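AliyunEMRRolePolicy 是专用于服务角色的授权策略，通常会在创建对应的服务角色时同步完成授权，以允许服务角色代您访问其他云服务。本策略由对应的阿里云服务按需更新，请勿将本策略授权给服务角色之外的 RAM 身份使用：下方策略内容中的多数语句以 "Resource": "*" 授权，其中包含 ecs:DeleteInstances、bss:Refund* 等高影响操作，授予其他 RAM 身份会使其获得远超实际需要的权限。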
策略详情
类型:系统策略
创建时间:2025-09-17 10:58:04
更新时间:2025-09-17 10:58:04
当前版本:v1
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:ListObjects"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances",
"ecs:RenewInstance",
"ecs:DescribeRegions",
"ecs:DescribeZones",
"ecs:DescribeImages",
"ecs:CreateSecurityGroup",
"ecs:AllocatePublicIpAddress",
"ecs:DeleteInstance",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DescribeInstances",
"ecs:DescribeDisks",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstancesFullStatus",
"ecs:DescribeDisksFullStatus",
"ecs:ModifyInstanceChargeType",
"ecs:ModifyPrepayInstanceSpec",
"ecs:DescribeResourcesModification",
"ecs:DescribeAvailableResource",
"ecs:DescribeBandwidthLimitation",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeKeyPairs",
"ecs:DescribePrice",
"ecs:RebootInstance",
"ecs:AssignIpv6Addresses",
"ecs:DescribeInstanceHistoryEvents",
"ecs:AcceptInquiredSystemEvent",
"ecs:RedeployInstance",
"ecs:DescribeTasks",
"ecs:TagResources",
"ecs:UntagResources",
"ecs:ListTagResources",
"ecs:JoinResourceGroup",
"ecs:ReportInstancesStatus",
"ecs:ModifyInstanceAttribute",
"ecs:ModifyInstanceSpec",
"ecs:DeleteInstances",
"ecs:RebootInstances",
"ecs:StartInstances",
"ecs:StopInstances",
"ecs:AttachInstanceRamRole",
"ecs:DescribeLocalDiskRepairActivities",
"ecs:CreateAutoProvisioningGroup",
"ecs:DescribeDeploymentSets",
"ecs:DescribeInstanceMonitorData",
"ecs:CreateDiagnosticReport",
"ecs:CreateDeploymentSet",
"ecs:DeleteDeploymentSet",
"ecs:RelnitDisk"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"vpc:AllocateEipAddress",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:DescribeEipAddresses"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:CreateAlarm",
"cms:DeleteAlarm",
"cms:QueryAlarm",
"cms:QueryAlarmHistory",
"cms:QueryMetricList",
"cms:CreateAlert",
"cms:CreateDimensions",
"cms:DeleteAlert",
"cms:QueryAlert",
"cms:QueryNotifyHistory",
"cms:DisableAlarm",
"cms:UpdateAlarm",
"cms:DeleteAlarm",
"cms:EnableAlarm",
"cms:ListAlarmHistory",
"cms:DescribeMonitorGroups",
"cms:CreateMonitorGroup",
"cms:DeleteMonitorGroup",
"cms:ApplyMetricRuleTemplate",
"cms:ModifyMonitorGroupInstances",
"cms:DescribeMetricRuleTemplateList",
"cms:CreateMonitoringTemplate",
"cms:DescribeEventRuleList",
"cms:DescribeMetricRuleList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:CreateScalingGroup",
"ess:ModifyScalingGroup",
"ess:EnableScalingGroup",
"ess:DisableScalingGroup",
"ess:DeleteScalingGroup",
"ess:DescribeScalingGroups",
"ess:DescribeScalingInstances",
"ess:DescribeScalingActivities",
"ess:CreateScalingConfiguration",
"ess:DescribeScalingConfigurations",
"ess:DeleteScalingConfiguration",
"ess:CreateScalingRule",
"ess:ModifyScalingRule",
"ess:DescribeScalingRules",
"ess:DeleteScalingRule",
"ess:CreateScheduledTask",
"ess:ModifyScheduledTask",
"ess:DescribeScheduledTasks",
"ess:DeleteScheduledTask",
"ess:EnableScheduledTask",
"ess:DisableScheduledTask",
"ess:RemoveInstances",
"ess:CreateLifecycleHook",
"ess:DescribeLifecycleHooks",
"ess:ModifyLifecycleHook",
"ess:DeleteLifecycleHook",
"ess:CompleteLifecycleAction",
"ess:RecordLifecycleActionHeartbeat",
"ess:CreateNotificationConfiguration",
"ess:DescribeNotificationConfigurations",
"ess:VerifyAuthentication",
"ess:DescribeRegions",
"ess:SetInstancesProtection",
"ecs:ResizeDisk",
"ess:ExecuteScalingRule",
"ess:DetachInstances",
"ess:ModifyScalingConfiguration",
"ess:DescribeScalingActivityDetail",
"ess:ScaleWithAdjustment"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:GetUser",
"ram:GetRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:PassRole"
],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "ecs.aliyuncs.com"
}
}
},
{
"Action": [
"log:ListProject",
"log:GetProject",
"log:CreateProject",
"log:GetLogStore",
"log:CreateLogStore",
"log:GetConfig",
"log:CreateConfig",
"log:GetIndex",
"log:CreateIndex",
"log:GetAppliedMachineGroups",
"log:ApplyConfigToMachineGroup",
"log:ApplyConfigToGroup",
"log:ListLogStores",
"log:ListSavedSearch",
"log:ListDashboard",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:GetProductDataCollection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:ListRoles",
"ram:ListPoliciesForRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource": [
"acs:ram:*:*:role/KubernetesMasterRole-*",
"acs:ram:*:*:role/KubernetesWorkerRole-*",
"acs:ram:*:*:policy/AliyunEMRECSRolePolicy"
],
"Effect": "Allow"
},
{
"Action": [
"cs:CreateCluster",
"cs:GetClusterById",
"cs:GetClusters",
"cs:GetUserConfig",
"cs:DeleteCluster",
"cs:AttachInstances",
"cs:DescribeClusterLogsRequest",
"cs:GetClusterLogs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:AddIntegration",
"arms:AddGrafana",
"arms:ListDashboards",
"arms:GetPrometheusApiToken"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDatabases"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quotas:ListProductQuotas",
"Resource": "acs:quotas:*:*:quota/ecs/*",
"Effect": "Allow"
},
{
"Action": "kms:ListKeys",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "pvtz:DescribeZones",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"selfservice.ecs.aliyuncs.com",
"middlewarelens.log.aliyuncs.com",
"autoprovisioning.ecs.aliyuncs.com",
"ess.aliyuncs.com"
]
}
}
},
{
"Action": [
"bss:Describe*",
"bss:Refund*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}