- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Overview
- Users
- Identity Provider
- SSO Overview
- Practical Scenarios for SSO
- User-Based SSO
- Role-Based SSO
- Overview
- Overview of SAML Role-Based SSO
- Overview of OIDC Role-Based Single Sign-On
- SAML 2.0-Based Federation
- Accessing Tencent Cloud Console as SAML 2.0 Federated Users
- Creating a SAML IdP
- Creating an OIDC Identity Provider
- Managing IdPs
- Azure Active Directory Single Sign-On
- OneLogin Single Sign-On
- Okta Single Sign-On
- ADFS SSO to Tencent Cloud
- Implementing OIDC-Based Role-Based SSO
- Access Key
- User Groups
- Role
- Policies
- Troubleshooting
- Permissions Boundary
- Downloading Security Analysis Report
- CAM-Enabled Role
- Overview
- Compute
- Container
- Microservice
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- NoSQL Database
- Database SaaS Tool
- Networking
- CDN and Acceleration
- Network Security
- Application Security
- Domains & Websites
- Big Data
- Middleware
- Interactive Video Services
- Media On-Demand
- Cloud Real-time Rendering
- Game Services
- Cloud Resource Management
- Management and Audit Tools
- CAM-Enabled API
- Overview
- Compute
- Edge Computing
- Container
- Microservice
- Serverless
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- NoSQL Database
- Database SaaS Tool
- Networking
- CDN and Acceleration
- Network Security
- Endpoint Security
- Data Security
- Business Security
- Application Security
- Domains & Websites
- Big Data
- Voice Technology
- Natural Language Processing
- Middleware
- Communication
- Interactive Video Services
- Stream Services
- Media On-Demand
- Media Process Services
- Cloud Real-time Rendering
- Game Services
- Education Sevices
- Cloud Resource Management
- Management and Audit Tools
- Monitor and Operation
- More
- Best Practice
- Security Best Practice
- Multi-Identity Personnel Permission Management
- Authorizing Certain Operations by Tag
- Supporting Isolated Resource Access for Employees
- Enterprise Multi-Account Permissions Management
- Reviewing Employee Operation Records on Tencent Cloud
- Implementing Attribute-Based Access Control for Employee Resource Permissions Management
- During tag-based authentication, only tag key matching is supported
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Overview
- Users
- Identity Provider
- SSO Overview
- Practical Scenarios for SSO
- User-Based SSO
- Role-Based SSO
- Overview
- Overview of SAML Role-Based SSO
- Overview of OIDC Role-Based Single Sign-On
- SAML 2.0-Based Federation
- Accessing Tencent Cloud Console as SAML 2.0 Federated Users
- Creating a SAML IdP
- Creating an OIDC Identity Provider
- Managing IdPs
- Azure Active Directory Single Sign-On
- OneLogin Single Sign-On
- Okta Single Sign-On
- ADFS SSO to Tencent Cloud
- Implementing OIDC-Based Role-Based SSO
- Access Key
- User Groups
- Role
- Policies
- Troubleshooting
- Permissions Boundary
- Downloading Security Analysis Report
- CAM-Enabled Role
- Overview
- Compute
- Container
- Microservice
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- NoSQL Database
- Database SaaS Tool
- Networking
- CDN and Acceleration
- Network Security
- Application Security
- Domains & Websites
- Big Data
- Middleware
- Interactive Video Services
- Media On-Demand
- Cloud Real-time Rendering
- Game Services
- Cloud Resource Management
- Management and Audit Tools
- CAM-Enabled API
- Overview
- Compute
- Edge Computing
- Container
- Microservice
- Serverless
- Essential Storage Service
- Data Process and Analysis
- Data Migration
- Relational Database
- Enterprise Distributed DBMS
- NoSQL Database
- Database SaaS Tool
- Networking
- CDN and Acceleration
- Network Security
- Endpoint Security
- Data Security
- Business Security
- Application Security
- Domains & Websites
- Big Data
- Voice Technology
- Natural Language Processing
- Middleware
- Communication
- Interactive Video Services
- Stream Services
- Media On-Demand
- Media Process Services
- Cloud Real-time Rendering
- Game Services
- Education Sevices
- Cloud Resource Management
- Management and Audit Tools
- Monitor and Operation
- More
- Best Practice
- Security Best Practice
- Multi-Identity Personnel Permission Management
- Authorizing Certain Operations by Tag
- Supporting Isolated Resource Access for Employees
- Enterprise Multi-Account Permissions Management
- Reviewing Employee Operation Records on Tencent Cloud
- Implementing Attribute-Based Access Control for Employee Resource Permissions Management
- During tag-based authentication, only tag key matching is supported
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- FAQs
- Glossary
Tencent Kubernetes Engine
Last updated: 2024-05-02 09:11:51
Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.
