Elastic Container Instance System Permission Policy Reference
Last updated: 2025-07-11 17:47:25
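This document lists all system permission policies supported by Elastic Container Instance and the permissions each one grants, for reference when you authorize IAM identities.
What is a system permission policy
A permission policy is a set of permissions described with a syntax structure; it precisely describes the set of resources being authorized, the set of actions, and the authorization conditions. Ctyun Identity and Access Management (IAM) provides two types of permission policy: system policies and custom policies. System policies are created by Ctyun, and their version updates are maintained by Ctyun; users can use them but cannot modify them. Custom policies are managed by the user, and their version updates are maintained by the user. Users can create, update and delete custom policies themselves. As the product evolves, Elastic Container Instance adds new permissions to its system policies to support new features and capabilities. An update to a system policy affects every IAM identity that has been granted that policy, including IAM users and IAM user groups.
Product system policies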
CtyunECIFullPolicy
You can grant the CtyunECIFullPolicy policy to an IAM identity. This policy defines the permissions for managing Elastic Container Instance (ECI).
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "eci:containers:createContainerGroup",
        "eci:containers:deleteContainerGroup",
        "eci:containers:updateContainerGroup",
        "eci:containers:describeContainerGroup",
        "eci:containers:restartContainerGroup",
        "eci:containers:resizeContainerGroupVolume",
        "eci:containers:describeContainerGroups",
        "eci:containers:describeContainerGroupEvent",
        "eci:containers:describeContainerGroupStatus",
        "eci:containers:createCommitContainerTask",
        "eci:containers:deleteCommitContainerTask",
        "eci:containers:describeCommitContainerTask",
        "eci:containers:execContainerCommand",
        "eci:logs:describeContainerLog",
        "eci:dataCache:createDataCache",
        "eci:dataCache:deleteDataCache",
        "eci:dataCache:copyDataCache",
        "eci:dataCache:updateDataCache",
        "eci:dataCache:describeDataCaches",
        "eci:imageCache:createImageCache",
        "eci:imageCache:deleteImageCache",
        "eci:imageCache:updateImageCache",
        "eci:imageCache:describeImageCache",
        "eci:imageCache:describeImageCaches",
        "eci:monitors:describeConsoleContainerGroupMetric",
        "eci:monitors:describeMultiConsoleContainerGroupMetric",
        "eci:containers:createOpsTask",
        "eci:containers:describeOpsTask",
        "eci:virtualNode:createVirtualNode",
        "eci:virtualNode:deleteVirtualNode",
        "eci:virtualNode:updateVirtualNode",
        "eci:virtualNode:describeVirtualNodes",
        "eci:region:describeRegion",
        "eci:tag:bindTag",
        "eci:tag:unbindTag",
        "eci:tag:listTag",
        "eci:containers:describeAvailableResource",
        "eci:containers:describeContainerGroupPrice",
        "eci:resources:listUsage"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
CtyunECIReadOnlyPolicy
You can grant the CtyunECIReadOnlyPolicy policy to an IAM identity. This policy defines the permissions for read-only access to Elastic Container Instance (ECI).
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "eci:containers:describeContainerGroup",
        "eci:containers:describeContainerGroups",
        "eci:containers:describeContainerGroupEvent",
        "eci:containers:describeContainerGroupStatus",
        "eci:containers:describeCommitContainerTask",
        "eci:logs:describeContainerLog",
        "eci:dataCache:describeDataCaches",
        "eci:imageCache:describeImageCache",
        "eci:imageCache:describeImageCaches",
        "eci:monitors:describeConsoleContainerGroupMetric",
        "eci:monitors:describeMultiConsoleContainerGroupMetric",
        "eci:containers:describeOpsTask",
        "eci:virtualNode:describeVirtualNodes",
        "eci:region:describeRegion",
        "eci:tag:listTag",
        "eci:containers:describeAvailableResource",
        "eci:containers:describeContainerGroupPrice",
        "eci:resources:listUsage"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
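Every action in CtyunECIReadOnlyPolicy has a verb beginning with describe or list, and CtyunECIFullPolicy adds exactly the actions that do not. The following added example (not part of the Ctyun documentation) uses that split to audit a policy document for grants beyond read-only access. It assumes custom policies use the same JSON structure as the system policies shown here; the function names and the sample policy are constructed for illustration.

```python
import json

# Every action in CtyunECIReadOnlyPolicy above uses one of these verb prefixes.
READ_VERB_PREFIXES = ("describe", "list")

def is_read_only(action: str) -> bool:
    """True only for eci:<resource>:<verb> actions whose verb is describe*/list*."""
    parts = action.split(":")
    if len(parts) != 3 or parts[0] != "eci":
        return False  # fail closed on any unexpected shape
    return parts[2].startswith(READ_VERB_PREFIXES)

def as_list(value):  # accept a single string or a list for Action/Resource
    return [value] if isinstance(value, str) else list(value or [])

def audit(policy_json: str) -> dict:
    """Report what the Allow statements grant beyond read-only access."""
    write_actions, all_resources = set(), False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        non_read = {a for a in as_list(stmt.get("Action")) if not is_read_only(a)}
        write_actions |= non_read
        # A non-read action on every resource is the widest possible grant.
        if non_read and "*" in as_list(stmt.get("Resource")):
            all_resources = True
    return {"write_actions": sorted(write_actions),
            "write_on_all_resources": all_resources}

# Constructed sample: a custom policy intended for a monitoring role.
SAMPLE_POLICY = """
{
  "Version": "1.1",
  "Statement": [{
    "Action": [
      "eci:containers:describeContainerGroups",
      "eci:logs:describeContainerLog",
      "eci:monitors:describeConsoleContainerGroupMetric",
      "eci:containers:execContainerCommand",
      "eci:containers:restartContainerGroup"
    ],
    "Resource": ["*"],
    "Effect": "Allow"
  }]
}
"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

Running the audit on the sample flags execContainerCommand and restartContainerGroup, neither of which a monitoring role needs, and notes that they apply to all resources.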