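Service-linked roles are predefined by Tencent Cloud services. Once the user grants authorization, the corresponding service can access and operate on the user's resources by assuming the service-linked role. This document describes the use cases and permission policies of specific service-linked roles.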
| Product name in CAM | Role name | Role type | Role entity |
|---|---|---|---|
| Agent Sandbox Service | AGS_QCSLinkedRoleInSandboxTool | Service-linked role | sandboxtool.ags.cloud.tencent.com |
AGS_QCSLinkedRoleInSandboxTool
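Use case: This role is the service-linked role for Agent Sandbox (AGS). It authorizes AGS to access Tencent Cloud resources such as CFS and VPC without requiring the user to host keys, which makes operations more efficient and more secure. The role accesses your other cloud service resources within the scope of the permissions granted by its associated policy.
Permission policy
- Policy name: QcloudAccessForAGSRoleInSandboxTool
- Policy content: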
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cfs:DescribeMountTargets",
        "vpc:DescribeSubnets",
        "vpc:DescribeSecurityGroups",
        "vpc:CreateVpcEndPointServiceWhiteList",
        "vpc:DeleteVpcEndPointServiceWhiteList",
        "vpc:DescribeVpcEndPointServiceWhiteList",
        "vpc:DescribeVpcEndPointService",
        "vpc:CreateVpcEndPointService",
        "vpc:DeleteVpcEndPointService",
        "vpc:DescribeSubnetEx",
        "cvm:DescribeSecurityGroups",
        "cos:GetService",
        "tcr:CreateInstanceToken",
        "tcr:DescribeImages",
        "tcr:DescribeInstances",
        "tcr:DescribeInternalEndpoints",
        "tcr:DescribeNamespaces",
        "tcr:DescribeRepositories",
        "tcr:DescribeApplicationTokenPersonal",
        "tcr:DescribeImagePersonal",
        "tcr:DescribeImageFilterPersonal",
        "tcr:DescribeRepositoryOwnerPersonal",
        "tcr:DescribeNamespacePersonal",
        "tcr:DescribeRepositoryFilterPersonal",
        "cos:PutObject",
        "cos:GetObject",
        "cos:HeadObject",
        "cos:DeleteObject",
        "cos:HeadBucket",
        "cos:GetBucket",
        "cos:UploadPart",
        "cos:ListParts",
        "cos:InitiateMultipartUpload",
        "cos:ListMultipartUploads",
        "cos:CompleteMultipartUpload",
        "cos:AbortMultipartUpload",
        "tcr:PullRepository"
      ],
      "resource": "*"
    }
  ]
}
```
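The following Python code is an added example, not part of Tencent Cloud's documentation. It reviews the policy above by listing, per service, the actions that are not plain reads yet are allowed on resource `*`, which is the set worth tracking in audit logs when this role is authorized. The `review` function and the verb-prefix classification in `READ_VERBS` are assumptions of this example, not a CAM feature.

```python
import json
from collections import defaultdict

# Policy content as published on this page for QcloudAccessForAGSRoleInSandboxTool.
POLICY = json.loads("""
{"version": "2.0", "statement": [{"effect": "allow", "resource": "*", "action": [
 "cfs:DescribeMountTargets", "vpc:DescribeSubnets", "vpc:DescribeSecurityGroups",
 "vpc:CreateVpcEndPointServiceWhiteList", "vpc:DeleteVpcEndPointServiceWhiteList",
 "vpc:DescribeVpcEndPointServiceWhiteList", "vpc:DescribeVpcEndPointService",
 "vpc:CreateVpcEndPointService", "vpc:DeleteVpcEndPointService", "vpc:DescribeSubnetEx",
 "cvm:DescribeSecurityGroups", "cos:GetService", "tcr:CreateInstanceToken",
 "tcr:DescribeImages", "tcr:DescribeInstances", "tcr:DescribeInternalEndpoints",
 "tcr:DescribeNamespaces", "tcr:DescribeRepositories",
 "tcr:DescribeApplicationTokenPersonal", "tcr:DescribeImagePersonal",
 "tcr:DescribeImageFilterPersonal", "tcr:DescribeRepositoryOwnerPersonal",
 "tcr:DescribeNamespacePersonal", "tcr:DescribeRepositoryFilterPersonal",
 "cos:PutObject", "cos:GetObject", "cos:HeadObject", "cos:DeleteObject",
 "cos:HeadBucket", "cos:GetBucket", "cos:UploadPart", "cos:ListParts",
 "cos:InitiateMultipartUpload", "cos:ListMultipartUploads",
 "cos:CompleteMultipartUpload", "cos:AbortMultipartUpload", "tcr:PullRepository"]}]}
""")

# Assumption of this example: actions starting with these verbs only read.
# Note that cos:GetObject still returns object contents, so "read" is not "harmless".
READ_VERBS = ("Describe", "Get", "Head", "List")


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def review(policy):
    """Return {service: sorted non-read actions} granted by allow statements on '*'."""
    findings = defaultdict(set)
    for stmt in policy["statement"]:
        if stmt["effect"].lower() != "allow" or "*" not in _as_list(stmt["resource"]):
            continue
        for action in _as_list(stmt["action"]):
            service, _, name = action.partition(":")
            if not name.startswith(READ_VERBS):
                findings[service].add(name)
    return {svc: sorted(names) for svc, names in findings.items()}


if __name__ == "__main__":
    for svc, names in sorted(review(POLICY).items()):
        print(f"{svc}: {', '.join(names)}")
```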