プロダクトの概要

CAMの概要

製品機能

適用シーン

基本概念

使用制限

ユーザータイプ

購入ガイド

クイックスタート

管理者ユーザーを作成する

サブアカウントの作成と権限付与

サブアカウントのコンソールログイン

ユーザーガイド

概要

ユーザー

アクセスキー

ユーザーグループ

ロール

アイデンティティプロバイダー

ポリシー

権限境界

トラブルシューティング

セキュリティ分析レポートのダウンロード

CAM-Enabled Role

Overview

Compute

Container

Microservice

Essential Storage Service

Data Process and Analysis

Data Migration

Relational Database

Enterprise Distributed DBMS

NoSQL Database

Database SaaS Tool

Database SaaS Service

Networking

CDN and Acceleration

Network Security

Data Security

Application Security

Domains & Websites

Big Data

Middleware

Interactive Video Services

Real-Time Interaction

Media On-Demand

Media Process Services

Media Process

Cloud Real-time Rendering

Game Services

Cloud Resource Management

Management and Audit Tools

Developer Tools

Monitor and Operation

CAM-Enabled API

Overview

Compute

Edge Computing

Container

Distributed cloud

Microservice

Serverless

Essential Storage Service

Data Process and Analysis

Data Migration

Relational Database

Enterprise Distributed DBMS

NoSQL Database

Database SaaS Tool

Networking

CDN and Acceleration

Network Security

Endpoint Security

Data Security

Business Security

Application Security

Domains & Websites

Office Collaboration

Big Data

Voice Technology

Image Creation

Tencent Big Model

AI Platform Service

Natural Language Processing

Optical Character Recognition

Middleware

Communication

Interactive Video Services

Real-Time Interaction

Stream Services

Media On-Demand

Media Process Services

Media Process

Cloud Real-time Rendering

Game Services

Education Sevices

Medical Services

Cloud Resource Management

Management and Audit Tools

Developer Tools

Monitor and Operation

実践のチュートリアル

セキュリティの実践チュートリアル

複数アイデンティティ権限管理

Tag下の一部操作権限を付与する

従業員間のリソース分離アクセスのサポート

企業マルチアカウント権限管理

従業員のTencent Cloud操作ログを閲覧する

ABACによる従業員のリソースアクセス権限管理

タグ認証時にタグキーのみマッチをサポート

商用事例

MySQL関連ケース

CLB 関連ケース

CMQ関連ケース

COS 関連ケース

CVM関連ケース

VPC 関連ケース

VOD関連ケース

その他のケース

よくあるご質問

ロール関連問題

キー関連の問題

その他の問題

CAMユーザーと権限の問題

用語一覧

Tencent Kubernetes Engine

フォーカスモード

フォントサイズ

最終更新日: 2026-04-01 10:02:44

Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

Product	Role Name	Role Types	Role Entity
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEIS	Service-Related Roles	eis.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInTDCC	Service-Related Roles	cvm.qcloud.com tdcc.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEKSLog	Service-Related Roles	cvm.qcloud.com ekslog.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEtcdService	Service-Related Roles	cvm.qcloud.com etcdservice.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInEKSCostMaster	Service-Related Roles	cvm.qcloud.com ekscostmaster.tke.cloud.tencent.com
Tencent Kubernetes Engine	TKE_QCSLinkedRoleInPrometheusService	Service-Related Roles	cvm.qcloud.com prometheusservice.tke.cloud.tencent.com

TKE_QCSLinkedRoleInEIS

Use Cases： The current role is the Tencent Kubernetes Engine (TKE) service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKEInEISRole

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cvm:ModifyInstancesProject",
              "cvm:DescribeInstances",
              "tke:InstallAddon",
              "tke:DescribeAddon",
              "tke:DescribeAddonValues",
              "tke:UpdateAddon",
              "tke:DeleteAddon",
              "tke:AddVpcCniSubnets",
              "tke:CheckClusterCIDR",
              "tke:DescribeClusterKubeconfig",
              "tke:AcquireClusterKubeConfigForProduct",
              "tke:ModifyClusterTags",
              "tke:ModifyClusterAttribute",
              "tke:DisableClusterDeletionProtection",
              "tke:DescribeClusterInstances",
              "tke:DeleteCluster",
              "tke:DescribeClusterStatus",
              "tke:DescribeClusters",
              "tke:DescribeExistedInstances",
              "tke:CreateCluster",
              "tke:DeleteClusterInstances",
              "tke:AddExistedInstances",
              "cls:CreateLogset",
              "cls:DescribeLogsets",
              "cls:CreateTopic",
              "cls:DescribeTopics",
              "monitor:DescribePrometheusInstances",
              "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
              "monitor:CreatePrometheusClusterAgent",
              "monitor:DescribePrometheusClusterAgents",
              "monitor:DeletePrometheusClusterAgent",
              "monitor:TerminatePrometheusInstances",
              "monitor:CreateExporterIntegration",
              "monitor:DescribeExporterIntegrations",
              "monitor:CreateExternalCluster",
              "monitor:DescribeExternalClusterRegisterCommand",
              "vpc:DescribeSubnets",
              "tke:CreateClusterRelease",
              "tke:DescribeClusterReleases",
              "tke:DescribeClusterPendingReleases",
              "tke:UninstallClusterRelease",
              "tke:DescribeLogSwitches",
              "cvm:DescribeImages",
              "cvm:RebootInstances",
              "cvm:DescribeMarketImages",
              "cvm:ModifyInstancesAttribute",
              "cvm:RunInstances",
              "cvm:ResetInstance",
              "cvm:DescribeZones",
              "cvm:DescribeInstanceTypeConfigs",
              "cvm:DescribeZoneInstanceConfigInfos"
          ],
          "resource": "*"
      }
  ]
}

