Common System Default Policies

This article introduces some commonly used system default policies to help you understand and use system policies for permission control more quickly.

  • If the system preset policies do not meet your needs, you can create a custom policy based on your actual needs.
  • To see more system default policies, log in to the Volcano Engine console with an account that has access control permissions and open Policy Management.

Access Control System Preset Policy

AdministratorAccess

IAM identities (IAM users, user groups, roles) that are granted this policy obtain administrative privileges for all products that support IAM, such as ECSFullAccess, VPCFullAccess, IAMFullAccess, and so on.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "*" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}

ReadOnlyAccess

IAM identities (IAM users, user groups, roles) that are granted this policy obtain read-only access to all IAM-enabled products, such as ECSReadOnlyAccess, VPCReadOnlyAccess, IAMReadOnlyAccess, and so on.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "*:*Describe*", 
                "*:List*", 
                "*:Get*", 
                "*:Query*", 
                "*:Check*", 
                "*:Read*", 
                "*:Desc*", 
                "*:Search*", 
                "tos:Head*", 
                "rms:*Get*", 
                "rtc:Find*", 
                "cloud_trail:Lookup*" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}

IAMReadOnlyAccess

IAM identities (IAM users, user groups, roles) that are granted this policy obtain read-only access to Access Control (IAM) and can open the Access Control console to view access control information. This does not include permission to view the Secret Access Key.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iam:Get*", 
                "iam:ListUser*", 
                "iam:ListRole*", 
                "iam:ListGroup*", 
                "iam:ListPolicy*", 
                "iam:ListSAML*", 
                "iam:ListIdentity*", 
                "iam:ListProject*", 
                "iam:ListAccount*", 
                "iam:ListAttach*", 
                "iam:ListVirtualMFADevices", 
                "iam:ListThirdParty*", 
                "iam:ListConsole*", 
                "iam:ListService*", 
                "iam:ListPlatformIdentity*", 
                "iam:ListCategory*", 
                "iam:ListSystem*", 
                "iam:ListEntities*", 
                "iam:ListIDP*", 
                "iam:ListAccessKeys*", 
                "iam:ListPolicies*", 
                "iam:ListAppID*", 
                "iam:ListResource*", 
                "iam:ListTag*" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}

IAMFullAccess

IAM identities (IAM users, user groups, roles) that are granted this policy gain full administrative privileges over Access Control (IAM).

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iam:*" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}

AccessKeySelfManageAccess

This policy allows IAM users to manage only their own API access keys, including creating and deleting keys, modifying key status, querying the key list, and viewing secret access keys in the console.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iam:CreateAccessKey", 
                "iam:DeleteAccessKey", 
                "iam:UpdateAccessKey", 
                "iam:ListAccessKeys", 
                "iam:ListSecretKeys" 
            ], 
            "Resource": [ 
                "trn:iam::*:user/${volc:UserName}" 
            ] 
        } 
    ] 
}

AccessKeyFullAccess

This policy allows IAM users to manage the API access keys of all IAM users, including creating and deleting keys, modifying key status, querying the key list, and viewing secret access keys in the console.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iam:CreateAccessKey", 
                "iam:DeleteAccessKey", 
                "iam:ListAccessKeys", 
                "iam:UpdateAccessKey", 
                "iam:ListSecretKeys" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}

AccessKeyReadOnlyAccess

This policy allows IAM users to query the API access keys of any IAM user, including querying the key list and viewing the Secret Access Key in the console.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "iam:ListAccessKeys", 
                "iam:ListSecretKeys" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}
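
An added example, not part of the original documentation: a small audit that reports which of the access-key actions named on this page are covered by a policy's Action patterns, and on which resources. It assumes case-sensitive glob matching of `*`, which this page does not specify; `policy`, `as_list` and `audit` are illustrative names.

```python
import json
from fnmatch import fnmatchcase

# Action names this page ties to access-key management and secret viewing.
SENSITIVE = ("iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey",
             "iam:ListAccessKeys", "iam:ListSecretKeys")

def policy(actions, resource="*"):
    """Build a policy document in the page's JSON shape (hypothetical helper)."""
    return json.dumps({"Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": [resource]}]})

# Action and Resource values copied from the policies shown on this page.
POLICIES = {
    "ReadOnlyAccess": policy(["*:*Describe*", "*:List*", "*:Get*", "*:Query*",
        "*:Check*", "*:Read*", "*:Desc*", "*:Search*", "tos:Head*", "rms:*Get*",
        "rtc:Find*", "cloud_trail:Lookup*"]),
    "IAMReadOnlyAccess": policy(["iam:Get*", "iam:ListUser*", "iam:ListRole*",
        "iam:ListGroup*", "iam:ListPolicy*", "iam:ListSAML*", "iam:ListIdentity*",
        "iam:ListProject*", "iam:ListAccount*", "iam:ListAttach*",
        "iam:ListVirtualMFADevices", "iam:ListThirdParty*", "iam:ListConsole*",
        "iam:ListService*", "iam:ListPlatformIdentity*", "iam:ListCategory*",
        "iam:ListSystem*", "iam:ListEntities*", "iam:ListIDP*",
        "iam:ListAccessKeys*", "iam:ListPolicies*", "iam:ListAppID*",
        "iam:ListResource*", "iam:ListTag*"]),
    "AccessKeySelfManageAccess": policy(list(SENSITIVE),
        "trn:iam::*:user/${volc:UserName}"),
}

def as_list(value):
    """Policy fields may be a single item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit(policy_json, actions=SENSITIVE):
    """Map each matched action to the Resource patterns it is allowed on.
    Assumes case-sensitive glob matching ('*' = any run of characters)."""
    found = {}
    for st in as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        for action in actions:
            if any(fnmatchcase(action, p) for p in as_list(st.get("Action"))):
                found.setdefault(action, []).extend(as_list(st.get("Resource")))
    return found

if __name__ == "__main__":
    for name, doc in POLICIES.items():
        print(name, json.dumps(audit(doc), indent=2))
```

Under this matching assumption the broad `*:List*` pattern in ReadOnlyAccess covers `iam:ListSecretKeys` on every resource, while the enumerated prefixes in IAMReadOnlyAccess cover only `iam:ListAccessKeys`. Confirm the effective permission in your own account before relying on either result.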

Tag service system default policy

TagFullAccess

IAM identities (IAM users, user groups, roles) that are granted this policy can obtain content related to the tag service in the management account, such as searching by tag.

{ 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "tag:*" 
            ], 
            "Resource": [ 
                "*" 
            ] 
        } 
    ] 
}
Last updated: 2025.06.23 19:21:30