All Products
Search
Document Center

Resource Access Management:AliyunCSDefaultRolePolicy

更新時間:Nov 29, 2024

AliyunCSDefaultRolePolicy is the authorization policy dedicated to a service role. In most cases, when a service role is created, the policy is attached to the service role. Then, the service role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service role.

Policy details

  • Type: service system policy

  • Creation time: 11:12:59 on October 18, 2024

  • Update time: 11:12:59 on October 18, 2024

  • Current version: v1

Policy content

{
	"Version": "1",
	"Statement": [{
			"Action": [
				"arms:CreateOrUpdateWebhookContact",
				"arms:DeleteWebhookContact",
				"arms:DescribeWebhookContacts",
				"arms:CreateOrUpdateIMRobot",
				"arms:DeleteIMRobot",
				"arms:DescribeIMRobots",
				"arms:SendTTSVerifyLink",
				"arms:SaveContactMember",
				"arms:UpdateContactMember",
				"arms:DeleteContactMember",
				"arms:SaveContactGroup",
				"arms:UpdateContactGroup",
				"arms:DeleteContactGroup",
				"arms:DeleteContactLink",
				"arms:GetAlertRulesByPage",
				"arms:QueryAlarmHistory",
				"arms:QueryAlarmName",
				"arms:GetAlertEvents",
				"arms:SearchEvents",
				"arms:SearchAlarmHistories",
				"arms:GetAlarmHistories",
				"arms:CreateContact",
				"arms:DeleteContact",
				"arms:DeleteAlertContact",
				"arms:SearchContact",
				"arms:UpdateContact",
				"arms:CreateContactGroup",
				"arms:DeleteContactGroup",
				"arms:DeleteAlertContactGroup",
				"arms:SearchContactGroup",
				"arms:UpdateContactGroup",
				"arms:GetAlert",
				"arms:DeleteGrafanaResource",
				"arms:ListDashboards",
				"arms:ListDispatchRule",
				"arms:CreateDispatchRule",
				"arms:DeleteDispatchRule",
				"arms:DescribeDispatchRule",
				"arms:UninstallManagedPrometheus",
				"arms:InnerFetchContactByArmsContactId",
				"arms:ListAlertContact",
				"arms:SearchAlertContactGroup",
				"arms:CreateAlertContactGroup",
				"arms:UpdateAlertContactGroup",
				"arms:UpdateDispatchRule"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ecs:RunInstances",
				"ecs:RenewInstance",
				"ecs:Create*",
				"ecs:AllocatePublicIpAddress",
				"ecs:AllocateEipAddress",
				"ecs:Delete*",
				"ecs:StartInstance",
				"ecs:StopInstance",
				"ecs:RebootInstance",
				"ecs:Describe*",
				"ecs:AuthorizeSecurityGroup",
				"ecs:RevokeSecurityGroup",
				"ecs:AuthorizeSecurityGroupEgress",
				"ecs:AttachDisk",
				"ecs:DetachDisk",
				"ecs:WaitFor*",
				"ecs:AddTags",
				"ecs:ReplaceSystemDisk",
				"ecs:ModifyInstanceAttribute",
				"ecs:JoinSecurityGroup",
				"ecs:LeaveSecurityGroup",
				"ecs:UnassociateEipAddress",
				"ecs:ReleaseEipAddress",
				"ecs:CreateKeyPair",
				"ecs:ImportKeyPair",
				"ecs:AttachKeyPair",
				"ecs:DetachKeyPair",
				"ecs:DeleteKeyPairs",
				"ecs:AttachInstanceRamRole",
				"ecs:DetachInstanceRamRole",
				"ecs:AllocateDedicatedHosts",
				"ecs:CreateOrder",
				"ecs:DeleteInstance",
				"ecs:CreateDisk",
				"ecs:Createvpc",
				"ecs:Deletevpc",
				"ecs:DeleteVSwitch",
				"ecs:ResetDisk",
				"ecs:DeleteSnapshot",
				"ecs:AllocatePublicIpAddress",
				"ecs:CreateVSwitch",
				"ecs:DeleteSecurityGroup",
				"ecs:CreateImage",
				"ecs:RemoveTags",
				"ecs:ReleaseDedicatedHost",
				"ecs:CreateInstance",
				"ecs:RevokeSecurityGroupEgress",
				"ecs:DeleteDisk",
				"ecs:StopInstance",
				"ecs:CreateSecurityGroup",
