Grant RAM users access to AgentRun

Grant RAM users different levels of permissions for AgentRun by using custom policies.

Prerequisites

Overview

Grant RAM users permissions to use AgentRun through custom policies.

Policy details: Basic elements of a policy and Policy evaluation logic.

Custom policies

Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account (master account) or as a RAM administrator. Grant the following custom permissions to the RAM user. Manage permissions for RAM users.

Full-access policy

Covers all AgentRun features. Recommended for full access.

Full custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "fnf:List*",
        "fnf:Describe*",
        "fnf:Get*",
        "fnf:CreateFlow",
        "fnf:UpdateFlow",
        "fnf:DeleteFlow",
        "fnf:DeleteFlowVersion",
        "fnf:UpdateFlowDraft",
        "fnf:PublishFlowVersion",
        "fnf:CreateFlowAlias",
        "fnf:UpdateFlowAlias",
        "fnf:DeleteFlowAlias",
        "fnf:StartExecution",
        "fnf:StartSyncExecution",
        "fnf:StartDebugExecution",
        "fnf:StopExecution"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "agentrun:List*",
        "agentrun:Get*",
        "agentrun:CreateAgentRuntime",
        "agentrun:UpdateAgentRuntime",
        "agentrun:DeleteAgentRuntime",
        "agentrun:PublishRuntimeVersion",
        "agentrun:CreateAgentRuntimeEndpoint",
        "agentrun:UpdateAgentRuntimeEndpoint",
        "agentrun:DeleteAgentRuntimeEndpoint",
        "agentrun:CreateModelService",
        "agentrun:UpdateModelService",
        "agentrun:DeleteModelService",
        "agentrun:CreateModelProxy",
        "agentrun:UpdateModelProxy",
        "agentrun:DeleteModelProxy",
        "agentrun:CreateCredential",
        "agentrun:UpdateCredential",
        "agentrun:DeleteCredential",
        "agentrun:CreateTemplate",
        "agentrun:UpdateTemplate",
        "agentrun:DeleteTemplate",
        "agentrun:ActivateTemplateMCP",
        "agentrun:StopTemplateMCP",
        "agentrun:StopSandbox",
        "agentrun:RetrieveMemory",
        "agentrun:UpdateMemory",
        "agentrun:CreateMemory",
        "agentrun:DeleteMemory",
        "agentrun:StartBrowserSession",
        "agentrun:StopBrowserSession",
        "agentrun:CreateCustomDomain",
        "agentrun:UpdateCustomDomain",
        "agentrun:DeleteCustomDomain",
        "agentrun:CreateSandbox",
        "agentrun:CreateMemoryCollection",
        "agentrun:UpdateMemoryCollection",
        "agentrun:DeleteMemoryCollection",
        "agentrun:CreateKnowledgeBase",
        "agentrun:UpdateKnowledgeBase",
        "agentrun:DeleteKnowledgeBase",
        "agentrun:InvokeRuntime",
        "agentrun:InvokeSandbox"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "devs:List*",
        "devs:Get*",
        "devs:Fetch*",
        "devs:Preview*",
        "devs:CreateProject",
        "devs:UpdateProject",
        "devs:UpdateEnvironment",
        "devs:DeployEnvironment",
        "devs:RenderServicesByTemplate",
        "devs:DeployServices",
        "devs:CreateToolset",
        "devs:UpdateToolset",
        "devs:DeleteToolset",
        "devs:CreateArtifact"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "fc:List*",
        "fc:Get*",
        "fc:Describe*",
        "fc:CreateFunction",
        "fc:UpdateFunction",
        "fc:DeleteFunction",
        "fc:CreateCustomDomain",
        "fc:UpdateCustomDomain",
        "fc:DeleteCustomDomain",
        "fc:PutProvisionConfig",
        "fc:DeleteProvisionConfig",
        "fc:InstanceExec"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:List*",
        "ram:Check*",
        "ram:Get*",
        "ram:GenerateCredentialReport",
        "ram:CreateRole",
        "ram:AttachPolicyToRole",
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "agentrun.fc.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "bss:DescribeAcccount",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "bssapi:Query*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "devs.aliyuncs.com",
            "fnf.aliyuncs.com",
            "fc.aliyuncs.com",
            "agentrun.fc.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "resourcemanager:Check*",
        "resourcemanager:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:PutBucket",
        "oss:PutBucketCors"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:List*",
        "vpc:Describe*",
        "vpc:CreateVpc",
        "vpc:CreateVSwitch",
        "vpc:ModifyVpcAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Describe*",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateSecurityGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "arms:List*",
        "arms:Get*",
        "arms:Describe*",
        "arms:Search*",
        "arms:Query*",
        "arms:Check*",
        "arms:DoInsightsAction",
        "arms:ConfigApp",
        "arms:SaveTraceAppConfig",
        "arms:TagResources",
        "arms:UntagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "xtrace:Get*",
        "xtrace:Read*",
        "xtrace:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:List*",
        "cms:Get*",
        "cms:Query*",
        "cms:Describe*",
        "cms:Cursor",
        "cms:BatchGet",
        "cms:BatchExport",
        "cms:Check*",
        "cms:BatchQuery*",
        "cms:CreatePrometheusVirtualInstance",
        "cms:OpenCmsService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cdn:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "yundun-greenweb:Get*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cr:List*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "yundun-cert:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:Get*",
        "log:List*",
        "log:Query*",
        "log:ListProject",
        "log:DescribeService",
        "log:GetMLServiceResults",
        "log:OpenSlsService",
        "log:GetAgentInstanceConfig",
        "log:UpdateAgentInstanceConfig",
        "log:DeleteAgentInstanceConfig",
        "log:CreateAgentInstanceConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStoreLogs",
        "log:PostLogStoreLogs",
        "log:QueryPrometheusMetrics",
        "log:QueryMetrics",
        "log:RemoteWritePrometheus",
        "log:RemoteWrite"
      ],
      "Resource": "acs:log:*:*:project/*/logstore/aliyun-prom-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStoreLogs",
        "log:GetIndex"
      ],
      "Resource": "acs:log:*:*:project/proj-xtrace-*/logstore/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateIndex",
        "log:CreateLogStore",
        "log:CreateLogging",
        "log:CreateProject",
        "log:CreateMetricStore",
        "log:EnableService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bailiancontrol:ListWorkspaces",
        "bailiancontrol:CreateUser",
        "bailiancontrol:ListRoles",
        "bailiancontrol:ListUsers",
        "bailiancontrol:AttachWorkspaceToUser",
        "bailiancontrol:AttachRoleToUser",
        "sfm:ListIndex"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ots:Get*",
        "ots:List*",
        "ots:CreateInstance",
        "ots:OpenOtsService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:Describe*",
        "nas:CreateFileSystem",
        "nas:DeleteFileSystem",
        "nas:ModifyFileSystem",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:ModifyMountTarget",
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apig:ListGateways",
        "apig:ListHttpApis",
        "apig:GetHttpApi",
        "apig:GetGateway",
        "apig:QueryConsumerAuthorizationRules",
        "apig:ListHttpApiRoutes",
        "apig:GetConsumer"
      ],
      "Resource": "*"
    }
  ]
}

