Product Introduction

CAM Overview

Features

Scenarios

Basic Concepts

Use Limits

User Types

Purchase Guide

Getting Started

Creating Admin User

Creating and Authorizing Sub-account

Logging In to Console with Sub-account

User Guide

Overview

Users

Access Key

User Groups

Role

Identity Provider

Policies

Permissions Boundary

Troubleshooting

Downloading Security Analysis Report

CAM-Enabled Role

Overview

Compute

Container

Microservice

Essential Storage Service

Data Process and Analysis

Data Migration

Relational Database

Enterprise Distributed DBMS

NoSQL Database

Database SaaS Tool

Database SaaS Service

Networking

CDN and Acceleration

Network Security

Data Security

Application Security

Domains & Websites

Big Data

Middleware

Interactive Video Services

Real-Time Interaction

Media On-Demand

Media Process Services

Media Process

Cloud Real-time Rendering

Game Services

Cloud Resource Management

Management and Audit Tools

Developer Tools

Monitor and Operation

CAM-Enabled API

Overview

Compute

Edge Computing

Container

Distributed cloud

Microservice

Serverless

Essential Storage Service

Data Process and Analysis

Data Migration

Relational Database

Enterprise Distributed DBMS

NoSQL Database

Database SaaS Tool

Networking

CDN and Acceleration

Network Security

Endpoint Security

Data Security

Business Security

Application Security

Domains & Websites

Office Collaboration

Big Data

Voice Technology

Image Creation

Tencent Big Model

AI Platform Service

Natural Language Processing

Optical Character Recognition

Middleware

Communication

Interactive Video Services

Real-Time Interaction

Stream Services

Media On-Demand

Media Process Services

Media Process

Cloud Real-time Rendering

Game Services

Education Sevices

Medical Services

Cloud Resource Management

Management and Audit Tools

Developer Tools

Monitor and Operation

Use Cases

Security Practical Tutorial

Multi-Identity Personnel Permission Management

Authorizing Certain Operations by Tag

Supporting Isolated Resource Access for Employees

Enterprise Multi-Account Permissions Management

Reviewing Employee Operation Records on Tencent Cloud

Implementing Attribute-Based Access Control for Employee Resource Permissions Management

During tag-based authentication, only tag key matching is supported

Business Use Cases

TencentDB for MySQL

CLB

CMQ

COS

CVM

VPC

VOD

Others

API Documentation

History

Introduction

API Category

Making API Requests

User APIs

Policy APIs

Role APIs

Identity Provider APIs

Data Types

Error Codes

FAQs

Role

Key

Others

CAM Users and Permissions

Glossary

Tencent Kubernetes Engine

PDF

Focus Mode

Font Size

Last updated: 2026-04-01 10:02:44

Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

Product	Role Name	Role Types	Role Entity
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEIS	Service-Related Roles	eis.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInTDCC	Service-Related Roles	cvm.qcloud.com tdcc.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEKSLog	Service-Related Roles	cvm.qcloud.com ekslog.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEtcdService	Service-Related Roles	cvm.qcloud.com etcdservice.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEKSCostMaster	Service-Related Roles	cvm.qcloud.com ekscostmaster.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInPrometheusService	Service-Related Roles	cvm.qcloud.com prometheusservice.tke.cloud.tencent.com

TKE_QCSLinkedRoleInEIS

Use Cases： The current role is the Tencent Kubernetes Engine (TKE) service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKEInEISRole

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cvm:ModifyInstancesProject",
              "cvm:DescribeInstances",
              "tke:InstallAddon",
              "tke:DescribeAddon",
              "tke:DescribeAddonValues",
              "tke:UpdateAddon",
              "tke:DeleteAddon",
              "tke:AddVpcCniSubnets",
              "tke:CheckClusterCIDR",
              "tke:DescribeClusterKubeconfig",
              "tke:AcquireClusterKubeConfigForProduct",
              "tke:ModifyClusterTags",
              "tke:ModifyClusterAttribute",
              "tke:DisableClusterDeletionProtection",
              "tke:DescribeClusterInstances",
              "tke:DeleteCluster",
              "tke:DescribeClusterStatus",
              "tke:DescribeClusters",
              "tke:DescribeExistedInstances",
              "tke:CreateCluster",
              "tke:DeleteClusterInstances",
              "tke:AddExistedInstances",
              "cls:CreateLogset",
              "cls:DescribeLogsets",
              "cls:CreateTopic",
              "cls:DescribeTopics",
              "monitor:DescribePrometheusInstances",
              "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
              "monitor:CreatePrometheusClusterAgent",
              "monitor:DescribePrometheusClusterAgents",
              "monitor:DeletePrometheusClusterAgent",
              "monitor:TerminatePrometheusInstances",
              "monitor:CreateExporterIntegration",
              "monitor:DescribeExporterIntegrations",
              "monitor:CreateExternalCluster",
              "monitor:DescribeExternalClusterRegisterCommand",
              "vpc:DescribeSubnets",
              "tke:CreateClusterRelease",
              "tke:DescribeClusterReleases",
              "tke:DescribeClusterPendingReleases",
              "tke:UninstallClusterRelease",
              "tke:DescribeLogSwitches",
              "cvm:DescribeImages",
              "cvm:RebootInstances",
              "cvm:DescribeMarketImages",
              "cvm:ModifyInstancesAttribute",
              "cvm:RunInstances",
              "cvm:ResetInstance",
              "cvm:DescribeZones",
              "cvm:DescribeInstanceTypeConfigs",
              "cvm:DescribeZoneInstanceConfigInfos"
          ],
          "resource": "*"
      }
  ]
}

