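AliyunCSServerlessKubernetesRolePolicy is an authorization policy dedicated to a service role. In most cases, the policy is attached to the service role when the role is created, which authorizes the service role to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service role: as the policy content below shows, it allows ram:PassRole, eci:ExecContainerCommand, and create and delete actions in SLB, PrivateZone, ECI and Log Service on all resources ("Resource": "*"), which is much broader than a RAM user or an ordinary role normally needs.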
Policy details
Type: service system policy
Creation time: 11:11:57 on October 18, 2024
Update time: 11:11:57 on October 18, 2024
Current version: v1
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"cs:ListClusterAddonInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:GetManagedPrometheusStatus",
"arms:InstallManagedPrometheus",
"arms:UninstallManagedPrometheus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"vpc:AssociateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AllocateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:AddCommonBandwidthPackageIp",
"vpc:RemoveCommonBandwidthPackageIp"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeSecurityGroups",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfaces",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:Describe*",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:RemoveBackendServers",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DeleteLoadBalancerListener",
"slb:CreateLoadBalancerTCPListener",
"slb:AddBackendServers*",
"slb:UploadServerCertificate",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerUDPListener",
"slb:ModifyLoadBalancerInternetSpec",
"slb:CreateRules",
"slb:DeleteRules",
"slb:SetRule",
"slb:CreateVServerGroup",
"slb:SetVServerGroupAttribute",
"slb:AddVServerGroupBackendServers",
"slb:RemoveVServerGroupBackendServers",
"slb:ModifyVServerGroupBackendServers",
"slb:DeleteVServerGroup",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:AddTags"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:DeleteZone",
"pvtz:DescribeZones",
"pvtz:DescribeZoneInfo",
"pvtz:BindZoneVpc",
"pvtz:AddZoneRecord",
"pvtz:DeleteZoneRecord",
"pvtz:DeleteZoneRecordsByRR",
"pvtz:DescribeZoneRecordsByRR",
"pvtz:DescribeZoneRecords"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cr:Get*",
"cr:List*",
"cr:PullRepository"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eci:CreateContainerGroup",
"eci:DeleteContainerGroup",
"eci:DescribeContainerGroups",
"eci:DescribeContainerGroupStatus",
"eci:DescribeContainerGroupEvents",
"eci:DescribeContainerLog",
"eci:UpdateContainerGroup",
"eci:UpdateContainerGroupByTemplate",
"eci:CreateContainerGroupFromTemplate",
"eci:RestartContainerGroup",
"eci:ExportContainerGroupTemplate",
"eci:DescribeContainerGroupMetaInfos",
"eci:DescribeContainerGroupMetric",
"eci:DescribeMultiContainerGroupMetric",
"eci:ResizeContainerGroupVolume",
"eci:ExecContainerCommand",
"eci:CreateImageCache",
"eci:DescribeImageCaches",
"eci:DeleteImageCache"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oss:GetObject",
"oss:GetObjectMeta"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"fc:CreateService",
"fc:ListServices",
"fc:GetService",
"fc:UpdateService",
"fc:DeleteService",
"fc:CreateFunction",
"fc:ListFunctions",
"fc:GetFunction",
"fc:GetFunctionCode",
"fc:UpdateFunction",
"fc:DeleteFunction",
"fc:CreateTrigger",
"fc:ListTriggers",
"fc:GetTrigger",
"fc:UpdateTrigger",
"fc:DeleteTrigger",
"fc:PublishServiceVersion",
"fc:ListServiceVersions",
"fc:DeleteServiceVersion",
"fc:CreateAlias",
"fc:ListAliases",
"fc:GetAlias",
"fc:UpdateAlias",
"fc:DeleteAlias"
],
"Resource": "acs:fc:*:*:services/*",
"Effect": "Allow"
},
{
"Action": [
"log:CreateProject",
"log:GetProject",
"log:DeleteProject",
"log:CreateLogStore",
"log:GetLogStore",
"log:UpdateLogStore",
"log:DeleteLogStore",
"log:CreateConfig",
"log:UpdateConfig",
"log:GetConfig",
"log:DeleteConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:GetMachineGroup",
"log:DeleteMachineGroup",
"log:ApplyConfigToGroup",
"log:GetAppliedMachineGroups",
"log:GetAppliedConfigs",
"log:RemoveConfigFromMachineGroup",
"log:CreateIndex",
"log:GetIndex",
"log:UpdateIndex",
"log:DeleteIndex",
"log:CreateSavedSearch",
"log:GetSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:CreateDashboard",
"log:GetDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:CreateJob",
"log:GetJob",
"log:DeleteJob",
"log:PostLogStoreLogs",
"log:UpdateJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "eci.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "eipaccess.slb.aliyuncs.com"
}
}
}
]
}