TKE Resource-level Permission API List

Last updated: 2019-09-18 18:06:16


Resource-level permission refers to the ability to specify which resources a user is allowed to operate on. TKE (formerly CCS) supports certain resource-level permissions, which means that for certain TKE operations, you can control when a user is allowed to perform them (based on conditions that must be met) or which specific resources the user is allowed to use.
Types of resources that can be authorized in TKE include:

| Resource type | Resource description method in authorization policy |
| --- | --- |
| Cluster-related | `qcs::ccs:$region::cluster/*` |

The table below describes the TKE API operations that currently support resource-level permissions. When specifying a resource path, you can use the * wildcard in the path.

Note:
TKE API operations not listed here do not support resource-level permissions. If a TKE API operation does not support resource-level permissions, you can still authorize users to perform this operation, but you must specify * for the resource element of the policy statement.

| API operation | Resource type | Resource path |
| --- | --- | --- |
| DescribeClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterServiceInfo | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| CreateClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| | CLB resource | `qcs::clb:$region:$account:clb/*` |
| | CBS resource | `qcs::cvm:$region:$account:volume/*`, `qcs::cvm:$region:$account:volume/$diskId` |
| ModifyClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| | CLB resource | `qcs::clb:$region:$account:clb/*` |
| | CBS resource | `qcs::cvm:$region:$account:volume/*`, `qcs::cvm:$region:$account:volume/$diskId` |
| DeleteClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| ModifyServiceDescription | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeServiceEvent | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| ResumeClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| PauseClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| RollBackClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| ModifyClusterServiceImage | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| RedeployClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeServiceInstance | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| ModifyServiceReplicas | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DeleteInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterNameSpaces | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| CreateClusterNamespace | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DeleteClusterNamespace | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeCluster | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| CreateCluster | CVM resource | `qcs::cvm:$region:$account:instance/*` |
| DeleteCluster | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| AddClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| | CVM resource | `qcs::cvm:$region:$account:instance/*` |
| DeleteClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| | CVM resource | `qcs::cvm:$region:$account:instance/*`, `qcs::cvm:$region:$account:instance/$instanceId` |
| AddClusterInstancesFromExistedCvm | Cluster resource | `qcs::ccs:region:account:cluster/*`, `qcs::ccs:region:account:cluster/$clusterId` |
| | CVM resource | `qcs::cvm:$region:$account:instance/*`, `qcs::cvm:$region:$account:instance/$instanceId` |
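
The note and table above can be checked mechanically before a policy is attached. The following is an added example, not Tencent Cloud's code: it lints a policy against those rules. The policy JSON shape, the `ccs:` action prefix, the sample region, account and cluster ID, and the action `HypotheticalUnlistedOp` are assumptions made for illustration.

```python
# Added example: lint a policy against the page's resource-level permission rules.
# Assumed policy shape: {"statement": [{"effect": ..., "action": [...], "resource": [...]}]}.

# Subset of the table above: API operation -> services whose resource paths it accepts.
RESOURCE_LEVEL = {
    "DescribeCluster": {"ccs"},
    "DeleteCluster": {"ccs"},
    "CreateCluster": {"cvm"},
    "CreateClusterService": {"ccs", "clb", "cvm"},
    "DeleteClusterInstances": {"ccs", "cvm"},
}

def lint_policy(policy):
    """Return a list of (operation, resource, problem) findings for allow statements."""
    findings = []
    for stmt in policy.get("statement", []):
        if stmt.get("effect") != "allow":
            continue
        for action in stmt.get("action", []):
            name = action.split(":", 1)[-1]  # drop the assumed "ccs:" prefix
            allowed = RESOURCE_LEVEL.get(name)
            for res in stmt.get("resource", []):
                if allowed is None:
                    # Not in the table: per the note, the resource element must be *.
                    if res != "*":
                        findings.append((name, res, "unlisted operation needs resource *"))
                elif res == "*":
                    findings.append((name, res, "can be narrowed to a resource path"))
                else:
                    parts = res.split(":")  # qcs::<service>:<region>:<account>:<path>
                    service = parts[2] if len(parts) >= 6 and parts[0] == "qcs" else None
                    if service not in allowed:
                        findings.append((name, res, "resource type not accepted by this operation"))
                    elif name.startswith("Delete") and res.endswith("/*"):
                        findings.append((name, res, "wildcard path on a delete operation"))
    return findings

# Constructed sample policy; region, account and cluster ID are placeholders.
CLUSTER = "qcs::ccs:ap-guangzhou:uin/100000000001:cluster/cls-example1"
SAMPLE = {"statement": [
    {"effect": "allow", "action": ["ccs:DescribeCluster"], "resource": [CLUSTER]},
    {"effect": "allow", "action": ["ccs:DeleteCluster"],
     "resource": ["qcs::ccs:ap-guangzhou:uin/100000000001:cluster/*"]},
    {"effect": "allow", "action": ["ccs:CreateCluster"], "resource": [CLUSTER]},
    {"effect": "allow", "action": ["ccs:HypotheticalUnlistedOp"], "resource": [CLUSTER]},
]}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

Extend `RESOURCE_LEVEL` with the remaining rows of the table before using the check on real policies.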