本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Directory Service API 許可:動作、資源和條件參考
當您在設定 [存取控制](iam_auth_access.md#access_control) 並撰寫可連接到 IAM 身分 (以身分為基礎的政策) 的許可政策時,可以使用 [Directory Service API 許可:動作、資源和條件參考](#UsingWithDS_IAM_ResourcePermissions) 資料表作為參考。資料表中的每個 API 項目包含以下內容:
+ 每個 API 操作的名稱
+ 每個 API 操作的對應動作或動作,您可以在其中授予執行動作的許可
+ 您可以在其中授予許可 AWS 的資源
您要在政策的 `Action` 欄位中指定動作,並在政策的 `Resource` 欄位中指定資源值。若要指定動作,請使用後接 API 操作名稱的 `ds:` 字首 (例如,`ds:CreateDirectory`)。有些 AWS 應用程式可能需要在其政策`ds:UnauthorizeApplication`中使用非公有 Directory Service API 操作,例如 `ds:AuthorizeApplication`、`ds:CheckAlias`、`ds:UpdateAuthorizedApplication`、、 `ds:CreateIdentityPoolDirectory` `ds:GetAuthorizedApplicationDetails`和 。
有些 Directory Service APIs只能透過 呼叫 AWS 管理主控台。它們不是公有 APIs,因此無法以程式設計方式呼叫,而且不是由任何 SDK 提供。他們接受使用者登入資料。這些 API 操作包括 `ds:DisableRoleAccess`、 `ds:EnableRoleAccess`和 `ds:UpdateDirectory`。
您可以在 Directory Service 和 Directory Service Data 政策中使用 AWS 全域條件金鑰來表達條件。如需 AWS 金鑰的完整清單,請參閱《*IAM 使用者指南*》中的[可用全域條件金鑰](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys)。
## Directory Service 動作的 API 和必要許可
| Directory Service API 操作 | 所需許可 (API 動作) | Resources |
| --- | --- | --- |
| [AcceptSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AcceptSharedDirectory.html) | ds:AcceptSharedDirectory | \$1 |
| [AddIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddIpRoutes.html) | `ds:AddIpRoutes` `ec2:DescribeSecurityGroup` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` | \$1 |
| [AddTagsToResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddTagsToResource.html) | ds:AddTagsToResource`ec2:CreateTags` | \$1 |
| [CancelSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CancelSchemaExtension.html) | ds:CancelSchemaExtension | \$1 |
| [ConnectDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ConnectDirectory.html) | `ds:ConnectDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateAlias](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateAlias.html) | `ds:CreateAlias` | \$1 |
| [CreateComputer](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateComputer.html) | `ds:CreateComputer` | \$1 |
| [CreateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateConditionalForwarder.html) | `ds:CreateConditionalForwarder` | \$1 |
| [CreateDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateDirectory.html) | `ds:CreateDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateLogSubscription.html) | ds:CreateLogSubscription | \$1 |
| [CreateMicrosoftAD](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateMicrosoftAD.html) | `ds:CreateMicrosoftAD` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:RevokeSecurityGroupEgress` `ec2:CreateTags` | \$1 |
| [CreateSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateSnapshot.html) | `ds:CreateSnapshot` | \$1 |
| [CreateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateTrust.html) | `ds:CreateTrust` | \$1 |
| [DeleteConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html) | `ds:DeleteConditionalForwarder` | \$1 |
| [DeleteDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteDirectory.html) | `ds:DeleteDirectory` `ec2:DescribeNetworkInterfaces` `ec2:DeleteSecurityGroup` `ec2:DeleteNetworkInterface` `ec2:RevokeSecurityGroupIngress` `ec2:RevokeSecurityGroupEgress` `ec2:DeleteTags` | \$1 |
| [DeleteLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteLogSubscription.html) | ds:DeleteLogSubscription | \$1 |
| [DeleteSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteSnapshot.html) | `ds:DeleteSnapshot` | \$1 |
| [DeleteTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteTrust.html) | `ds:DeleteTrust` | \$1 |
| [DeregisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeregisterEventTopic.html) | `ds:DeregisterEventTopic` | \$1 |
| [DescribeConditionalForwarders](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html) | `ds:DescribeConditionalForwarders` | \$1 |
| [DescribeDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html) | `ds:DescribeDirectories` | \$1 |
| [DescribeDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDomainControllers.html) | ds:DescribeDomainControllers | \$1 |
| [DescribeEventTopics](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeEventTopics.html) | `ds:DescribeEventTopics` | \$1 |
| [DescribeSharedDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSharedDirectories.html) | ds:DescribeSharedDirectories | \$1 |
| [DescribeSnapshots](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSnapshots.html) | `ds:DescribeSnapshots` | \$1 |
| [DescribeTrusts](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeTrusts.html) | `ds:DescribeTrusts` | \$1 |
| [DisableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableRadius.html) | `ds:DisableRadius` | \$1 |
| [DisableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableSso.html) | `ds:DisableSso` | \$1 |
| [EnableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableRadius.html) | `ds:EnableRadius` | \$1 |