Least-privilege policy

Covers only core AgentRun features. To add permissions, generate a custom policy JSON from the AgentRun services and permissions page .

Least-privilege policy

Roles and authorization

Authorization process

AgentRun requires specific roles. After you complete permission assignment, if required roles are missing when you first access the page, an authorization pop-up guides you through role creation and authorization.

Required roles

AgentRun overall

Role	Trusted entity	Policy/Permission	Description
AliyunDevsCustomRole	devs.aliyuncs.com	AliyunDevsAgentrunDeployPolicy	Permission policy required for AgentRun deployment
AliyunDevsCustomRole	devs.aliyuncs.com	AliyunDevsFCServicesDeployPolicy	Permission policy required for function service deployment
AliyunDevsDefaultRole	devs.aliyuncs.com	AliyunDevsDefaultRolePolicy	Authorization policy for AgentRun service roles
AliyunServiceRoleForFC	fc.aliyuncs.com	-	FC service-linked role
AliyunServiceRoleForAgentRun	agentrun.aliyuncs.com	-	AgentRun service-linked role

Flow Agent (optional)

Role	Trusted entity	Policy/Permission	Description
AliyunFnFExecutionRole	fnf.aliyuncs.com	AliyunFCInvocationAccess	Permissions required to execute Function Compute nodes
		AliyunDevsReadOnlyAccess	Permissions required to execute tools and MCP nodes
		AliyunFnFFullAccess	Permissions required to execute other workflows within Flow Agent
		AliyunAgentRunReadOnlyAccess	Permissions required to use AgentRun sandbox, tools, and other resources
		AliyunEventBridgePutEventsPolicy	Permissions required to use triggers
		AliyunBailianDataFullAccess	Permissions required to execute knowledge base nodes

