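AliyunCSManagedKubernetesRolePolicy is an authorization policy dedicated to a service role. In most cases, the policy is attached to the service role when the role is created, which authorizes the service role to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service role: several of its statements allow write actions (for example, ecs:StopInstance, ecs:ReplaceSystemDisk and slb:DeleteLoadBalancer) on all resources ("Resource": "*"), so any other identity it is attached to would receive the same broad permissions.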
Policy details
Type: service system policy
Creation time: 11:11:48 on October 18, 2024
Update time: 11:11:48 on October 18, 2024
Current version: v1
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:Describe*",
"ecs:CreateRouteEntry",
"ecs:DeleteRouteEntry",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:ModifyInstanceAttribute",
"ecs:AttachKeyPair",
"ecs:StopInstance",
"ecs:StartInstance",
"ecs:ReplaceSystemDisk"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"slb:Describe*",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveBackendServers",
"slb:AddBackendServers",
"slb:RemoveTags",
"slb:AddTags",
"slb:TagResources",
"slb:UnTagResources",
"slb:ListTagResources",
"slb:StopLoadBalancerListener",
"slb:StartLoadBalancerListener",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerTCPListener",
"slb:CreateLoadBalancerUDPListener",
"slb:DeleteLoadBalancerListener",
"slb:CreateVServerGroup",
"slb:DescribeVServerGroups",
"slb:DeleteVServerGroup",
"slb:SetVServerGroupAttribute",
"slb:DescribeVServerGroupAttribute",
"slb:ModifyVServerGroupBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:SetLoadBalancerModificationProtection",
"slb:SetLoadBalancerDeleteProtection",
"slb:SetLoadBalancerName",
"slb:ModifyLoadBalancerInstanceChargeType",
"slb:RemoveVServerGroupBackendServers"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:Describe*",
"vpc:DeleteRouteEntry",
"vpc:CreateRouteEntry"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"log:CreateProject",
"log:GetProject",
"log:GetProductDataCollection",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:GetLogStoreHistogram",
"log:AnalyzeProductLog",
"log:CreateIndex",
"log:UpdateIndex",
"log:DeleteIndex",
"log:CreateLogStore",
"log:UpdateLogStore",
"log:DeleteLogStore",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:SetGeneralDataAccessConfig"
],
"Resource": [
"acs:log:*:*:project/*/logstore/alb_*",
"acs:log:*:*:project/*/savedsearch/*",
"acs:log:*:*:project/*/dashboard/*",
"acs:alb:*:*:loadbalancer/*",
"acs:log:*:*:resource/sls.general_data_access.alb.global_conf.standard_channel/record"
],
"Effect": "Allow"
},
{
"Action": [
"alb:EnableLoadBalancerIpv6Internet",
"alb:DisableLoadBalancerIpv6Internet",
"alb:CreateAcl",
"alb:DeleteAcl",
"alb:ListAcls",
"alb:ListAclRelations",
"alb:AddEntriesToAcl",
"alb:AssociateAclsWithListener",
"alb:ListAclEntries",
"alb:RemoveEntriesFromAcl",
"alb:DissociateAclsFromListener",
"alb:TagResources",
"alb:UnTagResources",
"alb:ListServerGroups",
"alb:ListServerGroupServers",
"alb:AddServersToServerGroup",
"alb:RemoveServersFromServerGroup",
"alb:ReplaceServersInServerGroup",
"alb:CreateLoadBalancer",
"alb:DeleteLoadBalancer",
"alb:UpdateLoadBalancerAttribute",
"alb:UpdateLoadBalancerEdition",
"alb:EnableLoadBalancerAccessLog",
"alb:DisableLoadBalancerAccessLog",
"alb:EnableDeletionProtection",
"alb:DisableDeletionProtection",
"alb:ListLoadBalancers",
"alb:GetLoadBalancerAttribute",
"alb:ListListeners",
"alb:CreateListener",
"alb:GetListenerAttribute",
"alb:UpdateListenerAttribute",
"alb:ListListenerCertificates",
"alb:AssociateAdditionalCertificatesWithListener",
"alb:DissociateAdditionalCertificatesFromListener",
"alb:DeleteListener",
"alb:CreateRule",
"alb:DeleteRule",
"alb:UpdateRuleAttribute",
"alb:CreateRules",
"alb:UpdateRulesAttribute",
"alb:DeleteRules",
"alb:ListRules",
"alb:UpdateListenerLogConfig",
"alb:CreateServerGroup",
"alb:DeleteServerGroup",
"alb:UpdateServerGroupAttribute",
"alb:UpdateLoadBalancerAddressTypeConfig",
"alb:AttachCommonBandwidthPackageToLoadBalancer",
"alb:DetachCommonBandwidthPackageFromLoadBalancer",
"alb:UpdateServerGroupServersAttribute",
"alb:MoveResourceGroup",
"alb:DescribeZones"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nlb:TagResources",
"nlb:UnTagResources",
"nlb:ListTagResources",
"nlb:CreateLoadBalancer",
"nlb:DeleteLoadBalancer",
"nlb:GetLoadBalancerAttribute",
"nlb:ListLoadBalancers",
"nlb:UpdateLoadBalancerAttribute",
"nlb:UpdateLoadBalancerAddressTypeConfig",
"nlb:UpdateLoadBalancerZones",
"nlb:CreateListener",
"nlb:DeleteListener",
"nlb:ListListeners",
"nlb:UpdateListenerAttribute",
"nlb:StopListener",
"nlb:StartListener",
"nlb:GetListenerAttribute",
"nlb:GetListenerHealthStatus",
"nlb:CreateServerGroup",
"nlb:DeleteServerGroup",
"nlb:UpdateServerGroupAttribute",
"nlb:AddServersToServerGroup",
"nlb:RemoveServersFromServerGroup",
"nlb:UpdateServerGroupServersAttribute",
"nlb:ListServerGroups",
"nlb:ListServerGroupServers",
"nlb:LoadBalancerLeaveSecurityGroup",
"nlb:LoadBalancerJoinSecurityGroup",
"nlb:DisableLoadBalancerIpv6Internet",
"nlb:EnableLoadBalancerIpv6Internet",
"nlb:UpdateLoadBalancerProtection",
"nlb:AttachCommonBandwidthPackageToLoadBalancer",
"nlb:DetachCommonBandwidthPackageFromLoadBalancer",
"nlb:GetJobStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricLast",
"cms:DescribeMetricMetaList",
"cms:DescribeMetricTop",
"cms:QueryMetricData",
"cms:QueryMetricLast",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:MetricMeta"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"alb.aliyuncs.com",
"audit.log.aliyuncs.com",
"nlb.aliyuncs.com",
"logdelivery.alb.aliyuncs.com"
]
}
}
},
{
"Action": [
"yundun-cert:CreateSSLCertificateWithName",
"yundun-cert:DeleteSSLCertificate",
"yundun-cert:DescribeSSLCertificateList",
"yundun-cert:DescribeSSLCertificatePublicKeyDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cr:Get*",
"cr:List*",
"cr:PullRepository"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "eipaccess.slb.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "middlewarelens.log.aliyuncs.com"
}
}
}
]
}