AWS Directory Service API 权限：操作、资源和条件参考

在设置 访问控制 和编写您可附加到 IAM 身份的权限策略（基于身份的策略）时，可以使用 AWS Directory Service API 权限：操作、资源和条件参考 表作为参考。表中的每个 API 条目都包含以下内容：

• AWS Directory Service API 操作的名称

• 您可授予执行该操作的权限的对应操作

• 您可以为其授予权限的 AWS 资源

您在策略的 Action 字段中指定操作，并在策略的 Resource 字段中指定资源值。要指定操作，请在 API 操作名称之前使用 ds: 前缀（例如，ds:CreateDirectory）。某些 AWS 应用程序可能需要在其策略中使用非公共 AWS Directory Service API 操作，例如ds:AuthorizeApplicationds:CheckAliasds:CreateIdentityPoolDirectoryds:UpdateAuthorizedApplication、、、和ds:UnauthorizeApplication。

有些 AWS Directory Service API 只能通过调用 AWS Management Console。从某种意义上说，它们不是公共 API，因为它们不能以编程方式调用，也不是由任何 SDK 提供的。他们接受用户证书。这些 API 操作包括ds:DisableRoleAccessds:EnableRoleAccess、和ds:UpdateDirectory。

您可以在 AWS Directory Service 策略中使用 AWS 全局条件密钥来表达条件。有关 AWS 密钥的完整列表，请参阅 IAM 用户指南中的可用全局条件密钥。

AWS Directory Service API 和操作所需的权限
AWS Directory Service API 操作	所需权限（API 操作）	资源
AcceptSharedDirectory	ds:AcceptSharedDirectory	*
AddIpRoutes	ds:AddIpRoutes ec2:DescribeSecurityGroup ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress	*
AddTagsToResource	ds:AddTagsToResource ec2:CreateTags	*
CancelSchemaExtension	ds:CancelSchemaExtension	*
ConnectDirectory	ds:ConnectDirectory ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:CreateTags	*
CreateAlias	ds:CreateAlias	*
CreateComputer	ds:CreateComputer	*
CreateConditionalForwarder	ds:CreateConditionalForwarder	*
CreateDirectory	ds:CreateDirectory ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:CreateTags	*
CreateLogSubscription	ds:CreateLogSubscription	*
CreateMicrosoft广告	ds:CreateMicrosoftAD ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:RevokeSecurityGroupEgress ec2:CreateTags	*
CreateSnapshot	ds:CreateSnapshot	*
CreateTrust	ds:CreateTrust	*
DeleteConditionalForwarder	ds:DeleteConditionalForwarder	*
DeleteDirectory	ds:DeleteDirectory ec2:DescribeNetworkInterfaces ec2:DeleteSecurityGroup ec2:DeleteNetworkInterface ec2:RevokeSecurityGroupIngress ec2:RevokeSecurityGroupEgress ec2:DeleteTags	*
DeleteLogSubscription	ds:DeleteLogSubscription	*
DeleteSnapshot	ds:DeleteSnapshot	*
DeleteTrust	ds:DeleteTrust	*
DeregisterEventTopic	ds:DeregisterEventTopic	*
DescribeConditionalForwarders	ds:DescribeConditionalForwarders	*
DescribeDirectories	ds:DescribeDirectories	*
DescribeDomainControllers	ds:DescribeDomainControllers	*
DescribeEventTopics	ds:DescribeEventTopics	*
DescribeSharedDirectories	ds:DescribeSharedDirectories	*
DescribeSnapshots	ds:DescribeSnapshots	*
DescribeTrusts	ds:DescribeTrusts	*
DisableRadius	ds:DisableRadius	*
DisableSso	ds:DisableSso	*
EnableRadius	ds:EnableRadius	*
EnableSso	ds:EnableSso	*
GetDirectoryLimits	ds:GetDirectoryLimits	*
GetSnapshotLimits	ds:GetSnapshotLimits	*
ListIpRoutes	ds:ListIpRoutes	*
ListLogSubscriptions	ds:ListLogSubscriptions	*
ListSchemaExtensions	ds:ListSchemaExtensions	*
ListTagsForResource	ds:ListTagsForResource	*
RegisterEventTopic	ds:RegisterEventTopic sns:GetTopicAttributes	*
RejectSharedDirectory	ds:RejectSharedDirectory	*
RemoveIpRoutes	ds:RemoveIpRoutes	*
RemoveTagsFromResource	ds:RemoveTagsFromResource ec2:DeleteTags	*
ResetUserPassword	ds:ResetUserPassword	*
RestoreFromSnapshot	ds:RestoreFromSnapshot	*
ShareDirectory	ds:ShareDirectory organizations:DescribeAccount organizations:DescribeOrganization organizations:ListAWSServiceAccessForOrganization	*
StartSchemaExtension	ds:StartSchemaExtension	*
UnshareDirectory	ds:UnshareDirectory	*
UpdateConditionalForwarder	ds:UpdateConditionalForwarder	*
UpdateNumberOfDomainControllers	ds:UpdateNumberOfDomainControllers ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:DeleteNetworkInterface	*
UpdateRadius	ds:UpdateRadius	*
UpdateTrust	ds:UpdateTrust	*
VerifyTrust	ds:VerifyTrust	*

相关主题

• 访问控制