Feature module permission details

1. Agent management

API name	Product/Service	Description
ListAgentRuntimes	AgentRun	Get agent list
GetAgentRuntime	AgentRun	Get agent details
CreateAgentRuntime	AgentRun	Create agent
UpdateAgentRuntime	AgentRun	Update agent
DeleteAgentRuntime	AgentRun	Delete agent
ListAgentRuntimeVersions	AgentRun	Get version list
PublishRuntimeVersion	AgentRun	Publish agent version
ListAgentRuntimeEndpoints	AgentRun	Get endpoint list
CreateAgentRuntimeEndpoint	AgentRun	Create endpoint
UpdateAgentRuntimeEndpoint	AgentRun	Update endpoint
DeleteAgentRuntimeEndpoint	AgentRun	Delete endpoint
InstanceExec	FC	Log on to instance

2. Workflow (Flow) management

API name	Product/Service	Description
ListFlows	FNF	Get flow list
DescribeFlow	FNF	Get flow details
CreateFlow	FNF	Create flow
UpdateFlow	FNF	Update flow
DeleteFlow	FNF	Delete flow
DeleteFlowVersion	FNF	Delete flow version
UpdateFlowDraft	FNF	Update flow draft
ListFlowVersions	FNF	Get version list
PublishFlowVersion	FNF	Publish flow version
ListFlowAliases	FNF	Get alias list
DescribeFlowAlias	FNF	Get alias details
CreateFlowAlias	FNF	Create alias
UpdateFlowAlias	FNF	Update alias
DeleteFlowAlias	FNF	Delete alias
StartExecution	FNF	Start execution
StartSyncExecution	FNF	Synchronous execution
StartDebugExecution	FNF	Start debug execution
StopExecution	FNF	Stop execution
ListExecutions	FNF	Get execution list
DescribeExecution	FNF	Get execution details
GetExecutionHistory	FNF	Get execution history
DescribeAgentRunLogs	FNF	Get agent operational logs
ListModelSets	Devs	Get model set list
GetModelSet	Devs	Get model set details
ListToolsets	Devs	Get toolset list
GetToolset	Devs	Get toolset details
FetchModelSetAuthorization	Devs	Get model set authorization information
ListFunctions	FC	Get function list (Function Compute node)
ListAliases	FC	Get function alias list (Function Compute node)
ListFunctionVersions	FC	Get function version list (Function Compute node)
ListTriggers	FC	Get trigger list (Function Compute node)
GetCmsService	CMS	Get CMS service status (infrastructure monitoring)
OpenCmsService	CMS	Activate CMS service (infrastructure monitoring)
ListWorkspaces	Bailian	Get Model Studio workspace list (knowledge base node)
CreateUser	Bailian	Create a Model Studio user (knowledge base node)
ListRoles	Bailian	Retrieve the list of Model Studio roles (knowledge base nodes).
ListUsers	Bailian	Retrieve the Model Studio user list (knowledge base node)
AttachWorkspaceToUser	Bailian	Associate workspace with user (knowledge base node)
AttachRoleToUser	Bailian	Associate role with user (knowledge base node)
ListIndex	SFM	Get index list (knowledge base node)
ListModelServices	AgentRun	Get AgentRun service list
ListTemplates	AgentRun	Get sandbox list
GetCredential	AgentRun	Get authentication information for model services and sandbox
ListAgentRuntimes	AgentRun	Get Agent Runtime list
ListAgentRuntimeEndpoints	AgentRun	Get Agent Runtime endpoint list

3. Model service management

API name	Product/Service	Description
ListModelProviders	AgentRun	Get model provider list
ListModelServices	AgentRun	Get model service list
GetModelService	AgentRun	Get model service details
CreateModelService	AgentRun	Create model service
UpdateModelService	AgentRun	Update model service
DeleteModelService	AgentRun	Delete model service
ListModelProxies	AgentRun	Get model proxy list
GetModelProxy	AgentRun	Get model proxy details
CreateModelProxy	AgentRun	Create model proxy
UpdateModelProxy	AgentRun	Update model proxy
DeleteModelProxy	AgentRun	Delete model proxy

4. Credential management

API name	Product/Service	Description
ListCredentials	AgentRun	Get credential list
GetCredential	AgentRun	Get credential details
CreateCredential	AgentRun	Create credential
UpdateCredential	AgentRun	Update credential
DeleteCredential	AgentRun	Delete credential
GetAccessToken	AgentRun	Get access token

