本文列出云服务器ECS常用系统策略的详情,供您了解权限策略涉及的操作等信息,您也可以按需自定义权限策略。
AliyunECSFullAccess
管理云服务器ECS相关资源的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": "ecs:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSReadOnlyAccess
查看云服务器ECS相关资源的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": "ecs:Describe*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ecs:List*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSNetworkInterfaceManagementAccess
管理弹性网卡的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:DescribeVSwitchAttributes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSAssistantFullAccess
管理云助手命令的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
AliyunECSAssistantReadonlyAccess
查看云助手命令的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
AliyunECSImageExportRolePolicy
导出ECS实例镜像的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:PutObject",
"oss:DeleteObject",
"oss:GetBucketLocation",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts",
"oss:GetBucketInfo",
"oss:GetBucketUserQos"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSImageImportRolePolicy
导入镜像的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject",
"oss:GetBucketLocation",
"oss:GetBucketInfo"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunECSInstanceForYundunSysTrustRolePolicy
安全增强型实例可信服务的权限策略详情:
{
"Statement": [
{
"Action": [
"yundun-systrust:GenerateNonce",
"yundun-systrust:GenerateAikcert",
"yundun-systrust:RegisterMessage",
"yundun-systrust:PutMessage"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}
AliyunECSDiskEncryptRolePolicy
加密云盘的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"kms:List*",
"kms:DescribeKey",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": [
"acs:kms:*:*:*",
"acs:kms:*:*:*/*"
],
"Effect": "Allow"
},
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"acs:kms:*:*:*/*"
],
"Effect": "Allow"
}
]
}
AliyunServiceRolePolicyForECSAutoProvisioning
弹性供应功能的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateInstance",
"ecs:RunInstances",
"ecs:StartInstance",
"ecs:AllocatePublicIpAddress",
"ecs:StopInstance",
"ecs:DeleteInstance",
"ecs:DescribeInstances",
"ecs:DescribeInstanceAttribute",
"ecs:ModifyInstanceAttribute",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeImages",
"ecs:DescribeSnapshots",
"ecs:DescribeKeyPairs",
"ecs:CreateLaunchTemplate",
"ecs:DescribeLaunchTemplates",
"ecs:DescribeLaunchTemplateVersions",
"ecs:DescribeSecurityGroups",
"ecs:DescribeHpcClusters",
"ecs:DescribeImageFromFamily",
"slb:DescribeLoadBalancerAttribute",
"slb:RemoveBackendServers",
"slb:DescribeHealthStatus",
"slb:AddBackendServers",
"slb:SetBackendServers",
"slb:DescribeLoadBalancers",
"slb:DescribeVServerGroups",
"slb:DescribeVServerGroupAttribute",
"slb:AddVServerGroupBackendServers",
"slb:RemoveVServerGroupBackendServers",
"slb:DescribeMasterSlaveServerGroupAttribute",
"slb:DescribeMasterSlaveServerGroups",
"slb:SetVServerGroupAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"rds:ModifySecurityIps",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeTaskInfo",
"rds:DescribeDBInstanceIPArrayList",
"oos:GetTemplate",
"oos:StartExecution",
"ecs:DescribeUserData",
"ecs:DescribeInstanceRamRole",
"ecs:DescribeDisks",
"ecs:DescribeAutoSnapshotPolicyEx",
"ecs:DescribeDedicatedHosts",
"ecs:DescribeDedicatedHostTypes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mns:ListTopic",
"mns:ListQueue",
"mns:SendMessage",
"mns:PublishMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:NodeInstall",
"cms:NodeStatusList",
"cms:QueryCustomMetricList",
"cms:ProfileSet",
"cms:CreateAlert",
"cms:DeleteAlert",
"cms:QueryAlert",
"cms:UpdateAlert",
"cms:DisableAlert",
"cms:EnableAlert",
"cms:CreateAction",
"cms:GetAction",
"cms:CreateDimensions",
"cms:QueryDimensions",
"cms:UpdateDimensions",
"cms:QueryMetricList",
"cms:ListAlarmHistory"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": [
"ecs.aliyuncs.com",
"oos.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "autoprovisioning.ecs.aliyuncs.com"
}
}
}
]
}
AliyunServiceRolePolicyForECSImageBuilder
镜像构建功能的权限策略详情:
{
"Version": "1",
"Statement": [
{
"Action": [
"oos:CreateTemplate",
"oos:StartExecution",
"oos:CancelExecution",
"oos:ListExecutions",
"oos:ListTaskExecutions",
"oos:ListExecutionLogs",
"oos:DeleteTemplate"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DescribeAvailableResource",
"ecs:DescribeInstances",
"ecs:DescribeCloudAssistantStatus",
"ecs:DescribeImages",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:CreateSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:CancelCopyImage",
"ecs:RunInstances",
"ecs:CopyImage",
"ecs:DeleteSnapshot"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:RebootInstance",
"ecs:DeleteInstance",
"ecs:DeleteImage",
"ecs:DescribeImageSharePermission",
"ecs:DeleteSecurityGroup",
"ecs:ModifyImageSharePermission",
"ecs:InstallCloudAssistant",
"ecs:RunCommand",
"ecs:StopInstance",
"ecs:CreateImage"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"ecs:tag/imagepipelineid": "*"
}
}
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"vpc:CreateVpc",
"vpc:CreateVSwitch",
"vpc:DeleteVSwitch",
"vpc:DeleteVpc"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "imagebuilder.ecs.aliyuncs.com"
}
}
}
]
}