

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Amazon DocumentDB API permissions: actions, resources, and condition keys reference
<a name="UsingWithRDS.IAM.ResourcePermissions"></a>

Use the following sections as a reference when you set up [Using identity-based policies (IAM policies) for Amazon DocumentDB](UsingWithRDS.IAM.AccessControl.IdentityBased.md) and write the permissions policies (identity-based policies) that you can attach to IAM identities.

Each Amazon DocumentDB API operation is listed below, together with the action for which you can grant permission to perform the operation, the AWS resource for which you can grant that permission, and the condition keys you can include for fine-grained access control. You specify the action in the `Action` field of the policy, the resource value in the `Resource` field, and the conditions in the `Condition` field. For more information about conditions, see [Specifying conditions in a policy](UsingWithRDS.IAM.AccessControl.Overview.md#SpecifyingIAMPolicyConditions-RDS).

You can use AWS global condition keys to express conditions in Amazon DocumentDB policies. For a complete list of AWS-wide keys, see [Available keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

You can test IAM policies with the IAM policy simulator. It automatically provides the list of resources and parameters required for each action, including Amazon DocumentDB actions, and determines the permissions that each action you specify requires. For information about the IAM policy simulator, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `rds:` prefix followed by the API operation name (for example, `rds:CreateDBInstance`).

The Amazon RDS API operations and their corresponding actions, resources, and condition keys are listed below.

**Topics**
+ [Amazon DocumentDB actions that support resource-level permissions](#UsingWithRDS.IAM.ResourceLevelPermissions)
+ [Amazon DocumentDB actions that do not support resource-level permissions](#UsingWithRDS.IAM.UnsupportedResourceLevelPermissions)

## Amazon DocumentDB actions that support resource-level permissions
<a name="UsingWithRDS.IAM.ResourceLevelPermissions"></a>

Resource-level permissions let you specify the resources on which users are allowed to perform actions. Amazon DocumentDB partially supports resource-level permissions. This means that for some Amazon DocumentDB actions, you can control when users are allowed to use those actions, based on conditions that must be met or on the specific resources users are allowed to use. For example, you can grant a user permission to modify only a particular instance.

The Amazon DocumentDB API operations and their corresponding actions, resources, and condition keys are listed below.

**Note**  
For some management features, Amazon DocumentDB uses operational technology that is shared with Amazon RDS. For more information about Amazon DocumentDB actions and permissions, see [Actions, resources, and condition keys for Amazon RDS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html) in the *Service Authorization Reference*.

<a name="actions-related-to-objects-table"></a>

- **[AddTagsToResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_AddTagsToResource.html) `rds:AddTagsToResource`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ApplyPendingMaintenanceAction](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ApplyPendingMaintenanceAction.html) `rds:ApplyPendingMaintenanceAction`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`

- **[CopyDBClusterSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CopyDBClusterSnapshot.html) `rds:CopyDBClusterSnapshot`**
  - **Resource:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[CreateDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBCluster.html) `rds:CreateDBCluster`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[CreateDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBClusterParameterGroup.html) `rds:CreateDBClusterParameterGroup`**
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[CreateDBClusterSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBClusterSnapshot.html) `rds:CreateDBClusterSnapshot`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resource:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[CreateDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBInstance.html) `rds:CreateDBInstance`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:DatabaseClass`, `rds:db-tag`
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`

- **[CreateDBSubnetGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBSubnetGroup.html) `rds:CreateDBSubnetGroup`**
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[DeleteDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DeleteDBInstance.html) `rds:DeleteDBInstance`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`

- **[DeleteDBSubnetGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DeleteDBSubnetGroup.html) `rds:DeleteDBSubnetGroup`**
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[DescribeDBClusterParameterGroups](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterParameterGroups.html) `rds:DescribeDBClusterParameterGroups`**
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[DescribeDBClusterParameters](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterParameters.html) `rds:DescribeDBClusterParameters`**
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[DescribeDBClusters](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusters.html) `rds:DescribeDBClusters`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`

- **[DescribeDBClusterSnapshotAttributes](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterSnapshotAttributes.html) `rds:DescribeDBClusterSnapshotAttributes`**
  - **Resource:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[DescribeDBSubnetGroups](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBSubnetGroups.html) `rds:DescribeDBSubnetGroups`**
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[DescribePendingMaintenanceActions](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribePendingMaintenanceActions.html) `rds:DescribePendingMaintenanceActions`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:DatabaseClass`, `rds:db-tag`

- **[FailoverDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_FailoverDBCluster.html) `rds:FailoverDBCluster`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`

- **[ListTagsForResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ListTagsForResource.html) `rds:ListTagsForResource`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ModifyDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBCluster.html) `rds:ModifyDBCluster`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[ModifyDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterParameterGroup.html) `rds:ModifyDBClusterParameterGroup`**
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[ModifyDBClusterSnapshotAttribute](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterSnapshotAttribute.html) `rds:ModifyDBClusterSnapshotAttribute`**
  - **Resource:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[ModifyDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBInstance.html) `rds:ModifyDBInstance`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:DatabaseClass`, `rds:db-tag`

- **[RebootDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RebootDBInstance.html) `rds:RebootDBInstance`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`

- **[RemoveTagsFromResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RemoveTagsFromResource.html) `rds:RemoveTagsFromResource`**
  - **Resource:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ResetDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ResetDBClusterParameterGroup.html) `rds:ResetDBClusterParameterGroup`**
  - **Resource:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[RestoreDBClusterFromSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RestoreDBClusterFromSnapshot.html) `rds:RestoreDBClusterFromSnapshot`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resource:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[RestoreDBClusterToPointInTime](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RestoreDBClusterToPointInTime.html) `rds:RestoreDBClusterToPointInTime`**
  - **Resource:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resource:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

## Amazon DocumentDB actions that do not support resource-level permissions
<a name="UsingWithRDS.IAM.UnsupportedResourceLevelPermissions"></a>

You can use an IAM policy to grant or deny a user permission to use any Amazon DocumentDB action. However, not all Amazon DocumentDB actions support resource-level permissions, which let you specify the resources on which an action can be performed. The following Amazon DocumentDB API actions currently do not support resource-level permissions. Therefore, to use these actions in an IAM policy, you must grant the user permission to use the action on all resources by specifying the `*` wildcard in the `Resource` element of your statement.
+ `rds:DescribeDBClusterSnapshots`
+ `rds:DescribeDBInstances`
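As an added example (not part of the original page or of any AWS tool), the following Python script embeds a constructed sample policy and checks it against the two rules this page states: an action from the list just above must be granted on `Resource` `"*"`, because a narrower ARN never matches and the statement silently grants nothing; and a tag condition key such as `rds:db-tag` applies only to the ARN type it is listed with in the per-action entries above. The account id, region, resource names and `Sid` values are placeholders; the checker functions are hypothetical helpers written for this example.

```python
import json
from fnmatch import fnmatchcase

# Actions this page lists as not supporting resource-level permissions.
# A statement naming them must use Resource "*"; any narrower ARN never
# matches, so an Allow grants nothing and a Deny blocks nothing.
NO_RESOURCE_LEVEL = {
    "rds:DescribeDBClusterSnapshots",
    "rds:DescribeDBInstances",
}

# ARN resource type -> tag condition key that applies to it, taken from
# the per-action entries on this page.
TAG_KEY_FOR_ARN_TYPE = {
    "db": "rds:db-tag",
    "cluster": "rds:cluster-tag",
    "cluster-snapshot": "rds:cluster-snapshot-tag",
    "cluster-pg": "rds:cluster-pg-tag",
    "subgrp": "rds:subgrp-tag",
}

# Constructed sample policy (placeholder account, region and names).
# Statement 1 is well formed; statement 2 grants the wildcard-only actions
# correctly; statement 3 is deliberately wrong in two ways: it scopes
# Describe* actions to one instance ARN and pairs a cluster tag key with a
# db ARN.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyOnlyTaggedInstance",
      "Effect": "Allow",
      "Action": "rds:ModifyDBInstance",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:example-instance",
      "Condition": {"StringEquals": {"rds:db-tag/Environment": "staging"}}
    },
    {
      "Sid": "DescribeNeedsWildcard",
      "Effect": "Allow",
      "Action": ["rds:DescribeDBInstances", "rds:DescribeDBClusterSnapshots"],
      "Resource": "*"
    },
    {
      "Sid": "BrokenDescribeScope",
      "Effect": "Allow",
      "Action": "rds:Describe*",
      "Resource": "arn:aws:rds:us-east-1:123456789012:db:example-instance",
      "Condition": {"StringEquals": {"rds:cluster-tag/Environment": "staging"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_misscoped_statements(policy):
    """Return (Sid, action) pairs where an action without resource-level
    support is granted on something narrower than "*". Action patterns
    such as "rds:Describe*" are expanded with glob matching."""
    findings = []
    for stmt in policy["Statement"]:
        if "*" in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in sorted(NO_RESOURCE_LEVEL):
                if fnmatchcase(action, pattern):
                    findings.append((stmt.get("Sid"), action))
    return findings


def find_condition_key_mismatches(policy):
    """Return (Sid, condition key, ARN type) triples where a tag condition
    key is paired with an ARN of a resource type it does not apply to."""
    findings = []
    tag_keys = set(TAG_KEY_FOR_ARN_TYPE.values())
    for stmt in policy["Statement"]:
        keys = [k for op in stmt.get("Condition", {}).values() for k in op]
        for resource in _as_list(stmt.get("Resource")):
            parts = resource.split(":")
            if len(parts) < 7:  # "*" or a malformed ARN: nothing to compare
                continue
            arn_type = parts[5]
            expected = TAG_KEY_FOR_ARN_TYPE.get(arn_type)
            for key in keys:
                prefix = key.split("/", 1)[0]  # "rds:db-tag/Env" -> "rds:db-tag"
                if prefix in tag_keys and prefix != expected:
                    findings.append((stmt.get("Sid"), key, arn_type))
    return findings


if __name__ == "__main__":
    for sid, action in find_misscoped_statements(SAMPLE_POLICY):
        print(f'{sid}: {action} needs Resource "*"')
    for sid, key, arn_type in find_condition_key_mismatches(SAMPLE_POLICY):
        print(f"{sid}: {key} does not apply to {arn_type} ARNs")
```

Run the script as-is to see the two findings for `BrokenDescribeScope`; `ModifyOnlyTaggedInstance` and `DescribeNeedsWildcard` pass. The checks only look at `Action` and `Resource`; statements written with `NotAction` or `NotResource` are not evaluated, and the authoritative answer for any policy remains the IAM policy simulator mentioned earlier on this page.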