AliyunServiceRolePolicyForADBPG is an authorization policy dedicated to a service-linked role. The policy is automatically attached to the service-linked role when the role is created, and it authorizes that role to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service-linked role: most of its statements allow their actions on all resources ("Resource": "*"), including write actions such as ecs:AuthorizeSecurityGroup and rds:ModifySecurityIps.
Policy details
Type: service system policy
Creation time: 12:08:23 on August 10, 2020
Update time: 05:36:21 on January 13, 2026
Current version: v15
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:ModifySecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kms:Listkeys",
"kms:Listaliases",
"kms:ListResourceTags",
"kms:DescribeKey",
"kms:UntagResource",
"kms:TagResource",
"kms:DescribeAccountKmsStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEqualsIgnoreCase": {
"kms:tag/acs:adbpg:instance-encryption": "true"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "adbpg.aliyuncs.com"
}
}
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"alb:TagResources",
"alb:UnTagResources",
"alb:ListServerGroups",
"alb:ListServerGroupServers",
"alb:AddServersToServerGroup",
"alb:RemoveServersFromServerGroup",
"alb:ReplaceServersInServerGroup",
"alb:CreateLoadBalancer",
"alb:DeleteLoadBalancer",
"alb:UpdateLoadBalancerAttribute",
"alb:UpdateLoadBalancerEdition",
"alb:EnableLoadBalancerAccessLog",
"alb:DisableLoadBalancerAccessLog",
"alb:EnableDeletionProtection",
"alb:DisableDeletionProtection",
"alb:ListLoadBalancers",
"alb:GetLoadBalancerAttribute",
"alb:ListListeners",
"alb:CreateListener",
"alb:GetListenerAttribute",
"alb:UpdateListenerAttribute",
"alb:ListListenerCertificates",
"alb:AssociateAdditionalCertificatesWithListener",
"alb:DissociateAdditionalCertificatesFromListener",
"alb:DeleteListener",
"alb:CreateRule",
"alb:DeleteRule",
"alb:UpdateRuleAttribute",
"alb:CreateRules",
"alb:UpdateRulesAttribute",
"alb:DeleteRules",
"alb:ListRules",
"alb:CreateServerGroup",
"alb:DeleteServerGroup",
"alb:UpdateServerGroupAttribute",
"alb:DescribeZones"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeUserCertificateList",
"yundun-cert:DescribeUserCertificateDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"emr:GetCluster",
"emr:ListApplicationConfigs",
"emr:ListClusters",
"emr:ListNodes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDBInstanceIPArrayList",
"rds:DescribeDBInstanceNetInfo",
"rds:DescribeDBInstanceSSL",
"rds:DescribeDBInstances",
"rds:DescribeDatabases",
"rds:DescribeOssDownloads",
"rds:DescribeRegions",
"rds:DescribeResourceUsage",
"rds:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstanceAttribute",
"gpdb:DescribeDBInstances",
"gpdb:DescribeRegions",
"gpdb:DescribeDBInstanceIPArrayList",
"gpdb:DescribeDBClusterIPArrayList",
"gpdb:ModifySecurityIps",
"gpdb:DescribeDBInstanceNetInfo",
"gpdb:DescribeDBClusterPerformance",
"gpdb:ListStreamingDataServices",
"gpdb:CreateStreamingDataService",
"gpdb:DeleteStreamingDataService",
"gpdb:DescribeStreamingDataService"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeDBClusterIPArrayList",
"polardb:DescribeDBClusterNetInfo",
"polardb:DescribeDBClusters",
"polardb:DescribeRegions",
"polardb:DescribeDBClusterEndpoints",
"polardb:DescribeDBClusterAccessWhiteList",
"polardb:ModifyDBClusterAccessWhitelist",
"polardb:ModifySecurityIps",
"polardb:DescribeDBClusterAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dts:DescribeDtsJobs",
"dts:ModifyDtsJobEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeDBInstanceAttribute",
"dds:DescribeReplicaSetRole",
"dds:DescribeSecurityIps",
"dds:DescribeDBInstances",
"dds:ModifySecurityIps",
"dds:DescribeShardingNetworkAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lindorm:UpdateInstanceIpWhiteList",
"lindorm:GetLindormInstanceEngineList",
"lindorm:GetLindormInstanceList",
"lindorm:GetLindormInstance",
"lindorm:GetInstanceIpWhiteList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:DescribeClusterDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeAvailableZones",
"dbs:DescribeBackupDataList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:GetProductDataCollection",
"log:CloseProductDataCollection",
"log:OpenProductDataCollection"
],
"Resource": "acs:log:*:*:project/*/logstore/*",
"Effect": "Allow"
}
]
}