All Products
Search
Document Center

Resource Access Management:AliyunCSDefaultRolePolicy

更新時間:Oct 18, 2024

AliyunCSDefaultRolePolicy is the authorization policy dedicated to a service role. In most cases, when a service role is created, the policy is attached to the service role. Then, the service role is authorized to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service role.

Policy details

  • Type: service system policy

  • Creation time: 11:12:59 on October 18, 2024

  • Update time: 11:12:59 on October 18, 2024

  • Current version: v1

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "arms:CreateOrUpdateWebhookContact",
        "arms:DeleteWebhookContact",
        "arms:DescribeWebhookContacts",
        "arms:CreateOrUpdateIMRobot",
        "arms:DeleteIMRobot",
        "arms:DescribeIMRobots",
        "arms:SendTTSVerifyLink",
        "arms:SaveContactMember",
        "arms:UpdateContactMember",
        "arms:DeleteContactMember",
        "arms:SaveContactGroup",
        "arms:UpdateContactGroup",
        "arms:DeleteContactGroup",
        "arms:DeleteContactLink",
        "arms:GetAlertRulesByPage",
        "arms:QueryAlarmHistory",
        "arms:QueryAlarmName",
        "arms:GetAlertEvents",
        "arms:SearchEvents",
        "arms:SearchAlarmHistories",
        "arms:GetAlarmHistories",
        "arms:CreateContact",
        "arms:DeleteContact",
        "arms:DeleteAlertContact",
        "arms:SearchContact",
        "arms:UpdateContact",
        "arms:CreateContactGroup",
        "arms:DeleteContactGroup",
        "arms:DeleteAlertContactGroup",
        "arms:SearchContactGroup",
        "arms:UpdateContactGroup",
        "arms:GetAlert",
        "arms:DeleteGrafanaResource",
        "arms:ListDashboards",
        "arms:ListDispatchRule",
        "arms:CreateDispatchRule",
        "arms:DeleteDispatchRule",
        "arms:DescribeDispatchRule",
        "arms:UninstallManagedPrometheus",
        "arms:InnerFetchContactByArmsContactId",
        "arms:ListAlertContact",
        "arms:SearchAlertContactGroup",
        "arms:CreateAlertContactGroup",
        "arms:UpdateAlertContactGroup",
        "arms:UpdateDispatchRule"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:RenewInstance",
        "ecs:Create*",
        "ecs:AllocatePublicIpAddress",
        "ecs:AllocateEipAddress",
        "ecs:Delete*",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:RebootInstance",
        "ecs:Describe*",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:AttachDisk",
        "ecs:DetachDisk",
        "ecs:WaitFor*",
        "ecs:AddTags",
        "ecs:ReplaceSystemDisk",
        "ecs:ModifyInstanceAttribute",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:UnassociateEipAddress",
        "ecs:ReleaseEipAddress",
        "ecs:CreateKeyPair",
        "ecs:ImportKeyPair",
        "ecs:AttachKeyPair",
        "ecs:DetachKeyPair",
        "ecs:DeleteKeyPairs",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole",
        "ecs:AllocateDedicatedHosts",
        "ecs:CreateOrder",
        "ecs:DeleteInstance",
        "ecs:CreateDisk",
        "ecs:Createvpc",
        "ecs:Deletevpc",
        "ecs:DeleteVSwitch",
        "ecs:ResetDisk",
        "ecs:DeleteSnapshot",
        "ecs:AllocatePublicIpAddress",
        "ecs:CreateVSwitch",
        "ecs:DeleteSecurityGroup",
        "ecs:CreateImage",
        "ecs:RemoveTags",
        "ecs:ReleaseDedicatedHost",
        "ecs:CreateInstance",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DeleteDisk",
        "ecs:StopInstance",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteImage",
        "ecs:ModifyInstanceSpec",
        "ecs:CreateSnapshot",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:RunCommand",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:Describe*",
        "vpc:AllocateEipAddress",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:ReleaseEipAddress",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateNatGateway",
        "vpc:DeleteNatGateway",
        "vpc:CreateSnatEntry",
        "vpc:DeleteSnatEntry",
        "vpc:ModifyEipAddressAttribute",
        "vpc:CreateForwardEntry",
        "vpc:DeleteBandwidthPackage",
        "vpc:CreateBandwidthPackage",
        "vpc:DeleteForwardEntry",
        "vpc:TagResources",
        "vpc:ListEnhanhcedNatGatewayAvailableZones",
