本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 亚马逊 VPC 莱迪思 API 权限
<a name="additional-api-permissions"></a>

您必须授予 IAM 身份（如用户或角色）调用所需 VPC Lattice API 操作的权限，如 [VPC Lattice 的策略操作](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-actions) 中所述。此外，对于某些 VPC Lattice 操作，您必须授予 IAM 身份从其他 AWS APIs身份调用特定操作的权限。

## API 所需的权限
<a name="required-API-permissions"></a>

从 API 调用以下操作时，必须授予 IAM 用户调用指定操作的权限。

`CreateResourceConfiguration`  
+ `vpc-lattice:CreateResourceConfiguration`
+ `ec2:DescribeSubnets`
+ `rds:DescribeDBInstances`
+ `rds:DescribeDBClusters`

`CreateResourceGateway`  
+ `vpc-lattice:CreateResourceGateway`
+ `ec2:AssignPrivateIpAddresses`
+ `ec2:AssignIpv6Addresses`
+ `ec2:CreateNetworkInterface`
+ `ec2:CreateNetworkInterfacePermission`
+ `ec2:DeleteNetworkInterface`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`

`DeleteResourceGateway`  
+ `vpc-lattice:DeleteResourceGateway`
+ `ec2:DeleteNetworkInterface`

`UpdateResourceGateway`  
+ `vpc-lattice:UpdateResourceGateway`
+ `ec2:AssignPrivateIpAddresses`
+ `ec2:AssignIpv6Addresses`
+ `ec2:UnassignPrivateIpAddresses`
+ `ec2:CreateNetworkInterface`
+ `ec2:CreateNetworkInterfacePermission`
+ `ec2:DeleteNetworkInterface`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `ec2:ModifyNetworkInterfaceAttribute`

`CreateServiceNetworkResourceAssociation`  
+ `vpc-lattice:CreateServiceNetworkResourceAssociation`
+ `ec2:AssignIpv6Addresses`
+ `ec2:CreateNetworkInterface`
+ `ec2:CreateNetworkInterfacePermission`
+ `ec2:DescribeNetworkInterfaces`

`CreateServiceNetworkVpcAssociation`  
+ `vpc-lattice:CreateServiceNetworkVpcAssociation`
+ `ec2:DescribeVpcs`
+ `ec2:DescribeSecurityGroups`（仅在提供安全组时才需要）

`UpdateServiceNetworkVpcAssociation`  
+ `vpc-lattice:UpdateServiceNetworkVpcAssociation`
+ `ec2:DescribeSecurityGroups`（仅在提供安全组时才需要）

`CreateTargetGroup`  
+ `vpc-lattice:CreateTargetGroup`
+ `ec2:DescribeVpcs`

`RegisterTargets`  
+ `vpc-lattice:RegisterTargets`
+ `ec2:DescribeInstances`（仅当目标组类型为 `INSTANCE` 时才需要）
+ `ec2:DescribeVpcs`（仅当目标组类型为 `INSTANCE` 或 `IP` 时才需要）
+ `ec2:DescribeSubnets`（仅当目标组类型为 `INSTANCE` 或 `IP` 时才需要）
+ `lambda:GetFunction`（仅当目标组类型为 `LAMBDA` 时才需要）
+ `lambda:AddPermission`（仅当目标组还没有调用指定 Lambda 函数的权限时才需要）

`DeregisterTargets`  
+ `vpc-lattice:DeregisterTargets`

`CreateAccessLogSubscription`  
+ `vpc-lattice:CreateAccessLogSubscription`
+ `logs:GetLogDelivery`
+ `logs:CreateLogDelivery`

`DeleteAccessLogSubscription`  
+ `vpc-lattice:DeleteAccessLogSubscription`
+ `logs:DeleteLogDelivery`

`UpdateAccessLogSubscription`  
+ `vpc-lattice:UpdateAccessLogSubscription`
+ `logs:UpdateLogDelivery`