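AliyunServiceRolePolicyForARMS 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForARMS 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。原因在于策略中包含对全部资源("Resource": "*")生效的高权限操作,例如 ram:PassRole、ecs:InvokeCommand 和 kms:Decrypt,授予其他 RAM 身份会显著扩大该身份的权限范围。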
策略详情
类型:系统策略
创建时间:2025-09-17 10:57:48
更新时间:2025-10-28 12:47:40
当前版本:v190
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"log:Get*",
"log:Query*",
"log:List*",
"log:Describe*",
"log:TagResources",
"log:UntagResources",
"log:CreateProject",
"log:EnableService",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:DeleteProject",
"log:UpdateLogStore",
"log:CreateMetricStore",
"log:DeleteMetricStore",
"log:UpdateMetricStore",
"log:PullLogs",
"log:PostLogStoreLogs",
"log:AnalyzeProductLog",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:CreateScheduledSQL",
"log:UpdateScheduledSQL",
"log:DeleteScheduledSQL",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:UpdateSubStore",
"log:CreateMetricsConfig",
"log:UpdateMetricsConfig",
"log:UpdateProject",
"ram:PassRole",
"ram:GetRole",
"ram:ListRoles",
"ram:ListPolicies",
"ram:ListPoliciesForRole",
"log:CreateLogtailPipelineConfig",
"log:UpdateLogtailPipelineConfig",
"log:DeleteLogtailPipelineConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:UpdateMachineGroupMachine",
"log:ApplyConfigToGroup",
"log:RemoveConfigFromGroup",
"log:RetryShipperTask",
"log:CreateConsumerGroup",
"log:UpdateConsumerGroup",
"log:DeleteConsumerGroup",
"log:UpdateCheckPoint",
"log:HeartBeat",
"log:ConsumerGroupUpdateCheckPoint",
"log:ConsumerGroupHeartBeat",
"log:UpdateConsumerGroupCheckPoint",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:CreateJob",
"log:UpdateJob",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:CreateTicket",
"log:BatchPostLogStoreLogs",
"log:DeleteJob",
"log:ModifyJobInstance",
"log:CreateLogging",
"log:UpdateLogging",
"log:DeleteLogging",
"log:SplitShard",
"log:CreateEtlMeta",
"log:UpdateEtlMeta",
"log:DeleteEtlMeta",
"log:UpdateSubStoreTTL",
"log:CreateStoreView",
"log:DeleteStoreView",
"log:UpdateStoreView",
"log:PutProjectPolicy",
"log:DeleteProjectPolicy",
"log:*CollectionPolicy",
"cs:ScaleCluster",
"cs:GetClusterById",
"cs:GetClusters",
"cs:DescribeClustersV1",
"cs:GetClustersByUid",
"cs:GetUserConfig",
"cs:CheckKritisInstall",
"cs:GetKritisAttestationAuthority",
"cs:GetKritisGenericAttestationPolicy",
"cs:AttachInstances",
"cs:InstallKritis",
"cs:InstallKritisAttestationAuthority",
"cs:InstallKritisGenericAttestationPolicy",
"cs:UpdateClusterTags",
"cs:DeleteClusterNodes",
"cs:UninstallKritis",
"cs:DeleteKritisAttestationAuthority",
"cs:DeleteKritisGenericAttestationPolicy",
"cs:UpdateKritisAttestationAuthority",
"cs:UpdateKritisGenericAttestationPolicy",
"cs:UpgradeCluster",
"cs:DeleteClusterNode",
"cs:GetClusterLogs",
"cs:DescribeClusterAddonsVersion",
"cs:ListTagResources",
"cs:InstallClusterAddons",
"cs:UnInstallClusterAddons",
"cs:UpgradeClusterAddons",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterAddonUpgradeStatus",
"cs:DescribeClusterAddonMetadata",
"cs:GetClusterAddonInstance",
"cs:ListClusterAddonInstances",
"cs:UpdateClusterAuditLogConfig",
"cs:DescribeAddon",
"cs:DescribeClusterDetail",
"cs:GetClusterAuditProject",
"asi:DescribeClusterDetail",
"asi:GetKubeConfig",
"asi:DescribeClusters",
"acc:DescribeClusterDetail",
"acc:DescribeClusterKubeconfig",
"acc:DescribeClusters",
"ecs:Describe*",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:CreateNetworkInterface",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:InvokeCommand",
"ecs:CreateCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:ModifyCommand",
"ecs:InstallCloudAssistant",
"ecs:ListTagResources",
"cms:CreateAggTaskGroup",
"cms:DeleteAggTaskGroup",
"cms:PutAggTaskGroup",
"cms:DeleteAlertEventIntegrationPolicy",
"cms:CreateAlertEventIntegrationPolicy",
"cms:UpdateAlertEventIntegrationPolicy",
"cms:EnableAlertEventIntegrationPolicy",
"cms:DisableAlertEventIntegrationPolicy",
"cms:CreatePrometheusInstance",
"cms:DeletePrometheusInstance",
"cms:CreateApplicationInsightsInstance",
"cms:UpsertUmodelData",
"cms:DeleteUmodelData",
"cms:GetUmodelData",
"cms:UpdateAddonRelease",
"cms:CreateAddonRelease",
"cms:DeleteAddonRelease",
"cms:CreateIntegrationPolicy",
"cms:CreatePrometheus*",
"cms:UpdatePrometheus*",
"cms:DeletePrometheus*",
"cms:DeleteIntegrationPolicy",
"cms:EnableHighResolutionMonitor",
"cms:DisableHighResolutionMonitor",
"cms:DeleteCloudResource",
"cms:CreateCloudResource",
"cms:GetCloudResource",
"slb:DescribeAccessControlListAttribute",
"gwlb:ListLoadBalancers",
"mq:ListMqttInstance",
"vpc:ListVpcPeerConnections",
"vpc:ListIpamScopes",
"vpc:ListIpamPools",
"expressconnectrouter:DescribeExpressConnectRouter",
"opensearch:ListAppGroup",
"apig:ListGateways",
"clickhouse:DescribeDBClusters",
"clickhouse:DescribeDBInstances",
"dataworks:ListResourceGroups",
"arms:StartAlertRule",
"arms:StopAlertRule"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/ACS-ARMS-*"
],
"Effect": "Allow"
},
{
"Action": [
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:SetLoadbalancerListenerAttributeEx",
"slb:DescribeLoadbalancerListenersEx",
"slb:DescribeLoadbalancerListenersEx",
"slb:SetAccessLogsDownloadAttribute",
"slb:DeleteAccessLogsDownloadAttribute",
"slb:DescribeAccessLogsDownloadAttribute",
"privatelink:OpenPrivateLinkService",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:DeleteVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/eni-creator": "function-compute"
}
}
},
{
"Action": [
"ecs:DeleteSecurityGroup"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/sg-creator": "containernetworking"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/eni-creator": "asi-cni-service"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"acs:ResourceTag/acs:eci:Product": "ARMS"
}
}
},
{
"Action": [
"fc:GetService",
"fc:UpdateService",
"fc:DeleteService",
"fc:GetFunction",
"fc:CreateFunction",
"fc:UpdateFunction",
"fc:DeleteFunction",
"fc:InvokeFunction"
],
"Resource": "acs:fc:*:*:services/grafana-*",
"Effect": "Allow"
},
{
"Action": [
"fc:CreateService"
],
"Resource": "acs:fc:*:*:services/*",
"Effect": "Allow"
},
{
"Action": [
"vpc:Describe*",
"vpc:ModifyBypassToaAttribute",
"vpc:List*",
"adb:Describe*",
"adb:List*",
"alikafka:Get*",
"alikafka:List*",
"apigateway:Describe*",
"clickhouse:Describe*",
"cms:BatchGet",
"cms:BatchExport",
"cms:Cursor",
"cms:Query*",
"cms:Get*",
"cms:List*",
"cms:Describe*",
"cms:PutResourceMetricRule",
"cms:PutWorkspace",
"yundun-waf:Describe*",
"yundun-antiddosbag:Describe*",
"yundun-ddoscoo:Describe*",
"yundun-cloudfirewall:Describe*",
"drds:Describe*",
"drds:List*",
"polardbx:Describe*",
"dts:Describe*",
"rds:List*",
"alb:List*",
"cen:DescribeCens",
"cdn:Describe*",
"dcdn:Describe*",
"elasticsearch:List*",
"emr:List*",
"hbase:Describe*",
"hitsdb:Describe*",
"lindorm:Get*",
"lindorm:List*",
"lindorm:UpdateInstanceIpWhiteList",
"kvstore:Describe*",
"mongodb:Describe*",
"dds:Describe*",
"mns:List*",
"milvus:List*",
"mq:OnsInstanceBaseInfo",
"mq:List*",
"netgateway:DescribeNatGateways",
"ocs:DescribeInstances",
"ons:OnsInstanceInServiceList",
"amqp:List*",
"mq:Query*",
"ons:List*",
"opensearch:List*",
"oss:List*",
"polardb:Describe*",
"polardb:List*",
"rds:Describe*",
"slb:Describe*",
"nas:DescribeFileSystems",
"nlb:List*",
"oceanbase:DescribeInstances",
"actiontrail:LookupEvents",
"hdm:CreateRequestDiagnosis",
"hdm:Get*",
"hdm:Describe*",
"eflo:List*",
"ga:List*",
"fc:List*",
"fc:Get*",
"ecd:Describe*",
"kms:List*",
"kms:Describe*",
"kms:TagResource",
"kms:UntagResource",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"tag:ListTagResources",
"resourcemanager:List*",
"graphcompute:ListInstances",
"gdb:DescribeDBInstances",
"domain:QueryCommonInfo",
"airec:ListInstance",
"chatbot:ListInstance",
"cassandra:DescribeClusters",
"cloudphone:ListInstances",
"dbfs:ListDbfs",
"ddi:ListClusters",
"eipanycast:ListAnycastEipAddresses",
"ess:DescribeScalingGroups",
"hdr:DescribeServers",
"hbr:DescribeVault",
"dfs:ListFileSystems",
"imm:ListProjects",
"iot:Query*",
"baas:Describe*",
"rtc:DescribeApps",
"smartag:DescribeSmartAccessGateways",
"swas-open:ListInstances",
"privatelink:ListVpcEndpointServicesByEndUser",
"vpcpeer:ListVpcPeerConnections",
"cddc:DescribeDedicatedHostGroups",
"ebs:DescribeDiskReplicaPairs",
"expressconnectrouter:DescribeExpressConnectRouter",
"actiontrail:DescribeTrails",
"mts:SearchPipeline",
"snsu:ListOssEpn",
"pai:List*",
"pai:Get*",
"paiworkspace:List*",
"paiworkspace:Get*",
"paidlc:List*",
"paidlc:Get*",
"paidsw:List*",
"paidsw:Get*",
"eas:List*",
"eas:Get*",
"eas:Describe*",
"paieas:Describe*",
"stream:DescribeVvpInstances",
"apig:List*",
"apig:Get*",
"emr-serverless-spark:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ahas:Query*",
"ahas:Search*",
"bss:ModifyInstance",
"mse:GetServiceList",
"sae:List*",
"sae:Describe*",
"arms:Describe*",
"arms:List*",
"arms:Get*",
"arms:Search*",
"arms:Check*",
"arms:Query*",
"arms:createAliYunRecordingRuleYaml",
"arms:DeletePrometheusAlertRules",
"arms:CreatePrometheusAlertRules",
"arms:TagResourcesSystemTags",
"arms:UntagResourcesSystemTags",
"arms:InstallEnvironmentFeature",
"arms:CreatePrometheusInstance",
"arms:UninstallPromCluster",
"arms:UpgradeEnvironmentFeature",
"arms:DeleteEnvironmentFeature",
"arms:InstallAddon",
"arms:DeleteAddonRelease",
"arms:UpgradeAddonRelease",
"arms:AddPrometheusGlobalViewByAliClusterIds",
"arms:AddAliClusterIdsToPrometheusGlobalView",
"arms:RemoveAliClusterIdsFromPrometheusGlobalView",
"arms:DeletePrometheusGlobalView",
"arms:EnableGraphResource",
"arms:CreateEnvironment",
"arms:InitEnvironment",
"arms:CreateTimingSyntheticTask",
"arms:UpdateTimingSyntheticTask",
"arms:DeleteTimingSyntheticTask",
"arms:DoInsightsAction",
"arms:UpdateDeliverTask",
"arms:GetDeliverTask",
"arms:ListDeliverTask",
"arms:EnableDeliverTask",
"arms:DisableDeliverTask",
"arms:DeleteDeliverTask",
"arms:CreateDispatchRule",
"arms:DeleteDispatchRule",
"arms:UpdatePrometheusInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"fc.aliyuncs.com",
"privatelink.aliyuncs.com",
"arms.aliyuncs.com",
"cloudmonitor.aliyuncs.com",
"actiontrail.aliyuncs.com",
"middlewarelens.log.aliyuncs.com",
"securitylens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com",
"storagelens.log.aliyuncs.com",
"rmc.resourcemanager.aliyuncs.com",
"audit.log.aliyuncs.com"
]
}
}
},
{
"Action": [
"adcp:DescribeHubClusterDetails",
"adcp:DescribeHubClusterKubeconfig",
"adcp:DescribeHubClusters",
"adcp:GrantUserPermission",
"eventbridge:CreateEventBus",
"eventbridge:CreateRule",
"eventbridge:DeleteEventBus",
"eventbridge:DeleteRule",
"eventbridge:DeleteTargets",
"eventbridge:DisableRule",
"eventbridge:EnableRule",
"eventbridge:GetEventBus",
"eventbridge:GetRule",
"eventbridge:ListEventBuses",
"eventbridge:ListRules",
"eventbridge:ListTargets",
"eventbridge:UpdateRule",
"eventbridge:CreateTargets",
"eventbridge:PutTargets",
"eventbridge:PutEvents",
"eventbridge:ListEventStreamings",
"eventbridge:DeleteEventStreaming",
"eventbridge:PauseEventStreaming",
"eventbridge:StartEventStreaming",
"eventbridge:GetEventStreaming",
"eventbridge:UpdateEventStreaming",
"eventbridge:CreateEventStreaming",
"eventbridge:CheckRoleForProduct",
"eventbridge:CheckServiceLinkedRoleForProduct",
"rocketmq:ListInstances",
"rocketmq:ListTopics",
"hologram:ListInstances",
"odps:ListProjects",
"fc:GetService",
"fc:ListServices",
"fc:ListServiceVersions",
"fc:ListAliases",
"fc:GetAlias",
"fc:ListFunctions",
"fc:GetFunction",
"fc:InvokeFunction",
"fc:GetStatefulAsyncInvocation",
"resourcecenter:GetResourceCounts",
"resourcecenter:GetResourceManageMetrics",
"resourcecenter:ListResources",
"resourcecenter:ListResourceTypes",
"resourcecenter:ListResourceRelationships",
"resourcecenter:SearchResources",
"resourcecenter:ExecuteGraphQLQuery",
"resourcecenter:CreateServiceDeliveryChannel",
"resourcecenter:DeleteServiceDeliveryChannel",
"resourcecenter:DeliverResourceSnapshot",
"resourcecenter:EnableResourceCenter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "arms.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"cms:GetRumInstance",
"cms:CreateRumInstance",
"cms:DeleteRumInstance"
],
"Resource": [
"acs:cms:*:*:ruminstance/*"
]
}
]
}