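AliyunServiceRolePolicyForMagic 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForMagic 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。从下方策略内容可以看出原因:除 OSS 对象操作限定在 acs:oss:*:*:hiclaw-* 之内,其余语句的 Resource 均为 "*",并且包含从名称看涉及凭据获取的操作(如 agentidentitydata:GetWorkloadAccessToken、agentidentitydata:GetResourceAPIKey、cs:DescribeClusterInnerServiceKubeconfig)。审计时还需注意,ram:CreateServiceLinkedRole 除了出现在将 ram:ServiceName 限定为 privatelink.aliyuncs.com 的语句中,也出现在不带 Condition 的 cms 语句中。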
策略详情
类型:系统策略
创建时间:2026-04-15 15:21:56
更新时间:2026-06-25 16:42:49
当前版本:v49
策略内容
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"schedulerx3:CreateCluster",
"schedulerx3:DeleteCluster",
"schedulerx3:ListClusters",
"schedulerx3:ListApps",
"schedulerx3:DeleteApp",
"schedulerx3:CreateJob",
"schedulerx3:UpdateJob",
"schedulerx3:DeleteJobs",
"schedulerx3:ListJobs",
"schedulerx3:CreateExecutorGroup",
"schedulerx3:DeleteExecutorGroup",
"schedulerx3:ListExecutorGroup",
"schedulerx3:UpdateExecutorGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"agentidentity:CreateUserPool",
"agentidentity:DeleteUserPool",
"agentidentity:CreateUserPoolClient",
"agentidentity:UpdateUserPoolClient",
"agentidentity:DeleteUserPoolClient",
"agentidentity:ListUserPoolClients",
"agentidentity:DeleteClientSecret",
"agentidentity:CreateClientSecret",
"agentidentity:ListClientSecrets",
"agentidentity:CreateUser",
"agentidentity:UpdateUser",
"agentidentity:DeleteUser",
"agentidentity:GetUser",
"agentidentity:ListUsers",
"agentidentity:ListUserPools",
"agentidentity:SetUserPassword",
"agentidentity:SetSpecificIdentityProvider",
"agentidentity:GetUserPoolSyncJob",
"agentidentity:ListUserPoolSyncJobs",
"agentidentity:RunUserPoolSyncJob",
"agentidentity:ListWorkloadIdentities",
"agentidentity:CreateWorkloadIdentity",
"agentidentity:GetWorkloadIdentity",
"agentidentity:UpdateWorkloadIdentity",
"agentidentity:DeleteWorkloadIdentity",
"agentidentity:ListTokenVaults",
"agentidentity:GetTokenVault",
"agentidentity:CreateTokenVault",
"agentidentity:CreateAPIKeyCredentialProvider",
"agentidentity:ListAPIKeyCredentialProviders",
"agentidentity:GetAPIKeyCredentialProvider",
"agentidentity:DeleteAPIKeyCredentialProvider"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"agentidentitydata:GetWorkloadAccessToken",
"agentidentitydata:GetResourceAPIKey"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:PutBucket",
"oss:ListOssBucket",
"oss:ListBuckets",
"oss:GetBucketAcl",
"oss:PutBucketTagging"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:PutBucket",
"oss:ListOssBucket",
"oss:ListBuckets",
"oss:GetBucketAcl",
"oss:PutBucketTagging"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cms:PutWorkspace",
"ram:CreateServiceLinkedRole",
"cms:CreateEntityStore",
"cms:CreateUmodel",
"cms:ListWorkspaces",
"log:GetLogStoreLogs",
"cms:GetServiceObservability",
"cms:CreateServiceObservability"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"airegistry:GetNamespace",
"airegistry:ListNamespaces",
"airegistry:ListSkills",
"airegistry:Read",
"airegistry:Write",
"mse:ListSkills",
"airegistry:GetSkillDetail",
"mse:GetSkillDetail",
"airegistry:GetSkillVersionDetail",
"mse:GetSkillVersionDetail",
"airegistry:CreateSkillDraft",
"mse:CreateSkillDraft",
"airegistry:UpdateSkillDraft",
"mse:UpdateSkillDraft",
"airegistry:DeleteSkillDraft",
"mse:DeleteSkillDraft",
"airegistry:DownloadSkillVersion",
"mse:DownloadSkillVersion",
"airegistry:AttachSecurityGroupToVpcEndpoint",
"airegistry:ListVpcEndpointServiceZones",
"airegistry:CreateVpcEndpoint",
"airegistry:GetVpcEndpoint",
"airegistry:ListVpcEndpoints",
"airegistry:CreateNamespaceWithSource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl",
"oss:GetObjectTagging",
"oss:DeleteObject",
"oss:DeleteObjectTagging",
"oss:PutObject",
"oss:PutObjectAcl",
"oss:PutObjectTagging",
"oss:RestoreObject",
"oss:ListObjects",
"oss:ListObjectVersions"
],
"Resource": "acs:oss:*:*:hiclaw-*"
},
{
"Effect": "Allow",
"Action": [
"apig:CreateGateway",
"apig:DeleteGateway",
"apig:GetGateway",
"apig:GetConsumer",
"apig:BatchDeleteConsumerAuthorizationRule",
"apig:CreateConsumer",
"apig:CreateConsumerAuthorizationRule",
"apig:CreateConsumerAuthorizationRules",
"apig:DeleteConsumer",
"apig:DeleteConsumerAuthorizationRule",
"apig:GetConsumerAuthorizationRule",
"apig:ListConsumerAuthorizationRules",
"apig:QueryConsumerAuthorizationRules",
"apig:RemoveConsumerAuthorizationRule",
"apig:UpdateConsumer",
"apig:UpdateConsumerAuthorizationRule",
"apig:ListConsumers",
"apig:CreateService",
"apig:CreateHttpApi",
"apig:UpdateService",
"apig:DeleteHttpApi",
"apig:DeleteService",
"apig:ListHttpApis",
"apig:ListServices",
"apig:DeployHttpApi",
"apig:CreateHttpApiRoute",
"apig:CreatePolicy",
"apig:CreatePolicyAttachment",
"apig:DeletePolicy",
"apig:ListHttpApiRoutes",
"apig:UpdateHttpApiRoute",
"apig:CreateMcpServer",
"apig:DeployMcpServer",
"apig:GetMcpServer",
"apig:ImportHttpApi",
"apig:ListPluginClasses",
"apig:CreatePluginAttachment",
"apig:CreateAndAttachPolicy",
"apig:UpdateMcpServer",
"apig:UpdatePluginAttachment",
"apig:ListPolicies",
"apig:UpdateAndAttachPolicy",
"apig:UnDeployMcpServer",
"apig:DeleteMcpServer",
"apig:ListMcpServers",
"apig:ListDomains",
"apig:CreateDomain",
"apig:GetHttpApi",
"apig:GetService",
"apig:GetEnvironment",
"apig:UpdateHttpApi",
"apig:InvokeHttpApi",
"apig:ListSslCerts",
"apig:UpdateDomain",
"apig:UndeployHttpApi",
"apig:RemoveConsumerAuthorizationRule",
"apig:UpdateNetworkAccess",
"apig:ListGatewayAuthorizableSecurityGroups",
"apig:CreateSource",
"apig:DeletePolicyAttachment",
"apig:ListExternalServices",
"apig:DeleteDomain"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:BatchValidateSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupSnapshotAttributes",
"ecs:ValidateSecurityGroup",
"ecs:ApplySecurityGroupSnapshot",
"ecs:AssociateSecurityGroupSnapshotPolicy",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:ConfigureSecurityGroupPermissions",
"ecs:CreateSecurityGroup",
"ecs:CreateSecurityGroupSnapshotPolicy",
"ecs:DeleteSecurityGroup",
"ecs:DeleteSecurityGroupSnapshotPolicy",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:ModifySecurityGroupSnapshotPolicy",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassociateSecurityGroupSnapshotPolicy",
"ecs:DescribeSecurityGroupSnapshotPolicies",
"ecs:DescribeSecurityGroupSnapshots",
"ecs:DescribeSnapshotPolicyAssociatedSecurityGroups",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:AddTags",
"ecs:DescribeEipAddresses",
"ecs:ListTagResources"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVSwitchAttributes",
"vpc:CreateNatGateway",
"vpc:DescribeVpcs",
"vpc:DescribeNatGateways",
"vpc:AllocateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:CreateSnatEntry",
"vpc:DescribeSnatTableEntries"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"privatelink:ListVpcEndpoints",
"privatelink:CreateVpcEndpoint",
"privatelink:DeleteVpcEndpoint",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointServicesByEndUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:CreateCluster",
"cs:DescribeClusterDetail",
"cs:DeleteCluster"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "bss:ModifyInstance",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "magic.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
}
]
}