5. Sandbox and template management

API name	Product/Service	Description
ListTemplates	AgentRun	Get sandbox list
GetTemplate	AgentRun	Get sandbox details
CreateTemplate	AgentRun	Create sandbox
UpdateTemplate	AgentRun	Update sandbox
DeleteTemplate	AgentRun	Delete sandbox
ActivateTemplateMCP	AgentRun	Activate sandbox MCP
StopTemplateMCP	AgentRun	Stop sandbox MCP
GetSandbox	AgentRun	Get sandbox instance details
StopSandbox	AgentRun	Stop sandbox instance
CreateSandbox	AgentRun	Create sandbox instance
ListSandboxes	AgentRun	Get sandbox instance list

6. Memory storage

6.1. Memory storage management

API name	Product/Service	Description
ListMemoryCollections	AgentRun	Get memory storage list
GetMemoryCollection	AgentRun	Get memory storage details
CreateMemoryCollection	AgentRun	Create memory storage
UpdateMemoryCollection	AgentRun	Update memory storage
DeleteMemoryCollection	AgentRun	Delete memory storage
ListInstances	OTS	Get OTS instance list
GetInstance	OTS	Get OTS instance information
CreateInstance	OTS	Create OTS instance

6.2 Observability

API name	Product/Service	Description
GetChartData	OTS	Get chart data (for monitoring metrics display)
GetTableData	OTS	Get table data (for status statistics)

7. Custom domain management

API name	Product/Service	Description
ListCustomDomains	AgentRun	Get custom domain list
GetCustomDomain	AgentRun	Get custom domain details
CreateCustomDomain	AgentRun	Create custom domain
UpdateCustomDomain	AgentRun	Update custom domain
DeleteCustomDomain	AgentRun	Delete custom domain
DescribeUserCertificateList	Yundun	Get user certificate list
DescribeUserCertificateDetail	Yundun	Get certificate details

8. Tool management

API name	Product/Service	Description
ListToolsets	Devs	Get toolset list
GetToolset	Devs	Get toolset details
CreateToolset	Devs	Create toolset
UpdateToolset	Devs	Update toolset
DeleteToolset	Devs	Delete toolset
FetchToolsetAuthorization	Devs	Get toolset authorization
GetArtifact	Devs	Get artifact information
CreateArtifact	Devs	Create artifact
FetchArtifactTempBucketToken	Devs	Get temporary artifact credentials
PreviewEnvironment	Devs	Preview configuration content to be deployed

9. Model set management

API name	Product/Service	Description
ListModelSets	Devs	Get model set list
GetModelSet	Devs	Get model set details
FetchModelSetAuthorization	Devs	Get model set authorization

10. Project and environment management

API name	Product/Service	Description
ListProjects	Devs	Get project list
GetProject	Devs	Get project details
CreateProject	Devs	Create project
UpdateProject	Devs	Update project
GetEnvironment	Devs	Get environment information
UpdateEnvironment	Devs	Update environment
DeployEnvironment	Devs	Deploy environment
RenderServicesByTemplate	Devs	Render services based on template
DeployServices	Devs	Deploy services
ListServiceDeployments	Devs	Get deployment list

11. Function Compute management

API name	Product/Service	Description
GetFunction	FC	Get function information
CreateFunction	FC	Create function
DeleteFunction	FC	Delete function
GetFunctionCode	FC	Get function code
ListFunctions	FC	Get function list
ListAliases	FC	Get function alias list
ListFunctionVersions	FC	Get function version list
ListTriggers	FC	Get trigger list
ListInstances	FC	List function instances
DescribeRegions	FC	Get supported regions
ListCustomDomains	FC	Get custom domain list
CreateCustomDomain	FC	Create custom domain
UpdateCustomDomain	FC	Update custom domain
DeleteCustomDomain	FC	Delete custom domain
ListProvisionConfigs	FC	List provisioned concurrency configurations
GetProvisionConfig	FC	Get provisioned concurrency configuration
PutProvisionConfig	FC	Update provisioned concurrency configuration
DeleteProvisionConfig	FC	Delete provisioned concurrency configuration

12. Network configuration

API name	Product/Service	Description
DescribeVpcs	VPC	Get VPC list
DescribeVSwitches	VPC	Get vSwitch list
DescribeSecurityGroups	ECS	Get security group list

13. Object Storage Service

API name	Product/Service	Description
ListBuckets	OSS	Get bucket list
ListObjectsV2	OSS	Get bucket contents

