This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Amazon WorkSpaces console operation permissions reference
Some Amazon WorkSpaces APIs can only be called through the AWS Management Console. They are not public APIs, so they cannot be called programmatically and are not provided by any SDK. These API operations include:
workspaces:DirectoryAccessManagement
workspaces:CreateRootClientCertificate
workspaces:UpdateRootClientCertificate
workspaces:DeleteRootClientCertificate
workspaces:DescribeConsent
workspaces:UpdateConsent
Permissions required for WorkSpaces console operations and actions
The console uses additional API actions for its features, so permissions for the WorkSpaces public APIs alone may not be sufficient. For example, a user who has permission to call the CreateWorkspaces API through the CLI/SDK may get an error when trying to create a WorkSpace in the console, because they lack the specific permissions needed to select or create users. The table below lists features that are only available in the WorkSpaces console, together with the additional permissions a user needs to use those specific parts of the console.
The example policies section provides lists of the permissions needed to perform all WorkSpaces tasks for Personal, Pools and BYOL WorkSpaces.
Alternatively, you can use fine-grained permissions to apply least-privilege permissions for the task at hand.
The table lists WorkSpaces console features that depend on APIs not provided by the SDK, and the permissions required to let users use those specific parts of the console. These permissions should be added in addition to the other actions required by the SDK-provided APIs.
| WorkSpaces console operation | Required permissions |
|---|---|
| | workspaces:DirectoryAccessManagement, ds:*, ec2:CreateVpc, ec2:CreateSubnet, ec2:CreateNetworkInterface, ec2:CreateInternetGateway, ec2:CreateRouteTable, ec2:CreateRoute, ec2:CreateTags, ec2:CreateSecurityGroup, ec2:DescribeInternetGateways, ec2:DescribeSecurityGroups, ec2:DescribeRouteTables, ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeNetworkInterfaces, ec2:DescribeAvailabilityZones, ec2:AttachInternetGateway, ec2:AssociateRouteTable, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, iam:CreateRole, iam:GetRole, iam:PutRolePolicy, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:CreateWorkspaces, workspaces:DescribeWorkspaces, workspaces:RegisterWorkspaceDirectory, workspaces:DescribeWorkspaceBundles |
| | workspaces:CreateRootClientCertificate, workspaces:UpdateRootClientCertificate, workspaces:DeleteRootClientCertificate, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins, workspaces:DirectoryAccessManagement |
| Create a WorkSpace in the console – create/search/describe Directory Service directory users | workspaces:DirectoryAccessManagement, workspaces:DescribeAccount, workspaces:CreateWorkspaces, workspaces:DescribeWorkspaces, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaceBundles, workspaces:DescribeTags, workspaces:CreateTags, workspaces:DescribeClientProperties, kms:ListKeys, kms:ListAliases, kms:DescribeKey, ds:DescribeTrusts, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups |
| Manage users in WorkSpaces Personal – edit users and send user invitation emails | workspaces:DirectoryAccessManagement, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeWorkspaces, workspaces:DescribeTags, workspaces:DescribeWorkspaceBundles, workspaces:DescribeWorkspacesConnectionStatus, workspaces:DescribeWorkspaceAssociations, workspaces:DescribeWorkspaceSnapshots, workspaces:DescribeWorkspaceImages, workspaces:DescribeConnectionAliases |
| | workspaces:DirectoryAccessManagement, ds:DescribeDirectories, ds:UpdateDirectory, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins |
| | workspaces:DirectoryAccessManagement, ds:DescribeDirectories, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, workspaces:DescribeAccount, workspaces:DescribeWorkspaceDirectories, workspaces:DescribeTags, workspaces:DescribeClientProperties, workspaces:DescribeConnectClientAddins, workspaces:ModifyWorkspaceCreationProperties |
| Enable your BYOL account – confirm that you understand the requirements for using BYOL WorkSpaces | workspaces:DescribeConsent, workspaces:UpdateConsent, workspaces:DescribeAccount, workspaces:ListAccountLinks, workspaces:DescribeWorkspaceBundles, workspaces:DescribeWorkspaceImages, workspaces:DescribeWorkspaceDirectories |
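The mismatch described above (a policy that is enough for CreateWorkspaces from the CLI but fails in the console) is easy to catch before a user hits it by diffing a policy document against the action set a console operation needs. The following is an added example, not code from the AWS documentation: it takes the required-permission list from the table row for creating a WorkSpace in the console (the row that grants workspaces:CreateWorkspaces together with the kms and ds describe permissions), checks a constructed sample policy against it using IAM's documented Action wildcard semantics (`*` matches any run of characters, `?` one character, matching is case-insensitive), and builds a least-privilege policy document for that row. The evaluation is deliberately simplified: it only looks at Effect and Action, ignoring Resource, Condition and NotAction, and treats any explicit Deny on an action as removing it. That simplification, the sample policy and the function names are assumptions of this example, not part of the page.

```python
"""Compare an IAM policy document with the actions a WorkSpaces console
operation requires (added example; the policy and helpers are constructed
for illustration and are not AWS code)."""
import json
import re
from typing import Iterable

# Required actions for "Create a WorkSpace in the console", taken from the
# permissions table on this page.
CREATE_WORKSPACE_CONSOLE_ACTIONS = (
    "workspaces:DirectoryAccessManagement",
    "workspaces:DescribeAccount",
    "workspaces:CreateWorkspaces",
    "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeTags",
    "workspaces:CreateTags",
    "workspaces:DescribeClientProperties",
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:DescribeKey",
    "ds:DescribeTrusts",
    "ds:DescribeDirectories",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
)

# Constructed sample: enough to call CreateWorkspaces from the CLI/SDK, but
# not enough for the console's user-selection and key-selection steps.
CLI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["workspaces:CreateWorkspaces", "workspaces:Describe*"],
            "Resource": "*",
        }
    ],
}


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # IAM Action values allow '*' (any sequence) and '?' (one character);
    # everything else is literal, and comparison is case-insensitive.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if an IAM Action pattern (possibly with wildcards) covers action."""
    return _pattern_to_regex(pattern).match(action) is not None


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_actions(policy: dict, required: Iterable[str]) -> list:
    """Return the required actions the policy does not grant, in input order.

    Simplification (assumption of this example): only Effect/Action are
    evaluated; Resource, Condition and NotAction are ignored, and an explicit
    Deny removes an action regardless of resource.
    """
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action")))
    missing = []
    for action in required:
        granted = any(action_matches(p, action) for p in allow)
        denied = any(action_matches(p, action) for p in deny)
        if not granted or denied:
            missing.append(action)
    return missing


def least_privilege_policy(required: Iterable[str], sid: str) -> dict:
    """Build a policy that grants exactly the listed actions (no wildcards)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Action": sorted(set(required)),
                "Resource": "*",
            }
        ],
    }


if __name__ == "__main__":
    gap = missing_actions(CLI_ONLY_POLICY, CREATE_WORKSPACE_CONSOLE_ACTIONS)
    print("Actions the console flow needs but the CLI-only policy lacks:")
    for action in gap:
        print("  ", action)
    print(json.dumps(least_privilege_policy(
        CREATE_WORKSPACE_CONSOLE_ACTIONS, "WorkSpacesConsoleCreate"), indent=2))
```

Running the script lists nine actions the constructed CLI-only policy lacks, starting with workspaces:DirectoryAccessManagement, which is exactly the console-only action that makes the create flow fail; the generated policy closes that gap without resorting to service-level wildcards such as ds:*. Because Resource and Condition are not evaluated, a policy that passes this check can still fail in the console if those elements are restrictive.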