Amazon WorkSpaces console action permissions reference
Some Amazon WorkSpaces API actions can only be invoked through the AWS Management Console. They are not public APIs, cannot be called programmatically, and are not exposed by any SDK. These API actions are:
workspaces:DirectoryAccessManagement
workspaces:CreateRootClientCertificate
workspaces:UpdateRootClientCertificate
workspaces:DeleteRootClientCertificate
workspaces:DescribeConsent
workspaces:UpdateConsent
WorkSpaces console actions and required permissions
The console relies on additional API actions to implement its features, so a policy that grants only the WorkSpaces public APIs may not be sufficient for console use. For example, a user who is permitted to call the CreateWorkspaces API from the CLI/SDK may receive an error when trying to create a WorkSpace in the console, because they lack the permissions needed to select or create users. The table below lists features that are available only in the WorkSpaces console and the additional permissions a user needs to use those specific parts of the console.
The policy examples section provides the list of permissions required to perform all WorkSpaces tasks for Personal, Pools, and BYOL WorkSpaces.
Alternatively, you can use fine-grained permissions to apply least-privilege permissions for a single task.
The following table lists WorkSpaces console features that depend on APIs not provided by the SDKs, together with the permissions required to let a user use those parts of the console. These permissions are in addition to the actions required for the SDK-provided APIs.
| WorkSpaces console action | Required permissions |
|---|---|
| (console action not named in source) | workspaces:DirectoryAccessManagement, ds:*, ec2:CreateVpc, ec2:CreateSubnet, ec2:CreateNetworkInterface, ec2:CreateInternetGateway, ec2:CreateRouteTable, ec2:CreateRoute, ec2:CreateTags, ec2:CreateSecurityGroup, ec2:DescribeInternetGateways, ec2:DescribeSecurityGroups, ec2:DescribeRouteTables, ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeNetworkInterfaces, ec2:DescribeAvailabilityZones, ec2:AttachInternetGateway, ec2:AssociateRouteTable, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, iam:CreateRole, iam:GetRole, iam:PutRolePolicy, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:CreateWorkspaces, workspaces:DescribeWorkspaces, workspaces:RegisterWorkspaceDirectory, workspaces:DescribeWorkspaceBundles |
| (console action not named in source) | workspaces:CreateRootClientCertificate, workspaces:UpdateRootClientCertificate, workspaces:DeleteRootClientCertificate, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins, workspaces:DirectoryAccessManagement |
| Create a WorkSpace in the WorkSpaces Personal console – create/search/describe Directory Service directory users | workspaces:DirectoryAccessManagement, workspaces:DescribeAccount, workspaces:CreateWorkspaces, workspaces:DescribeWorkspaces, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaceBundles, workspaces:DescribeTags, workspaces:CreateTags, workspaces:DescribeClientProperties, kms:ListKeys, kms:ListAliases, kms:DescribeKey, ds:DescribeTrusts, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups |
| Manage users in WorkSpaces Personal – edit users and send invitation emails to users | workspaces:DirectoryAccessManagement, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaces, workspaces:DescribeTags, workspaces:DescribeWorkspaceBundles, workspaces:DescribeWorkspacesConnectionStatus, workspaces:DescribeWorkspaceAssociations, workspaces:DescribeWorkspaceSnapshots, workspaces:DescribeWorkspaceImages, workspaces:DescribeConnectionAliases |
| (console action not named in source) | workspaces:DirectoryAccessManagement, ds:DescribeDirectories, ds:UpdateDirectory, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins |
| (console action not named in source) | workspaces:DirectoryAccessManagement, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins, workspaces:ModifyWorkspaceCreationProperties |
| Enable BYOL account – acknowledge understanding of the requirements for using BYOL WorkSpaces | workspaces:DescribeConsent, workspaces:UpdateConsent, workspaces:DescribeAccount, workspaces:ListAccountLinks, workspaces:DescribeWorkspaceBundles, workspaces:DescribeWorkspaceImages, workspaces:DescribeWorkspaceDirectories |

Note that the first row includes ds:* and the IAM role actions iam:CreateRole and iam:PutRolePolicy, which are far broader than the other rows. Grant that set only to the administrators who actually set up directories and networking for WorkSpaces, not to every console user.
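To make the failure mode described in this section concrete (a principal who can call CreateWorkspaces from the CLI but cannot create a WorkSpace in the console), the following is an added example; it is not code from AWS or from this documentation page. It evaluates the Action/NotAction and Effect elements of a single IAM identity policy against the required-actions list from the table row for creating a WorkSpace in the WorkSpaces Personal console, reports which actions are missing, and builds a corrected policy that adds exactly those actions. The two sample policies, the Sid "WorkSpacesConsoleOnlyActions", and the assumption that Resource is "*" and that no Conditions, permissions boundaries, or SCPs apply are all constructed for illustration.

```python
"""Check whether an IAM identity policy covers the console-only actions a
WorkSpaces console task needs. Added example, not AWS code. Only the
Action/NotAction and Effect elements are evaluated; Resource is assumed to
be "*" and Conditions are assumed absent (constructed simplification)."""
import json
import re

# Required actions for "Create a WorkSpace in the WorkSpaces Personal
# console", copied from the table on this page.
CREATE_WORKSPACE_CONSOLE_ACTIONS = [
    "workspaces:DirectoryAccessManagement",  # console-only, not in any SDK
    "workspaces:DescribeAccount",
    "workspaces:CreateWorkspaces",
    "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeTags",
    "workspaces:CreateTags",
    "workspaces:DescribeClientProperties",
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:DescribeKey",
    "ds:DescribeTrusts",
    "ds:DescribeDirectories",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
]

# Constructed sample policy: enough for CreateWorkspaces from the CLI/SDK,
# but it never grants the console-only action, so the console flow fails.
CLI_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["workspaces:CreateWorkspaces", "workspaces:Describe*",
                   "workspaces:CreateTags", "kms:ListKeys", "kms:ListAliases",
                   "kms:DescribeKey", "ds:Describe*", "ec2:Describe*"],
        "Resource": "*",
    }],
})

# Constructed sample policy: broad Allow plus an explicit Deny on the
# console-only action. An explicit Deny always wins over any Allow.
DENY_OVERRIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "workspaces:DirectoryAccess*",
         "Resource": "*"},
    ],
})


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    """IAM allows a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statements(doc):
    return _as_list(doc.get("Statement"))


def action_allowed(doc, action):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    allowed = False
    for stmt in _statements(doc):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            hit = not any(_matches(p, action)
                          for p in _as_list(stmt["NotAction"]))
        else:
            continue
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_console_actions(policy_json, required_actions):
    """Return the required actions the policy does not allow, in table order."""
    doc = json.loads(policy_json)
    return [a for a in required_actions if not action_allowed(doc, a)]


def add_missing_actions(policy_json, required_actions):
    """Return a copy of the policy with one extra Allow statement granting
    exactly the missing actions, no wildcards. The Sid is a made-up label."""
    doc = json.loads(policy_json)
    missing = missing_console_actions(policy_json, required_actions)
    if missing:
        doc["Statement"] = _statements(doc) + [{
            "Sid": "WorkSpacesConsoleOnlyActions",
            "Effect": "Allow",
            "Action": missing,
            "Resource": "*",
        }]
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    req = CREATE_WORKSPACE_CONSOLE_ACTIONS
    print("missing for console create:", missing_console_actions(CLI_ONLY_POLICY, req))
    fixed = add_missing_actions(CLI_ONLY_POLICY, req)
    print("after adding the missing actions:", missing_console_actions(fixed, req))
    print("with an explicit Deny:", missing_console_actions(DENY_OVERRIDE_POLICY, req))
```

Because workspaces:DirectoryAccessManagement is not in any SDK, a successful aws workspaces create-workspaces call from the CLI proves nothing about the console path; run a check like this against the policy document (or use the IAM policy simulator in a real account) before concluding the user is fully permitted. The explicit-Deny case shows why adding an Allow statement is not always the fix: the Deny has to be removed or narrowed first.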