更新时间:2020-12-04 09:45
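本文介绍如何自定义RAM授权策略。下面的示例策略中，各条语句的Resource均为"*"，并且包含servicemesh:*、arms:Get*等通配符操作，授权范围覆盖账号下对应服务的全部资源，建议只授予确实需要这些权限的RAM用户或角色。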
{
"Version": "1",
"Statement": [
{
"Action": [
"servicemesh:*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateSecurityGroup",
"ecs:CreateSecurityGroupPermissions",
"ecs:DeleteSecurityGroup",
"ecs:DescribeAccountAttributes",
"ecs:DescribeSecurityGroups",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:UnassociateEipAddress",
"ecs:ReleaseEipAddress",
"ecs:RevokeSecurityGroupEgress",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaces"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeEipAddresses",
"vpc:DescribeNetworkQuotas",
"vpc:AllocateEipAddress",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:DeletionProtection",
"vpc:DescribeVpcAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:DescribeLoadBalancerAttribute",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:RemoveBackendServers",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:CreateLoadBalancerTCPListener",
"slb:AddBackendServers",
"slb:CreateVServerGroup",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerUDPListener",
"slb:ModifyLoadBalancerInternetSpec",
"slb:SetBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:DeleteVServerGroup",
"slb:ModifyVServerGroupBackendServers",
"slb:CreateLoadBalancerHTTPListener",
"slb:RemoveVServerGroupBackendServers",
"slb:DeleteLoadBalancerListener",
"slb:AddTags",
"slb:RemoveTags",
"slb:SetLoadBalancerDeleteProtection"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": "xtrace:GetToken",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:ListClusterFromGrafana",
"arms:GetPrometheusApiToken",
"arms:Get*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:GetProject"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
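"Action": "cs:Get*"、"Effect": "Allow"这条语句对应的Resource可以设置为"acs:cs:*:*:cluster/{某个集群ID}"，也可以设置为"acs:cs:*:*:cluster/*"（即代表所有的ACK集群）。按照最小权限原则，建议优先填写具体的集群ID，仅在确实需要访问所有集群时才使用通配符。使用下面的示例时，请将占位符替换为实际的集群ID或*，并删除Statement数组最后一个元素之后多余的逗号，否则策略内容不是合法的JSON。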
{
"Version": "1",
"Statement": [
{
"Action": "cs:Get*",
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/{某个集群ID或者*}"
]
},
]
}