| Product | Role Name | Role Types | Role Entity |
|---|---|---|---|
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInTDCC | Service-Related Roles | cvm.qcloud.com tdcc.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSLog | Service-Related Roles | cvm.qcloud.com ekslog.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEtcdService | Service-Related Roles | cvm.qcloud.com etcdservice.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSCostMaster | Service-Related Roles | cvm.qcloud.com ekscostmaster.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInPrometheusService | Service-Related Roles | cvm.qcloud.com prometheusservice.tke.cloud.tencent.com |
TKE_QCSLinkedRoleInTDCC
Use Cases: The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices
- Policy Name: QcloudAccessForTKELinkedRoleInTDCC
- Policy Information:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:listTopic",
"cls:getTopic",
"cls:createTopic",
"cls:modifyTopic",
"cls:listMachineGroup",
"cls:getMachineGroup",
"cls:createMachineGroup",
"cls:modifyMachineGroup",
"cls:deleteMachineGroup",
"cls:getMachineStatus",
"cls:pushLog",
"cls:agentHeartBeat",
"cls:getConfig",
"cls:getIndex",
"cls:modifyIndex",
"cls:ApplyConfigToMachineGroup",
"cls:CreateConfig",
"cls:CreateIndex",
"cls:CreateLogset",
"cls:CreateMachineGroup",
"cls:CreateTopic",
"cls:DeleteConfig",
"cls:DeleteConfigFromMachineGroup",
"cls:DeleteLogset",
"cls:DeleteMachineGroup",
"cls:DeleteTopic",
"cls:DescribeConfigMachineGroups",
"cls:DescribeConfigs",
"cls:DescribeLogsets",
"cls:DescribeMachineGroupConfigs",
"cls:DescribeMachineGroups",
"cls:DescribeTopics",
"cls:ModifyConfig",
"cls:ModifyIndex",
"cls:ModifyMachineGroup",
"cls:ModifyTopic"
],
"resource": [
"*"
]
}
]
}
TKE_QCSLinkedRoleInEKSLog
Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices
- Policy Name: QcloudAccessForTKELinkedRoleInEKSLog
- Policy Information:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:listTopic",
"cls:getTopic",
"cls:createTopic",
"cls:modifyTopic",
"cls:listMachineGroup",
"cls:getMachineGroup",
"cls:createMachineGroup",
"cls:modifyMachineGroup",
"cls:deleteMachineGroup",
"cls:getMachineStatus",
"cls:pushLog",
"cls:agentHeartBeat",
"cls:getConfig",
"cls:getIndex",
"cls:modifyIndex",
"cls:ApplyConfigToMachineGroup",
"cls:CreateConfig",
"cls:CreateIndex",
"cls:CreateLogset",
"cls:CreateMachineGroup",
"cls:CreateTopic",
"cls:DeleteConfig",
"cls:DeleteConfigFromMachineGroup",
"cls:DeleteLogset",
"cls:DeleteMachineGroup",
"cls:DeleteTopic",
"cls:DescribeConfigMachineGroups",
"cls:DescribeConfigs",
"cls:DescribeLogsets",
"cls:DescribeMachineGroupConfigs",
"cls:DescribeMachineGroups",
"cls:DescribeTopics",
"cls:ModifyConfig",
"cls:ModifyIndex",
"cls:ModifyMachineGroup",
"cls:ModifyTopic"
],
"resource": [
"*"
]
}
]
}
TKE_QCSLinkedRoleInEtcdService
Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices
- Policy Name: QcloudAccessForTKELinkedRoleInEtcdService
