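AliyunServiceRolePolicyForARMS 是专用于服务关联角色的授权策略，会在创建服务关联角色 AliyunServiceRoleForARMS 时自动授权，以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新，请勿将本策略授权给服务关联角色之外的 RAM 身份使用：策略中包含作用于全部资源（"Resource": "*"）的操作，例如 ram:PassRole、ecs:InvokeCommand 和 kms:Decrypt，授权给其他身份会使其获得同样范围的权限。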
策略详情
类型:系统策略
创建时间:2025-09-17 10:57:48
更新时间:2025-09-17 10:57:48
当前版本:v1
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"log:Get*",
"log:Query*",
"log:List*",
"log:Describe*",
"log:TagResources",
"log:UntagResources",
"log:CreateProject",
"log:EnableService",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:UpdateLogStore",
"log:CreateMetricStore",
"log:DeleteMetricStore",
"log:UpdateMetricStore",
"log:PullLogs",
"log:PostLogStoreLogs",
"log:AnalyzeProductLog",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:CreateScheduledSQL",
"log:UpdateScheduledSQL",
"log:DeleteScheduledSQL",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:UpdateSubStore",
"ram:PassRole",
"ram:GetRole",
"ram:ListRoles",
"ram:ListPolicies",
"ram:ListPoliciesForRole",
"log:CreateLogtailPipelineConfig",
"log:UpdateLogtailPipelineConfig",
"log:DeleteLogtailPipelineConfig",
"log:GetLogtailPipelineConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:GetMachineGroup",
"log:UpdateMachineGroupMachine",
"log:ApplyConfigToGroup",
"log:RemoveConfigFromGroup",
"log:RetryShipperTask",
"log:CreateConsumerGroup",
"log:UpdateConsumerGroup",
"log:DeleteConsumerGroup",
"log:UpdateCheckPoint",
"log:HeartBeat",
"log:ConsumerGroupUpdateCheckPoint",
"log:ConsumerGroupHeartBeat",
"log:GetConsumerGroupCheckPoint",
"log:UpdateConsumerGroupCheckPoint",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:CreateJob",
"log:UpdateJob",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:CreateTicket",
"log:BatchPostLogStoreLogs",
"log:DeleteJob",
"log:ModifyJobInstance",
"log:CreateLogging",
"log:UpdateLogging",
"log:DeleteLogging",
"log:SplitShard",
"log:ListEtlMeta",
"log:GetEtlMeta",
"log:CreateEtlMeta",
"log:UpdateEtlMeta",
"log:DeleteEtlMeta",
"log:ListEtlJob",
"log:GetEtlJob",
"log:UpdateSubStoreTTL",
"log:CreateStoreView",
"log:DeleteStoreView",
"log:UpdateStoreView",
"log:PutProjectPolicy",
"log:DeleteProjectPolicy",
"log:*CollectionPolicy",
"cs:ScaleCluster",
"cs:GetClusterById",
"cs:GetClusters",
"cs:DescribeClustersV1",
"cs:GetClustersByUid",
"cs:GetUserConfig",
"cs:CheckKritisInstall",
"cs:GetKritisAttestationAuthority",
"cs:GetKritisGenericAttestationPolicy",
"cs:AttachInstances",
"cs:InstallKritis",
"cs:InstallKritisAttestationAuthority",
"cs:InstallKritisGenericAttestationPolicy",
"cs:UpdateClusterTags",
"cs:DeleteClusterNodes",
"cs:UninstallKritis",
"cs:DeleteKritisAttestationAuthority",
"cs:DeleteKritisGenericAttestationPolicy",
"cs:UpdateKritisAttestationAuthority",
"cs:UpdateKritisGenericAttestationPolicy",
"cs:UpgradeCluster",
"cs:DeleteClusterNode",
"cs:GetClusterLogs",
"cs:DescribeClusterAddonsVersion",
"cs:ListTagResources",
"cs:InstallClusterAddons",
"cs:UnInstallClusterAddons",
"cs:UpgradeClusterAddons",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterAddonUpgradeStatus",
"cs:DescribeClusterAddonMetadata",
"cs:GetClusterAddonInstance",
"cs:ListClusterAddonInstances",
"cs:UpdateClusterAuditLogConfig",
"cs:DescribeAddon",
"cs:GetClusterAuditProject",
"acc:DescribeClusterDetail",
"acc:DescribeClusterKubeconfig",
"acc:DescribeClusters",
"ecs:Describe*",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:CreateNetworkInterface",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:InvokeCommand",
"ecs:CreateCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:ModifyCommand",
"ecs:InstallCloudAssistant",
"ecs:ListTagResources",
"cms:CreateAggTaskGroup",
"cms:DeleteAggTaskGroup",
"cms:PutAggTaskGroup",
"cms:DeleteAlertEventIntegrationPolicy",
"cms:CreateAlertEventIntegrationPolicy",
"cms:UpdateAlertEventIntegrationPolicy",
"cms:EnableAlertEventIntegrationPolicy",
"cms:DisableAlertEventIntegrationPolicy",
"cms:CreatePrometheusInstance",
"cms:DeletePrometheusInstance",
"cms:CreateApplicationInsightsInstance",
"cms:UpsertUmodelData",
"cms:DeleteUmodelData",
"cms:GetUmodelData",
"cms:UpdateAddonRelease",
"cms:CreateAddonRelease",
"cms:DeleteAddonRelease",
"cms:CreateIntegrationPolicy",
"cms:CreatePrometheus*",
"cms:UpdatePrometheus*",
"cms:DeletePrometheus*",
"slb:DescribeAccessControlListAttribute",
"sae:ListApplications",
"apig:ListGateways"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/ACS-ARMS-*"
],
"Effect": "Allow"
},
{
"Action": [
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:SetLoadbalancerListenerAttributeEx",
"slb:DescribeLoadbalancerListenersEx",
"slb:DescribeLoadbalancerListenersEx",
"slb:SetAccessLogsDownloadAttribute",
"slb:DeleteAccessLogsDownloadAttribute",
"slb:DescribeAccessLogsDownloadAttribute",
"privatelink:OpenPrivateLinkService",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:DeleteVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/eni-creator": "function-compute"
}
}
},
{
"Action": [
"ecs:DeleteSecurityGroup"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/sg-creator": "containernetworking"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/eni-creator": "asi-cni-service"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"acs:ResourceTag/acs:eci:Product": "ARMS"
}
}
},
{
"Action": [
"fc:GetService",
"fc:UpdateService",
"fc:DeleteService",
"fc:GetFunction",
"fc:CreateFunction",
"fc:UpdateFunction",
"fc:DeleteFunction",
"fc:InvokeFunction"
],
"Resource": "acs:fc:*:*:services/grafana-*",
"Effect": "Allow"
},
{
"Action": [
"fc:CreateService"
],
"Resource": "acs:fc:*:*:services/*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeCommonBandwidthPackages",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVpcAttribute",
"vpc:ModifyBypassToaAttribute",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeEipAddresses",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeGlobalAccelerationInstances",
"vpc:DescribeVpnGateways",
"vpc:DescribeNatGateways",
"vpc:ListTagResources",
"vpc:DescribeVirtualBorderRouters",
"vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
"adb:DescribeDBClusters",
"adb:ListTagResources",
"alikafka:GetInstanceList",
"alikafka:ListInstance",
"alikafka:ListTopic",
"apigateway:DescribeApis",
"clickhouse:DescribeDBClusters",
"cms:BatchGet",
"cms:BatchExport",
"cms:Cursor",
"cms:Query*",
"cms:Get*",
"cms:List*",
"cms:Describe*",
"cms:PutResourceMetricRule",
"cms:PutWorkspace",
"yundun-waf:DescribeInstanceInfo",
"yundun-antiddosbag:DescribeInstanceList",
"yundun-ddoscoo:DescribeInstances",
"dds:DescribeDBInstances",
"dds:DescribeDBInstancesOverview",
"drds:DescribeDrdsInstances",
"drds:DescribeDrdsInstance",
"drds:DescribeDrdsDbInstance",
"drds:DescribeDrdsDbInstances",
"drds:DescribeDrdsDBs",
"drds:DescribeDrdsInstanceMonitor",
"drds:ListTagResources",
"polardbx:DescribeDBInstances",
"dts:DescribeMigrationJobs",
"dts:DescribeSynchronizationJobs",
"dts:DescribeSubscriptionInstances",
"dts:DescribeDtsInstances",
"rds:ListTagResources",
"alb:ListLoadBalancers",
"alb:ListListeners",
"cen:DescribeCens",
"cdn:DescribeUserDomains",
"cdn:DescribeTagResources",
"dcdn:DescribeDcdnUserDomains",
"dcdn:DescribeDcdnTagResources",
"elasticsearch:ListInstance",
"elasticsearch:ListLogstash",
"emr:ListClusters",
"emr:ListTagResources",
"hbase:DescribeClusterList",
"hbase:DescribeInstances",
"hbase:DescribeInstance",
"hitsdb:DescribeHiTSDBInstanceList",
"hitsdb:DescribeHiTSDBInstance",
"lindorm:GetLindormInstanceList",
"lindorm:ListTagResources",
"lindorm:GetLindormInstance",
"lindorm:GetLindormInstanceEngineList",
"lindorm:GetInstanceIpWhiteList",
"lindorm:UpdateInstanceIpWhiteList",
"kvstore:DescribeInstances",
"kvstore:DescribeLogicInstanceTopology",
"kvstore:DescribeDBInstanceNetInfo",
"mongodb:DescribeDBInstances",
"mongodb:DescribeDBInstanceAttribute",
"dds:DescribeDBInstanceAttribute",
"mns:ListQueue",
"mns:ListTopic",
"milvus:ListInstances",
"mq:OnsInstanceBaseInfo",
"mq:ListInstance",
"netgateway:DescribeNatGateways",
"ocs:DescribeInstances",
"ons:OnsInstanceInServiceList",
"amqp:ListInstance",
"mq:QueryInstanceBaseInfo",
"ons:ListTagResources",
"opensearch:ListApps",
"oss:ListBuckets",
"polardb:DescribeDBClusters",
"polardb:DescribeDBInstances",
"polardb:ListTagResources",
"rds:DescribeDBInstances",
"rds:DescribeReplicas",
"rds:DescribeDBInstanceByTags",
"rds:DescribeDBInstanceNetInfo",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeLoadBalancerListeners",
"nas:DescribeFileSystems",
"nlb:ListLoadBalancers",
"nlb:ListTagResources",
"oceanbase:DescribeInstances",
"actiontrail:LookupEvents",
"polardb:DescribeDBClusters",
"polardb:DescribeDBClusterEndpoints",
"hdm:CreateRequestDiagnosis",
"hdm:Get*",
"hdm:Describe*",
"eflo:ListTagResources",
"eflo:ListClusters",
"eflo:ListClusterNodes",
"ga:ListAccelerators",
"ga:ListBasicAccelerators",
"fc:ListServices",
"fc:ListTaggedResources",
"fc:GetResourceTags",
"ecd:DescribeDesktops",
"ecd:DescribeRegions",
"kms:ListKmsInstances",
"kms:ListKeys",
"kms:ListAliases",
"kms:ListAliasesByKeyId",
"kms:ListKeyVersions",
"kms:ListResourceTags",
"kms:DescribeKey",
"kms:TagResource",
"kms:UntagResource",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"tag:ListTagResources",
"resourcemanager:ListResourceGroups",
"resourcemanager:ListResources",
"graphcompute:ListInstances",
"gdb:DescribeDBInstances",
"domain:QueryCommonInfo",
"airec:ListInstance",
"chatbot:ListInstance",
"hbase:DescribeInstances",
"cassandra:DescribeClusters",
"cloudphone:ListInstances",
"dbfs:ListDbfs",
"ddi:ListClusters",
"eipanycast:ListAnycastEipAddresses",
"ess:DescribeScalingGroups",
"hdr:DescribeServers",
"hbr:DescribeVault",
"dfs:ListFileSystems",
"imm:ListProjects",
"vpc:DescribeIpv6Gateways",
"iot:QueryEdgeInstance",
"iot:QueryConsumerGroupList",
"baas:DescribeFabricConsortiums",
"opensearch:ListAppGroups",
"baas:DescribeFabricOrganizations",
"rtc:DescribeApps",
"smartag:DescribeSmartAccessGateways",
"swas-open:ListInstances",
"kvstore:DescribeInstances",
"vpc:DescribePhysicalConnections",
"privatelink:ListVpcEndpointServicesByEndUser",
"vpcpeer:ListVpcPeerConnections",
"cddc:DescribeDedicatedHostGroups",
"ebs:DescribeDiskReplicaPairs",
"expressconnectrouter:DescribeExpressConnectRouter",
"actiontrail:DescribeTrails",
"mts:SearchPipeline",
"snsu:ListOssEpn",
"pai:List*",
"pai:Get*",
"paiworkspace:List*",
"paiworkspace:Get*",
"paidlc:List*",
"paidlc:Get*",
"paidsw:List*",
"paidsw:Get*",
"eas:List*",
"eas:Get*",
"eas:Describe*",
"paieas:Describe*",
"stream:DescribeVvpInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ahas:Query*",
"ahas:Search*",
"bss:ModifyInstance",
"mse:GetServiceList",
"sae:DescribeAppServiceDetail",
"sae:ListAppServicesPage",
"arms:Describe*",
"arms:List*",
"arms:Get*",
"arms:Search*",
"arms:Check*",
"arms:Query*",
"arms:DeletePrometheusAlertRules",
"arms:CreatePrometheusAlertRules",
"arms:TagResourcesSystemTags",
"arms:UntagResourcesSystemTags",
"arms:InstallEnvironmentFeature",
"arms:CreatePrometheusInstance",
"arms:UninstallPromCluster",
"arms:UpgradeEnvironmentFeature",
"arms:DeleteEnvironmentFeature",
"arms:InstallAddon",
"arms:DeleteAddonRelease",
"arms:UpgradeAddonRelease",
"arms:AddPrometheusGlobalViewByAliClusterIds",
"arms:AddAliClusterIdsToPrometheusGlobalView",
"arms:RemoveAliClusterIdsFromPrometheusGlobalView",
"arms:DeletePrometheusGlobalView",
"arms:EnableGraphResource",
"arms:CreateEnvironment",
"arms:InitEnvironment",
"arms:CreateTimingSyntheticTask",
"arms:UpdateTimingSyntheticTask",
"arms:DeleteTimingSyntheticTask",
"arms:DoInsightsAction",
"arms:UpdateDeliverTask",
"arms:GetDeliverTask",
"arms:ListDeliverTask",
"arms:EnableDeliverTask",
"arms:DisableDeliverTask",
"arms:DeleteDeliverTask",
"arms:CreateDispatchRule",
"arms:DeleteDispatchRule",
"arms:UpdatePrometheusInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"fc.aliyuncs.com",
"privatelink.aliyuncs.com",
"arms.aliyuncs.com",
"cloudmonitor.aliyuncs.com",
"actiontrail.aliyuncs.com",
"middlewarelens.log.aliyuncs.com",
"securitylens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com",
"storagelens.log.aliyuncs.com",
"rmc.resourcemanager.aliyuncs.com",
"audit.log.aliyuncs.com"
]
}
}
},
{
"Action": [
"adcp:DescribeHubClusterDetails",
"adcp:DescribeHubClusterKubeconfig",
"adcp:DescribeHubClusters",
"adcp:GrantUserPermission",
"eventbridge:CreateEventBus",
"eventbridge:CreateRule",
"eventbridge:DeleteEventBus",
"eventbridge:DeleteRule",
"eventbridge:DeleteTargets",
"eventbridge:DisableRule",
"eventbridge:EnableRule",
"eventbridge:GetEventBus",
"eventbridge:GetRule",
"eventbridge:ListEventBuses",
"eventbridge:ListRules",
"eventbridge:ListTargets",
"eventbridge:UpdateRule",
"eventbridge:CreateTargets",
"eventbridge:PutTargets",
"eventbridge:PutEvents",
"eventbridge:ListEventStreamings",
"eventbridge:DeleteEventStreaming",
"eventbridge:PauseEventStreaming",
"eventbridge:StartEventStreaming",
"eventbridge:GetEventStreaming",
"eventbridge:UpdateEventStreaming",
"eventbridge:CreateEventStreaming",
"eventbridge:CheckRoleForProduct",
"rocketmq:ListInstances",
"rocketmq:ListTopics",
"hologram:ListInstances",
"odps:ListProjects",
"fc:GetService",
"fc:ListServices",
"fc:ListServiceVersions",
"fc:ListAliases",
"fc:GetAlias",
"fc:ListFunctions",
"fc:GetFunction",
"fc:InvokeFunction",
"fc:GetStatefulAsyncInvocation",
"resourcecenter:GetResourceCounts",
"resourcecenter:GetResourceManageMetrics",
"resourcecenter:ListResources",
"resourcecenter:ListResourceTypes",
"resourcecenter:ListResourceRelationships",
"resourcecenter:SearchResources",
"resourcecenter:ExecuteGraphQLQuery",
"resourcecenter:CreateServiceDeliveryChannel",
"resourcecenter:DeleteServiceDeliveryChannel",
"resourcecenter:DeliverResourceSnapshot",
"resourcecenter:EnableResourceCenter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "arms.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"cms:GetRumInstance",
"cms:CreateRumInstance",
"cms:DeleteRumInstance"
],
"Resource": [
"acs:cms:*:*:ruminstance/*"
]
}
]
}