A service role is a RAM role that a cloud service assumes when it needs access to other cloud services in order to complete one of its own functions. You must grant the corresponding service roles to the ACK One service account before ACK One features can be used. This topic describes the service roles that ACK One supports and the policy content of each role.
Authorization
Authorization is required the first time you use ACK One. It only needs to be performed once, using the Alibaba Cloud account (the root account) or a RAM administrator account (a sub-account with administrator permissions).
You do not need to create the service roles manually. The first time you open the ACK One console, an authorization prompt is displayed automatically; follow the prompt to complete the authorization.
Only the Alibaba Cloud account (root account) or a RAM administrator account can complete this automatic authorization; ordinary RAM users do not have the permission to perform it. If the system reports insufficient permissions, switch to the Alibaba Cloud account (root account) or a RAM administrator account and complete the authorization there.
Service-linked roles
Role name | Role permission description |
AliyunCSDefaultRole | |
AliyunServiceRoleForAdcp | |
AliyunAdcpServerlessKubernetesRole | |
AliyunAdcpManagedMseRole | |
AliyunCSManagedKubernetesRole | The ACK One multi-cluster Fleet uses this role to access resources of the ACK service. |
AliyunCSManagedLogRole | The logging component in ACK One uses this role to access your resources in other cloud services. |
AliyunCSManagedCmsRole | The CMS (CloudMonitor) component in ACK One uses this role to access your resources in other cloud services. |
AliyunCSManagedArmsRole | The ARMS component in ACK One uses this role to access your resources in other cloud services. |
Policy content of each role
AliyunServiceRoleForAdcp
ECS-related permissions
ecs:CreateSecurityGroup
ecs:CreateSecurityGroupPermissions
ecs:DeleteSecurityGroup
ecs:DescribeAccountAttributes
ecs:DescribeSecurityGroups
ecs:AuthorizeSecurityGroup
ecs:RevokeSecurityGroup
ecs:AuthorizeSecurityGroupEgress
ecs:RevokeSecurityGroupEgress
ecs:DescribeNetworkInterfaces
ecs:DescribeZones
VPC-related permissions
vpc:DescribeVpcAttribute
vpc:DescribeVSwitchAttributes
vpc:AllocateEipAddress
vpc:AssociateEipAddress
vpc:UnassociateEipAddress
vpc:ReleaseEipAddress
vpc:DescribeEipAddresses
vpc:TagResources
vpc:DeletionProtection
vpc:DescribeRouteTableList
vpc:CreateRouteEntry
vpc:DeleteRouteEntry
vpc:AcceptVpcPeerConnection
vpc:GetVpcPeerConnectionAttribute
vpc:DescribeVSwitches
vpc:DescribeVpcs
CEN-related permissions
cen:DescribeCenAttachedChildInstances
cen:DescribeCens
SLB-related permissions
slb:DescribeLoadBalancerAttribute
slb:CreateLoadBalancer
slb:DeleteLoadBalancer
slb:StartLoadBalancerListener
slb:StopLoadBalancerListener
slb:CreateLoadBalancerTCPListener
slb:CreateLoadBalancerHTTPListener
slb:DeleteLoadBalancerListener
slb:AddTags
slb:RemoveTags
slb:SetLoadBalancerDeleteProtection
slb:SetLoadBalancerModificationProtection
slb:DescribeZones
slb:CreateAccessControlList
slb:DescribeAccessControlLists
slb:AddAccessControlListEntry
slb:RemoveAccessControlListEntry
slb:SetLoadBalancerTCPListenerAttribute
Service Mesh-related permissions
servicemesh:CreateServiceMesh
servicemesh:DeleteServiceMesh
servicemesh:DescribeServiceMeshDetail
servicemesh:DescribeServiceMeshes
servicemesh:DescribeServiceMeshKubeconfig
servicemesh:DescribeServiceMeshLogs
servicemesh:ModifyServiceMesh
servicemesh:ModifyServiceMeshName
servicemesh:DescribeClustersInServiceMesh
servicemesh:AddClusterIntoServiceMesh
servicemesh:RemoveClusterFromServiceMesh
servicemesh:UpdateMeshFeature
servicemesh:DescribeRegions
servicemesh:DescribeServiceMeshUpgradeStatus
servicemesh:DescribeVersions
servicemesh:RevokeKubeconfig
servicemesh:UpdateServiceMeshOwner
RAM-related permissions
ram:CreateApplication
ram:ListApplications
ram:ListAppSecretIds
ram:GetApplication
ram:UpdateApplication
ram:CreateAppSecret
ram:GetAppSecret
ram:DeleteApplication
ram:DeleteAppSecret
ram:CreateServiceLinkedRole
ARMS-related permissions
arms:InstallManagedPrometheus
arms:UninstallManagedPrometheus
AliyunAdcpServerlessKubernetesRole
VPC-related permissions
vpc:DescribeVSwitches
vpc:DescribeVpcs
vpc:AssociateEipAddress
vpc:DescribeEipAddresses
vpc:AllocateEipAddress
vpc:ReleaseEipAddress
vpc:AddCommonBandwidthPackageIp
vpc:RemoveCommonBandwidthPackageIp
ECS-related permissions
ecs:DescribeSecurityGroups
ecs:CreateNetworkInterface
ecs:CreateNetworkInterfacePermission
ecs:DescribeNetworkInterfaces
ecs:AttachNetworkInterface
ecs:DetachNetworkInterface
ecs:DeleteNetworkInterface
ecs:DeleteNetworkInterfacePermission
ARMS-related permissions
arms:GetManagedPrometheusStatus
arms:InstallManagedPrometheus
arms:UninstallManagedPrometheus
DNS PrivateZone-related permissions
pvtz:AddZone
pvtz:DeleteZone
pvtz:DescribeZones
pvtz:DescribeZoneInfo
pvtz:BindZoneVpc
pvtz:AddZoneRecord
pvtz:DeleteZoneRecord
pvtz:DeleteZoneRecordsByRR
pvtz:DescribeZoneRecordsByRR
pvtz:DescribeZoneRecords
ECI-related permissions
eci:CreateContainerGroup
eci:DeleteContainerGroup
eci:DescribeContainerGroups
eci:DescribeContainerGroupStatus
eci:DescribeContainerGroupEvents
eci:DescribeContainerLog
eci:UpdateContainerGroup
eci:UpdateContainerGroupByTemplate
eci:CreateContainerGroupFromTemplate
eci:RestartContainerGroup
eci:ExportContainerGroupTemplate
eci:DescribeContainerGroupMetric
eci:DescribeMultiContainerGroupMetric
eci:ResizeContainerGroupVolume
eci:ExecContainerCommand
eci:CreateImageCache
eci:DescribeImageCaches
eci:DeleteImageCache
Log Service-related permissions
log:CreateProject
log:GetProject
log:DeleteProject
log:CreateLogStore
log:GetLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateConfig
log:UpdateConfig
log:GetConfig
log:DeleteConfig
log:CreateMachineGroup
log:UpdateMachineGroup
log:GetMachineGroup
log:DeleteMachineGroup
log:ApplyConfigToGroup
log:GetAppliedMachineGroups
log:GetAppliedConfigs
log:RemoveConfigFromMachineGroup
log:CreateIndex
log:GetIndex
log:UpdateIndex
log:DeleteIndex
log:CreateSavedSearch
log:GetSavedSearch
log:UpdateSavedSearch
log:DeleteSavedSearch
log:CreateDashboard
log:GetDashboard
log:UpdateDashboard
log:DeleteDashboard
log:CreateJob
log:GetJob
log:DeleteJob
log:PostLogStoreLogs
log:UpdateJob
RAM-related permissions
ram:CreateServiceLinkedRole
AliyunAdcpManagedMseRole
MSE-related permissions
mse:AddBlackWhiteList
mse:AddGateway
mse:AddServiceSource
mse:CreateApplication
mse:DeleteGateway
mse:DeleteServiceSource
mse:GetBlackWhiteList
mse:GetGateway
mse:GetGatewayDetail
mse:GetGatewayOption
mse:ListServiceSource
mse:ListTagResources
mse:ModifyLosslessRule
mse:TagResources
mse:UntagResources
mse:UpdateBlackWhiteList
mse:UpdateGatewayOption
mse:UpdateServiceSource
Log Service-related permissions
log:CloseProductDataCollection
log:OpenProductDataCollection
log:GetProductDataCollection
RAM-related permissions
ram:CreateServiceLinkedRole
AliyunCSManagedKubernetesRole
ECS-related permissions
ecs:Describe*
ecs:CreateRouteEntry
ecs:DeleteRouteEntry
ecs:CreateNetworkInterface
ecs:DeleteNetworkInterface
ecs:CreateNetworkInterfacePermission
ecs:DeleteNetworkInterfacePermission
ecs:ModifyInstanceAttribute
ecs:AttachKeyPair
ecs:StopInstance
ecs:StartInstance
ecs:ReplaceSystemDisk
SLB-related permissions
slb:Describe*
slb:CreateLoadBalancer
slb:DeleteLoadBalancer
slb:ModifyLoadBalancerInternetSpec
slb:RemoveBackendServers
slb:AddBackendServers
slb:RemoveTags
slb:AddTags
slb:TagResources
slb:UnTagResources
slb:ListTagResources
slb:StopLoadBalancerListener
slb:StartLoadBalancerListener
slb:SetLoadBalancerHTTPListenerAttribute
slb:SetLoadBalancerHTTPSListenerAttribute
slb:SetLoadBalancerTCPListenerAttribute
slb:SetLoadBalancerUDPListenerAttribute
slb:CreateLoadBalancerHTTPSListener
slb:CreateLoadBalancerHTTPListener
slb:CreateLoadBalancerTCPListener
slb:CreateLoadBalancerUDPListener
slb:DeleteLoadBalancerListener
slb:CreateVServerGroup
slb:DescribeVServerGroups
slb:DeleteVServerGroup
slb:SetVServerGroupAttribute
slb:DescribeVServerGroupAttribute
slb:ModifyVServerGroupBackendServers
slb:AddVServerGroupBackendServers
slb:ModifyLoadBalancerInstanceSpec
slb:SetLoadBalancerModificationProtection
slb:SetLoadBalancerDeleteProtection
slb:SetLoadBalancerName
slb:ModifyLoadBalancerInstanceChargeType
slb:RemoveVServerGroupBackendServers
VPC-related permissions
vpc:Describe*
vpc:DeleteRouteEntry
vpc:CreateRouteEntry
Log Service-related permissions
log:CreateProject
log:GetProject
log:GetProductDataCollection
log:OpenProductDataCollection
log:CloseProductDataCollection
log:GetLogStoreHistogram
log:AnalyzeProductLog
log:CreateIndex
log:UpdateIndex
log:DeleteIndex
log:CreateLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateDashboard
log:UpdateDashboard
log:DeleteDashboard
log:SetGeneralDataAccessConfig
ALB-related permissions
alb:EnableLoadBalancerIpv6Internet
alb:DisableLoadBalancerIpv6Internet
alb:CreateAcl
alb:DeleteAcl
alb:ListAcls
alb:ListAclRelations
alb:AddEntriesToAcl
alb:AssociateAclsWithListener
alb:ListAclEntries
alb:RemoveEntriesFromAcl
alb:DissociateAclsFromListener
alb:TagResources
alb:UnTagResources
alb:ListServerGroups
alb:ListServerGroupServers
alb:AddServersToServerGroup
alb:RemoveServersFromServerGroup
alb:ReplaceServersInServerGroup
alb:CreateLoadBalancer
alb:DeleteLoadBalancer
alb:UpdateLoadBalancerAttribute
alb:UpdateLoadBalancerEdition
alb:EnableLoadBalancerAccessLog
alb:DisableLoadBalancerAccessLog
alb:EnableDeletionProtection
alb:DisableDeletionProtection
alb:ListLoadBalancers
alb:GetLoadBalancerAttribute
alb:ListListeners
alb:CreateListener
alb:GetListenerAttribute
alb:UpdateListenerAttribute
alb:ListListenerCertificates
alb:AssociateAdditionalCertificatesWithListener
alb:DissociateAdditionalCertificatesFromListener
alb:DeleteListener
alb:CreateRule
alb:DeleteRule
alb:UpdateRuleAttribute
alb:CreateRules
alb:UpdateRulesAttribute
alb:DeleteRules
alb:ListRules
alb:UpdateListenerLogConfig
alb:CreateServerGroup
alb:DeleteServerGroup
alb:UpdateServerGroupAttribute
alb:UpdateLoadBalancerAddressTypeConfig
alb:AttachCommonBandwidthPackageToLoadBalancer
alb:DetachCommonBandwidthPackageFromLoadBalancer
alb:UpdateServerGroupServersAttribute
alb:MoveResourceGroup
alb:ListAScripts
alb:CreateAScripts
alb:UpdateAScripts
alb:DeleteAScripts
alb:LoadBalancerJoinSecurityGroup
alb:LoadBalancerLeaveSecurityGroup
alb:DescribeZones
NLB-related permissions
nlb:TagResources
nlb:UnTagResources
nlb:ListTagResources
nlb:CreateLoadBalancer
nlb:DeleteLoadBalancer
nlb:GetLoadBalancerAttribute
nlb:ListLoadBalancers
nlb:UpdateLoadBalancerAttribute
nlb:UpdateLoadBalancerAddressTypeConfig
nlb:UpdateLoadBalancerZones
nlb:CreateListener
nlb:DeleteListener
nlb:ListListeners
nlb:UpdateListenerAttribute
nlb:StopListener
nlb:StartListener
nlb:GetListenerAttribute
nlb:GetListenerHealthStatus
nlb:CreateServerGroup
nlb:DeleteServerGroup
nlb:UpdateServerGroupAttribute
nlb:AddServersToServerGroup
nlb:RemoveServersFromServerGroup
nlb:UpdateServerGroupServersAttribute
nlb:ListServerGroups
nlb:ListServerGroupServers
nlb:LoadBalancerLeaveSecurityGroup
nlb:LoadBalancerJoinSecurityGroup
nlb:DisableLoadBalancerIpv6Internet
nlb:EnableLoadBalancerIpv6Internet
nlb:UpdateLoadBalancerProtection
nlb:AttachCommonBandwidthPackageToLoadBalancer
nlb:DetachCommonBandwidthPackageFromLoadBalancer
nlb:GetJobStatus
CMS-related permissions
cms:DescribeMetricData
cms:DescribeMetricLast
cms:DescribeMetricMetaList
cms:DescribeMetricTop
cms:QueryMetricData
cms:QueryMetricLast
cms:DescribeMetricList
cms:QueryMetricList
cms:MetricMeta
ACR-related permissions
cr:Get*
cr:List*
cr:PullRepository
AliyunCSManagedLogRole
Log Service-related permissions
log:CreateProject
log:GetProject
log:DeleteProject
log:CreateLogStore
log:GetLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateConfig
log:UpdateConfig
log:GetConfig
log:DeleteConfig
log:CreateMachineGroup
log:UpdateMachineGroup
log:GetMachineGroup
log:DeleteMachineGroup
log:ApplyConfigToGroup
log:GetAppliedMachineGroups
log:GetAppliedConfigs
log:RemoveConfigFromMachineGroup
log:RemoveConfigFromGroup
log:CreateIndex
log:GetIndex
log:UpdateIndex
log:DeleteIndex
log:CreateSavedSearch
log:GetSavedSearch
log:UpdateSavedSearch
log:DeleteSavedSearch
log:CreateDashboard
log:GetDashboard
log:UpdateDashboard
log:DeleteDashboard
log:CreateJob
log:GetJob
log:DeleteJob
log:UpdateJob
log:PostLogStoreLogs
log:CreateSortedSubStore
log:GetSortedSubStore
log:ListSortedSubStore
log:UpdateSortedSubStore
log:DeleteSortedSubStore
log:CreateApp
log:UpdateApp
log:GetApp
log:DeleteApp
log:GetLogStoreLogs
log:TagResources
log:ListJobs
log:ListTagResources
log:UntagResources
log:CreateResourceRecord
log:UpdateResourceRecord
log:UpsertResourceRecord
log:GetResourceRecord
log:DeleteResourceRecord
log:ListResourceRecords
log:ListResources
log:GetResource
log:PutLogs
log:UpdateLogStoreMeteringMode
log:GetLogStoreMeteringMode
log:CreateLogtailPipelineConfig
log:DeleteLogtailPipelineConfig
log:GetLogtailPipelineConfig
log:UpdateLogtailPipelineConfig
log:ListLogtailPipelineConfig
log:CreateSubStore
cs:UpdateContactGroup
cs:DescribeTemplates
cs:DescribeTemplateAttribute
eventbridge:PutEvents
AliyunCSManagedCmsRole
CMS-related permissions
cms:DescribeMonitorGroups
cms:DescribeMonitorGroupInstances
cms:CreateMonitorGroup
cms:DeleteMonitorGroup
cms:ModifyMonitorGroupInstances
cms:CreateMonitorGroupInstances
cms:DeleteMonitorGroupInstances
cms:TaskConfigCreate
cms:TaskConfigList
cms:DescribeMetricList
cms:QueryMetricList
cms:CreateDynamicTagGroup
cms:PutGroupMetricRule
cms:DescribeMetricRuleList
cms:DeleteMetricRules
cs:DescribeMonitorToken
ahas:GetSentinelAppSumMetric
log:GetLogStoreLogs
slb:DescribeMetricList
sls:GetLogs
sls:PutLogs
AliyunCSManagedArmsRole
ARMS-related permissions
arms:CMonitorCloudInstances
arms:CMonitorRegister
arms:ConfigAgentLabel
arms:CreateAlertRules
arms:CreateAlertTemplate
arms:CreateApp
arms:CreateContact
arms:CreateContactGroup
arms:CreateDispatchRule
arms:CreateOrUpdateIMRobot
arms:CreateOrUpdateWebhookContact
arms:CreateProm
arms:CreatePrometheusAlertRule
arms:DeleteAlert
arms:DeleteAlertContact
arms:DeleteAlertContactGroup
arms:DeleteAlertRules
arms:DeleteAlertTemplate
arms:DeleteApp
arms:DeleteContact
arms:DeleteContactGroup
arms:DeleteContactLink
arms:DeleteContactMember
arms:DeleteDispatchRule
arms:DeleteIMRobot
arms:DeletePrometheusAlertRule
arms:DeleteWebhookContact
arms:DescribeDispatchRule
arms:DescribeIMRobots
arms:DescribePrometheusAlertRule
arms:DescribeWebhookContacts
arms:DisableAlertTemplate
arms:EnableAlertTemplate
arms:GetAlarmHistories
arms:GetAlert
arms:GetAlertEvents
arms:GetAlertRules
arms:GetAlertRulesByPage
arms:GetAssumeRoleCredentials
arms:GetCommercialStatus
arms:InstallEventer
arms:InstallManagedPrometheus
arms:ListActivatedAlerts
arms:ListAlertTemplates
arms:ListDashboards
arms:ListDispatchRule
arms:ListEscalationPolicies
arms:ListOnCallSchedules
arms:ListPrometheusAlertRules
arms:ListPrometheusAlertTemplates
arms:QueryAlarmHistory
arms:QueryAlarmName
arms:SaveAlert
arms:SaveContactGroup
arms:SaveContactMember
arms:SaveTraceAppConfig
arms:SearchAlarmHistories
arms:SearchAlertRules
arms:SearchContact
arms:SearchContactGroup
arms:SearchEvents
arms:SendTTSVerifyLink
arms:StartAlert
arms:StartAlertRule
arms:StopAlert
arms:StopAlertRule
arms:UninstallManagedPrometheus
arms:UpdateAlertRules
arms:UpdateAlertTemplate
arms:UpdateContact
arms:UpdateContactGroup
arms:UpdateContactMember
arms:UpdateDispatchRule
arms:UpdatePrometheusAlertRule
arms:UpgradeAddonRelease
arms:CheckServiceStatus
arms:GetClusterAllUrl
arms:GetClusterInfoForArms
arms:GetExploreUrl
arms:GetIntegrationState
arms:GetManagedPrometheusStatus
arms:ListAlertEvents
arms:QueryMetric
arms:QueryPromInstallStatus
arms:SearchAlertContactGroup
arms:SearchAlertHistories
arms:CreateAlertContact
arms:CreateAlertContactGroup
arms:ImportCustomAlertRules
arms:SearchAlertContact
arms:UpdateAlertContact
arms:UpdateAlertContactGroup
arms:UpdateAlertRule
arms:UpdateWebhook
arms:InnerFetchContactGroupByArmsContactGroupId
xtrace:GetToken
arms:ListEnvironments
arms:DescribeAddonRelease
arms:InstallAddon
arms:DeleteAddonRelease
arms:ListEnvironmentDashboards
arms:ListAddonReleases
arms:CreateEnvironment
arms:InitEnvironment
arms:DescribeEnvironment
arms:InstallEnvironmentFeature
arms:ListEnvironmentFeatures
arms:UpdateEnvironment
arms:GetPrometheusInstance
arms:GetPrometheusApiToken
MSE-related permissions
mse:AddBlackWhiteList
mse:AddGateway
mse:AddServiceSource
mse:CreateApplication
mse:DeleteGateway
mse:GetBlackWhiteList
mse:GetGateway
mse:GetGatewayDetail
mse:GetGatewayOption
mse:ListServiceSource
mse:ListTagResources
mse:ModifyLosslessRule
mse:TagResources
mse:UntagResources
mse:UpdateBlackWhiteList
mse:UpdateGatewayOption
mse:UpdateServiceSource
mse:GetLicenseKey
mse:CreateGovernanceKubernetesCluster
mse:ReportOnePilotInfo
mse:GenerateAgentLogSts
mse:GetOpenSergoInfoByClusterId
mse:ListNamespaces
mse:ReportAppProfile
Log Service-related permissions
log:PostLogStoreLogs
log:RemoteWritePrometheus
log:RemoteWrite
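The action lists above are the reference against which a security reviewer should check what is actually attached to each role in an account. The following Python script is an added example and is not ACK One documentation or product code. It compares the Allow actions in a role's policy document with the documented action list for that role, using the same `service:Prefix*` wildcard form the lists use, and reports grants that exceed the documented list (for example an over-broad `slb:*`), documented actions that are not granted, and any `*` or `service:*` grants that deserve review first. The role name AliyunCSManagedKubernetesRole and the action subset come from this page; the policy document in the script is a constructed sample, and the audit_role function, its handling of Deny statements, and the assumption that RAM compares action names case-insensitively are all assumptions made for the example.

```python
"""Added example (not ACK One documentation code): audit a service role's
attached RAM policy against the action list documented for that role.

Only the Action field of Allow/Deny statements is compared; Resource and
Condition are ignored. Action names are compared case-insensitively, which
is an assumption about RAM matching semantics made for this example.
"""
import fnmatch
import json

# Subset of the actions this page documents for AliyunCSManagedKubernetesRole.
# The wildcard patterns ("ecs:Describe*", ...) appear in the page itself.
DOCUMENTED_ACTIONS = {
    "AliyunCSManagedKubernetesRole": [
        "ecs:Describe*", "ecs:CreateRouteEntry", "ecs:DeleteRouteEntry",
        "slb:Describe*", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer",
        "vpc:Describe*", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry",
        "cr:Get*", "cr:List*", "cr:PullRepository",
    ],
}

# CONSTRUCTED sample policy document (same shape as a RAM policy). It grants
# "slb:*" instead of the documented SLB actions, adds ecs:DeleteInstance but
# also explicitly denies it, and omits cr:PullRepository, so every branch of
# the audit below has something to report.
SAMPLE_POLICY_DOCUMENT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:Describe*", "ecs:CreateRouteEntry",
                    "ecs:DeleteRouteEntry", "ecs:DeleteInstance"]},
        {"Effect": "Allow", "Resource": "*", "Action": "slb:*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["vpc:Describe*", "vpc:CreateRouteEntry",
                    "vpc:DeleteRouteEntry", "cr:Get*", "cr:List*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "ecs:DeleteInstance"},
    ],
})


def statement_actions(policy_document):
    """Yield (effect, action) pairs; Action may be a string or a list."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            yield stmt.get("Effect", "").lower(), action


def covered(action, patterns):
    """True if `action` is matched by at least one wildcard pattern.

    `action` may itself contain a wildcard (e.g. "slb:*"); matching it as a
    literal string against each pattern is conservative: a broader grant can
    never match a narrower pattern such as "slb:Describe*", so it is reported
    as exceeding the allowlist rather than silently accepted.
    """
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_role(role_name, policy_document, documented=DOCUMENTED_ACTIONS):
    """Compare the policy's effective Allow actions with the documented list.

    Returns a dict with:
      excess  - Allow actions not covered by the documented list and not
                neutralised by an explicit Deny in the same document
      missing - documented actions that no Allow statement grants
      broad   - Allow actions that are "*" or "service:*" (review these first)
    """
    allowlist = documented[role_name]
    allowed, denied = [], []
    for effect, action in statement_actions(policy_document):
        (allowed if effect == "allow" else denied).append(action)
    excess = sorted({a for a in allowed
                     if not covered(a, allowlist) and not covered(a, denied)})
    missing = sorted({d for d in allowlist if not covered(d, allowed)})
    broad = sorted({a for a in allowed if a == "*" or a.endswith(":*")})
    return {"excess": excess, "missing": missing, "broad": broad}


if __name__ == "__main__":
    report = audit_role("AliyunCSManagedKubernetesRole", SAMPLE_POLICY_DOCUMENT)
    for key, values in report.items():
        print(f"{key:8}: {values or '-'}")
```

To run this against a real account, replace SAMPLE_POLICY_DOCUMENT with the policy document returned for the role (for example via the RAM ListPoliciesForRole and GetPolicyVersion API operations, an assumption about how you obtain it) and extend DOCUMENTED_ACTIONS with the full list for the role from this page. The check covers the Action field only; a complete review still has to look at the Resource and Condition elements and at the role's trust policy.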
Related topics
For all permission types and authorization scenarios of ACK One, see Authorization overview.
To grant a RAM user or RAM role permissions to operate ACK One resources, see Grant system policies to a RAM user or RAM role.
To grant a RAM user or RAM role permissions to operate Kubernetes application resources in a specified ACK One cluster, see Grant RBAC permissions to a RAM user or RAM role.