
访问控制:AliyunServiceRolePolicyForConfig

更新时间:Dec 24, 2024

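AliyunServiceRolePolicyForConfig 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForConfig 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,其权限范围可能随版本变化;从下文策略内容可见,除大量只读操作(Describe*、List*、Get* 等)外,本策略还对所有资源(Resource 为 *)授予 kms:Decrypt、kms:GenerateDataKey、oss:PutObject、fc:InvokeFunction、config:* 等操作。因此,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。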

策略详情

  • 类型:系统策略

  • 创建时间:2020-02-28 03:51:12

  • 更新时间:2024-12-24 06:14:03

  • 当前版本:v79

策略内容

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "arms:GetPrometheusApiToken"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "alikafka:List*",
        "alikafka:Get*",
        "cr:List*",
        "cr:GetInstance",
        "cr:GetNamespace",
        "cr:GetRepository",
        "cr:GetInstanceStorage",
        "oceanbase:Describe*",
        "oceanbase:List*",
        "bpstudio:Get*",
        "bpstudio:List*",
        "opensearch:List*",
        "opensearch:Describe*",
        "smartag:Describe*",
        "smartag:List*",
        "smartag:Get*",
        "alb:List*",
        "alb:Get*",
        "emr:List*",
        "emr:Describe*",
        "iot:List*",
        "iot:Get*",
        "iot:Query*",
        "eventbridge:Get*",
        "eventbridge:List*",
        "*:ListTagResources",
        "ecs:Describe*",
        "ess:Describe*",
        "vpc:Describe*",
        "vpc:List*",
        "vpc:Get*",
        "rds:DescribeDBInstance*",
        "rds:DescribeRegions",
        "rds:DescribeBackup*",
        "rds:DescribeParameters",
        "rds:DescribeSQLCollector*",
        "rds:DescribeActionEventPolicy",
        "rds:DescribeParameterGroup*",
        "rds:DescribeGadInstance*",
        "rds:DescribeInstanceAutoRenewalAttribute",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeRCDeploymentSets",
        "slb:Describe*",
        "*:DescribeTags",
        "oss:GetService",
        "oss:GetBucket*",
        "oss:ListBuckets",
        "oss:ListObjects",
        "oss:GetObjectAcl",
        "oss:GetCname",
        "oss:ListCname",
        "ram:List*",
        "ram:Get*",
        "actiontrail:LookupEvents",
        "actiontrail:Describe*",
        "actiontrail:Get*",
        "actiontrail:List*",
        "ots:BatchGet*",
        "ots:Describe*",
        "ots:Get*",
        "ots:List*",
        "ocs:Describe*",
        "cms:Get*",
        "cms:List*",
        "cms:Query*",
        "cms:BatchQuery*",
        "cms:Describe*",
        "kvstore:Describe*",
        "fc:Get*",
        "fc:List*",
        "kms:DescribeKey",
        "kms:DescribeRegions",
        "kms:ListAliases",
        "kms:ListAliasesByKeyId",
        "kms:ListKeys",
        "kms:DescribeKeyVersion",
        "kms:ListKeyVersions",
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ListResourceTags",
        "kms:ListKmsInstances",
        "kms:GetKmsInstance",
        "cdn:Describe*",
        "yundun*:Get*",
        "yundun*:Describe*",
        "yundun*:Query*",
        "yundun*:List*",
        "polardb:Describe*",
        "dds:Describe*",
        "cen:Describe*",
        "cen:List*",
        "mns:List*",
        "mns:Get*",
        "composer:DescribeFlow",
        "composer:List*",
        "composer:Get*",
        "nas:Describe*",
        "nas:Get*",
        "hbase:Describe*",
        "hbase:Get*",
        "hbase:List*",
        "hbase:Query*",
        "cs:CheckControlPlaneLogEnable",
        "cs:Get*",
        "cs:List*",
        "cs:Describe*",
        "dms:List*",
        "dms:Get*",
        "mq:OnsInstanceInServiceList",
        "mq:OnsInstanceBaseInfo",
        "mq:OnsTopicList",
        "mq:OnsGroupList",
        "mq:QueryInstanceBaseInfo",
        "mq:PUB",
        "mq:SUB",
        "nis:Describe*",
        "nis:List*",
        "alidns:Describe*",
        "alidns:List*",
        "mse:Query*",
        "mse:List*",
        "ros:Describe*",
        "ros:Get*",
        "ros:List*",
        "elasticsearch:List*",
        "elasticsearch:Describe*",
        "dcdn:Describe*",
        "hcs-sgw:Describe*",
        "eci:Describe*",
        "kms:ListSecrets",
        "kms:DescribeSecret",
        "privatelink:List*",
        "privatelink:Get*",
        "brain-industrial:List*",
        "brain-industrial:Get*",
        "imagesearch:List*",
        "imagesearch:Describe*",
        "hitsdb:Describe*",
        "apigateway:Describe*",
        "sas:DescribeGroupedVul",
        "sas:DescribeFieldStatistics",
        "cmn:List*",
        "cmn:Get*",
        "ledgerdb:Describe*",
        "pvtz:Describe*",
        "oos:Search*",
        "oos:List*",
        "oos:Get*",
        "adb:Describe*",
        "edas:Read*",
        "edas:List*",
        "drds:Describe*",
        "gpdb:Describe*",
        "log:ListProject",
        "log:GetProject",
        "log:ListLogStores",
        "log:GetLogStore",
        "dts:Describe*",
        "arms:Get*",
        "arms:List*",
        "arms:Describe*",
        "arms:Search*",
        "arms:Check*",
        "arms:Query*",
        "polardbx:Describe*",
        "hbr:Describe*",
        "live:Describe*",
        "vod:Describe*",
        "vod:List*",
        "vod:Get*",
        "lindorm:Get*",
        "ga:List*",
        "ga:Describe*",
        "ga:Get*",
        "searchengine:Get*",
        "searchengine:List*",
        "smc:Describe*",
        "dysms:QuerySmsTemplate*",
        "dysms:ListTagResources",
        "ddi:List*",
        "ddi:Describe*",
        "cloudsso:List*",
        "cloudsso:Get*",
        "baas:DescribeFabricOrganizations",
        "baas:DescribeFabricOrganization",
        "baas:DescribeFabricConsortiums",
        "cloudphone:List*",
        "scdn:Describe*",
        "mse:Get*",
        "dm:QueryTemplate*",
        "dm:DescTemplate*",
        "dm:QueryDomain*",
        "dm:DescDomain*",
        "fnf:List*",
        "fnf:Describe*",
        "ebs:Describe*",
        "rocketmq:List*",
        "rocketmq:Get*",
        "resourcemanager:Get*",
        "resourcemanager:List*",
        "resourcesharing:List*",
        "domain:Query*",
        "dyvms:List*",
        "dbs:Describe*",
        "clickhouse:Describe*",
        "dhs:List*",
        "dhs:Get*",
        "gdb:Describe*",
        "gdb:List*",
        "eipanycast:List*",
        "eipanycast:Describe*",
        "eais:Describe*",
        "odps:List*",
        "odps:Get*",
        "dataworks:List*",
        "dataworks:Get*",
        "cen:List*",
        "cen:Get*",
        "cs:Describe*",
        "yundun-cert:List*",
        "yundun-cert:Get*",
        "nlb:List*",
        "nlb:Get*",
        "yundun-waf:Describe*",
        "hologram:Get*",
        "hologram:List*",
        "swas:List*",
        "swas-open:List*",
        "computenest:Get*",
        "computenest:List*",
        "eiam:Get*",
        "eiam:List*",
        "quotas:Get*",
        "quotas:List*",
        "bssapi:QueryAvailableInstances",
        "dfs:Get*",
        "dfs:List*",
        "dfs:Describe*",
        "acc:Describe*",
        "dysms:MessageTemplateQueryPage",
        "mse:GatewayHealthCheckList",
        "imm:List*",
        "imm:Get*",
        "datav:List*",
        "datav:Get*",
        "gwlb:List*",
        "gwlb:Get*",
        "adcp:Describe*",
        "ehpc:List*",
        "ehpc:Describe*",
        "stream:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutObject",
        "fc:InvokeFunction",
        "mns:PublishMessage",
        "composer:GroupInvokeFlow",
        "composer:CreateFlow",
        "log:PostLogStoreLogs",
        "log:CreateIndex",
        "log:CreateProject",
        "log:CreateLogStore",
        "log:UpdateIndex",
        "log:GetProject",
        "log:GetLogStore",
        "log:GetIndex",
        "resourcecenter:EnableResourceCenter",
        "esa:List*",
        "esa:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "config:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "config.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "rmc.resourcemanager.aliyuncs.com"
        }
      }
    }
  ]
}

相关文档