        "vpc:DeletionProtection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:Describe*",
        "slb:CreateLoadBalancer",
        "slb:DeleteLoadBalancer",
        "slb:RemoveBackendServers",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:AddBackendServers*",
        "slb:CreateVServerGroup",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:SetBackendServers",
        "slb:AddVServerGroupBackendServers",
        "slb:DeleteVServerGroup",
        "slb:ModifyVServerGroupBackendServers",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:RemoveVServerGroupBackendServers",
        "slb:DeleteLoadBalancerListener",
        "slb:AddTags",
        "slb:RemoveTags",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:CreateAccessControlList",
        "slb:DescribeAccessControlLists",
        "slb:AddAccessControlListEntry",
        "slb:SetLoadBalancerModificationProtection"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dns:Describe*",
        "dns:AddDomainRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:Describe*",
        "rds:ModifySecurityIps",
        "rds:ModifySecurityGroupConfiguration"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:Describe*",
        "ros:WaitConditions",
        "ros:AbandonStack",
        "ros:DeleteStack",
        "ros:CreateStack",
        "ros:UpdateStack",
        "ros:ValidateTemplate",
        "ros:DoActions",
        "ros:InquiryStack",
        "ros:SetDeletionProtection",
        "ros:PreviewStack",
        "ros:GetStack",
        "ros:ListStackResources",
        "ros:GetStackResource",
        "ros:TagResources",
        "ros:ListStackOperationRisks"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:Describe*",
        "ess:CreateScalingConfiguration",
        "ess:EnableScalingGroup",
        "ess:ExitStandby",
        "ess:DetachDBInstances",
        "ess:DetachLoadBalancers",
        "ess:AttachInstances",
        "ess:DeleteScalingConfiguration",
        "ess:AttachLoadBalancers",
        "ess:DetachInstances",
        "ess:ModifyScalingRule",
        "ess:RemoveInstances",
        "ess:ModifyScalingGroup",
        "ess:AttachDBInstances",
        "ess:CreateScalingRule",
        "ess:DeleteScalingRule",
        "ess:ExecuteScalingRule",
        "ess:SetInstancesProtection",
        "ess:ModifyNotificationConfiguration",
        "ess:CreateNotificationConfiguration",
        "ess:EnterStandby",
        "ess:DeleteScalingGroup",
        "ess:CreateScalingGroup",
        "ess:DisableScalingGroup",
        "ess:DeleteNotificationConfiguration",
        "ess:ModifyScalingConfiguration",
        "ess:ReplaceSystemDisk",
        "ess:ScaleWithAdjustment",
        "ess:SetGroupDeletionProtection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:Get*",
        "ram:List*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:DetachPolicyFromRole",
        "ram:AttachPolicyToRole",
        "ram:DeletePolicy",
        "ram:DeletePolicyVersion",
        "ram:DeleteRole"
      ],
      "Resource": [
        "acs:ram:*:*:role/KubernetesMasterRole-*",
        "acs:ram:*:*:role/KubernetesWorkerRole-*",
        "acs:ram:*:*:policy/k8sMasterRolePolicy-*",
        "acs:ram:*:*:policy/k8sWorkerRolePolicy-*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateRole",
        "ram:CreatePolicy"
      ],
      "Resource": [
        "acs:ram:*:*:role/*",
        "acs:ram:*:*:policy/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:CreateOIDCProvider",
        "ram:GetOIDCProvider",
        "ram:UpdateOIDCProvider",
        "ram:DeleteOIDCProvider"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ram:OidcIssuerUrl": [
            "https://oidc-ack-*.aliyuncs.com/*"
          ]
        }
      }
    },
    {
      "Action": [
        "cms:CreateMyGroups",
        "cms:AddMyGroupInstances",
        "cms:DeleteMyGroupInstances",
        "cms:DeleteMyGroups",
        "cms:GetMyGroups",
        "cms:ListMyGroups",
        "cms:UpdateMyGroupInstances",
        "cms:UpdateMyGroups",
        "cms:TaskConfigCreate",
        "cms:TaskConfigList",
        "cms:DescribeMetricData",
        "cms:DescribeMetricLast",
        "cms:DescribeMetricMetaList",
        "cms:DescribeMetricTop",
        "cms:QueryMetricMeta",
        "cms:QueryMetricTop",
        "cms:ListMetricMeta",
        "cms:ListMetricMetaProject",
        "cms:QueryMetricData",
