服务相关角色由腾讯云服务预定义;经用户授权后,相应服务即可通过扮演该服务相关角色访问并操作用户资源。本文档介绍各服务相关角色的使用场景及其关联的权限策略信息。
CAM中产品名 | 角色名称 | 角色类型 | 角色载体 |
---|---|---|---|
容器服务 | TKE_QCSLinkedRoleInTDCC | 服务相关角色 | cvm.qcloud.com tdcc.tke.cloud.tencent.com |
容器服务 | TKE_QCSLinkedRoleInEKSLog | 服务相关角色 | cvm.qcloud.com ekslog.tke.cloud.tencent.com |
容器服务 | TKE_QCSLinkedRoleInEtcdService | 服务相关角色 | cvm.qcloud.com etcdservice.tke.cloud.tencent.com |
容器服务 | TKE_QCSLinkedRoleInEKSCostMaster | 服务相关角色 | cvm.qcloud.com ekscostmaster.tke.cloud.tencent.com |
容器服务 | TKE_QCSLinkedRoleInPrometheusService | 服务相关角色 | cvm.qcloud.com prometheusservice.tke.cloud.tencent.com |
TKE_QCSLinkedRoleInTDCC
使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForTKELinkedRoleInTDCC
- 策略内容:
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:listTopic", "cls:getTopic", "cls:createTopic", "cls:modifyTopic", "cls:listMachineGroup", "cls:getMachineGroup", "cls:createMachineGroup", "cls:modifyMachineGroup", "cls:deleteMachineGroup", "cls:getMachineStatus", "cls:pushLog", "cls:agentHeartBeat", "cls:getConfig", "cls:getIndex", "cls:modifyIndex", "cls:ApplyConfigToMachineGroup", "cls:CreateConfig", "cls:CreateIndex", "cls:CreateLogset", "cls:CreateMachineGroup", "cls:CreateTopic", "cls:DeleteConfig", "cls:DeleteConfigFromMachineGroup", "cls:DeleteLogset", "cls:DeleteMachineGroup", "cls:DeleteTopic", "cls:DescribeConfigMachineGroups", "cls:DescribeConfigs", "cls:DescribeLogsets", "cls:DescribeMachineGroupConfigs", "cls:DescribeMachineGroups", "cls:DescribeTopics", "cls:ModifyConfig", "cls:ModifyIndex", "cls:ModifyMachineGroup", "cls:ModifyTopic" ], "resource": [ "*" ] } ] }
TKE_QCSLinkedRoleInEKSLog
使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForTKELinkedRoleInEKSLog
- 策略内容:
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:pushLog", "cls:agentHeartBeat", "cls:getConfig" ], "resource": [ "*" ] } ] }
TKE_QCSLinkedRoleInEtcdService
使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForTKELinkedRoleInEtcdService
- 策略内容:
{ "version": "2.0", "statement": [ { "effect": "allow", "resource": [ "*" ], "action": [ "cos:DeleteBucket", "cos:GetBucket", "cos:PutBucket", "cos:HeadBucket", "cos:GetObject", "cos:HeadObject", "cos:PutObject", "cos:DeleteObject", "cos:DeleteMultipleObjects", "cos:ListMultipartUploads", "cos:AbortMultipartUpload" ] } ] }
TKE_QCSLinkedRoleInEKSCostMaster
使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForTKELinkedRoleInEKSCostMaster
- 策略内容:
{ "version": "2.0", "statement": [ { "action": [ "monitor:DescribeMidDimensionValueList", "monitor:DescribeStatisticData", "monitor:GetMonitorData" ], "resource": "*", "effect": "allow" } ] }
TKE_QCSLinkedRoleInPrometheusService
使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForTKELinkedRoleInPrometheusService
- 策略内容:
{ "statement": [ { "action": [ "cos:DeleteBucket", "cos:GetBucket", "cos:PutBucket", "cos:HeadBucket", "cos:GetObject", "cos:HeadObject", "cos:PutObject", "cos:DeleteObject", "cos:DeleteMultipleObjects", "cos:ListMultipartUploads", "cos:AbortMultipartUpload", "cos:AbortMultipartUpload", "cos:ListMultipartUploads", "monitor:DescribePrometheusInstances", "monitor:DescribeRecordingRules", "monitor:DescribeAlertRules", "monitor:DescribeAlarmNotice", "monitor:DescribeAlarmNotices", "monitor:DescribeAlarmNoticeCallbacks", "monitor:DescribeAlarmHistories", "monitor:CreatePrometheusMultiTenantInstance", "monitor:TerminatePrometheusInstances", "monitor:ModifyPrometheusInstanceAttributes", "monitor:CreateRecordingRule", "monitor:DeleteRecordingRules", "monitor:UpdateRecordingRule", "monitor:CreateAlertRule", "monitor:DeleteAlertRules", "monitor:UpdateAlertRule", "monitor:UpdateAlertRuleState", "monitor:CreateAlarmNotice", "monitor:DeleteAlarmNotices", "monitor:ModifyAlarmNotice", "monitor:ModifyAlarmPolicyNotice", "monitor:CreateManagedEKSAgent", "monitor:DescribeManagedEKSAgent", "monitor:CreateAlertRuleReceiverNotRequired", "monitor:UpdateAlertRuleReceiverNotRequired", "monitor:DescribeExporterIntegrations", "monitor:CreateExporterIntegration", "monitor:UpdateExporterIntegration", "monitor:DeleteExporterIntegration", "monitor:CreateGrafanaInstance", "monitor:CreatePrometheusMultiTenantInstancePostPayMode", "monitor:BindPrometheusManagedGrafana", "monitor:DescribeGrafanaInstances", "tdcc:DescribeExternalClusters", "tdcc:DescribeExternalClusterCredential", "monitor:UpgradeGrafanaDashboard", "monitor:UninstallGrafanaDashboard", "monitor:DescribePrometheusAlertGroups", "monitor:CreatePrometheusAlertGroup", "monitor:UpdatePrometheusAlertGroup", "monitor:DeletePrometheusAlertGroups", "monitor:UpdatePrometheusAlertGroupState", "tke:DescribeTKEEdgeExternalKubeconfig", "tke:DescribeTKEEdgeClusterCredential", "tke:DescribeTKEEdgeClusters", "tke:DescribeClusters", 
"tke:DescribeClusterSecurity" ], "effect": "allow", "resource": [ "*" ] } ], "version": "2.0" }