AWS Directory Service API 權限：動作、資源和條件參考

當您在設定 存取控制 並撰寫可連接到 IAM 身分 (以身分為基礎的政策) 的許可政策時，可以使用 AWS Directory Service API 權限：動作、資源和條件參考 資料表作為參考。資料表中的每個 API 項目包含以下內容：

• AWS Directory Service API 作業的名稱

• 可由您授予執行此動作之許可的相對應動作。

• 您可以授與權限的 AWS 資源

您要在政策的 Action 欄位中指定動作，並在政策的 Resource 欄位中指定資源值。若要指定動作，請使用後接 API 操作名稱的 ds: 字首 (例如，ds:CreateDirectory)。某些 AWS 應用程式可能需要ds:UnauthorizeApplication在其政策中使用非公開 AWS Directory Service API 作業 ds:AuthorizeApplication ds:CheckAlias ds:CreateIdentityPoolDirectory ds:GetAuthorizedApplicationDetailsds:UpdateAuthorizedApplication，例如、、、和。

某些 AWS Directory Service API 只能透過 AWS Management Console. 它們不是公共 API，從某種意義上說它們不能以編程方式調用，並且它們不是由任何 SDK 提供的。他們接受用戶憑據。這些 API 作業包括ds:DisableRoleAccessds:EnableRoleAccess、和ds:UpdateDirectory。

您可以在 AWS Directory Service 原則中使用 AWS 全域條件金鑰來表示條件。如需完整 AWS 金鑰清單，請參閱 IAM 使用者指南中的可用全域條件金鑰。

AWS Directory Service API 和動作所需的權限
AWS Directory Service API 作業	所需許可 (API 動作)	資源
AcceptSharedDirectory	ds:AcceptSharedDirectory	*
AddIpRoutes	ds:AddIpRoutes ec2:DescribeSecurityGroup ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress	*
AddTagsToResource	ds:AddTagsToResource ec2:CreateTags	*
CancelSchemaExtension	ds:CancelSchemaExtension	*
ConnectDirectory	ds:ConnectDirectory ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:CreateTags	*
CreateAlias	ds:CreateAlias	*
CreateComputer	ds:CreateComputer	*
CreateConditionalForwarder	ds:CreateConditionalForwarder	*
CreateDirectory	ds:CreateDirectory ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:CreateTags	*
CreateLogSubscription	ds:CreateLogSubscription	*
CreateMicrosoft廣告	ds:CreateMicrosoftAD ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateSecurityGroup ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress ec2:RevokeSecurityGroupEgress ec2:CreateTags	*
CreateSnapshot	ds:CreateSnapshot	*
CreateTrust	ds:CreateTrust	*
DeleteConditionalForwarder	ds:DeleteConditionalForwarder	*
DeleteDirectory	ds:DeleteDirectory ec2:DescribeNetworkInterfaces ec2:DeleteSecurityGroup ec2:DeleteNetworkInterface ec2:RevokeSecurityGroupIngress ec2:RevokeSecurityGroupEgress ec2:DeleteTags	*
DeleteLogSubscription	ds:DeleteLogSubscription	*
DeleteSnapshot	ds:DeleteSnapshot	*
DeleteTrust	ds:DeleteTrust	*
DeregisterEventTopic	ds:DeregisterEventTopic	*
DescribeConditionalForwarders	ds:DescribeConditionalForwarders	*
DescribeDirectories	ds:DescribeDirectories	*
DescribeDomainControllers	ds:DescribeDomainControllers	*
DescribeEventTopics	ds:DescribeEventTopics	*
DescribeSharedDirectories	ds:DescribeSharedDirectories	*
DescribeSnapshots	ds:DescribeSnapshots	*
DescribeTrusts	ds:DescribeTrusts	*
DisableRadius	ds:DisableRadius	*
DisableSso	ds:DisableSso	*
EnableRadius	ds:EnableRadius	*
EnableSso	ds:EnableSso	*
GetDirectoryLimits	ds:GetDirectoryLimits	*
GetSnapshotLimits	ds:GetSnapshotLimits	*
ListIpRoutes	ds:ListIpRoutes	*
ListLogSubscriptions	ds:ListLogSubscriptions	*
ListSchemaExtensions	ds:ListSchemaExtensions	*
ListTagsForResource	ds:ListTagsForResource	*
RegisterEventTopic	ds:RegisterEventTopic sns:GetTopicAttributes	*
RejectSharedDirectory	ds:RejectSharedDirectory	*
RemoveIpRoutes	ds:RemoveIpRoutes	*
RemoveTagsFromResource	ds:RemoveTagsFromResource ec2:DeleteTags	*
ResetUserPassword	ds:ResetUserPassword	*
RestoreFromSnapshot	ds:RestoreFromSnapshot	*
ShareDirectory	ds:ShareDirectory organizations:DescribeAccount organizations:DescribeOrganization organizations:ListAWSServiceAccessForOrganization	*
StartSchemaExtension	ds:StartSchemaExtension	*
UnshareDirectory	ds:UnshareDirectory	*
UpdateConditionalForwarder	ds:UpdateConditionalForwarder	*
UpdateNumberOfDomainControllers	ds:UpdateNumberOfDomainControllers ec2:DescribeSubnets ec2:DescribeVpcs ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:DeleteNetworkInterface	*
UpdateRadius	ds:UpdateRadius	*
UpdateTrust	ds:UpdateTrust	*
VerifyTrust	ds:VerifyTrust	*

相關主題

• 存取控制