AliyunServiceRolePolicyForSDDP 是专用于服务关联角色的授权策略,会在创建服务关联角色 AliyunServiceRoleForSDDP 时自动授权,以允许服务关联角色代您访问其他云服务。本策略由对应的阿里云服务按需更新(下方策略内容对应"当前版本"所列版本,审计时请以控制台中的最新版本为准),请勿将本策略授权给服务关联角色之外的 RAM 身份使用。需要注意的是,本策略并非只读策略:如下方策略内容所示,它在 Resource 为 "*" 的范围内包含创建/删除数据库账号、重置账号密码、修改实例 IP 白名单(rds、polardb、drds/polardbx 等)、修改全部 OSS Bucket 的 Bucket Policy 与 ACL、在所有 KMS 密钥上执行 kms:Decrypt,以及 odps:UpdateUsersToAdmin 等高权限操作。若将其授权给普通 RAM 用户或角色,将直接导致权限过度下放。
策略详情
类型:系统策略
创建时间:2025-12-31 14:29:07
更新时间:2025-12-31 14:29:07
当前版本:v1
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutBucket",
"oss:ListBuckets",
"oss:GetObject",
"oss:ListObjects",
"oss:GetBucketInfo",
"oss:GetObjectToFile",
"oss:GetObjectAcl",
"oss:GetObjectMeta",
"oss:GetObjectTagging",
"oss:PutObjectTagging",
"oss:PutBucketAcl",
"oss:PutObjectAcl",
"oss:PutBucketPolicy",
"oss:GetBucketStat",
"oss:DoesObjectExist",
"oss:PutObject",
"oss:AppendObject",
"oss:CompleteMultipartUpload",
"oss:GetSimplifiedObjectMeta",
"oss:InitiateMultipartUpload",
"oss:UploadPart",
"oss:DeleteObject",
"oss:GetBucketPolicy",
"oss:GetBucketEncryption",
"oss:GetBucketVersioning",
"oss:GetBucketLogging",
"oss:GetBucketReferer",
"oss:GetBucketAcl"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oss:PutObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:yundun-sddp-*"
],
"Effect": "Allow"
},
{
"Action": [
"ram:GetRole",
"ram:ListUsers",
"ram:ListGroups",
"ram:ListUsersForGroup",
"ram:ListRoles",
"ram:ListPolicyVersions",
"ram:ListPoliciesForUser",
"ram:ListGroupsForUser",
"ram:ListPoliciesForGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sddp.aliyuncs.com"
}
}
},
{
"Action": [
"kms:ListSecretVersionIds",
"kms:DescribeReginos",
"kms:ListSecrets",
"kms:ListSecretVersinoIds",
"kms:ListAliases",
"kms:ListAliasesByKeyId",
"kms:ListKeys",
"kms:DescribeKey"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-aegis:DescribeAccesskeyLeakList",
"yundun-sas:DescribeAccessKeyLeakDetail",
"yundun-sas:DescribePropertyScaDetail",
"yundun-sas:GetAssetDetailByUuid",
"yundun-aegis:GenerateOnceTask",
"yundun-aegis:GetOnceTaskResultInfo"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDatabases",
"rds:CreateAccount",
"rds:ResetAccountPassword",
"rds:GrantAccountPrivilege",
"rds:RevokeAccountPrivilege",
"rds:DescribeAccounts",
"rds:DeleteAccount",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDBInstanceNetInfo",
"rds:ModifySecurityIps",
"rds:DescribeDBInstanceIPArrayList",
"rds:DescribeSQLLogRecords",
"rds:StartSqlLogTrail",
"rds:ModifySQLCollectorPolicy",
"rds:DescribeSQLCollectorPolicy",
"rds:DescribeSQLCollectorVersion",
"rds:ModifySQLCollectorRetention",
"rds:DescribeSQLCollectorRetention",
"rds:DescribeSqlLogInstances",
"rds:EnableSqlLogDistribution",
"rds:DisableSqlLogDistribution",
"rds:DescribeBackupPolicy",
"rds:DescribeDBInstanceSSL",
"rds:DescribeDBInstanceTDE",
"rds:DescribeMaskingRules",
"rds:CreateMaskingRules",
"rds:ModifyMaskingRules",
"rds:DeleteMaskingRules",
"rds:DescribeAccountMaskingPrivilege",
"rds:ModifyAccountMaskingPrivilege",
"rds:DescribeDBMiniEngineVersions",
"rds:UpgradeDBInstanceKernelVersion",
"rds:DescribeParameters",
"rds:ModifyParameter",
"rds:ReleaseInstancePublicConnection",
"rds:DescribePostgresExtensions",
"rds:CreatePostgresExtensions",
"rds:DeletePostgresExtensions",
"rds:UpdatePostgresExtensions",
"rds:ModifyDBInstanceCLS",
"rds:DescribeDBInstanceCLS"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeInstances",
"eci:DescribeContainerGroups",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeInvocations",
"ecs:DescribeNetworkInterfaces",
"vpc:DescribeVSwitches",
"vpc:DescribeEipAddresses",
"vpc:DescribeNatGateways",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:DescribeCloudAssistantStatus",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcs"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"log:ListConsumerGroup",
"log:CreateConsumerGroup",
"log:UpdateConsumerGroup",
"log:ConsumerGroupHeartBeat",
"log:GetConsumerGroupCheckPoint",
