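AliyunCSDefaultRolePolicy is an authorization policy dedicated to a service role. In most cases, the policy is attached to the service role when that role is created, which authorizes the service role to access other cloud services. The policy is maintained and updated by the relevant Alibaba Cloud service. Do not attach this policy to any RAM identity other than a service role: as the policy content below shows, it allows broad actions on all resources (for example ram:PassRole, ECS instance and command operations, and the creation of RAM roles and policies), so any other identity that holds it would be granted far more access than it needs.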
Policy details
Type: service system policy
Creation time: 11:12:59 on October 18, 2024
Update time: 11:12:59 on October 18, 2024
Current version: v1
Policy content
{
"Version": "1",
"Statement": [
{
"Action": [
"arms:CreateOrUpdateWebhookContact",
"arms:DeleteWebhookContact",
"arms:DescribeWebhookContacts",
"arms:CreateOrUpdateIMRobot",
"arms:DeleteIMRobot",
"arms:DescribeIMRobots",
"arms:SendTTSVerifyLink",
"arms:SaveContactMember",
"arms:UpdateContactMember",
"arms:DeleteContactMember",
"arms:SaveContactGroup",
"arms:UpdateContactGroup",
"arms:DeleteContactGroup",
"arms:DeleteContactLink",
"arms:GetAlertRulesByPage",
"arms:QueryAlarmHistory",
"arms:QueryAlarmName",
"arms:GetAlertEvents",
"arms:SearchEvents",
"arms:SearchAlarmHistories",
"arms:GetAlarmHistories",
"arms:CreateContact",
"arms:DeleteContact",
"arms:DeleteAlertContact",
"arms:SearchContact",
"arms:UpdateContact",
"arms:CreateContactGroup",
"arms:DeleteContactGroup",
"arms:DeleteAlertContactGroup",
"arms:SearchContactGroup",
"arms:UpdateContactGroup",
"arms:GetAlert",
"arms:DeleteGrafanaResource",
"arms:ListDashboards",
"arms:ListDispatchRule",
"arms:CreateDispatchRule",
"arms:DeleteDispatchRule",
"arms:DescribeDispatchRule",
"arms:UninstallManagedPrometheus",
"arms:InnerFetchContactByArmsContactId",
"arms:ListAlertContact",
"arms:SearchAlertContactGroup",
"arms:CreateAlertContactGroup",
"arms:UpdateAlertContactGroup",
"arms:UpdateDispatchRule"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:RunInstances",
"ecs:RenewInstance",
"ecs:Create*",
"ecs:AllocatePublicIpAddress",
"ecs:AllocateEipAddress",
"ecs:Delete*",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:RebootInstance",
"ecs:Describe*",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:AttachDisk",
"ecs:DetachDisk",
"ecs:WaitFor*",
"ecs:AddTags",
"ecs:ReplaceSystemDisk",
"ecs:ModifyInstanceAttribute",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:UnassociateEipAddress",
"ecs:ReleaseEipAddress",
"ecs:CreateKeyPair",
"ecs:ImportKeyPair",
"ecs:AttachKeyPair",
"ecs:DetachKeyPair",
"ecs:DeleteKeyPairs",
"ecs:AttachInstanceRamRole",
"ecs:DetachInstanceRamRole",
"ecs:AllocateDedicatedHosts",
"ecs:CreateOrder",
"ecs:DeleteInstance",
"ecs:CreateDisk",
"ecs:Createvpc",
"ecs:Deletevpc",
"ecs:DeleteVSwitch",
"ecs:ResetDisk",
"ecs:DeleteSnapshot",
"ecs:AllocatePublicIpAddress",
"ecs:CreateVSwitch",
"ecs:DeleteSecurityGroup",
"ecs:CreateImage",
"ecs:RemoveTags",
"ecs:ReleaseDedicatedHost",
"ecs:CreateInstance",
"ecs:RevokeSecurityGroupEgress",
"ecs:DeleteDisk",
"ecs:StopInstance",
"ecs:CreateSecurityGroup",
"ecs:DeleteImage",
"ecs:ModifyInstanceSpec",
"ecs:CreateSnapshot",
"ecs:CreateCommand",
"ecs:InvokeCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:RunCommand",
"ecs:DescribeInvocationResults",
"ecs:ModifyCommand"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:Describe*",
"vpc:AllocateEipAddress",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:CreateRouteEntry",
"vpc:DeleteRouteEntry",
"vpc:CreateVSwitch",
"vpc:DeleteVSwitch",
"vpc:CreateVpc",
"vpc:DeleteVpc",
"vpc:CreateNatGateway",
"vpc:DeleteNatGateway",
"vpc:CreateSnatEntry",
"vpc:DeleteSnatEntry",
"vpc:ModifyEipAddressAttribute",
"vpc:CreateForwardEntry",
"vpc:DeleteBandwidthPackage",
"vpc:CreateBandwidthPackage",
"vpc:DeleteForwardEntry",
"vpc:TagResources",
"vpc:ListEnhanhcedNatGatewayAvailableZones",
"vpc:DeletionProtection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:Describe*",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:RemoveBackendServers",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:CreateLoadBalancerTCPListener",
"slb:AddBackendServers*",
"slb:CreateVServerGroup",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerUDPListener",
"slb:ModifyLoadBalancerInternetSpec",
"slb:SetBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:DeleteVServerGroup",
"slb:ModifyVServerGroupBackendServers",
"slb:CreateLoadBalancerHTTPListener",
"slb:RemoveVServerGroupBackendServers",
"slb:DeleteLoadBalancerListener",
"slb:AddTags",
"slb:RemoveTags",
"slb:SetLoadBalancerDeleteProtection",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateAccessControlList",
"slb:DescribeAccessControlLists",
"slb:AddAccessControlListEntry",
"slb:SetLoadBalancerModificationProtection"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"dns:Describe*",
"dns:AddDomainRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"rds:Describe*",
"rds:ModifySecurityIps",
"rds:ModifySecurityGroupConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ros:Describe*",
"ros:WaitConditions",
"ros:AbandonStack",
"ros:DeleteStack",
"ros:CreateStack",
"ros:UpdateStack",
"ros:ValidateTemplate",
"ros:DoActions",
"ros:InquiryStack",
"ros:SetDeletionProtection",
"ros:PreviewStack",
"ros:GetStack",
"ros:ListStackResources",
"ros:GetStackResource",
"ros:TagResources",
"ros:ListStackOperationRisks"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:Describe*",
"ess:CreateScalingConfiguration",
"ess:EnableScalingGroup",
"ess:ExitStandby",
"ess:DetachDBInstances",
"ess:DetachLoadBalancers",
"ess:AttachInstances",
"ess:DeleteScalingConfiguration",
"ess:AttachLoadBalancers",
"ess:DetachInstances",
"ess:ModifyScalingRule",
"ess:RemoveInstances",
"ess:ModifyScalingGroup",
"ess:AttachDBInstances",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:ExecuteScalingRule",
"ess:SetInstancesProtection",
"ess:ModifyNotificationConfiguration",
"ess:CreateNotificationConfiguration",
"ess:EnterStandby",
"ess:DeleteScalingGroup",
"ess:CreateScalingGroup",
"ess:DisableScalingGroup",
"ess:DeleteNotificationConfiguration",
"ess:ModifyScalingConfiguration",
"ess:ReplaceSystemDisk",
"ess:ScaleWithAdjustment",
"ess:SetGroupDeletionProtection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:Get*",
"ram:List*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ram:DetachPolicyFromRole",
"ram:AttachPolicyToRole",
"ram:DeletePolicy",
"ram:DeletePolicyVersion",
"ram:DeleteRole"
],
"Resource": [
"acs:ram:*:*:role/KubernetesMasterRole-*",
"acs:ram:*:*:role/KubernetesWorkerRole-*",
"acs:ram:*:*:policy/k8sMasterRolePolicy-*",
"acs:ram:*:*:policy/k8sWorkerRolePolicy-*"
],
"Effect": "Allow"
},
{
"Action": [
"ram:CreateRole",
"ram:CreatePolicy"
],
"Resource": [
"acs:ram:*:*:role/*",
"acs:ram:*:*:policy/*"
],
"Effect": "Allow"
},
{
"Action": [
"ram:CreateOIDCProvider",
"ram:GetOIDCProvider",
"ram:UpdateOIDCProvider",
"ram:DeleteOIDCProvider"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"ram:OidcIssuerUrl": [
"https://oidc-ack-*.aliyuncs.com/*"
]
}
}
},
{
"Action": [
"cms:CreateMyGroups",
"cms:AddMyGroupInstances",
"cms:DeleteMyGroupInstances",
"cms:DeleteMyGroups",
"cms:GetMyGroups",
"cms:ListMyGroups",
"cms:UpdateMyGroupInstances",
"cms:UpdateMyGroups",
"cms:TaskConfigCreate",
"cms:TaskConfigList",
"cms:DescribeMetricData",
"cms:DescribeMetricLast",
"cms:DescribeMetricMetaList",
"cms:DescribeMetricTop",
"cms:QueryMetricMeta",
"cms:QueryMetricTop",
"cms:ListMetricMeta",
"cms:ListMetricMetaProject",
"cms:QueryMetricData",
"cms:QueryMetricLast",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:MetricMeta",
"cms:PutMonitoringConfig",
"cms:DescribeContactList",
"cms:PutContact",
"cms:PutContactGroup",
"cms:DeleteContact",
"cms:DeleteContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeSystemEventAttribute",
"cms:GetMetricStreamMeta"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:CreateLifecycleHook",
"ess:DescribeLifecycleHooks",
"ess:ModifyLifecycleHook",
"ess:DeleteLifecycleHook"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"cen:AttachCenChildInstance",
"cen:DetachCenChildInstance",
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"netana:DescribeNetworkQuotas"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"smartag:DescribeCloudConnectNetworks"
],
"Resource": "*"
},
{
"Action": [
"ens:Describe*",
"ens:CreateInstance",
"ens:StartInstance",
"ens:StopInstance",
"ens:ReleasePrePaidInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"bms:ListInstance",
"bms:ListInstanceOverview"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:RegistACKCluster",
"kvstore:UnRegistACKCluster"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eci:DescribeContainerGroups",
"eci:DeleteContainerGroup",
"eci:RunCommand",
"eci:DescribeCommandResult"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"acc:DescribeInstances",
"acc:DeleteInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:DescribeClusterDetail",
"cs:DescribeClusterResources",
"cs:DescribeTasks",
"cs:DescribeTaskInfo",
"cs:DescribeClusterNodePools",
"cs:DescribeNodePoolVuls",
"cs:ScanClusterVuls",
"cs:FixNodePoolVuls",
"cs:PauseTask",
"cs:ResumeTask",
"cs:CancelTask",
"cs:InstallClusterAddons",
"cs:UnInstallClusterAddons",
"cs:UpgradeClusterAddons",
"cs:DescribeClusterAddonsVersion",
"cs:UpgradeCluster",
"cs:ModifyCluster",
"cs:ListClusterAddonInstances",
"cs:GetClusters",
"cs:UpgradeClusterNodepool",
"cs:ModifyClusterNodePool",
"cs:DescribeClusterNodes",
"cs:DescribeKubernetesVersionMetadata",
"cs:GetClusterCheck",
"cs:RunClusterCheck",
"cs:ListAddons",
"cs:DescribeClusterAddonsUpgradeStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:CreateResourceRecord",
"log:UpdateResourceRecord",
"log:UpsertResourceRecord",
"log:GetResourceRecord",
"log:ListResourceRecords",
"log:ListResources",
"log:GetResource",
"log:CreateLogStore",
"log:CreateIndex",
"log:UpdateIndex",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:CreateProject",
"log:DeleteProject",
"log:GetLogStoreLogs",
"log:PostLogStoreLogs",
"log:GetLogStore",
"log:UpdateLogStore",
"log:DeleteResourceRecord"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mscsub:ListContacts"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"quotas:ListProducts",
"quotas:ListProductQuotas",
"quotas:ListProductQuotas",
"quotas:ListProductQuotaDimensions",
"quotas:GetProductQuota",
"quotas:GetProductQuotaDimension"
],
"Resource": "acs:quotas:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeFileSystems",
"nas:DescribeMountTargets",
"nas:CreateFileSystem",
"nas:TagResources",
"nas:EnableRecycleBin",
"nas:CreateMountTarget"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"yundun-sas:DescribeVulList",
"yundun-sas:DescribeVersionConfig",
"yundun-sas:ModifyOperateVul",
"yundun-sas:DescribeVersionConfig",
"yundun-sas:DescribeGroupedContainerInstances",
"yundun-sas:DescribeSuspEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cr:ListCloudProductAuth",
"cr:CreateClusterImageAnalysisTask",
"cr:GetClusterImageAnalysisTask"
],
"Resource": "*"
},
{
"Action": [
"oos:StartExecution",
"oos:ListExecutions"
],
"Resource": [
"acs:oos:*:*:template/ACS-CS-DedicatedMigration",
"acs:oos:*:*:execution/*"
],
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"ess.aliyuncs.com",
"nat.aliyuncs.com"
]
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "eipaccess.slb.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
}
}
}
]
}