
Tencent Kubernetes Engine
Last updated: 2025-12-04 09:16:57

Service roles and service-linked roles are predefined by Tencent Cloud services. Once the user grants authorization, the corresponding service can access and use resources by assuming these roles. This document describes the use cases and the associated authorization policies of these specific service-linked roles.

| Product | Role Name | Role Types | Role Entity |
| --- | --- | --- | --- |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEIS | Service-Related Roles | eis.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInTDCC | Service-Related Roles | cvm.qcloud.com, tdcc.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSLog | Service-Related Roles | cvm.qcloud.com, ekslog.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEtcdService | Service-Related Roles | cvm.qcloud.com, etcdservice.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSCostMaster | Service-Related Roles | cvm.qcloud.com, ekscostmaster.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInPrometheusService | Service-Related Roles | cvm.qcloud.com, prometheusservice.tke.cloud.tencent.com |

TKE_QCSLinkedRoleInEIS

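Use Cases: The current role is the Tencent Kubernetes Engine (TKE) service-linked role, which accesses your other service resources within the scope of the permissions of the associated policy. The policy below applies to all resources ("resource": "*") and, alongside read-only Describe actions, includes cluster and instance lifecycle actions (for example tke:CreateCluster, tke:DeleteCluster, tke:DisableClusterDeletionProtection, cvm:RunInstances, cvm:ResetInstance) and kubeconfig retrieval (tke:DescribeClusterKubeconfig, tke:AcquireClusterKubeConfigForProduct), so activity under this role is worth including in audit-log review.
Authorization Policies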

  • Policy Name: QcloudAccessForTKEInEISRole
  • Policy Information:
    {
      "version": "2.0",
      "statement": [
          {
              "effect": "allow",
              "action": [
                  "cvm:ModifyInstancesProject",
                  "cvm:DescribeInstances",
                  "tke:InstallAddon",
                  "tke:DescribeAddon",
                  "tke:DescribeAddonValues",
                  "tke:UpdateAddon",
                  "tke:DeleteAddon",
                  "tke:AddVpcCniSubnets",
                  "tke:CheckClusterCIDR",
                  "tke:DescribeClusterKubeconfig",
                  "tke:AcquireClusterKubeConfigForProduct",
                  "tke:ModifyClusterTags",
                  "tke:ModifyClusterAttribute",
                  "tke:DisableClusterDeletionProtection",
                  "tke:DescribeClusterInstances",
                  "tke:DeleteCluster",
                  "tke:DescribeClusterStatus",
                  "tke:DescribeClusters",
                  "tke:DescribeExistedInstances",
                  "tke:CreateCluster",
                  "tke:DeleteClusterInstances",
                  "tke:AddExistedInstances",
                  "cls:CreateLogset",
                  "cls:DescribeLogsets",
                  "cls:CreateTopic",
                  "cls:DescribeTopics",
                  "monitor:DescribePrometheusInstances",
                  "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
                  "monitor:CreatePrometheusClusterAgent",
                  "monitor:DescribePrometheusClusterAgents",
                  "monitor:DeletePrometheusClusterAgent",
                  "monitor:TerminatePrometheusInstances",
                  "monitor:CreateExporterIntegration",
                  "monitor:DescribeExporterIntegrations",
                  "monitor:CreateExternalCluster",
                  "monitor:DescribeExternalClusterRegisterCommand",
                  "vpc:DescribeSubnets",
                  "tke:CreateClusterRelease",
                  "tke:DescribeClusterReleases",
                  "tke:DescribeClusterPendingReleases",
                  "tke:UninstallClusterRelease",
                  "tke:DescribeLogSwitches",
                  "cvm:DescribeImages",
                  "cvm:RebootInstances",
                  "cvm:DescribeMarketImages",
                  "cvm:ModifyInstancesAttribute",
                  "cvm:RunInstances",
                  "cvm:ResetInstance",
                  "cvm:DescribeZones",
                  "cvm:DescribeInstanceTypeConfigs",
                  "cvm:DescribeZoneInstanceConfigInfos"
              ],
              "resource": "*"
          }
      ]
    }

TKE_QCSLinkedRoleInTDCC

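Use Cases: The current role is the TKE service-linked role, which accesses your other service resources within the scope of the permissions of the associated policy. The policy below covers only CLS (cls:) actions, but applies to all resources ("resource": "*") and includes create, modify and delete actions on logsets, topics, collection configurations and machine groups. Several operations are listed under two naming styles (for example cls:createTopic and cls:CreateTopic).
Authorization Policies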

  • Policy Name: QcloudAccessForTKELinkedRoleInTDCC
  • Policy Information:
    {
      "version": "2.0",
      "statement": [
          {
              "effect": "allow",
              "action": [
                  "cls:listTopic",
                  "cls:getTopic",
                  "cls:createTopic",
                  "cls:modifyTopic",
                  "cls:listMachineGroup",
                  "cls:getMachineGroup",
                  "cls:createMachineGroup",
                  "cls:modifyMachineGroup",
                  "cls:deleteMachineGroup",
                  "cls:getMachineStatus",
                  "cls:pushLog",
                  "cls:agentHeartBeat",
                  "cls:getConfig",
                  "cls:getIndex",
                  "cls:modifyIndex",
                  "cls:ApplyConfigToMachineGroup",
                  "cls:CreateConfig",
                  "cls:CreateIndex",
                  "cls:CreateLogset",
                  "cls:CreateMachineGroup",
                  "cls:CreateTopic",
                  "cls:DeleteConfig",
                  "cls:DeleteConfigFromMachineGroup",
                  "cls:DeleteLogset",
                  "cls:DeleteMachineGroup",
                  "cls:DeleteTopic",
                  "cls:DescribeConfigMachineGroups",
                  "cls:DescribeConfigs",
                  "cls:DescribeLogsets",
                  "cls:DescribeMachineGroupConfigs",
                  "cls:DescribeMachineGroups",
                  "cls:DescribeTopics",
                  "cls:ModifyConfig",
                  "cls:ModifyIndex",
                  "cls:ModifyMachineGroup",
                  "cls:ModifyTopic"
              ],
              "resource": [
                  "*"
              ]
          }
      ]
    }

TKE_QCSLinkedRoleInEKSLog

Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInEKSLog
  • Policy Information:
    {
      "version": "2.0",
      "statement": [
          {
              "effect": "allow",
              "action": [
                  "cls:pushLog",
                  "cls:agentHeartBeat",
                  "cls:getConfig"
              ],
              "resource": [
                  "*"
              ]
          }
      ]
    }

TKE_QCSLinkedRoleInEtcdService

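Use Cases: The current role is the TKE service role, which accesses your other service resources within the scope of the permissions of the associated policy. The policy below grants COS bucket and object create, read and delete actions (including cos:DeleteBucket and cos:DeleteMultipleObjects) on all resources ("resource": "*"); it is not restricted to a specific bucket.
Authorization Policies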

  • Policy Name: QcloudAccessForTKELinkedRoleInEtcdService
  • Policy Information:
    {
      "version": "2.0",
      "statement": [
          {
              "effect": "allow",
              "resource": [
                  "*"
              ],
              "action": [
                  "cos:DeleteBucket",
                  "cos:GetBucket",
                  "cos:PutBucket",
                  "cos:HeadBucket",
                  "cos:GetObject",
                  "cos:HeadObject",
                  "cos:PutObject",
                  "cos:DeleteObject",
                  "cos:DeleteMultipleObjects",
                  "cos:ListMultipartUploads",
                  "cos:AbortMultipartUpload"
              ]
          }
      ]
    }

TKE_QCSLinkedRoleInEKSCostMaster

Use Cases: The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInEKSCostMaster
  • Policy Information:
    {
      "version": "2.0",
      "statement": [
          {
              "action": [
                  "monitor:DescribeMidDimensionValueList",
                  "monitor:DescribeStatisticData",
                  "monitor:GetMonitorData"
              ],
              "resource": "*",
              "effect": "allow"
          }
      ]
    }

TKE_QCSLinkedRoleInPrometheusService

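Use Cases: The current role is the TKE service role, which accesses your other service resources within the scope of the permissions of the associated policy. The policy below applies to all resources ("resource": "*") and combines COS bucket and object create, read and delete actions with monitor: actions that create, modify and delete Prometheus instances, alert rules and alarm notices. It also includes actions that retrieve cluster credentials (tdcc:DescribeExternalClusterCredential, tke:DescribeTKEEdgeClusterCredential, tke:DescribeTKEEdgeExternalKubeconfig). cos:AbortMultipartUpload and cos:ListMultipartUploads each appear twice in the action list; the duplicates do not change the permissions granted.
Authorization Policies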

  • Policy Name: QcloudAccessForTKELinkedRoleInPrometheusService
  • Policy Information:
    {
      "statement": [
          {
              "action": [
                  "cos:DeleteBucket",
                  "cos:GetBucket",
                  "cos:PutBucket",
                  "cos:HeadBucket",
                  "cos:GetObject",
                  "cos:HeadObject",
                  "cos:PutObject",
                  "cos:DeleteObject",
                  "cos:DeleteMultipleObjects",
                  "cos:ListMultipartUploads",
                  "cos:AbortMultipartUpload",
                  "cos:AbortMultipartUpload",
                  "cos:ListMultipartUploads",
                  "monitor:DescribePrometheusInstances",
                  "monitor:DescribeRecordingRules",
                  "monitor:DescribeAlertRules",
                  "monitor:DescribeAlarmNotice",
                  "monitor:DescribeAlarmNotices",
                  "monitor:DescribeAlarmNoticeCallbacks",
                  "monitor:DescribeAlarmHistories",
                  "monitor:CreatePrometheusMultiTenantInstance",
                  "monitor:TerminatePrometheusInstances",
                  "monitor:ModifyPrometheusInstanceAttributes",
                  "monitor:CreateRecordingRule",
                  "monitor:DeleteRecordingRules",
                  "monitor:UpdateRecordingRule",
                  "monitor:CreateAlertRule",
                  "monitor:DeleteAlertRules",
                  "monitor:UpdateAlertRule",
                  "monitor:UpdateAlertRuleState",
                  "monitor:CreateAlarmNotice",
                  "monitor:DeleteAlarmNotices",
                  "monitor:ModifyAlarmNotice",
                  "monitor:ModifyAlarmPolicyNotice",
                  "monitor:CreateManagedEKSAgent",
                  "monitor:DescribeManagedEKSAgent",
                  "monitor:CreateAlertRuleReceiverNotRequired",
                  "monitor:UpdateAlertRuleReceiverNotRequired",
                  "monitor:DescribeExporterIntegrations",
                  "monitor:CreateExporterIntegration",
                  "monitor:UpdateExporterIntegration",
                  "monitor:DeleteExporterIntegration",
                  "monitor:CreateGrafanaInstance",
                  "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
                  "monitor:BindPrometheusManagedGrafana",
                  "monitor:DescribeGrafanaInstances",
                  "tdcc:DescribeExternalClusters",
                  "tdcc:DescribeExternalClusterCredential",
                  "monitor:UpgradeGrafanaDashboard",
                  "monitor:UninstallGrafanaDashboard",
                  "monitor:DescribePrometheusAlertGroups",
                  "monitor:CreatePrometheusAlertGroup",
                  "monitor:UpdatePrometheusAlertGroup",
                  "monitor:DeletePrometheusAlertGroups",
                  "monitor:UpdatePrometheusAlertGroupState",
                  "tke:DescribeTKEEdgeExternalKubeconfig",
                  "tke:DescribeTKEEdgeClusterCredential",
                  "tke:DescribeTKEEdgeClusters",
                  "tke:DescribeClusters",
                  "tke:DescribeClusterSecurity"
              ],
              "effect": "allow",
              "resource": [
                  "*"
              ]
          }
      ],
      "version": "2.0"
    }