


# Amazon WorkSpaces console operation permissions reference
<a name="wsp-console-permissions-ref"></a>

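Some Amazon WorkSpaces APIs can be called only through the AWS Management Console. They are not public APIs, cannot be called programmatically, and are not provided by any SDK. These API operations include: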
+ workspaces:DirectoryAccessManagement
+ workspaces:CreateRootClientCertificate
+ workspaces:UpdateRootClientCertificate
+ workspaces:DeleteRootClientCertificate
+ workspaces:DescribeConsent
+ workspaces:UpdateConsent

## WorkSpaces console operations and required action permissions
<a name="wsp-console-operations"></a>

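The console uses additional API operations to implement its features, so permissions for the WorkSpaces public APIs alone may not be sufficient. For example, a user who is allowed to use the [CreateWorkspaces](https://docs.aws.amazon.com/workspaces/latest/api/API_CreateWorkspaces.html) API through the CLI/SDK may encounter errors when trying to create a WorkSpace in the console, because they lack some of the permissions needed to select or create users. The following table lists features that are available only in the WorkSpaces console, along with the additional permissions required to allow users to use those specific parts of the console.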

The [example policies](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#workspaces-example-iam-policies) section provides the list of permissions required to perform all WorkSpaces tasks for Personal, Pools, and BYOL WorkSpaces.

Alternatively, you can use granular permissions to apply least-privilege permissions for a specific task.

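The following table lists WorkSpaces console features that depend on APIs not provided by the SDK, along with the permissions required to allow users to use those specific parts of the console. These permissions should be added on top of the actions required for the APIs that the SDK does provide.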


| WorkSpaces console operation | Required permissions | 
| --- | --- | 
|  [WorkSpaces Personal quick setup](https://docs.aws.amazon.com/workspaces/latest/adminguide/managing-wsp-personal.html#getting-started)  |  workspaces:DirectoryAccessManagement ds:\* ec2:CreateVpc ec2:CreateSubnet ec2:CreateNetworkInterface ec2:CreateInternetGateway ec2:CreateRouteTable ec2:CreateRoute ec2:CreateTags ec2:CreateSecurityGroup ec2:DescribeInternetGateways ec2:DescribeSecurityGroups ec2:DescribeRouteTables ec2:DescribeVpcs ec2:DescribeSubnets ec2:DescribeNetworkInterfaces ec2:DescribeAvailabilityZones ec2:AttachInternetGateway ec2:AssociateRouteTable ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress iam:CreateRole iam:GetRole iam:PutRolePolicy workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:RegisterWorkspaceDirectory workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaces  | 
|  [Restrict WorkSpaces Personal access to trusted devices](https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html#configure-restriction)  |  workspaces:CreateRootClientCertificate workspaces:UpdateRootClientCertificate workspaces:DeleteRootClientCertificate ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:DirectoryAccessManagement  | 
|  [Create a WorkSpace in the WorkSpaces Personal console](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-workspaces-personal.html) – create/search/describe Directory Service directory users  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:CreateWorkspaces workspaces:DescribeWorkspaces workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaceBundles workspaces:DescribeTags workspaces:CreateTags workspaces:DescribeClientProperties kms:ListKeys kms:ListAliases kms:DescribeKey ds:DescribeTrusts ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups  | 
|  [Manage users in WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/manage-workspaces-users.html) – edit users and send invitation emails to users  |  workspaces:DirectoryAccessManagement workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaces workspaces:DescribeTags workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspacesConnectionStatus workspaces:DescribeWorkspaceAssociations workspaces:DescribeWorkspaceSnapshots workspaces:DescribeWorkspaceImages workspaces:DescribeConnectionAliases  | 
|  [Update the AD Connector account for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/connect-account.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ds:UpdateDirectory ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins  | 
|  [Select an organizational unit for WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/select-ou.html)  |  workspaces:DirectoryAccessManagement ds:DescribeDirectories ec2:DescribeSubnets ec2:DescribeSecurityGroups workspaces:DescribeAccount workspaces:DescribeWorkspaceDirectories workspaces:DescribeTags workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddins workspaces:ModifyWorkspaceCreationProperties  | 
|  [Enable BYOL account](https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html) – acknowledge the requirements for using BYOL WorkSpaces  |  workspaces:DescribeConsent workspaces:UpdateConsent workspaces:DescribeAccount workspaces:ListAccountLinks workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaceImages workspaces:DescribeWorkspaceDirectories  | 
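
The following is an added example, not part of the AWS documentation: a Python check that reports which actions from a table row an IAM policy document does not yet allow, which is useful when scoping a least-privilege console role. The task keys, function names and sample policy are constructed for illustration, and the check is deliberately simplified: it reads only the `Action` of `Allow` statements and ignores `Deny`, `NotAction`, `Resource` and `Condition`.

```python
import fnmatch

# Required actions copied from two rows of the table above (task keys are made up).
CONSOLE_TASKS = {
    "trusted-devices": [
        "workspaces:CreateRootClientCertificate", "workspaces:UpdateRootClientCertificate",
        "workspaces:DeleteRootClientCertificate", "ds:DescribeDirectories",
        "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "workspaces:DescribeAccount",
        "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeTags",
        "workspaces:DescribeClientProperties", "workspaces:DescribeConnectClientAddins",
        "workspaces:DirectoryAccessManagement",
    ],
    "enable-byol": [
        "workspaces:DescribeConsent", "workspaces:UpdateConsent", "workspaces:DescribeAccount",
        "workspaces:ListAccountLinks", "workspaces:DescribeWorkspaceBundles",
        "workspaces:DescribeWorkspaceImages", "workspaces:DescribeWorkspaceDirectories",
    ],
}

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from the policy's Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):        # Action may be a string or a list
            actions = [actions]
        patterns.extend(action.lower() for action in actions)
    return patterns

def missing_actions(policy, task):
    """Return the task's required actions that no Allow pattern covers (wildcards honoured)."""
    patterns = allowed_patterns(policy)
    return [action for action in CONSOLE_TASKS[task]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)]

# Constructed sample: enough for describe calls and CreateWorkspaces via CLI/SDK.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["workspaces:Describe*", "workspaces:CreateWorkspaces"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ds:DescribeDirectories"},
]}

if __name__ == "__main__":
    for task in CONSOLE_TASKS:
        print(task, "missing:", missing_actions(SAMPLE_POLICY, task))
```

Note that the `workspaces:Describe*` wildcard in the sample policy also grants the console-only `workspaces:DescribeConsent` action, so wildcard statements should be reviewed against the console-only list at the top of this page.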