Product |
Abbreviation in CAM |
Console |
Authorization by Tag |
Authorization Granularity |
IP Restriction |
Secrets Manager |
ssm |
Supported |
Supported |
Resource level |
Supported |
Note:
The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
API authorization granularity
Two authorization granularity levels of API are supported: resource level, and operation level.
- Resource level: It supports the authorization of a specific resource.
- Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
Write operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
CreateAccessKeySecret |
Create AccessKey Secret |
Resource level |
qcs::ssm::uin/${uin}:secret/* |
Supported |
CreateProductSecret |
Create Product Secret |
Resource level |
qcs::ssm::uin/${uin}:secret/* |
Supported |
CreateSSHKeyPairSecret |
Create SSH Key Pair Secret |
Resource level |
qcs::ssm::uin/${uin}:secret/* |
Supported |
RotateProductSecret |
Rotate Product Secret |
Resource level |
qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
UpdateRotationStatus |
Update Rotation Status |
Resource level |
qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
Read operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
CreateSecret |
create secret |
Resource level |
qcs::ssm::uin/${uin}:secret/* |
Supported |
DeleteSecret |
Delete secret information |
Operation level |
* |
Supported |
DeleteSecretVersion |
Delete secret for a specified version |
Operation level |
* |
Supported |
DescribeAccessKeyRotateResult |
Describe AccessKey Rotate Result |
Resource level |
qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
DescribeAsyncRequestInfo |
Describe Async Request Info |
Operation level |
* |
Supported |
DescribeRotationDetail |
Describe Product Secret Rotation Detail |
Resource level |
qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
DescribeRotationHistory |
Describe Product Secret Rotation History |
Resource level |
qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
DescribeSecret |
get secret details |
Operation level |
* |
Supported |
DescribeSupportedProducts |
Describe Supported Products |
Operation level |
* |
Supported |
DisableSecret |
Disable secret |
Operation level |
* |
Supported |
EnableSecret |
EnableSecret |
Operation level |
* |
Supported |
GetSSHKeyPairValue |
Get SSH Key Pair Value |
Resource level |
qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName |
Supported |
GetSecretValue |
get plain text of secret |
Operation level |
* |
Supported |
GetServiceStatus |
GetServiceStatus |
Operation level |
* |
Supported |
ListSecretVersionIds |
get version list information under specified secret |
Operation level |
* |
Supported |
ListSecrets |
get list of secret details |
Operation level |
* |
Supported |
PutSecretValue |
Add new version secret |
Operation level |
* |
Supported |
RestoreSecret |
Recover secret from scheduled deletion |
Operation level |
* |
Supported |
UpdateDescription |
Update secret Description |
Operation level |
* |
Supported |
UpdateSecret |
Update secret content |
Operation level |
* |
Supported |
List Operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
DescribeResourceIds |
Describe ResourceIds |
Operation level |
* |
Supported |
GetRegions |
Get region display list in console |
Operation level |
* |
Supported |
문제 해결에 도움이 되었나요?