TKE Resource-level Permission API List

Last updated: 2020-04-26 16:18:04

With resource-level permissions, you can specify the resources that a user can operate on. TKE (formerly CCS) supports some resource-level permissions: for certain TKE operations, you can control which operations the user is allowed to perform (based on the conditions that must be met) or which resources the user can use.
The following table describes the types of resources that can be authorized in TKE.

| Resource Type | Resource Description Method in the Authorization Policy |
| --- | --- |
| Cluster resources | `qcs::ccs:$region::cluster/*` |

The following table describes the TKE (Tencent Kubernetes Engine) API operations that currently support resource-level permissions. You can use the wildcard (*) when specifying a resource path.

Notes:
Only the TKE API operations listed here support resource-level permissions. You can still authorize a user to perform a TKE API operation that does not support resource-level permissions, but you must set the resource element of the policy statement to the asterisk (*).

| API Operation | Resource Type | Resource Path |
| --- | --- | --- |
| DescribeClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterServiceInfo | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| CreateClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| CreateClusterService | CLB resource | `qcs::clb:$region:$account:clb/*` |
| CreateClusterService | CBS resource | `qcs::cvm:$region:$account:volume/*`<br>`qcs::cvm:$region:$account:volume/$diskId` |
| ModifyClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| ModifyClusterService | CLB resource | `qcs::clb:$region:$account:clb/*` |
| ModifyClusterService | CBS resource | `qcs::cvm:$region:$account:volume/*`<br>`qcs::cvm:$region:$account:volume/$diskId` |
| DeleteClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| ModifyServiceDescription | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeServiceEvent | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| ResumeClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| PauseClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| RollBackClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| ModifyClusterServiceImage | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| RedeployClusterService | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeServiceInstance | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| ModifyServiceReplicas | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DeleteInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterNameSpaces | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| CreateClusterNamespace | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DeleteClusterNamespace | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeCluster | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| CreateCluster | CVM resource | `qcs::cvm:$region:$account:instance/*` |
| DeleteCluster | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DescribeClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| AddClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| AddClusterInstances | CVM resource | `qcs::cvm:$region:$account:instance/*` |
| DeleteClusterInstances | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| DeleteClusterInstances | CVM resource | `qcs::cvm:$region:$account:instance/*`<br>`qcs::cvm:$region:$account:instance/$instanceId` |
| AddClusterInstancesFromExistedCvm | Cluster resource | `qcs::ccs:region:account:cluster/*`<br>`qcs::ccs:region:account:cluster/$clusterId` |
| AddClusterInstancesFromExistedCvm | CVM resource | `qcs::cvm:$region:$account:instance/*`<br>`qcs::cvm:$region:$account:instance/$instanceId` |