				"ecs:DeleteImage",
				"ecs:ModifyInstanceSpec",
				"ecs:CreateSnapshot",
				"ecs:CreateCommand",
				"ecs:InvokeCommand",
				"ecs:StopInvocation",
				"ecs:DeleteCommand",
				"ecs:RunCommand",
				"ecs:DescribeInvocationResults",
				"ecs:TagResources",
				"ecs:UntagResources",
				"ecs:ModifyCommand"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"vpc:Describe*",
				"vpc:AllocateEipAddress",
				"vpc:AssociateEipAddress",
				"vpc:UnassociateEipAddress",
				"vpc:ReleaseEipAddress",
				"vpc:CreateRouteEntry",
				"vpc:DeleteRouteEntry",
				"vpc:CreateVSwitch",
				"vpc:DeleteVSwitch",
				"vpc:CreateVpc",
				"vpc:DeleteVpc",
				"vpc:CreateNatGateway",
				"vpc:DeleteNatGateway",
				"vpc:CreateSnatEntry",
				"vpc:DeleteSnatEntry",
				"vpc:ModifyEipAddressAttribute",
				"vpc:CreateForwardEntry",
				"vpc:DeleteBandwidthPackage",
				"vpc:CreateBandwidthPackage",
				"vpc:DeleteForwardEntry",
				"vpc:TagResources",
				"vpc:ListEnhanhcedNatGatewayAvailableZones",
				"vpc:DeletionProtection"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"slb:Describe*",
				"slb:CreateLoadBalancer",
				"slb:DeleteLoadBalancer",
				"slb:RemoveBackendServers",
				"slb:StartLoadBalancerListener",
				"slb:StopLoadBalancerListener",
				"slb:CreateLoadBalancerTCPListener",
				"slb:AddBackendServers*",
				"slb:CreateVServerGroup",
				"slb:CreateLoadBalancerHTTPSListener",
				"slb:CreateLoadBalancerUDPListener",
				"slb:ModifyLoadBalancerInternetSpec",
				"slb:SetBackendServers",
				"slb:AddVServerGroupBackendServers",
				"slb:DeleteVServerGroup",
				"slb:ModifyVServerGroupBackendServers",
				"slb:CreateLoadBalancerHTTPListener",
				"slb:RemoveVServerGroupBackendServers",
				"slb:DeleteLoadBalancerListener",
				"slb:AddTags",
				"slb:RemoveTags",
				"slb:SetLoadBalancerDeleteProtection",
				"slb:SetLoadBalancerTCPListenerAttribute",
				"slb:CreateAccessControlList",
				"slb:DescribeAccessControlLists",
				"slb:AddAccessControlListEntry",
				"slb:SetLoadBalancerModificationProtection"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"dns:Describe*",
				"dns:AddDomainRecord"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"nlb:GetLoadBalancerAttribute",
				"nlb:ListListeners"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"rds:Describe*",
				"rds:ModifySecurityIps",
				"rds:ModifySecurityGroupConfiguration"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"ros:Describe*",
				"ros:WaitConditions",
				"ros:AbandonStack",
				"ros:DeleteStack",
				"ros:CreateStack",
				"ros:UpdateStack",
				"ros:ValidateTemplate",
				"ros:DoActions",
				"ros:InquiryStack",
				"ros:SetDeletionProtection",
				"ros:PreviewStack",
				"ros:GetStack",
				"ros:ListStackResources",
				"ros:GetStackResource",
				"ros:TagResources",
				"ros:ListStackOperationRisks"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": "ram:PassRole",
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ess:Describe*",
				"ess:CreateScalingConfiguration",
				"ess:EnableScalingGroup",
				"ess:ExitStandby",
				"ess:DetachDBInstances",
				"ess:DetachLoadBalancers",
				"ess:AttachInstances",
				"ess:DeleteScalingConfiguration",
				"ess:AttachLoadBalancers",
				"ess:DetachInstances",
				"ess:ModifyScalingRule",
				"ess:RemoveInstances",
				"ess:ModifyScalingGroup",
				"ess:AttachDBInstances",
