
Resource Access Management: AliyunAIPaaSDefaultRolePolicy

Last Updated: Nov 14, 2025

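AliyunAIPaaSDefaultRolePolicy is the authorization policy dedicated to a service role. In most cases, the policy is attached to the service role when the role is created, which authorizes the service role to access other cloud services. This policy is updated by the relevant Alibaba Cloud service. Do not attach this policy to a RAM identity other than a service role: as the policy content below shows, it allows write and delete actions (for example `oss:Delete*`) and full-service wildcards (`cs-inner:*`, `aipaas:*`, `csb2:*`) with `"Resource": "*"`, so any identity that holds it has these permissions on every matching resource in the account.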

Policy details

  • Type: service system policy

  • Creation time: 15:32:14 on June 27, 2024

  • Update time: 06:16:59 on November 14, 2025

  • Current version: v19

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:Get*",
        "cr:List*",
        "cr:Update*",
        "cr:PullRepository",
        "cr:SearchRepo",
        "cr:StartImageScan",
        "cr:CreateArtifactBuildTask",
        "cr:PushRepository"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr-ee:Get*",
        "cr-ee:List*",
        "cr-ee:Update*",
        "cr-ee:PullRepository",
        "cr-ee:SearchRepo",
        "cr-ee:StartImageScan",
        "cr-ee:CreateArtifactBuildTask",
        "cr-ee:PushRepository"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:Get*",
        "oss:List*",
        "oss:Put*",
        "oss:Describe*",
        "oss:Create*",
        "oss:Delete*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:Describe*",
        "nas:CPFSDescribe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "CPFS:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sls:List*",
        "sls:Get*",
        "sls:Create*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:List*",
        "log:Get*",
        "log:Create*",
        "log:Update*",
        "log:DeleteLogStore*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cs:Describe*",
        "cs:Get*",
        "cs:Check*",
        "cs:Query*",
        "cs:ScanClusterVuls",
        "cs:InstallClusterAddons",
        "cs:UnInstallClusterAddons",
        "cs:ModifyCluster",
        "cs:ModifyClusterAddon"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:QueryMetricLast",
        "cms:QueryMetricList",
        "cms:GetMyGroups",
        "cms:ListMyGroups",
        "cms:DescribeMetricData",
        "cms:DescribeMetricLast",
        "cms:DescribeMetricMetaList",
        "cms:DescribeMetricTop",
        "cms:QueryMetricMeta",
        "cms:QueryMetricTop",
        "cms:ListMetricMeta",
        "cms:ListMetricMetaProject",
        "cms:QueryMetricData",
        "cms:DescribeMetricList",
        "cms:MetricMeta"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ascm:List*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "Ucs:DescribeCpfsClientCluster",
        "Ucs:DescribeNodesState"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "CPCM:DescribeClientCluster",
        "CPCM:DescribeNodesState"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ECM:DescribeClientCluster",
        "ECM:DescribeNodesState"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sfm-web-proxy:sfm.api.dataprocess.data-engine.api.v2.datasets.get",
        "sfm-web-proxy:sfm.api.dataprocess.data-engine.api.v2.datasets.Code.subsets.get",
        "sfm-web-proxy:PostApiUcSfmSystemWorkspaceQueryWorkspaceList"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "EasyAI:ListAckCluster",
        "EasyAI:ListAckClusterInstances",
        "EasyAI:DescribeAckCluster",
        "EasyAI:InstallAIAddOn",
        "EasyAI:DeleteAIAddOn",
        "EasyAI:ListAckInstanceType",
        "EasyAI:DescribeAckClusterLogs",
        "EasyAI:DescribeAckClusterAddon",
        "EasyAI:ListHistoryEvent",
        "EasyAI:ListBmcpMachineType",
        "EasyAI:GetClusterInfo",
        "EasyAI:GetClusterInstanceInfo",
        "EasyAI:TagResources",
        "EasyAI:RunInstance",
        "EasyAI:Describe*",
        "EasyAI:List*",
        "EasyAI:Delete*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cs-inner:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetRole",
        "ram:GetPolicy"
      ],
      "Resource": [
        "acs:ram:*:*:role/AIStudioClusterRole-*",
        "acs:ram:*:*:policy/AIStudioClusterPolicy-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "slb:DescribeHealthStatus",
        "slb:DescribeLoadBalancers",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:SetListenerAccessControlStatus",
        "slb:AddListenerWhiteListItem",
        "slb:RemoveListenerWhiteListItem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aipaas:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "prometheus2:Get*",
        "prometheus2:*Read",
        "prometheus2:List*",
        "prometheus:Get*",
        "prometheus:*Read",
        "prometheus:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:List*",
        "alikafka:Get*",
        "alikafka:UpdateInstance*",
        "alikafka:RebalanceInstanceTopic",
        "alikafka:CreateInstance",
        "alikafka:ScaleInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "csb2:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "yundun-green:TextModerationPlus"
      ],
      "Resource": "*"
    }
  ]
}

References