"log:GetCursorOrData",
"log:ConsumerGroupUpdateCheckPoint",
"log:GetApp",
"log:GetProject",
"log:GetLogStore",
"log:GetLogs",
"log:CreateProject",
"log:CreateLogStore",
"log:GetIndex",
"log:CreateIndex",
"log:UpdateIndex",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:DescribeService",
"log:EnableService",
"log:ListProject",
"log:ListShards",
"log:OpenProductDataCollection",
"log:GetProductDataCollection",
"log:CloseProductDataCollection",
"log:ListLogStores",
"log:GetHistograms"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"log:UpdateLogStore",
"log:DeleteLogStore",
"log:ListDashboard",
"log:DeleteProject",
"log:PostLogStoreLogs",
"log:BatchPostLogStoreLogs",
"log:ListJobs",
"log:CreateJob",
"log:GetJob",
"log:UpdateJob",
"log:DeleteJob",
"log:ClearLogStoreStorage",
"log:SplitShard",
"log:DeleteIndex"
],
"Resource": "acs:log:*:*:project/sddp-*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrdsInstances",
"drds:DescribeDrdsInstance",
"drds:DescribeDrdsDBs",
"drds:DescribeDrdsDB",
"drds:DescribeTables",
"drds:DescribeTable",
"drds:ModifyDrdsIpWhiteList",
"drds:DescribeDrdsDBIpWhiteList",
"drds:DescribeDrdsSqlAuditStatus",
"drds:DescribeDrdsSlowSqls",
"drds:DescribeInstDbLogInfo",
"drds:EnableSqlAudit",
"drds:DescribeInstDbSlsInfo",
"drds:DisableSqlAudit",
"drds:DescribeDrdsDbInstances",
"drds:CreateInstanceAccount",
"drds:ModifyAccountDescription",
"drds:ChangeAccountPassword",
"drds:ModifyAccountPrivilege",
"drds:RemoveInstanceAccount",
"drds:DescribeInstanceAccounts",
"drds:DescribeBackupPolicy",
"polardbx:DescribeBackupPolicy",
"polardbx:DescribeSecurityIps",
"polardbx:DescribeAccountList",
"polardbx:DescribeDBInstanceAttribute",
"polardbx:DescribeDBInstanceSSL",
"polardbx:DescribeDBInstanceTDE",
"polardbx:DescribeDBInstances",
"polardbx:DescribeDbList",
"polardbx:ModifySecurityIps",
"polardbx:ResetAccountPassword",
"polardbx:ModifyAccountPrivilege",
"polardbx:CreateAccount",
"polardbx:ModifyAccountDescription",
"polardbx:DescribeDBInstanceTopology",
"polardbx:EncdbGrantUser",
"polardbx:EncdbDesribeUser",
"polardbx:UpgradeDBInstanceKernelVersion",
"polardbx:EncdbRegisterEncAlgo",
"polardbx:EncdbDescribeEncAlgo",
"polardbx:EncdbImportRule",
"polardbx:EncdbModifyRule",
"polardbx:EncdbDescribeRule",
"polardbx:EncdbDeleteRule",
"polardbx:ModifyParameter",
"polardbx:DescribeParameters",
"polardbx:EncdbRegisterDefaultPrivilege",
"polardbx:EncdbDescribeDefaultPrivilege"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeDBClusters",
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeDBClusterParameters",
"polardb:DescribeDBClusterEndpoints",
"polardb:DescribeDBClusterVersion",
"polardb:DescribeDatabases",
"polardb:DescribeDBClusterAccessWhitelist",
"polardb:ModifyDBClusterAccessWhitelist",
"polardb:DescribeSQLExplorerPolicy",
"polardb:DescribeSQLExplorerRetention",
"polardb:ModifySQLExplorerPolicy",
"polardb:ModifySQLExplorerRetention",
"polardb:StartSQLLogTrail",
"polardb:DescribeSQLLogRecords",
"polardb:DescribeAccounts",
"polardb:CreateAccount",
"polardb:ModifyAccountPassword",
"polardb:GrantAccountPrivilege",
"polardb:RevokeAccountPrivilege",
"polardb:DeleteAccount",
"polardb:DescribeDBClusterAuditLogCollector",
"polardb:ModifyDBClusterAuditLogCollector",
"polardb:DescribeBackupPolicy",
"polardb:DescribeDBClusterSSL",
"polardb:DescribeDBClusterTDE",
"polardb:UpgradeDBClusterVersion",
"polardb:DescribeMaskingRules",
"polardb:DeleteMaskingRules",
"polardb:ModifyMaskingRules",
"polardb:DeleteDBEndpointAddress",
"polardb:DescribeDBInstances",
"polardb:ResetAccountPassword",
"polardb:DescribeDBInstanceAttribute",
"polardb:DescribeDBInstanceNetInfo",
"polardb:ModifySecurityIps",
"polardb:DescribeDBInstanceIPArrayList",
"polardb:ModifySQLCollectorPolicy",
"polardb:DescribeSQLCollectorPolicy",
"polardb:ModifyAccountMaskingPrivilege"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ots:ListInstance",
"ots:GetInstance",
"ots:ListTable",
"ots:ComputeSplitPointsBySize",