				"ess:CreateScalingRule",
				"ess:DeleteScalingRule",
				"ess:ExecuteScalingRule",
				"ess:SetInstancesProtection",
				"ess:ModifyNotificationConfiguration",
				"ess:CreateNotificationConfiguration",
				"ess:EnterStandby",
				"ess:DeleteScalingGroup",
				"ess:CreateScalingGroup",
				"ess:DisableScalingGroup",
				"ess:DeleteNotificationConfiguration",
				"ess:ModifyScalingConfiguration",
				"ess:ReplaceSystemDisk",
				"ess:ScaleWithAdjustment",
				"ess:SetGroupDeletionProtection"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ram:Get*",
				"ram:List*"
			],
			"Resource": [
				"*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"ram:DetachPolicyFromRole",
				"ram:AttachPolicyToRole",
				"ram:DeletePolicy",
				"ram:DeletePolicyVersion",
				"ram:DeleteRole"
			],
			"Resource": [
				"acs:ram:*:*:role/KubernetesMasterRole-*",
				"acs:ram:*:*:role/KubernetesWorkerRole-*",
				"acs:ram:*:*:policy/k8sMasterRolePolicy-*",
				"acs:ram:*:*:policy/k8sWorkerRolePolicy-*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"ram:CreateRole",
				"ram:CreatePolicy"
			],
			"Resource": [
				"acs:ram:*:*:role/*",
				"acs:ram:*:*:policy/*"
			],
			"Effect": "Allow"
		},
		{
			"Action": [
				"ram:CreateOIDCProvider",
				"ram:GetOIDCProvider",
				"ram:UpdateOIDCProvider",
				"ram:DeleteOIDCProvider"
			],
			"Effect": "Allow",
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:OidcIssuerUrl": [
						"https://oidc-ack-*.aliyuncs.com/*"
					]
				}
			}
		},
		{
			"Action": [
				"cms:CreateMyGroups",
				"cms:AddMyGroupInstances",
				"cms:DeleteMyGroupInstances",
				"cms:DeleteMyGroups",
				"cms:GetMyGroups",
				"cms:ListMyGroups",
				"cms:UpdateMyGroupInstances",
				"cms:UpdateMyGroups",
				"cms:TaskConfigCreate",
				"cms:TaskConfigList",
				"cms:DescribeMetricData",
				"cms:DescribeMetricLast",
				"cms:DescribeMetricMetaList",
				"cms:DescribeMetricTop",
				"cms:QueryMetricMeta",
				"cms:QueryMetricTop",
				"cms:ListMetricMeta",
				"cms:ListMetricMetaProject",
				"cms:QueryMetricData",
				"cms:QueryMetricLast",
				"cms:DescribeMetricList",
				"cms:QueryMetricList",
				"cms:MetricMeta",
				"cms:PutMonitoringConfig",
				"cms:DescribeContactList",
				"cms:PutContact",
				"cms:PutContactGroup",
				"cms:DeleteContact",
				"cms:DeleteContactGroup",
				"cms:DescribeAlertLogList",
				"cms:DescribeSystemEventAttribute",
				"cms:GetMetricStreamMeta"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"ess:CreateLifecycleHook",
				"ess:DescribeLifecycleHooks",
				"ess:ModifyLifecycleHook",
				"ess:DeleteLifecycleHook"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Effect": "Allow",
			"Action": [
				"cen:AttachCenChildInstance",
				"cen:DetachCenChildInstance",
				"cen:DescribeCenAttachedChildInstances",
				"cen:DescribeCens"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"netana:DescribeNetworkQuotas"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"smartag:DescribeCloudConnectNetworks"
			],
			"Resource": "*"
		},
		{
			"Action": [
				"ens:Describe*",
				"ens:CreateInstance",
				"ens:StartInstance",
				"ens:StopInstance",
				"ens:ReleasePrePaidInstance"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"bms:ListInstance",
				"bms:ListInstanceOverview"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"kvstore:RegistACKCluster",
