服务(相关)角色是由腾讯云服务预定义,经用户授权后相应服务即可通过扮演服务相关角色对用户资源进行访问操作。本文档介绍具体服务相关角色的使用场景及相关权限策略信息。
CAM中产品名 | 角色名称 | 角色类型 | 角色载体 |
---|---|---|---|
隐私云计算 | PCC_QCSLinkedRoleInDash | 服务相关角色 | dashboard.pcc.cloud.tencent.com |
隐私云计算 | PCC_QCSLinkedRoleInCvmService | 服务相关角色 | cvm.qcloud.com pcc.cloud.tencent.com |
PCC_QCSLinkedRoleInDash
使用场景: 当前角色为隐私云计算(PCC)服务相关角色,用于授权管控台访问CVM、TKE、VPC、CLB、KMS、SSM等腾讯云资源,无需用户托管密钥,操作更高效、更安全。该角色仅在下方已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForPCCRoleInDash
- 策略内容:
{ "statement": [ { "action": [ "cvm:RunInstances", "cvm:DescribeInstances", "cvm:ModifyInstancesAttribute", "cvm:StartInstances", "cvm:StopInstances", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:TerminateInstances", "tke:DescribeClusters", "tke:AcquireClusterAdminRole", "tke:DescribeClusterEndpoints", "tke:DescribeClusterSecurity", "tke:CreateCluster", "tke:AddExistedInstances", "tke:CreateClusterEndpoint", "tke:DescribeClusterEndpoints", "tke:DescribeClusterKubeconfig", "tke:DeleteCluster", "tke:DescribeClusterInstances", "tke:DeleteClusterInstances", "tke:DescribeClusterStatus", "tke:DisableClusterDeletionProtection", "tke:EnableClusterDeletionProtection", "tke:AcquireClusterAdminRole", "tke:DescribeClusterLevelAttribute", "tke:DisableClusterAudit", "tke:EnableClusterAudit", "tke:ModifyClusterImage", "tke:DescribeEKSContainerInstances", "tke:DescribeRegions", "cam:PassRole", "sts:AssumeRole", "sts:AssumeRoleWithSAML", "monitor:GetMonitorData", "kms:AsymmetricRsaDecrypt", "kms:AsymmetricSm2Decrypt", "kms:BindCloudResource", "kms:CancelKeyArchive", "kms:CancelKeyDeletion", "kms:CreateKey", "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey", "kms:DescribeKeys", "kms:ListKeyDetail", "kms:ListKeys", "kms:ScheduleKeyDeletion", "kms:GetServiceStatus", "ssm:CreateSecret", "ssm:DeleteSecret", "ssm:GetSecretValue", "ssm:ListSecrets", "ssm:UpdateSecret", "ssm:DescribeResourceIds", "ssm:DescribeSecret", "ssm:GetServiceStatus", "vpc:CreateVpc", "vpc:CreateSubnet", "vpc:DeleteSubnet", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx", "vpc:CreateRoutes", "vpc:ReplaceRouteTableAssociation", "vpc:DeleteRoute", "vpc:CreateRouteTable", "vpc:DescribeRoutes", "vpc:DeleteRouteTable", "vpc:DescribeRouteList", "vpc:DescribeSecurityGroupPolicies", "clb:CreateGatewayLoadBalancer", "clb:CreateListener", "clb:CreateLoadBalancer", "clb:CreateLoadBalancerListeners", "clb:CreateLoadBalancerTask", "clb:CreateRule", "clb:DeleteForwardLBSeventhListeners", "clb:DeleteGatewayLoadBalancer", 
"clb:DeleteListener", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancerListeners", "clb:DeleteLoadBalancers", "clb:RegisterTargets", "clb:RegisterTargetsWithClassicalLB", "clb:SetLoadBalancerStartStatus", "clb:DescribeZone", "pcc:*" ], "effect": "allow", "resource": [ "*" ] }, { "action": [ "finance:trade" ], "effect": "allow", "resource": [ "qcs::tke:::*", "qcs::cvm:::*", "qcs::vpc:::*", "qcs::kms:::*", "qcs::ssm:::*", "qcs::monitor:::*", "qcs::clb:::*" ] } ], "version": "2.0" }
PCC_QCSLinkedRoleInCvmService
使用场景: 当前角色为隐私云计算(PCC)服务相关角色,用于授权CVM内应用访问KMS、SSM等腾讯云资源,无需用户托管密钥,操作更高效、更安全。该角色仅在下方已关联策略的权限范围内访问您的其他云服务资源。
权限策略
- 策略名称: QcloudAccessForPCCRoleInCvmService
- 策略内容:
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "sts:AssumeRole", "kms:AsymmetricRsaDecrypt", "kms:AsymmetricSm2Decrypt", "kms:BindCloudResource", "kms:BindCloudResource", "kms:CancelKeyArchive", "kms:CancelKeyDeletion", "kms:CreateKey", "kms:Decrypt", "kms:Encrypt", "ssm:CreateSecret", "ssm:DeleteSecret", "ssm:GetSecretValue", "ssm:ListSecrets", "ssm:UpdateSecret", "ssm:DescribeResourceIds", "ssm:DescribeSecret", "pcc:*" ], "resource": [ "*" ] } ] }