Elastic Container Instance System Permission Policy Reference
Updated: 2025-09-05 14:06:48
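This document describes all system permission policies supported by Elastic Container Instance and the permissions each one grants, for reference when you authorize IAM identities.
What is a system permission policy
A permission policy is a set of permissions described with a syntax structure; it can precisely describe the authorized set of resources, the set of operations, and the authorization conditions. The access control (IAM) product of Ctyun (天翼云) provides two types of permission policies: system policies and custom policies. System policies are created by Ctyun, and their version updates are maintained by Ctyun; users can only use them and cannot modify them. Custom policies are managed by users, and their version updates are maintained by users. Users can create, update, and delete custom policies themselves. As the product iterates, Elastic Container Instance adds new permissions to system policies to support new features and capabilities. An update to a system policy affects all IAM identities that have been granted that policy, including IAM users and IAM user groups.
Product system policies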
CtyunECIFullPolicy
You can grant the CtyunECIFullPolicy policy to an IAM identity. This policy defines permissions for managing Elastic Container Instance (ECI).
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "eci:containers:createContainerGroup",
                "eci:containers:deleteContainerGroup",
                "eci:containers:updateContainerGroup",
                "eci:containers:describeContainerGroup",
                "eci:containers:restartContainerGroup",
                "eci:containers:resizeContainerGroupVolume",
                "eci:containers:describeContainerGroups",
                "eci:containers:describeContainerGroupEvent",
                "eci:containers:describeContainerGroupStatus",
                "eci:containers:createCommitContainerTask",
                "eci:containers:deleteCommitContainerTask",
                "eci:containers:describeCommitContainerTask",
                "eci:containers:execContainerCommand",
                "eci:logs:describeContainerLog",
                "eci:dataCache:createDataCache",
                "eci:dataCache:deleteDataCache",
                "eci:dataCache:copyDataCache",
                "eci:dataCache:updateDataCache",
                "eci:dataCache:describeDataCaches",
                "eci:imageCache:createImageCache",
                "eci:imageCache:deleteImageCache",
                "eci:imageCache:updateImageCache",
                "eci:imageCache:describeImageCache",
                "eci:imageCache:describeImageCaches",
                "eci:monitors:describeConsoleContainerGroupMetric",
                "eci:monitors:describeMultiConsoleContainerGroupMetric",
                "eci:containers:createOpsTask",
                "eci:containers:describeOpsTask",
                "eci:virtualNode:createVirtualNode",
                "eci:virtualNode:deleteVirtualNode",
                "eci:virtualNode:updateVirtualNode",
                "eci:virtualNode:describeVirtualNodes",
                "eci:region:describeRegion",
                "eci:tag:bindTag",
                "eci:tag:unbindTag",
                "eci:tag:listTag",
                "eci:containers:describeAvailableResource",
                "eci:containers:describeContainerGroupPrice",
                "eci:resources:listUsage"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
CtyunECIReadOnlyPolicy
You can grant the CtyunECIReadOnlyPolicy policy to an IAM identity. This policy defines read-only access permissions for Elastic Container Instance (ECI).
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "eci:containers:describeContainerGroup",
                "eci:containers:describeContainerGroups",
                "eci:containers:describeContainerGroupEvent",
                "eci:containers:describeContainerGroupStatus",
                "eci:containers:describeCommitContainerTask",
                "eci:logs:describeContainerLog",
                "eci:dataCache:describeDataCaches",
                "eci:imageCache:describeImageCache",
                "eci:imageCache:describeImageCaches",
                "eci:monitors:describeConsoleContainerGroupMetric",
                "eci:monitors:describeMultiConsoleContainerGroupMetric",
                "eci:containers:describeOpsTask",
                "eci:virtualNode:describeVirtualNodes",
                "eci:region:describeRegion",
                "eci:tag:listTag",
                "eci:containers:describeAvailableResource",
                "eci:containers:describeContainerGroupPrice",
                "eci:resources:listUsage"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
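An added example, not part of the original Ctyun documentation: because a system policy update applies to every IAM identity that holds the policy, this Python code diffs a stored snapshot of a policy against its current document and reports newly granted non-read actions. The snapshot/current split, the function names, and the describe/list read-verb rule are assumptions; the action names come from the listings above.

```python
import json

# Assumption: read-only action names start with these verbs, as every
# action in the CtyunECIReadOnlyPolicy listing above does.
READ_VERBS = ("describe", "list")

def allowed_actions(policy):
    """Collect every action granted by an Allow statement."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def is_read_action(action):
    """True when the verb (last ':' segment) is a describe*/list* call."""
    return action.rsplit(":", 1)[-1].startswith(READ_VERBS)

def review_update(snapshot, current):
    """Diff a stored policy snapshot against the current policy document."""
    old, new = allowed_actions(snapshot), allowed_actions(current)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        # Non-read additions widen what every grantee can change.
        "added_write": sorted(a for a in added if not is_read_action(a)),
    }

# Constructed sample: action names are taken from the page, but treating
# SNAPSHOT as an earlier version of CURRENT is made up for the demo.
SNAPSHOT = json.loads("""{"Version": "1.1", "Statement": [{
  "Action": ["eci:containers:describeContainerGroup", "eci:tag:listTag"],
  "Resource": ["*"], "Effect": "Allow"}]}""")
CURRENT = json.loads("""{"Version": "1.1", "Statement": [{
  "Action": ["eci:containers:describeContainerGroup", "eci:tag:listTag",
             "eci:containers:execContainerCommand", "eci:resources:listUsage"],
  "Resource": ["*"], "Effect": "Allow"}]}""")

if __name__ == "__main__":
    print(json.dumps(review_update(SNAPSHOT, CURRENT), indent=2))
```

Identities that should not pick up such additions automatically can be granted a custom policy instead, since custom policies change only when the user updates them.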