				"kvstore:UnRegistACKCluster"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"eci:DescribeContainerGroups",
				"eci:DeleteContainerGroup",
				"eci:RunCommand",
				"eci:DescribeCommandResult"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"acc:DescribeInstances",
				"acc:DeleteInstance"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"cs:DescribeClusterDetail",
				"cs:DescribeClusterResources",
				"cs:DescribeTasks",
				"cs:DescribeTaskInfo",
				"cs:DescribeClusterNodePools",
				"cs:DescribeNodePoolVuls",
				"cs:ScanClusterVuls",
				"cs:FixNodePoolVuls",
				"cs:PauseTask",
				"cs:ResumeTask",
				"cs:CancelTask",
				"cs:InstallClusterAddons",
				"cs:UnInstallClusterAddons",
				"cs:UpgradeClusterAddons",
				"cs:DescribeClusterAddonsVersion",
				"cs:UpgradeCluster",
				"cs:ModifyCluster",
				"cs:ListClusterAddonInstances",
				"cs:GetClusters",
				"cs:UpgradeClusterNodepool",
				"cs:ModifyClusterNodePool",
				"cs:DescribeClusterNodes",
				"cs:DescribeKubernetesVersionMetadata",
				"cs:GetClusterCheck",
				"cs:RunClusterCheck",
				"cs:ListAddons",
				"cs:DescribeClusterAddonsUpgradeStatus"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"log:CreateResourceRecord",
				"log:UpdateResourceRecord",
				"log:UpsertResourceRecord",
				"log:GetResourceRecord",
				"log:ListResourceRecords",
				"log:ListResources",
				"log:GetResource",
				"log:CreateLogStore",
				"log:CreateIndex",
				"log:UpdateIndex",
				"log:CreateDashboard",
				"log:UpdateDashboard",
				"log:CreateProject",
				"log:DeleteProject",
				"log:GetLogStoreLogs",
				"log:PostLogStoreLogs",
				"log:GetLogStore",
				"log:UpdateLogStore",
				"log:DeleteResourceRecord"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"mscsub:ListContacts"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"quotas:ListProducts",
				"quotas:ListProductQuotas",
				"quotas:ListProductQuotas",
				"quotas:ListProductQuotaDimensions",
				"quotas:GetProductQuota",
				"quotas:GetProductQuotaDimension"
			],
			"Resource": "acs:quotas:*:*:*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"nas:DescribeFileSystems",
				"nas:DescribeMountTargets",
				"nas:CreateFileSystem",
				"nas:TagResources",
				"nas:EnableRecycleBin",
				"nas:CreateMountTarget"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Effect": "Allow",
			"Action": [
				"yundun-sas:DescribeVulList",
				"yundun-sas:DescribeVersionConfig",
				"yundun-sas:ModifyOperateVul",
				"yundun-sas:DescribeVersionConfig",
				"yundun-sas:DescribeGroupedContainerInstances",
				"yundun-sas:DescribeSuspEvents"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"cr:ListCloudProductAuth",
				"cr:CreateClusterImageAnalysisTask",
				"cr:GetClusterImageAnalysisTask"
			],
			"Resource": "*"
		},
		{
			"Action": [
				"oos:StartExecution",
				"oos:ListExecutions"
			],
			"Resource": [
				"acs:oos:*:*:template/ACS-CS-DedicatedMigration",
				"acs:oos:*:*:execution/*"
			],
			"Effect": "Allow"
		},
		{
			"Action": "ram:CreateServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": [
						"ess.aliyuncs.com",
						"nat.aliyuncs.com"
					]
				}
			}
		},
		{
			"Action": "ram:CreateServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": "eipaccess.slb.aliyuncs.com"
				}
			}
		},
		{
			"Action": "ram:CreateServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
				}
			}
		}
	]
}

References