
Resource Access Management:AliyunCISDefaultRolePolicy

Last updated: Dec 19, 2024

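AliyunCISDefaultRolePolicy is an authorization policy dedicated to a service role. In most cases, the policy is attached to the service role when the role is created, which authorizes the role to access other cloud services. The policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to any RAM identity other than a service role: in addition to read-only Describe/Get/List/Query actions, it allows command execution (ecs:CreateCommand, ecs:InvokeCommand, ecs:RunCommand, eflo:RunCommand, eci:RunCommand) with "Resource": "*", so any identity that holds it can request command execution on all ECS, EFLO, and ECI resources in the account.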

Policy details

  • Type: service system policy

  • Creation time: 11:13:15 on October 18, 2024

  • Update time: 06:53:28 on December 19, 2024

  • Current version: v7

Policy content

{
	"Version": "1",
	"Statement": [{
			"Action": [
				"ecs:DescribeInstances",
				"ecs:DescribeInstanceStatus",
				"ecs:DescribeInstanceTypes",
				"ecs:DescribeInstanceTypeFamilies",
				"ecs:DescribeInstanceAttribute",
				"ecs:DescribeDiagnosticReports",
				"ecs:DescribeDiagnosticReportAttributes",
				"ecs:DescribeDiagnosticMetricSets",
				"ecs:DescribeDiagnosticMetrics",
				"ecs:DescribeSecurityGroupAttribute",
				"ecs:DescribeSecurityGroups",
				"ecs:DescribeSecurityGroupReferences",
				"ecs:DescribeBandwidthLimitation",
				"ecs:DescribeCloudAssistantStatus",
				"ecs:DescribeCommands",
				"ecs:DescribeInvocationResults",
				"ecs:CreateCommand",
				"ecs:InvokeCommand",
				"ecs:StopInvocation",
				"ecs:CreateDiagnosticReport",
				"ecs:DescribeNetworkInterfaces",
				"ecs:DescribeDisks",
				"ecs:RunCommand"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"vpc:DescribeVpcs",
				"vpc:DescribeVpcAttribute",
				"vpc:DescribeVSwitches",
				"vpc:DescribeVSwitchAttributes",
				"vpc:DescribeRouteTableList",
				"vpc:DescribeRouteEntryList",
				"vpc:DescribeNatGateways",
				"vpc:DescribeRouteTables",
				"vpc:DescribeSnatTableEntries",
				"vpc:DescribeNetworkAcls",
				"vpc:DescribeNetworkAclAttributes",
				"vpc:DescribeEipAddresses"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"sls:GetLogStore"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"oss:GetBucketInfo"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"slb:DescribeLoadBalancers",
				"slb:DescribeLoadBalancerAttribute",
				"slb:DescribeVServerGroups",
				"slb:DescribeVServerGroupAttribute",
				"slb:DescribeLoadBalancerTCPListenerAttribute",
				"slb:DescribeLoadBalancerUDPListenerAttribute",
				"slb:DescribeAccessControlLists",
				"slb:DescribeAccessControlListAttribute",
				"slb:DescribeLoadBalancerListeners",
				"slb:DescribeHealthStatus"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"grace:GetFile",
				"grace:AnalyzeFile",
				"grace:UploadFileByOSS",
				"grace:UploadFileByURL"
			],
			"Resource": "acs:grace:*:*:*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ram:ListPoliciesForRole"
			],
			"Resource": [
				"acs:ram:*:*:role/kubernetesworkerrole*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"cms:DescribeMetricData",
				"cms:DescribeMetricLast",
				"cms:DescribeMetricMetaList",
				"cms:DescribeMetricTop",
				"cms:QueryMetricMeta",
				"cms:QueryMetricTop",
				"cms:ListMetricMeta",
				"cms:ListMetricMetaProject",
				"cms:QueryMetricData",
				"cms:QueryMetricLast",
				"cms:DescribeMetricList",
				"cms:QueryMetricList",
				"cms:MetricMeta",
				"cms:DescribeAlertLogList",
				"cms:DescribeSystemEventAttribute",
				"cms:GetMetricStreamMeta"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"eflo:DescribeNode",
				"eflo:RunCommand",
				"eflo:DescribeInvocations"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"eci:DescribeContainerGroups",
				"eci:RunCommand",
				"eci:DescribeCommandResult",
				"eci:ListUsage"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ess:DescribeScalingGroups",
				"ess:DescribeScalingInstances",
				"ess:DescribeScalingActivities",
				"ess:DescribeScalingConfigurations",
				"ess:DescribeScalingRules",
				"ess:DescribeScheduledTasks",
				"ess:DescribeLifecycleHooks",
				"ess:DescribeNotificationConfigurations",
				"ess:DescribeNotificationTypes",
				"ess:DescribeRegions",
				"ess:DescribePatternTypes"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"cs:DescribeClusterDetail",
				"cs:DescribeClusterResources",
				"cs:DescribeTasks",
				"cs:DescribeTaskInfo",
				"cs:DescribeClusterNodePools",
				"cs:DescribeNodePoolVuls",
				"cs:DescribeKubernetesVersionMetadata",
				"cs:DescribeClusterNodes",
				"cs:ListClusterAddonInstances",
				"cs:DescribeAddon",
				"cs:DescribeClusterNodePoolDetail",
				"cs:DescribeClusterAddonsUpgradeStatus"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"quotas:ListProducts",
				"quotas:ListProductQuotas",
				"quotas:ListProductQuotas",
				"quotas:ListProductQuotaDimensions",
				"quotas:GetProductQuota",
				"quotas:GetProductQuotaDimension"
			],
			"Resource": "acs:quotas:*:*:*",
			"Effect": "Allow"
		},
		{
			"Action": "ram:CreateServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": "selfservice.ecs.aliyuncs.com"
				}
			}
		}
	]
}

References