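ACK One service role policy content
A service role is a RAM role that a cloud service provides so that, in certain situations, it can obtain access to other cloud services in order to complete one of its own functions. You must grant the corresponding service roles to the ACK One service account before you can use ACK One features. This topic describes the service roles that ACK One supports and the policy content of each role.
Authorization
Authorization is required only the first time you use ACK One. Authorizing once with an Alibaba Cloud account (root account) or a RAM administrator account (sub-account) is sufficient.
You do not need to create service roles manually. The first time you use the ACK One console and related features, the console automatically displays an authorization prompt; follow the prompt to complete the automatic authorization.
Only an Alibaba Cloud account (root account) or a RAM administrator account can complete automatic authorization of service roles; ordinary RAM users do not have permission to perform the authorization. If the system reports insufficient permissions during the operation, switch to an Alibaba Cloud account (root account) or a RAM administrator account to complete the authorization.
Service-linked roles
Role name | Role permission description |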
AliyunServiceRoleForAdcp |
|
AliyunAdcpServerlessKubernetesRole |
|
AliyunAdcpManagedMseRole |
|
Role policy content
AliyunServiceRoleForAdcp
ECS permissions
ecs:CreateSecurityGroup
ecs:CreateSecurityGroupPermissions
ecs:DeleteSecurityGroup
ecs:DescribeAccountAttributes
ecs:DescribeSecurityGroups
ecs:AuthorizeSecurityGroup
ecs:RevokeSecurityGroup
ecs:AuthorizeSecurityGroupEgress
ecs:RevokeSecurityGroupEgress
ecs:DescribeNetworkInterfaces
ecs:DescribeZones
VPC permissions
vpc:DescribeVpcAttribute
vpc:DescribeVSwitchAttributes
vpc:AllocateEipAddress
vpc:AssociateEipAddress
vpc:UnassociateEipAddress
vpc:ReleaseEipAddress
vpc:DescribeEipAddresses
vpc:TagResources
vpc:DeletionProtection
vpc:DescribeRouteTableList
vpc:CreateRouteEntry
vpc:DeleteeRouteEntry
vpc:AcceptVpcPeerConnection
vpc:GetVpcPeerConnectionAttribute
vpc:DescribeVSwitches
vpc:DescribeVpcs
CEN permissions
cen:DescribeCenAttachedChildInstances
cen:DescribeCens
SLB permissions
slb:DescribeLoadBalancerAttribute
slb:CreateLoadBalancer
slb:DeleteLoadBalancer
slb:StartLoadBalancerListener
slb:StopLoadBalancerListener
slb:CreateLoadBalancerTCPListener
slb:CreateLoadBalancerHTTPListener
slb:DeleteLoadBalancerListener
slb:AddTags
slb:RemoveTags
slb:SetLoadBalancerDeleteProtection
slb:SetLoadBalancerModificationProtection
slb:DescribeZones
slb:CreateAccessControlList
slb:DescribeAccessControlLists
slb:AddAccessControlListEntry
slb:RemoveAccessControlListEntry
slb:SetLoadBalancerTCPListenerAttribute
servicemesh:CreateServiceMesh
servicemesh:DeleteServiceMesh
servicemesh:DescribeServiceMeshDetail
servicemesh:DescribeServiceMeshes
servicemesh:DescribeServiceMeshKubeconfig
servicemesh:DescribeServiceMeshLogs
servicemesh:ModifyServiceMesh
servicemesh:ModifyServiceMeshName
servicemesh:DescribeClustersInServiceMesh
servicemesh:AddClusterIntoServiceMesh
servicemesh:RemoveClusterFromServiceMesh
servicemesh:UpdateMeshFeature
servicemesh:DescribeRegions
servicemesh:DescribeServiceMeshUpgradeStatus
servicemesh:DescribeVersions
servicemesh:RevokeKubeconfig
servicemesh:UpdateServiceMeshOwner
ram:CreateApplication
ram:ListApplications
ram:ListAppSecretIds
ram:GetApplication
ram:UpdateApplication
ram:CreateAppSecret
ram:GetAppSecret
ram:DeleteApplication
ram:DeleteAppSecret
ram:CreateApplication
ram:ListApplications
ram:ListAppSecretIds
ram:CreateServiceLinkedRole
arms:InstallManagedPrometheus
arms:UninstallManagedPrometheus
AliyunAdcpServerlessKubernetesRole
vpc:DescribeVSwitches
vpc:DescribeVpcs
vpc:AssociateEipAddress
vpc:DescribeEipAddresses
vpc:AllocateEipAddress
vpc:ReleaseEipAddress
vpc:AddCommonBandwidthPackageIp
vpc:RemoveCommonBandwidthPackageIp
ecs:DescribeSecurityGroups
ecs:CreateNetworkInterface
ecs:CreateNetworkInterfacePermission
ecs:DescribeNetworkInterfaces
ecs:AttachNetworkInterface
ecs:DetachNetworkInterface
ecs:DeleteNetworkInterface
ecs:DeleteNetworkInterfacePermission
arms:GetManagedPrometheusStatus
arms:InstallManagedPrometheus
arms:UninstallManagedPrometheus
pvtz:AddZone
pvtz:DeleteZone
pvtz:DescribeZones
pvtz:DescribeZoneInfo
pvtz:BindZoneVpc
pvtz:AddZoneRecord
pvtz:DeleteZoneRecord
pvtz:DeleteZoneRecordsByRR
pvtz:DescribeZoneRecordsByRR
pvtz:DescribeZoneRecords
eci:CreateContainerGroup
eci:DeleteContainerGroup
eci:DescribeContainerGroups
eci:DescribeContainerGroupStatus
eci:DescribeContainerGroupEvents
eci:DescribeContainerLog
eci:UpdateContainerGroup
eci:UpdateContainerGroupByTemplate
eci:CreateContainerGroupFromTemplate
eci:RestartContainerGroup
eci:ExportContainerGroupTemplate
eci:DescribeContainerGroupMetric
eci:DescribeMultiContainerGroupMetric
eci:ResizeContainerGroupVolume
eci:ExecContainerCommand
eci:CreateImageCache
eci:DescribeImageCaches
eci:DeleteImageCache
log:CreateProject
log:GetProject
log:DeleteProject
log:CreateLogStore
log:GetLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateConfig
log:UpdateConfig
log:GetConfig
log:DeleteConfig
log:CreateMachineGroup
log:UpdateMachineGroup
log:GetMachineGroup
log:DeleteMachineGroup
log:ApplyConfigToGroup
log:GetAppliedMachineGroups
log:GetAppliedConfigs
log:RemoveConfigFromMachineGroup
log:CreateIndex
log:GetIndex
log:UpdateIndex
log:DeleteIndex
log:CreateSavedSearch
log:GetSavedSearch
log:UpdateSavedSearch
log:DeleteSavedSearch
log:CreateDashboard
log:GetDashboard
log:UpdateDashboard
log:DeleteDashboard
log:CreateJob
log:GetJob
log:DeleteJob
log:PostLogStoreLogs
log:UpdateJob
ram:CreateServiceLinkedRole
AliyunAdcpManagedMseRole
mse:AddBlackWhiteList
mse:AddGateway
mse:AddServiceSource
mse:CreateApplication
mse:DeleteGateway
mse:DeleteServiceSource
mse:GetBlackWhiteList
mse:GetGateway
mse:GetGatewayDetail
mse:GetGatewayOption
mse:ListServiceSource
mse:ListTagResources
mse:ModifyLosslessRule
mse:TagResources
mse:UntagResources
mse:UpdateBlackWhiteList
mse:UpdateGatewayOption
mse:UpdateServiceSource
log:CloseProductDataCollection
log:OpenProductDataCollection
log:GetProductDataCollection
ram:CreateServiceLinkedRole
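Related documents
For all ACK One permission types and authorization scenarios, see Authorization overview.
To grant a RAM user or RAM role permissions to operate ACK One resources, see Grant system permission policies to a RAM user or RAM role.
To grant a RAM user or RAM role permissions to operate Kubernetes application resources in a specified ACK One cluster, see Grant RBAC permissions to a RAM user or RAM role.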