AliyunServiceRolePolicyForCloudFW

AliyunServiceRolePolicyForCloudFW 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForCloudFW 时自动授权,以允许云防火墙(CloudFW)的服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。需要特别注意:本策略的所有语句均以 "Resource": "*" 授权,且除 Describe/List 类只读操作外,还包含大量高影响的写操作,例如创建或删除 VPC、交换机、路由条目和 CEN 转发路由器,创建或删除安全组及弹性网卡,创建和导入镜像,修改实例规格,删除日志项目或清空日志库,创建根 CA 和子 CA 证书,以及获取 ACK 集群 kubeconfig 并授予或清理集群权限等。若将其授权给普通 RAM 用户或自定义角色,会造成远超云防火墙所需的权限扩散;建议定期审计 RAM 权限策略绑定,确认本策略仅绑定在 AliyunServiceRoleForCloudFW 上。此外,策略中 ram:CreateServiceLinkedRole 仅限于 cen.aliyuncs.com 与 privatelink.aliyuncs.com,ram:DeleteServiceLinkedRole 仅限于 cloudfw.aliyuncs.com,均通过 ram:ServiceName 条件做了限定。

策略详情

  • 类型:系统策略

  • 创建时间:2025-09-10 13:58:46

  • 更新时间:2025-09-10 13:58:46

  • 当前版本:v1

策略内容

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeTags",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeRegions",
        "ecs:DescribeVpcs",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribePrefixLists",
        "ecs:ListTagResources",
        "ecs:ImportImage",
        "ecs:ModifyInstanceSpec",
        "ecs:CreateImage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeForwardTableEntries",
        "vpc:DescribeBandwidthPackages",
        "vpc:GetNatGatewayAttribute",
        "vpc:ModifyNatGatewayAttribute",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:CreateVirtualBorderRouter",
        "vpc:ConnectRouterInterface",
        "vpc:ModifyRouterInterfaceAttribute",
        "vpc:DeleteRouterInterface",
        "vpc:CreateRouterInterface",
        "vpc:DeleteVirtualBorderRouter",
        "vpc:DeactivateRouterInterface",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribePhysicalConnections",
        "vpc:ModifyVirtualBorderRouterAttribute",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeHaVips",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpnRouteEntries",
        "vpc:DescribeVpnPbrRouteEntries",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeSslVpnServers",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:CreateRouteTable",
        "vpc:DeleteRouteTable",
        "vpc:AssociateRouteTable",
        "vpc:UnassociateRouteTable",
        "vpc:CreateSnatEntry",
        "vpc:DeleteSnatEntry",
        "vpc:DescribeSnatTableEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeIpv6Addresses",
        "vpc:ListVpcPeerConnections",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:ModifyRouteEntry",
        "vpc:DescribeRegions",
        "vpc:CheckCanAllocateVpcPrivateIpAddress",
        "vpc:CreateTrafficMirrorFilterRules",
        "vpc:UpdateTrafficMirrorFilterAttribute",
        "vpc:AddSourcesToTrafficMirrorSession",
        "vpc:GetTrafficMirrorServiceStatus",
        "vpc:ListTrafficMirrorFilters",
        "vpc:CreateTrafficMirrorFilter",
        "vpc:DeleteTrafficMirrorFilter",
        "vpc:UpdateTrafficMirrorSessionAttribute",
        "vpc:DeleteTrafficMirrorFilterRules",
        "vpc:ListTrafficMirrorSessions",
        "vpc:CreateTrafficMirrorSession",
        "vpc:RemoveSourcesFromTrafficMirrorSession",
        "vpc:DeleteTrafficMirrorSession",
        "vpc:OpenTrafficMirrorService",
        "vpc:UpdateTrafficMirrorFilterRuleAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeRegions",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeHealthStatus",
        "slb:DescribeAccessControlListAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:DescribeRegions",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:GetListenerAttribute",
        "alb:GetListenerHealthStatus",
        "alb:ListAcls",
        "alb:ListAclEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:DescribeRegions",
        "nlb:ListLoadBalancers",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListListeners",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:DeleteProject",
        "log:GetLogStoreLogs",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:GetLogStoreHistogram"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-bastionhost:DescribeInstance",
        "yundun-bastionhost:DescribeRegions",
        "yundun-bastionhost:DescribeInstances",
        "yundun-bastionhost:DescribeInstanceBastionhost",
        "yundun-bastionhost:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:PublishRouteEntries",
        "cen:WithdrawPublishedRouteEntries",
        "cen:DescribePublishedRouteEntries",
        "cen:DescribeCenRegionDomainRouteEntries",
        "cen:ModifyCenAttribute",
        "cen:CreateCenRouteMap",
        "cen:DeleteCenRouteMap",
        "cen:ModifyCenRouteMap",
        "cen:DescribeCenRouteMaps",
        "cen:DescribeCenChildInstanceRouteEntries",
        "cen:CreateCenChildInstanceRouteEntryToCen",
        "cen:DeleteCenChildInstanceRouteEntryToCen",
        "cen:ListTransitRouters",
        "cen:CreateTransitRouter",
        "cen:DeleteTransitRouter",
        "cen:ListTransitRouterAttachments",
        "cen:CreateTransitRouterVpcAttachment",
        "cen:DeleteTransitRouterVpcAttachment",
        "cen:UpdateTransitRouterVpcAttachmentAttribute",
        "cen:UpdateTransitRouterPeerAttachmentAttribute",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:ListTransitRouterPeerAttachments",
        "cen:ListTransitRouterVpcAttachments",
        "cen:ListTransitRouterVbrAttachments",
        "cen:ListTransitRouterAvailableResource",
        "cen:CreateTransitRouterRouteTable",
        "cen:UpdateTransitRouterRouteTable",
        "cen:DeleteTransitRouterRouteTable",
        "cen:ListTransitRouterRouteTables",
        "cen:CreateTransitRouterRouteEntry",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:ModifyCenUserQuota",
        "cen:ReplaceTransitRouterRouteTableAssociation",
        "cen:CheckTransitRouterService",
        "cen:ListTransitRouterPrefixListAssociation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "netana:DescribeNetworkQuotas",
        "netana:DescribeNetworkQuotaRequestResult",
        "netana:CreateNetworkQuotaRequest"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CheckProductOpen",
        "privatelink:OpenPrivateLinkService",
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointZones",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointServicesByEndUser"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-sas:DescribeVulList",
        "yundun-sas:DescribeVulDetails",
        "yundun-sas:DescribeCloudCenterInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeCACertificateList",
        "yundun-cert:GetUserStatus",
        "yundun-cert:CreateTestOrder",
        "yundun-cert:CreateRootCACertificate",
        "yundun-cert:CreateSubCACertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeUserQuota",
        "cs:DescribeClusterNodes",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodePoolDetail",
        "cs:DescribeUserClusterNamespaces",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeClusterDetail",
        "cs:GetClusters",
        "cs:DescribeUserPermission",
        "cs:UpdateUserPermissions",
        "cs:GrantPermissions",
        "cs:CleanClusterUserPermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quotas:ListProductQuotas",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "resourcemanager:ListAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryMetricList",
        "cms:QueryMetricData",
        "cms:QueryMetricLast"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "yundun-aegis:DescribeAccesskeyLeakList",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cloudfw.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}

相关文档