- Policy Information:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"resource": [
"*"
],
"action": [
"cos:DeleteBucket",
"cos:GetBucket",
"cos:PutBucket",
"cos:HeadBucket",
"cos:GetObject",
"cos:HeadObject",
"cos:PutObject",
"cos:DeleteObject",
"cos:DeleteMultipleObjects",
"cos:ListMultipartUploads",
"cos:AbortMultipartUpload"
]
}
]
}
TKE_QCSLinkedRoleInEKSCostMaster
Use Cases: The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices
- Policy Name: QcloudAccessForTKELinkedRoleInEKSCostMaster
- Policy Information:
{
"version": "2.0",
"statement": [
{
"action": [
"monitor:DescribeMidDimensionValueList",
"monitor:DescribeStatisticData",
"monitor:GetMonitorData"
],
"resource": "*",
"effect": "allow"
}
]
}
TKE_QCSLinkedRoleInPrometheusService
Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices
- Policy Name: QcloudAccessForTKELinkedRoleInPrometheusService
- Policy Information:
{
"statement": [
{
"action": [
"cos:DeleteBucket",
"cos:GetBucket",
"cos:PutBucket",
"cos:HeadBucket",
"cos:GetObject",
"cos:HeadObject",
"cos:PutObject",
"cos:DeleteObject",
"cos:DeleteMultipleObjects",
"cos:ListMultipartUploads",
"cos:AbortMultipartUpload",
"cos:AbortMultipartUpload",
"cos:ListMultipartUploads",
"monitor:DescribePrometheusInstances",
"monitor:DescribeRecordingRules",
"monitor:DescribeAlertRules",
"monitor:DescribeAlarmNotice",
"monitor:DescribeAlarmNotices",
"monitor:DescribeAlarmNoticeCallbacks",
"monitor:DescribeAlarmHistories",
"monitor:CreatePrometheusMultiTenantInstance",
"monitor:TerminatePrometheusInstances",
"monitor:ModifyPrometheusInstanceAttributes",
"monitor:CreateRecordingRule",
"monitor:DeleteRecordingRules",
"monitor:UpdateRecordingRule",
"monitor:CreateAlertRule",
"monitor:DeleteAlertRules",
"monitor:UpdateAlertRule",
"monitor:UpdateAlertRuleState",
"monitor:CreateAlarmNotice",
"monitor:DeleteAlarmNotices",
"monitor:ModifyAlarmNotice",
"monitor:ModifyAlarmPolicyNotice",
"monitor:CreateManagedEKSAgent",
"monitor:DescribeManagedEKSAgent",
"monitor:CreateAlertRuleReceiverNotRequired",
"monitor:UpdateAlertRuleReceiverNotRequired",
"monitor:DescribeExporterIntegrations",
"monitor:CreateExporterIntegration",
"monitor:UpdateExporterIntegration",
"monitor:DeleteExporterIntegration",
"monitor:CreateGrafanaInstance",
"monitor:CreatePrometheusMultiTenantInstancePostPayMode",
"monitor:BindPrometheusManagedGrafana",
"monitor:DescribeGrafanaInstances",
"tdcc:DescribeExternalClusters",
"tdcc:DescribeExternalClusterCredential",
"monitor:UpgradeGrafanaDashboard",
"monitor:UninstallGrafanaDashboard",
"monitor:DescribePrometheusAlertGroups",
"monitor:CreatePrometheusAlertGroup",
"monitor:UpdatePrometheusAlertGroup",
"monitor:DeletePrometheusAlertGroups",
"monitor:UpdatePrometheusAlertGroupState",
"tke:DescribeTKEEdgeExternalKubeconfig",
"tke:DescribeTKEEdgeClusterCredential",
"tke:DescribeTKEEdgeClusters",
"tke:DescribeClusters",
"tke:DescribeClusterSecurity"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}
Yes
No
Was this page helpful?