14. Simple Log Service

API name	Product/Service	Description
GetSlsService	Log	Get SLS service status
OpenSlsService	Log	Activate SLS service
ListProject	Log	List log projects
CreateProject	Log	Create log project
CreateLogStore	Log	Create log store
CreateIndex	Log	Create index
CreateLogging	Log	Create service logs for a project.
CreateMetricStore	Log	Create MetricStore to store time series data.
GetLogStoreLogs	Log	Get log data
GetIndex	Log	Query index information for a specified Logstore.
EnableService	Log	Enable service
ListLogstore	Log	Get log store list
GetMLServiceResults	Log	Get algorithm analysis results for a specified scenario task
QueryPrometheusMetrics	Log	Prometheus protocol query permission
QueryMetrics	Log	Query monitoring metrics
RemoteWritePrometheus	Log	Write time series metric data to MetricStore using Prometheus Remote Write protocol
RemoteWrite	Log	Write time series metric data

14. Observability

API name	Product/Service	Description
CheckCommercialStatus	ARMS	Check commercial status
GetCommercialStatus	ARMS	Get commercial status
DescribeTraceLicenseKey	ARMS	Get Trace License
SearchTraceAppByName	ARMS	Search applications by name
ListAppInstances	ARMS	Get application instance list
ListLLMSessions	ARMS	Get LLM session list
QueryLLMSessionDetail	ARMS	Get session details
ListAllServices	ARMS	Get all service list
DoInsightsAction	ARMS	Perform insights action
ConfigApp	ARMS	Configure application
SaveTraceAppConfig	ARMS	Save tracing configuration
DoInsightsAction	ARMS	Access various sub-features related to Insights
GetTraceApp	ARMS	Get application monitoring task details
GetTrace	ARMS	Get trace details
GetStack	ARMS	Get call stack information
GetMultipleTrace	ARMS	Get details of multiple traces
GetTraceAppConfig	ARMS	Query all custom settings for an application in Application Monitoring (such as trace sampling settings, Agent switches, etc.).
ConfigApp	ARMS	Turn the global Agent switch for Application Monitoring on or off, or check its status.
SaveTraceAppConfig	ARMS	Configure custom settings for Application Monitoring (such as trace sampling settings, Agent switches, etc.).
TagResources	ARMS	Tag ARMS resource instances.
UntagResources	ARMS	Remove tags from ARMS resource instances.

16. Cloud Monitor

API name	Product/Service	Description
ListPrometheusVirtualInstances	CMS	Get Prometheus instances
CreatePrometheusVirtualInstance	CMS	Create Prometheus instance
GetCmsService	CMS	Get CMS service status
OpenCmsService	CMS	Activate CMS service
QueryCommercialUsage	CMS	Query observability usage data
DescribeEnvironment	CMS	Query environment details
Cursor	CMS	Define the range for exporting monitoring data
BatchGet	CMS	Batch get monitoring data
BatchExport	CMS	Batch export monitoring data

17. Tracing Analysis

API name	Product/Service	Description
GetTraceLicenseKey	Xtrace	Get Trace License
DescribeTraceApps	Xtrace	Describe tracing applications

18. Resource Access Management

API name	Product/Service	Description
ListRolesForService	RAM	Get service role list
ListPoliciesForRole	RAM	Get role policy list
CheckServiceLinkedRoleExistence	ResourceManager	Check service-linked role
CreateServiceLinkedRole	RAM	Create service-linked role
PassRole	RAM	Pass role

19. CDN

API name	Product/Service	Description
DescribeUserDomains	CDN	Get user CDN domain list

20. Container Registry

API name	Product/Service	Description
ListRepoTag	ACR	Get image repository tag list

21. Security Services

API name	Product/Service	Description
GetUserBuyStatus	Yundun	Get user purchase status

22. Commercial status query

API name	Product/Service	Description
DescribeUserBusinessStatus	Ubsms	Get user commercial status

23. Knowledge base management

API name	Product/Service	Description
GetKnowledgeBase	AgentRun	Get knowledge base details
CreateKnowledgeBase	AgentRun	Create knowledge base
UpdateKnowledgeBase	AgentRun	Update knowledge base
DeleteKnowledgeBase	AgentRun	Delete knowledge base
ListKnowledgeBases	AgentRun	List knowledge bases
ListWorkspaces	Bailian	Retrieve the list of Model Studio workspaces.
CreateUser	Bailian	Create Model Studio user
ListRoles	Bailian	Obtain the Model Studio role list
ListUsers	Bailian	Get Model Studio user list
AttachWorkspaceToUser	Bailian	Associate workspace with user

24. Invoke Agent and Sandbox

API name	Product/Service	Description
InvokeRuntime	AgentRun	Invoke Agent
InvokeSandbox	AgentRun	Invoke Sandbox

These two APIs are used to invoke Agent instances and Sandbox instances through the AgentRun service. They are invocation actions. When creating a custom policy, include the agentrun:InvokeRuntime and agentrun:InvokeSandbox actions.