TKE_QCSLinkedRoleInTDCC

Use Cases： The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInTDCC

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cls:listTopic",
              "cls:getTopic",
              "cls:createTopic",
              "cls:modifyTopic",
              "cls:listMachineGroup",
              "cls:getMachineGroup",
              "cls:createMachineGroup",
              "cls:modifyMachineGroup",
              "cls:deleteMachineGroup",
              "cls:getMachineStatus",
              "cls:pushLog",
              "cls:agentHeartBeat",
              "cls:getConfig",
              "cls:getIndex",
              "cls:modifyIndex",
              "cls:ApplyConfigToMachineGroup",
              "cls:CreateConfig",
              "cls:CreateIndex",
              "cls:CreateLogset",
              "cls:CreateMachineGroup",
              "cls:CreateTopic",
              "cls:DeleteConfig",
              "cls:DeleteConfigFromMachineGroup",
              "cls:DeleteLogset",
              "cls:DeleteMachineGroup",
              "cls:DeleteTopic",
              "cls:DescribeConfigMachineGroups",
              "cls:DescribeConfigs",
              "cls:DescribeLogsets",
              "cls:DescribeMachineGroupConfigs",
              "cls:DescribeMachineGroups",
              "cls:DescribeTopics",
              "cls:ModifyConfig",
              "cls:ModifyIndex",
              "cls:ModifyMachineGroup",
              "cls:ModifyTopic"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEKSLog

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInEKSLog

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cls:pushLog",
              "cls:agentHeartBeat",
              "cls:getConfig"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEtcdService

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInEtcdService

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "resource": [
              "*"
          ],
          "action": [
              "cos:DeleteBucket",
              "cos:GetBucket",
              "cos:PutBucket",
              "cos:HeadBucket",
              "cos:GetObject",
              "cos:HeadObject",
              "cos:PutObject",
              "cos:DeleteObject",
              "cos:DeleteMultipleObjects",
              "cos:ListMultipartUploads",
              "cos:AbortMultipartUpload"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEKSCostMaster

Policy Name： QcloudAccessForTKELinkedRoleInEKSCostMaster

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "action": [
              "monitor:DescribeMidDimensionValueList",
              "monitor:DescribeStatisticData",
              "monitor:GetMonitorData"
          ],
          "resource": "*",
          "effect": "allow"
      }
  ]
}

TKE_QCSLinkedRoleInPrometheusService

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInPrometheusService

Policy Information：

{
  "statement": [
      {
          "action": [
              "cos:DeleteBucket",
              "cos:GetBucket",
              "cos:PutBucket",
              "cos:HeadBucket",
              "cos:GetObject",
              "cos:HeadObject",
              "cos:PutObject",
              "cos:DeleteObject",
              "cos:DeleteMultipleObjects",
              "cos:ListMultipartUploads",
              "cos:AbortMultipartUpload",
              "cos:AbortMultipartUpload",
              "cos:ListMultipartUploads",
              "monitor:DescribePrometheusInstances",
              "monitor:DescribeRecordingRules",
              "monitor:DescribeAlertRules",
              "monitor:DescribeAlarmNotice",
              "monitor:DescribeAlarmNotices",
              "monitor:DescribeAlarmNoticeCallbacks",
              "monitor:DescribeAlarmHistories",
              "monitor:CreatePrometheusMultiTenantInstance",
              "monitor:TerminatePrometheusInstances",
              "monitor:ModifyPrometheusInstanceAttributes",
              "monitor:CreateRecordingRule",
              "monitor:DeleteRecordingRules",
              "monitor:UpdateRecordingRule",
              "monitor:CreateAlertRule",
              "monitor:DeleteAlertRules",
              "monitor:UpdateAlertRule",
              "monitor:UpdateAlertRuleState",
              "monitor:CreateAlarmNotice",
              "monitor:DeleteAlarmNotices",
              "monitor:ModifyAlarmNotice",
              "monitor:ModifyAlarmPolicyNotice",
              "monitor:CreateManagedEKSAgent",
              "monitor:DescribeManagedEKSAgent",
              "monitor:CreateAlertRuleReceiverNotRequired",
              "monitor:UpdateAlertRuleReceiverNotRequired",
              "monitor:DescribeExporterIntegrations",
              "monitor:CreateExporterIntegration",
              "monitor:UpdateExporterIntegration",
              "monitor:DeleteExporterIntegration",
              "monitor:CreateGrafanaInstance",
              "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
              "monitor:BindPrometheusManagedGrafana",
              "monitor:DescribeGrafanaInstances",
              "tdcc:DescribeExternalClusters",
              "tdcc:DescribeExternalClusterCredential",
              "monitor:UpgradeGrafanaDashboard",
              "monitor:UninstallGrafanaDashboard",
              "monitor:DescribePrometheusAlertGroups",
              "monitor:CreatePrometheusAlertGroup",
              "monitor:UpdatePrometheusAlertGroup",
              "monitor:DeletePrometheusAlertGroups",
              "monitor:UpdatePrometheusAlertGroupState",
              "tke:DescribeTKEEdgeExternalKubeconfig",
              "tke:DescribeTKEEdgeClusterCredential",
              "tke:DescribeTKEEdgeClusters",
              "tke:DescribeClusters",
              "tke:DescribeClusterSecurity"
          ],
          "effect": "allow",
          "resource": [
              "*"
          ]
      }
  ],
  "version": "2.0"
}

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Cloud Access Management

Tencent Kubernetes Engine

TKE_QCSLinkedRoleInEIS

TKE_QCSLinkedRoleInTDCC

TKE_QCSLinkedRoleInEKSLog

TKE_QCSLinkedRoleInEtcdService

TKE_QCSLinkedRoleInEKSCostMaster

TKE_QCSLinkedRoleInPrometheusService

Help and Support