AliyunServiceRolePolicyForNativeApiGw

AliyunServiceRolePolicyForNativeApiGw 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForNativeApiGw 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新,请勿将本策略授权给服务关联角色之外的 RAM 身份使用。

策略详情

  • 类型:系统策略

  • 创建时间:2024-06-05 14:33:45

  • 更新时间:2024-06-05 14:33:45

  • 当前版本:v1

策略内容

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterInnerServiceKubeconfig",
        "cs:RevokeClusterInnerServiceKubeconfig",
        "cs:GetUserConfig",
        "cs:DescribeClusterUserKubeconfig",
        "cs:GetClusterById",
        "cs:GetClustersByUid",
        "cs:DescribeClustersV1",
        "cs:ListClusters",
        "cs:GetClusters",
        "cs:DescribeClusterNodePools"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "fc:ListAliases",
        "fc:ListServices",
        "fc:ListServiceVersions",
        "fc:ListFunctions",
        "fc:ListFunctionVersions",
        "fc:ListTriggers",
        "fc:InvokeFunction",
        "fc:CreateFunction",
        "fc:DeleteFunction",
        "fc:GetFunctionCode",
        "fc:GetFunction"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-waf:DeleteCloudResourceProtection",
        "yundun-waf:CreateCloudResourceProtection",
        "yundun-waf:DescribeInstanceCompatible",
        "yundun-waf:CreateInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sae:DescribeNamespaces",
        "sae:DescribeNamespaceResources",
        "sae:ListApplications",
        "sae:DescribeApplicationConfig"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "slb:SetLoadBalancerName",
        "slb:CreateLoadBalancer",
        "slb:AddBackendServers",
        "slb:SetBackendServers",
        "slb:RemoveBackendServers",
        "slb:CreateLoadBalancerTCPListener",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:DeleteLoadBalancerListener",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeHealthStatus",
        "slb:CreateLoadBalancerForCloudService",
        "slb:DeleteLoadBalancer",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:RemoveTags",
        "slb:AddTags",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:CreateLoadBalancerUDPListener",
        "slb:CreateVServerGroup",
        "slb:DeleteVServerGroup",
        "slb:SetVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:AddVServerGroupBackendServers",
        "slb:ModifyLoadBalancerInstanceChargeType",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:RemoveVServerGroupBackendServers",
        "slb:SetLoadBalancerModificationProtection",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:DescribeLoadBalancerUDPListenerAttribute  ",
        "slb:DescribeTags",
        "slb:DescribeVServerGroups",
        "slb:DescribeVServerGroupAttribute",
        "slb:DescribeLoadBalancerListeners",
        "slb:ListTagResources",
        "slb:TagResources",
        "slb:UntagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadNamespace",
        "edas:ReadService",
        "edas:ListUserDefineRegion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeInstances",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AddTags",
        "ecs:DescribeEipAddresses",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:AssignIpv6Addresses",
        "ecs:UnassignIpv6Addresses",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:ListTagResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:AllocateEipAddress",
        "vpc:AllocateEipAddressPro",
        "vpc:DescribeEipAddresses",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:ReleaseEipAddress",
        "vpc:ModifyEipAddressAttribute",
        "vpc:ModifyBypassToaAttribute",
        "vpc:AddCommonBandwidthPackageIp",
        "vpc:RemoveCommonBandwidthPackageIp",
        "vpc:TagResources",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcs",
        "vpc:CreateVSwitch",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVRouters",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteEntryList"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:ListAnsServices",
        "mse:ListEngineNamespaces",
        "mse:ListClusters",
        "mse:QueryConfig",
        "mse:QueryClusterInfo"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nlb:TagResources",
        "nlb:UnTagResources",
        "nlb:ListTagResources",
        "nlb:CreateLoadBalancer",
        "nlb:DeleteLoadBalancer",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListLoadBalancers",
        "nlb:UpdateLoadBalancerAttribute",
        "nlb:UpdateLoadBalancerAddressTypeConfig",
        "nlb:UpdateLoadBalancerZones",
        "nlb:CreateListener",
        "nlb:DeleteListener",
        "nlb:ListListeners",
        "nlb:UpdateListenerAttribute",
        "nlb:StopListener",
        "nlb:StartListener",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus",
        "nlb:CreateServerGroup",
        "nlb:DeleteServerGroup",
        "nlb:UpdateServerGroupAttribute",
        "nlb:AddServersToServerGroup",
        "nlb:RemoveServersFromServerGroup",
        "nlb:UpdateServerGroupServersAttribute",
        "nlb:ListServerGroups",
        "nlb:ListServerGroupServers",
        "nlb:LoadBalancerLeaveSecurityGroup",
        "nlb:LoadBalancerJoinSecurityGroup",
        "nlb:GetJobStatus",
        "nlb:UpdateLoadBalancerProtection"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "arms:OpenArmsService",
        "arms:GetAlertRules",
        "arms:ReportCustomIncidents",
        "arms:AddPrometheusInstance",
        "arms:GetAuthToken",
        "arms:GetClusterAllUrl",
        "arms:OpenArmsServiceSecondVersion",
        "arms:CheckServiceStatus",
        "arms:OpenVCluster",
        "arms:GetPrometheusApiToken",
        "arms:ListDashboards",
        "arms:GetExploreUrl",
        "arms:CreateDefaultCloudProductPrometheusAlertRule",
        "arms:ListNotificationPolicies",
        "arms:ListDispatchRule",
        "arms:CreateDispatchRule",
        "arms:CreateOrUpdateNotificationPolicy",
        "arms:DescribeContactGroups",
        "arms:SearchContactGroup",
        "arms:CreatePrometheusAlertRule"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeContactGroupList",
        "cms:PutResourceMetricRule",
        "cms:PutResourceMetricRules"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "alidns:AddDomainRecord",
        "alidns:DescribeDomains"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:DeleteLogstore",
        "log:CreateLogstore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex"
      ],
      "Resource": "acs:log:*:*:project/*/logstore/apig_*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListProject",
        "log:GetProject",
        "log:ListLogStores",
        "log:GetLogstore"
      ],
      "Resource": "acs:log:*:*:project/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:PostLogStoreLogs",
        "log:OpenProductDataCollection",
        "log:CloseProductDataCollection",
        "log:GetProductDataCollection",
        "log:OpenSlsService",
        "log:GetSlsService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "xtrace:GetToken",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nativeapigw.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "nlb.aliyuncs.com",
            "eipaccess.slb.aliyuncs.com",
            "middlewarelens.log.aliyuncs.com",
            "securitylens.log.aliyuncs.com",
            "ai-lens.log.aliyuncs.com",
            "storagelens.log.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "mns:SendMessage",
      "Resource": "acs:mns:*:*:/queues/*/messages"
    }
  ]
}

相关文档