        "cms:QueryMetricLast",
        "cms:DescribeMetricList",
        "cms:QueryMetricList",
        "cms:MetricMeta",
        "cms:PutMonitoringConfig",
        "cms:DescribeContactList",
        "cms:PutContact",
        "cms:PutContactGroup",
        "cms:DeleteContact",
        "cms:DeleteContactGroup",
        "cms:DescribeAlertLogList",
        "cms:DescribeSystemEventAttribute",
        "cms:GetMetricStreamMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:CreateLifecycleHook",
        "ess:DescribeLifecycleHooks",
        "ess:ModifyLifecycleHook",
        "ess:DeleteLifecycleHook"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCens"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "netana:DescribeNetworkQuotas"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "smartag:DescribeCloudConnectNetworks"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ens:Describe*",
        "ens:CreateInstance",
        "ens:StartInstance",
        "ens:StopInstance",
        "ens:ReleasePrePaidInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bms:ListInstance",
        "bms:ListInstanceOverview"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:RegistACKCluster",
        "kvstore:UnRegistACKCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eci:DescribeContainerGroups",
        "eci:DeleteContainerGroup",
        "eci:RunCommand",
        "eci:DescribeCommandResult"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "acc:DescribeInstances",
        "acc:DeleteInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterResources",
        "cs:DescribeTasks",
        "cs:DescribeTaskInfo",
        "cs:DescribeClusterNodePools",
        "cs:DescribeNodePoolVuls",
        "cs:ScanClusterVuls",
        "cs:FixNodePoolVuls",
        "cs:PauseTask",
        "cs:ResumeTask",
        "cs:CancelTask",
        "cs:InstallClusterAddons",
        "cs:UnInstallClusterAddons",
        "cs:UpgradeClusterAddons",
        "cs:DescribeClusterAddonsVersion",
        "cs:UpgradeCluster",
        "cs:ModifyCluster",
        "cs:ListClusterAddonInstances",
        "cs:GetClusters",
        "cs:UpgradeClusterNodepool",
        "cs:ModifyClusterNodePool",
        "cs:DescribeClusterNodes",
        "cs:DescribeKubernetesVersionMetadata",
        "cs:GetClusterCheck",
        "cs:RunClusterCheck",
        "cs:ListAddons",
        "cs:DescribeClusterAddonsUpgradeStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateResourceRecord",
        "log:UpdateResourceRecord",
        "log:UpsertResourceRecord",
        "log:GetResourceRecord",
        "log:ListResourceRecords",
        "log:ListResources",
        "log:GetResource",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:CreateProject",
        "log:DeleteProject",
        "log:GetLogStoreLogs",
        "log:PostLogStoreLogs",
        "log:GetLogStore",
        "log:UpdateLogStore",
        "log:DeleteResourceRecord"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mscsub:ListContacts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "quotas:ListProducts",
        "quotas:ListProductQuotas",
        "quotas:ListProductQuotas",
        "quotas:ListProductQuotaDimensions",
        "quotas:GetProductQuota",
        "quotas:GetProductQuotaDimension"
      ],
      "Resource": "acs:quotas:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:DescribeMountTargets",
        "nas:CreateFileSystem",
        "nas:TagResources",
        "nas:EnableRecycleBin",
        "nas:CreateMountTarget"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVersionConfig",
        "yundun-sas:ModifyOperateVul",
        "yundun-sas:DescribeVersionConfig",
        "yundun-sas:DescribeGroupedContainerInstances",
        "yundun-sas:DescribeSuspEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr:ListCloudProductAuth",
        "cr:CreateClusterImageAnalysisTask",
        "cr:GetClusterImageAnalysisTask"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "oos:StartExecution",
        "oos:ListExecutions"
      ],
      "Resource": [
        "acs:oos:*:*:template/ACS-CS-DedicatedMigration",
        "acs:oos:*:*:execution/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "ess.aliyuncs.com",
            "nat.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eipaccess.slb.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
        }
      }
    }
  ]
}

References