdentityCenter:permissionSet:describe | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/provision | IdentityCenter:permissionSet:provision | organizations:delegatedAdministrators:list |
| | IdentityCenter:instance:getIdentityCenterStatus | organizations:delegatedAdministrators:list |
| | IdentityCenter:instance:registerRegion | - |
| | IdentityCenter:instance:describeRegisteredRegions | organizations:delegatedAdministrators:list |
| | IdentityCenter:instance:startIdentityCenter | |
| | IdentityCenter:instance:deleteIdentityCenter | iam:agencies:deleteServiceLinkedAgency |
| | IdentityCenter:instance:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/access-control-attribute-configuration | IdentityCenter:instance:describeInstanceAccessControlAttributeConfiguration | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/access-control-attribute-configuration | IdentityCenter:instance:updateInstanceAccessControlAttributeConfiguration | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/access-control-attribute-configuration | IdentityCenter:instance:deleteInstanceAccessControlAttributeConfiguration | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/access-control-attribute-configuration | IdentityCenter:instance:createInstanceAccessControlAttributeConfiguration | organizations:delegatedAdministrators:list |
| | IdentityCenter:tags:list | organizations:delegatedAdministrators:list |
| POST /v1/instances/{resource_type}/{resource_id}/tags/create | IdentityCenter:resources:tag | organizations:delegatedAdministrators:list |
| POST /v1/instances/{resource_type}/{resource_id}/tags/delete | IdentityCenter:resources:untag | organizations:delegatedAdministrators:list |
| | IdentityCenter:accountAssignment:create | organizations:delegatedAdministrators:list |
| | IdentityCenter:accountAssignment:delete | organizations:delegatedAdministrators:list |
| | IdentityCenter:accountAssignment:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/deletion-status/{request_id} | IdentityCenter:accountAssignment:describeDeletionStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/creation-status/{request_id} | IdentityCenter:accountAssignment:describeCreationStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/creation-statuses | IdentityCenter:accountAssignment:listCreationStatus | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/account-assignments/deletion-statuses | IdentityCenter:accountAssignment:listDeletionStatus | organizations:delegatedAdministrators:list |
| | IdentityCenter:accountAssignment:disassociationProfile | organizations:delegatedAdministrators:list |
| | IdentityCenter:instance:listIdentityStoreAssociations | organizations:delegatedAdministrators:list |
| | IdentityCenter:ssoConfiguration:update | organizations:delegatedAdministrators:list |
| | IdentityCenter:ssoConfiguration:describe | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/mfa-devices/management-settings | IdentityCenter:mfaDevices:describeManagementSettings | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/mfa-devices/management-settings | IdentityCenter:mfaDevices:updateManagementSettings | organizations:delegatedAdministrators:list |
| | IdentityCenter:instance:createAlias | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-policy | IdentityCenter:permissionSet:detachCustomPolicy | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-role | IdentityCenter:permissionSet:detachCustomRole | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-policy | IdentityCenter:permissionSet:getCustomPolicy | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-role | IdentityCenter:permissionSet:getCustomRole | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-policy | IdentityCenter:permissionSet:attachCustomPolicy | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/permission-sets/{permission_set_id}/custom-role | IdentityCenter:permissionSet:attachCustomRole | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:createApplicationInstance | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/application-instances/{application_instance_id}/certificates | IdentityCenter:application:createApplicationInstanceCertificate | organizations:delegatedAdministrators:list |
| DELETE /v1/instances/{instance_id}/application-instances/{application_instance_id} | IdentityCenter:application:deleteApplicationInstance | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:deleteApplicationInstanceCertificate | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:deleteProfile | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/applications/{application_instance_id} | IdentityCenter:application:describeApplication | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/applications/{application_instance_id}/assignments-configuration | IdentityCenter:application:getApplicationAssignmentConfiguration | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/application-instances/{application_instance_id} | IdentityCenter:application:getApplicationInstance | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/application-instances/{application_instance_id}/metadata | IdentityCenter:application:importApplicationInstanceServiceProviderMetadata | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/application-instances/{application_instance_id}/certificates | IdentityCenter:application:listApplicationInstanceCertificates | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:listApplicationInstances | |
| | IdentityCenter:application:listApplicationTemplates | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:listApplications | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/application-instances/{application_instance_id}/profiles | IdentityCenter:application:listProfiles | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:updateApplicationInstanceActiveCertificate | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/application-instances/{application_instance_id}/display-data | IdentityCenter:application:updateApplicationInstanceDisplayData | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:updateApplicationInstanceResponseConfiguration | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:updateApplicationInstanceResponseSchemaConfiguration | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:updateApplicationInstanceSecurityConfiguration | organizations:delegatedAdministrators:list |
| | IdentityCenter:application:updateApplicationInstanceServiceProviderConfiguration | organizations:delegatedAdministrators:list |
| PUT /v1/instances/{instance_id}/application-instances/{application_instance_id}/status | IdentityCenter:application:updateApplicationInstanceStatus | organizations:delegatedAdministrators:list |
| | IdentityCenter:applicationProvider:describeApplicationProvider | organizations:delegatedAdministrators:list |
| | IdentityCenter:applicationProvider:listApplicationProviders | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/applications/{application_instance_id}/assignments/create | IdentityCenter:applicationAssignment:create | organizations:delegatedAdministrators:list |
| POST /v1/instances/{instance_id}/applications/{application_instance_id}/assignments/delete | IdentityCenter:applicationAssignment:delete | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/applications/{application_instance_id}/assignments | IdentityCenter:applicationAssignment:list | organizations:delegatedAdministrators:list |
| GET /v1/instances/{instance_id}/application-assignments-for-principals | IdentityCenter:applicationAssignmentsForPrincipal:list | organizations:delegatedAdministrators:list |
Resource types (Resource)
The resource type (Resource) identifies the resources an identity policy applies to. If an action in the action table above specifies resource types, you must specify the URN of that resource in the identity policy statement that contains the action, and the policy then applies only to that resource. If no resource is specified, Resource defaults to "*" and the policy applies to all resources. You can also set conditions in the identity policy to scope the resource type.
IdentityCenter defines the following resource types, which can be used in the Resource element of a custom identity policy.
| Resource type | URN |
|---|---|
| application | IdentityCenter::<management-account-id>:application:<instance-id>/<application-instance-id> |
| account | IdentityCenter::<management-account-id>:account:<account-id> |
| instance | IdentityCenter::<management-account-id>:instance:<instance-id> |
| permissionSet | IdentityCenter::<management-account-id>:permissionSet:<instance-id>/<permission-set-id> |
| applicationProvider | IdentityCenter:::applicationProvider:<application-provider-name> |
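The resource type rule stated under Actions (an action with "-" in the resource type column needs Resource "*"; an action with listed types needs a URN of every required type) and the URN formats above can be checked mechanically before a policy is attached, which catches the common mistake of writing one URN for an action that needs three. The following lint pass is an added example, not the page's or the provider's own code: the policy document shape is an assumption, ACTION_RESOURCE_TYPES is a hand-copied excerpt of a few rows of the action table, and the IDs are constructed.

```python
"""Lint custom identity policy statements against the resource type rule of
the action table and the URN layouts of the resource type table.

Added example, not the provider's code. The policy document shape is assumed,
ACTION_RESOURCE_TYPES covers only a few table rows (extend it before real use),
and all IDs are constructed.
"""
import re

# Excerpt of the action table: action -> {resource type: required (marked *)}.
# An empty dict means the table shows "-" for that action.
ACTION_RESOURCE_TYPES = {
    "IdentityCenter:user:create": {},
    "IdentityCenter:permissionSet:list": {"instance": True},
    "IdentityCenter:tags:list": {"instance": True, "permissionSet": False},
    "IdentityCenter:accountAssignment:create": {
        "instance": True, "account": True, "permissionSet": True},
    "IdentityCenter:applicationProvider:describeApplicationProvider": {
        "applicationProvider": True},
}

# URN layout from the resource type table; the management account ID segment
# is empty for applicationProvider URNs (IdentityCenter:::applicationProvider:...).
URN_RE = re.compile(
    r"^IdentityCenter::(?P<account>[^:]*):"
    r"(?P<type>application|account|instance|permissionSet|applicationProvider):"
    r"(?P<id>[^:]+)$"
)


def build_urn(management_account_id, resource_type, resource_id):
    """Assemble a URN in the layout of the resource type table."""
    if resource_type == "applicationProvider":
        return f"IdentityCenter:::applicationProvider:{resource_id}"
    return f"IdentityCenter::{management_account_id}:{resource_type}:{resource_id}"


def urn_type(urn):
    """Return the resource type encoded in a URN, or raise ValueError."""
    match = URN_RE.match(urn)
    if not match:
        raise ValueError(f"malformed IdentityCenter URN: {urn}")
    return match.group("type")


def lint_statement(stmt):
    """Return findings for one statement; an empty list means it is consistent
    with the table rules. A Resource entry of "*" is accepted as covering every
    type, as the Actions section describes."""
    findings = []
    resources = stmt["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    wildcard_all = "*" in resources
    present = set()
    for urn in resources:
        if urn == "*":
            continue
        try:
            present.add(urn_type(urn))
        except ValueError as exc:
            findings.append(str(exc))

    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    for action in actions:
        types = ACTION_RESOURCE_TYPES.get(action)
        if types is None:
            findings.append(f"{action}: not in the table excerpt (wildcards are not expanded)")
            continue
        if not types:
            if not wildcard_all:
                findings.append(f'{action}: resource type column is "-", Resource must be "*"')
            continue
        required = {t for t, must in types.items() if must}
        missing = sorted(required - present)
        if missing and not wildcard_all:
            findings.append(f"{action}: no URN for required resource type(s) {missing}")
        unsupported = sorted(present - set(types))
        if unsupported:
            findings.append(f"{action}: resource type(s) {unsupported} do not apply to this action")
    return findings


def lint_policy(policy):
    """Findings for every statement, prefixed with the statement index."""
    return [
        f"Statement[{i}] {finding}"
        for i, stmt in enumerate(policy["Statement"])
        for finding in lint_statement(stmt)
    ]


if __name__ == "__main__":
    mgmt = "123456789012"  # constructed management account ID
    policy = {
        "Version": "5.0",
        "Statement": [
            {   # consistent: all three required URNs are present
                "Effect": "Allow",
                "Action": ["IdentityCenter:accountAssignment:create"],
                "Resource": [
                    build_urn(mgmt, "instance", "inst-01"),
                    build_urn(mgmt, "account", "111111111111"),
                    build_urn(mgmt, "permissionSet", "inst-01/ps-readonly"),
                ],
            },
            {   # flagged: user:create has no resource type, so Resource must be "*"
                "Effect": "Allow",
                "Action": ["IdentityCenter:user:create"],
                "Resource": [build_urn(mgmt, "instance", "inst-01")],
            },
        ],
    }
    for line in lint_policy(policy):
        print(line)
```

The "do not apply to this action" finding is worth keeping even though it is not an error: it fires when actions with different resource type requirements are mixed in one statement, which is a sign the statement should be split so each action is scoped to exactly the resources it needs.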

