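AliyunServiceRolePolicyForCloudMonitor 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForCloudMonitor 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。原因在于下方策略内容包含范围很广的高权限操作:ecs:RunCommand 可作用于所有实例和命令,ram:PassRole、kms:Decrypt、log:DeleteProject 等操作的 Resource 为 "*",授予其他 RAM 身份会使其获得远超日常所需的权限。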
策略详情
类型:系统策略
创建时间:2025-10-29 10:40:57
更新时间:2025-10-29 10:40:57
当前版本:v1
策略内容
{
"Version": "1",
"Statement": [
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "cloudmonitor.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"ess.aliyuncs.com",
"fc.aliyuncs.com",
"privatelink.aliyuncs.com",
"arms.aliyuncs.com",
"xtrace.aliyuncs.com",
"rmc.resourcemanager.aliyuncs.com",
"audit.log.aliyuncs.com",
"cloudmonitor.aliyuncs.com",
"middlewarelens.log.aliyuncs.com",
"securitylens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com",
"storagelens.log.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:Describe*",
"vpc:Describe*",
"rds:DescribeDBInstances",
"gdb:DescribeDBInstances",
"slb:Describe*",
"slb:SetLoadbalancerListenerAttributeEx",
"slb:SetAccessLogsDownloadAttribute",
"slb:DeleteAccessLogsDownloadAttribute",
"alb:ListLoadBalancers",
"alb:ListListeners",
"alb:ListServerGroupServers",
"nlb:ListLoadBalancers",
"nlb:ListListeners",
"nlb:ListServerGroupServers",
"cdn:DescribeUserDomains",
"cs:Get*",
"yundun-antiddosbag:DescribeInstanceList",
"yundun-ddoscoo:DescribeInstances",
"yundun-cloudfirewall:DescribeNatFirewallList",
"elasticsearch:ListInstance",
"emr:ListClusters",
"kvstore:DescribeInstances",
"polardb:DescribeDBClusters",
"polardbx:DescribeDBInstances",
"yundun-ddoscoo:DescribeInstanceIds",
"yundun-waf:DescribeDomain",
"yundun-waf:DescribeDomains",
"dds:DescribeDBInstances",
"dataworks:ListResourceGroups",
"adb:DescribeDBClusters",
"alidns:DescribeDnsProductInstances",
"alidns:DescribeDomainGroups",
"alidns:DescribeDomains",
"apigateway:DescribeAppAttributes",
"apigateway:DescribeApis",
"cen:DescribeCens",
"cen:ListTransitRouter*",
"cs:ListClusters",
"cs:ListClusterAddonInstances",
"cs:Describe*",
"cs:RevokeClusterInnerServiceKubeconfig",
"asi:DescribeClusterDetail",
"asi:GetKubeConfig",
"asi:DescribeClusters",
"eci:DescribeContainerGroups",
"elasticsearch:ListLogstash",
"ess:DescribeScalingGroups",
"ess:DescribeScalingInstances",
"hbase:DescribeInstances",
"hcs-sgw:describeGateways",
"hitsdb:Describe*",
"hitsdb:GetLindormInstanceList",
"mq:OnsInstanceInServiceList",
"mq:QueryInstanceBaseInfo",
"nas:DescribeFileSystems",
"oss:GetBucketInfo",
"oss:ListBuckets",
"privatelink:ListVpcEndpoints",
"privatelink:ListVpcEndpointServices",
"yundun-waf:DescribeInstanceInfo",
"yundun-waf:DescribeInstance",
"alikafka:ListInstance",
"amqp:ListInstance",
"yundun-sas:InstallCloudMonitor",
"bssapi:QueryRelationList",
"bssapi:QueryCostUnitResource",
"bssapi:QueryCostUnit",
"lindorm:GetLindormInstanceList",
"lindorm:DescribeRegions",
"ens:DescribeInstances",
"ens:DescribeRegionIsps",
"dts:DescribeDtsJobDetail",
"dts:DescribeDtsJobs",
"dts:DescribeDtsInstances",
"dds:DescribeDBInstancesOverview",
"rocketmq:ListInstances",
"mq:ListInstance",
"oceanbase:DescribeInstances",
"mse:ListGatewayRoute",
"cdn:StopCdnDomain",
"ess:ExecuteScalingRule",
"fc:InvokeFunction",
"log:BatchGetLog",
"log:CreateProject",
"log:CreateLogStore",
"log:CreateIndex",
"log:Get*",
"log:Query*",
"log:List*",
"log:PostLogStoreLogs",
"log:UpdateIndex",
"log:UpdateLogStore",
"log:CreateConsumerGroup",
"log:UpdateConsumerGroup",
"log:DeleteConsumerGroup",
"log:UpdateCheckPoint",
"log:ConsumerGroupUpdateCheckPoint",
"log:ConsumerGroupHeartBeat",
"log:UpdateConsumerGroupCheckPoint",
"log:DeleteLogStore",
"log:DeleteProject",
"log:*ScheduledSQL*",
"log:*MetricStore*",
"log:PostProjectQuery",
"log:PutProjectQuery",
"log:DeleteProjectQuery",
"log:UpdateSubStore",
"log:CreateMetricsConfig",
"log:UpdateMetricsConfig",
"log:UpdateProject",
"log:ListCollectionPolicies",
"log:GetCollectionPolicy",
"mns:SendMessage",
"mns:PublishMessage",
"tag:ListTagResources",
"tag:DescribeRegions",
"tag:ListTagKeys",
"resourcemanager:Get*",
"resourcemanager:List*",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"log:CreateLogtailPipelineConfig",
"log:UpdateLogtailPipelineConfig",
"log:DeleteLogtailPipelineConfig",
"log:DescribeService",
"log:CallAiTools",
"log:PullLogs",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:UpdateMachineGroupMachine",
"log:DeleteMachineGroup",
"log:TagResources",
"log:UntagResources",
"log:ApplyConfigToGroup",
"log:BatchPostLogStoreLogs",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:CreateJob",
"log:UpdateJob",
"log:DeleteJob",
"log:CreateScheduledSQL",
"log:UpdateScheduledSQL",
"log:DeleteScheduledSQL",
"log:CreateEtlMeta",
"log:UpdateEtlMeta",
"log:DeleteEtlMeta",
"log:ModifyJobInstance",
"log:CreateLogging",
"log:UpdateLogging",
"log:DeleteLogging",
"log:SplitShard",
"log:UpdateSubStoreTTL",
"log:CreateStoreView",
"log:DeleteStoreView",
"log:UpdateStoreView",
"log:PutProjectPolicy",
"log:DeleteProjectPolicy",
"log:OpenProductDataCollection",
"log:CloseProductDataCollection",
"log:CreateAgentInstanceConfig",
"log:UpdateAgentInstanceConfig",
"log:DeleteAgentInstanceConfig",
"log:CreateResourceRecord",
"log:UpdateResourceRecord",
"cs:ScaleCluster",
"cs:CheckKritisInstall",
"cs:AttachInstances",
"cs:InstallKritis",
"cs:InstallKritisAttestationAuthority",
"cs:InstallKritisGenericAttestationPolicy",
"cs:UpdateClusterTags",
"cs:DeleteClusterNodes",
"cs:UninstallKritis",
"cs:DeleteKritisAttestationAuthority",
"cs:DeleteKritisGenericAttestationPolicy",
"cs:UpdateKritisAttestationAuthority",
"cs:UpdateKritisGenericAttestationPolicy",
"cs:UpgradeCluster",
"cs:DeleteClusterNode",
"cs:ListTagResources",
"cs:InstallClusterAddons",
"cs:UnInstallClusterAddons",
"cs:UpgradeClusterAddons",
"cs:UpdateClusterAuditLogConfig",
"ecs:CreateNetworkInterfacePermission",
"ecs:DeleteNetworkInterfacePermission",
"ecs:CreateNetworkInterface",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:CreateCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:ModifyCommand",
"ecs:InvokeCommand",
"ecs:InstallCloudAssistant",
"ecs:ListTagResources",
"vpc:ModifyBypassToaAttribute",
"vpc:List*",
"adb:ListTagResources",
"alikafka:GetInstanceList",
"alikafka:ListTopic",
"clickhouse:DescribeDBClusters",
"clickhouse:DescribeDBInstances",
"drds:Describe*",
"drds:ListTagResources",
"dts:DescribeMigrationJobs",
"dts:DescribeSynchronizationJobs",
"dts:DescribeSubscriptionInstances",
"rds:ListTagResources",
"cdn:DescribeTagResources",
"dcdn:DescribeDcdnUserDomains",
"dcdn:DescribeDcdnTagResources",
"emr:ListTagResources",
"hbase:DescribeClusterList",
"hbase:DescribeInstance",
"lindorm:ListTagResources",
"lindorm:GetLindormInstance",
"lindorm:GetLindormInstanceEngineList",
"lindorm:GetInstanceIpWhiteList",
"lindorm:UpdateInstanceIpWhiteList",
"kvstore:DescribeLogicInstanceTopology",
"kvstore:DescribeDBInstanceNetInfo",
"mongodb:DescribeDBInstances",
"mongodb:DescribeDBInstanceAttribute",
"dds:DescribeDBInstanceAttribute",
"dds:Describe*",
"mns:ListQueue",
"mns:ListTopic",
"milvus:ListInstances",
"mq:OnsInstanceBaseInfo",
"netgateway:DescribeNatGateways",
"ocs:DescribeInstances",
"ons:OnsInstanceInServiceList",
"ons:ListTagResources",
"opensearch:ListApps",
"polardb:DescribeDBInstances",
"polardb:ListTagResources",
"rds:DescribeReplicas",
"rds:DescribeDBInstanceByTags",
"rds:DescribeDBInstanceNetInfo",
"nlb:ListTagResources",
"actiontrail:LookupEvents",
"polardb:DescribeDBClusterEndpoints",
"hdm:CreateRequestDiagnosis",
"hdm:Get*",
"hdm:Describe*",
"eflo:ListTagResources",
"eflo:ListClusters",
"eflo:ListClusterNodes",
"ga:ListAccelerators",
"ga:ListBasicAccelerators",
"ecd:DescribeDesktops",
"ecd:DescribeRegions",
"kms:List*",
"kms:DescribeKey",
"kms:TagResource",
"kms:UntagResource",
"graphcompute:ListInstances",
"domain:QueryCommonInfo",
"aire:ListInstance",
"bbebo:ListInstance",
"bd:DescribeInstances",
"cd:DescribeClusters",
"cloudphon:ListInstances",
"dbf:ListDbfs",
"dd:ListClusters",
"eipanycas:ListAnycastEipAddresses",
"es:DescribeScalingGroups",
"hd:DescribeServers",
"hbr_vaul:DescribeVaults",
"hdf:ListFileSystems",
"im:ListProjects",
"io:QueryEdgeInstance",
"io:QueryConsumerGroupList",
"ea:ListResources",
"ordere:DescribeFabricConsortiums",
"opensearc:ListAppGroups",
"pee:DescribeFabricOrganizations",
"rt:DescribeApps",
"sa:DescribeSmartAccessGateways",
"swa:ListInstances",
"tai:DescribeInstances",
"vp:DescribePhysicalConnections",
"privatelink:ListVpcEndpointServicesByEndUser",
"vpcpee:ListVpcPeerConnections",
"cdd:DescribeDedicatedHostGroups",
"ahas:Query*",
"ahas:Search*",
"bss:ModifyInstance",
"mse:GetServiceList",
"sae:DescribeAppServiceDetail",
"sae:ListAppServicesPage",
"sae:DescribeInstancesServiceDiscovery",
"arms:Describe*",
"arms:List*",
"arms:Get*",
"arms:Search*",
"arms:Check*",
"arms:Query*",
"arms:createAliYunRecordingRuleYaml",
"arms:DeletePrometheusAlertRules",
"arms:CreatePrometheusAlertRules",
"arms:InstallEnvironmentFeature",
"arms:CreatePrometheusInstance",
"arms:UninstallPromCluster",
"arms:TagResourcesSystemTags",
"arms:UntagResourcesSystemTags",
"arms:UpgradeEnvironmentFeature",
"arms:DeleteEnvironmentFeature",
"arms:InstallAddon",
"arms:DeleteAddonRelease",
"arms:UpgradeAddonRelease",
"arms:AddPrometheusGlobalViewByAliClusterIds",
"arms:AddAliClusterIdsToPrometheusGlobalView",
"arms:RemoveAliClusterIdsFromPrometheusGlobalView",
"arms:DeletePrometheusGlobalView",
"arms:EnableGraphResource",
"arms:CreateEnvironment",
"arms:InitEnvironment",
"arms:CreateTimingSyntheticTask",
"arms:UpdateTimingSyntheticTask",
"arms:DeleteTimingSyntheticTask",
"arms:UpdateDeliverTask",
"adcp:DescribeHubClusterDetails",
"adcp:DescribeHubClusterKubeconfig",
"adcp:DescribeHubClusters",
"adcp:GrantUserPermission",
"eventbridge:CreateEventBus",
"eventbridge:CreateRule",
"eventbridge:DeleteEventBus",
"eventbridge:DeleteRule",
"eventbridge:DeleteTargets",
"eventbridge:DisableRule",
"eventbridge:EnableRule",
"eventbridge:GetEventBus",
"eventbridge:GetRule",
"eventbridge:List*",
"eventbridge:UpdateRule",
"eventbridge:CreateTargets",
"eventbridge:PutTargets",
"eventbridge:PutEvents",
"eventbridge:DeleteEventStreaming",
"eventbridge:PauseEventStreaming",
"eventbridge:StartEventStreaming",
"eventbridge:GetEventStreaming",
"eventbridge:UpdateEventStreaming",
"eventbridge:CreateEventStreaming",
"eventbridge:CheckRoleForProduct",
"eventbridge:CheckServiceLinkedRoleForProduct",
"stream:DescribeVvpInstances",
"stream:DescribeVvpNamespaces",
"stream:ListDeployments",
"stream:GetDeployment",
"stream:ActOnBehalfOfAnotherUser",
"rocketmq:ListTopics",
"hologram:ListInstances",
"odps:ListProjects",
"resourcecenter:Get*",
"resourcecenter:List*",
"resourcecenter:SearchResources",
"resourcecenter:ExecuteGraphQLQuery",
"resourcecenter:CreateServiceDeliveryChannel",
"resourcecenter:DeleteServiceDeliveryChannel",
"resourcecenter:EnableResourceCenter",
"resourcecenter:DeliverResourceSnapshot",
"fc:Get*",
"fc:List*",
"ram:PassRole",
"ram:GetRole",
"ram:ListRoles",
"sae:ListApplications",
"apig:ListGateways",
"gwlb:ListLoadBalancers",
"expressconnectrouter:DescribeExpressConnectRouter",
"xtrace:GetToken",
"xtrace:GetCommercialStatus",
"cms:BatchGet",
"cms:BatchExport",
"cms:Cursor",
"cms:PutResourceMetricRule",
"cms:EnableActiveMetricRule",
"cms:DeleteMetricRules",
"cms:Describe*",
"cms:Query*",
"cms:Get*",
"cms:List*",
"cms:CreatePrometheus*",
"cms:UpdatePrometheus*",
"cms:DeletePrometheus*",
"cms:DeleteCloudResource",
"cms:CreateAggTaskGroup*",
"cms:UpdateAggTaskGroup*",
"cms:DeleteAggTaskGroup*",
"cms:UpsertUmodelData",
"cms:DeleteUmodelData",
"cms:CreateUmodel",
"cms:UpdateUmodel",
"cms:GetUmodelCommonSchemaRef",
"cms:UpsertUmodelCommonSchemaRef",
"cms:DeleteUmodelCommonSchemaRef",
"cms:PutWorkspace",
"cms:DeleteAlertEventIntegrationPolicy",
"cms:CreateAlertEventIntegrationPolicy",
"cms:UpdateAlertEventIntegrationPolicy",
"cms:EnableAlertEventIntegrationPolicy",
"cms:DisableAlertEventIntegrationPolicy",
"cms:CreateApplicationInsightsInstance",
"cms:CreateSiteMonitor",
"cms:DeleteSiteMonitors",
"cms:EnableSiteMonitors",
"cms:DisableSiteMonitors",
"cms:UpdateAlertRuleKvs",
"cms:UpdateAddonRelease",
"cms:CreateAddonRelease",
"cms:DeleteAddonRelease",
"cms:GetAddonRelease",
"cms:CreateIntegrationPolicy",
"cms:CreateService",
"cms:UpdateService",
"cms:DeleteService",
"cms:EnableHighResolutionMonitor",
"cms:DisableHighResolutionMonitor",
"cms:CreateServiceObservability",
"cms:CreateEntityStore",
"cms:CreateCloudResource",
"cms:GetCloudResource",
"cms:UpdateServiceObservability",
"cms:EnableSiteMonitor",
"cms:UpdateSiteMonitor",
"cms:DisableSiteMonitor",
"cms:DeleteSiteMonitor",
"cms:CreateSiteMonitor",
"pai:List*",
"pai:Get*",
"paiworkspace:List*",
"paiworkspace:Get*",
"paidlc:List*",
"paidlc:Get*",
"paidsw:List*",
"paidsw:Get*",
"eas:List*",
"eas:Get*",
"eas:Describe*",
"paieas:Describe*",
"apig:List*",
"apig:Get*",
"emr-serverless-spark:List*"
],
"Resource": "*"
},
{
"Action": [
"ecs:DeleteSecurityGroup"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/sg-creator": "containernetworking"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/eni-creator": "function-compute"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ecs:tag/serverless/eni-creator": "asi-cni-service"
}
}
},
{
"Action": [
"ecs:DeleteNetworkInterface"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"acs:ResourceTag/acs:eci:Product": [
"CloudMonitor",
"ARMS"
]
}
}
},
{
"Action": [
"fc:CreateService"
],
"Resource": "acs:fc:*:*:services/*",
"Effect": "Allow"
}
]
}