"ots:GetRange"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"oceanbase:DescribeDatabases",
"oceanbase:DescribeTenantUsers",
"oceanbase:ModifySecurityIps",
"oceanbase:DescribeInstances",
"oceanbase:DescribeTenants",
"oceanbase:DescribeTenantConnectionInfo",
"oceanbase:DescribeSqlAuditServiceInfo",
"oceanbase:StopSqlAuditService",
"oceanbase:CreateSqlAuditService",
"oceanbase:DescribeSecurityIpGroups",
"oceanbase:CreateSecurityIpGroup",
"oceanbase:DescribeTenantEncryption",
"oceanbase:DescribeInstanceSSL",
"oceanbase:DescribeDataBackupSet",
"oceanbase:DescribeInstance",
"oceanbase:CreateTenantSecurityIpGroup",
"oceanbase:ModifyTenantSecurityIpGroup",
"oceanbase:DescribeTenantSecurityIpGroups",
"oceanbase:DescribeSqlAuditInfo"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:ListVpcEndpoints",
"privatelink:ListVpcEndpointZones",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpointServices",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:DeleteVpcEndpoint",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:OpenPrivateLinkService",
"privatelink:CheckProductOpen"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstances",
"gpdb:ModifySQLCollectorPolicy",
"gpdb:DescribeSQLCollectorPolicy",
"gpdb:DescribeDBInstanceAttribute",
"gpdb:ModifySecurityIps",
"gpdb:DescribeDBInstanceNetInfo",
"gpdb:DescribeSQLLogRecords",
"gpdb:DescribeSQLLogs",
"gpdb:DescribeBackupPolicy",
"gpdb:DescribeDBInstanceIPArrayList",
"gpdb:DescribeDBInstanceSSL"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"adb:DescribeDBClusters",
"adb:DescribeDBClusterAttribute",
"adb:DescribeDBClusterNetInfo",
"adb:ModifyDBClusterAccessWhiteList",
"adb:ModifyAuditLogConfig",
"adb:DescribeAuditLogRecords",
"adb:DescribeAuditLogConfig",
"adb:DescribeAllDataSource",
"adb:DescribeBackupPolicy",
"adb:DescribeDBClusterAccessWhiteList",
"adb:DescribeAccounts",
"adb:DescribeAllAccounts"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeInstances",
"kvstore:DescribeRedisLogConfig",
"kvstore:ModifyAuditLogConfig",
"kvstore:DescribeDBInstanceNetInfo",
"kvstore:DescribeSecurityIps",
"kvstore:ModifySecurityIps",
"kvstore:DescribeInstanceAttribute",
"kvstore:DescribeBackupPolicy",
"kvstore:DescribeAuditLogConfig",
"kvstore:DescribeAccounts",
"kvstore:DescribeInstanceSSL",
"kvstore:DescribeInstanceTDEStatus"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeDBInstances",
"dds:DescribeDBInstanceAttribute",
"dds:DescribeShardingNetworkAddress",
"dds:ModifySecurityIps",
"dds:ModifyAuditPolicy",
"dds:DescribeAuditPolicy",
"dds:DescribeRunningLogRecords",
"dds:DescribeAuditRecords",
"dds:DescribeReplicaSetRole",
"dds:DescribeBackupPolicy",
"dds:DescribeSecurityIps",
"dds:DescribeDBInstanceSSL",
"dds:DescribeDBInstanceTDEInfo",
"dds:DescribeAuditLogFilter",
"dds:ModifyAuditLogFilter"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"odps:ListProjects",
"odps:GetProject",
"odps:UpdateUsersToAdmin",
"odps:UpdateProjectIpWhiteList"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"acs:kms:*:*:*"
]
},
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:*:role/*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"privatelink.aliyuncs.com",
"r-kvstore.aliyuncs.com"
]
}
},
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"r-kvstore.aliyuncs.com",
"privatelink.aliyuncs.com",
"audit.log.aliyuncs.com",
"mongodb.aliyuncs.com"
]
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "middlewarelens.log.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"yundun-waf:DescribeInstance",
"yundun-waf:DescribeSensitiveOutboundStatistic",
"yundun-waf:DescribeSensitiveApiStatistic",
"yundun-waf:DescribeSensitiveOutboundTrend",
"yundun-waf:DescribeSensitiveOutboundDistribution",
"yundun-waf:DescribeSensitiveDetectionResult"
],
"Resource": "*"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"securitylens.log.aliyuncs.com",
"ai-lens.log.aliyuncs.com",
"storagelens.log.aliyuncs.com"
]
}
}
},
{
"Action": [
"Hologram:ListInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}