| [EnableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableSso.html) | `ds:EnableSso` | \$1 |
| [GetDirectoryLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetDirectoryLimits.html) | `ds:GetDirectoryLimits` | \$1 |
| [GetSnapshotLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetSnapshotLimits.html) | `ds:GetSnapshotLimits` | \$1 |
| [ListIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListIpRoutes.html) | `ds:ListIpRoutes` | \$1 |
| [ListLogSubscriptions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListLogSubscriptions.html) | ds:ListLogSubscriptions | \$1 |
| [ListSchemaExtensions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListSchemaExtensions.html) | `ds:ListSchemaExtensions` | \$1 |
| [ListTagsForResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListTagsForResource.html) | `ds:ListTagsForResource` | \$1 |
| [RegisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RegisterEventTopic.html) | `ds:RegisterEventTopic` `sns:GetTopicAttributes` | \$1 |
| [RejectSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RejectSharedDirectory.html) | ds:RejectSharedDirectory | \$1 |
| [RemoveIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveIpRoutes.html) | `ds:RemoveIpRoutes` | \$1 |
| [RemoveTagsFromResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveTagsFromResource.html) | `ds:RemoveTagsFromResource` `ec2:DeleteTags` | \$1 |
| [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html) | ds:ResetUserPassword | \$1 |
| [RestoreFromSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RestoreFromSnapshot.html) | `ds:RestoreFromSnapshot` | \$1 |
| [ShareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ShareDirectory.html) | `ds:ShareDirectory` `organizations:DescribeAccount` `organizations:DescribeOrganization` `organizations:ListAWSServiceAccessForOrganization` | \$1 |
| [StartSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_StartSchemaExtension.html) | `ds:StartSchemaExtension` | \$1 |
| [UnshareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UnshareDirectory.html) | ds:UnshareDirectory | \$1 |
| [UpdateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html) | `ds:UpdateConditionalForwarder` | \$1 |
| [UpdateNumberOfDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html) | `ds:UpdateNumberOfDomainControllers` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:DeleteNetworkInterface` | \$1 |
| [UpdateRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateRadius.html) | `ds:UpdateRadius` | \$1 |
| [UpdateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateTrust.html) | ds:UpdateTrust | \$1 |
| [VerifyTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_VerifyTrust.html) | `ds:VerifyTrust` | \$1 |
## AWS Directory Service Data API 和動作的必要許可
**注意**
若要指定動作,請使用 `ds-data:`字首,後面接著 API 操作的名稱 (例如,`ds-data:AddGroupMember`)。
| Directory Service Data API 操作 | 所需許可 (API 動作) | Resources |
| --- | --- | --- |
| [AddGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_AddGroupMember.html) | `ds-data:AddGroupMember` | \$1 |
| [CreateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html) | `ds-data:CreateGroup` | \$1 |
| [CreateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html) | `ds-data:CreateUser` | \$1 |
| [DeleteGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DeleteGroup.html) | `ds-data:DeleteGroup` | \$1 |
| [DeleteUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/DeleteUser.html) | `ds-data:DeleteUser` | \$1 |
| [DescribeGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeGroup.html) | `ds-data:DescribeGroup` | \$1 |
| [DescribeUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeUser.html) | `ds-data:DescribeUser` | \$1 |
| [DisableUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DisableUser.html) | `ds-data:DisableUser` | \$1 |
| [ListGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroups.html) | `ds-data:ListGroups` | \$1 |
| [ListGroupMembers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupMembers.html) | `ds-data:ListGroupMembers` | \$1 |
| [ListGroupsForMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupsForMember.html) | `ds-data:ListGroupsForMember` | \$1 |
| [ListUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListUsers.html) | `ds-data:ListUsers` | \$1 |
| [RemoveGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_RemoveGroupMember.html) | `ds-data:RemoveGroupMember` | \$1 |
| [SearchGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchGroups.html) | `ds-data:DescribeGroup` `ds-data:SearchGroups` | \$1 |
| [SearchUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchUsers.html) | `ds-data:DescribeUser` `ds-data:SearchUsers` | \$1 |
| [UpdateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateGroup.html) | `ds-data:UpdateGroup` | \$1 |
| [UpdateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateUser.html) | `ds-data:UpdateUser` | \$1 |
## 相關主題
+ [存取控制](iam_auth_access.md#access_control)