TKE_QCSLinkedRoleInTDCC

Use Cases： The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInTDCC

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cls:listTopic",
              "cls:getTopic",
              "cls:createTopic",
              "cls:modifyTopic",
              "cls:listMachineGroup",
              "cls:getMachineGroup",
              "cls:createMachineGroup",
              "cls:modifyMachineGroup",
              "cls:deleteMachineGroup",
              "cls:getMachineStatus",
              "cls:pushLog",
              "cls:agentHeartBeat",
              "cls:getConfig",
              "cls:getIndex",
              "cls:modifyIndex",
              "cls:ApplyConfigToMachineGroup",
              "cls:CreateConfig",
              "cls:CreateIndex",
              "cls:CreateLogset",
              "cls:CreateMachineGroup",
              "cls:CreateTopic",
              "cls:DeleteConfig",
              "cls:DeleteConfigFromMachineGroup",
              "cls:DeleteLogset",
              "cls:DeleteMachineGroup",
              "cls:DeleteTopic",
              "cls:DescribeConfigMachineGroups",
              "cls:DescribeConfigs",
              "cls:DescribeLogsets",
              "cls:DescribeMachineGroupConfigs",
              "cls:DescribeMachineGroups",
              "cls:DescribeTopics",
              "cls:ModifyConfig",
              "cls:ModifyIndex",
              "cls:ModifyMachineGroup",
              "cls:ModifyTopic"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEKSLog

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInEKSLog

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "cls:pushLog",
              "cls:agentHeartBeat",
              "cls:getConfig"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEtcdService

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInEtcdService

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "resource": [
              "*"
          ],
          "action": [
              "cos:DeleteBucket",
              "cos:GetBucket",
              "cos:PutBucket",
              "cos:HeadBucket",
              "cos:GetObject",
              "cos:HeadObject",
              "cos:PutObject",
              "cos:DeleteObject",
              "cos:DeleteMultipleObjects",
              "cos:ListMultipartUploads",
              "cos:AbortMultipartUpload"
          ]
      }
  ]
}

TKE_QCSLinkedRoleInEKSCostMaster

Policy Name： QcloudAccessForTKELinkedRoleInEKSCostMaster

Policy Information：

{
  "version": "2.0",
  "statement": [
      {
          "action": [
              "monitor:DescribeMidDimensionValueList",
              "monitor:DescribeStatisticData",
              "monitor:GetMonitorData"
          ],
          "resource": "*",
          "effect": "allow"
      }
  ]
}

TKE_QCSLinkedRoleInPrometheusService

Use Cases： The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

Policy Name： QcloudAccessForTKELinkedRoleInPrometheusService

Policy Information：

{
  "statement": [
      {
          "action": [
              "cos:DeleteBucket",
              "cos:GetBucket",
              "cos:PutBucket",
              "cos:HeadBucket",
              "cos:GetObject",
              "cos:HeadObject",
              "cos:PutObject",
              "cos:DeleteObject",
              "cos:DeleteMultipleObjects",
              "cos:ListMultipartUploads",
              "cos:AbortMultipartUpload",
              "cos:AbortMultipartUpload",
              "cos:ListMultipartUploads",
              "monitor:DescribePrometheusInstances",
              "monitor:DescribeRecordingRules",
              "monitor:DescribeAlertRules",
              "monitor:DescribeAlarmNotice",
              "monitor:DescribeAlarmNotices",
              "monitor:DescribeAlarmNoticeCallbacks",
              "monitor:DescribeAlarmHistories",
              "monitor:CreatePrometheusMultiTenantInstance",
              "monitor:TerminatePrometheusInstances",
              "monitor:ModifyPrometheusInstanceAttributes",
              "monitor:CreateRecordingRule",
              "monitor:DeleteRecordingRules",
              "monitor:UpdateRecordingRule",
              "monitor:CreateAlertRule",
              "monitor:DeleteAlertRules",
              "monitor:UpdateAlertRule",
              "monitor:UpdateAlertRuleState",
              "monitor:CreateAlarmNotice",
              "monitor:DeleteAlarmNotices",
              "monitor:ModifyAlarmNotice",
              "monitor:ModifyAlarmPolicyNotice",
              "monitor:CreateManagedEKSAgent",
              "monitor:DescribeManagedEKSAgent",
              "monitor:CreateAlertRuleReceiverNotRequired",
              "monitor:UpdateAlertRuleReceiverNotRequired",
              "monitor:DescribeExporterIntegrations",
              "monitor:CreateExporterIntegration",
              "monitor:UpdateExporterIntegration",
              "monitor:DeleteExporterIntegration",
              "monitor:CreateGrafanaInstance",
              "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
              "monitor:BindPrometheusManagedGrafana",
              "monitor:DescribeGrafanaInstances",
              "tdcc:DescribeExternalClusters",
              "tdcc:DescribeExternalClusterCredential",
              "monitor:UpgradeGrafanaDashboard",
              "monitor:UninstallGrafanaDashboard",
              "monitor:DescribePrometheusAlertGroups",
              "monitor:CreatePrometheusAlertGroup",
              "monitor:UpdatePrometheusAlertGroup",
              "monitor:DeletePrometheusAlertGroups",
              "monitor:UpdatePrometheusAlertGroupState",
              "tke:DescribeTKEEdgeExternalKubeconfig",
              "tke:DescribeTKEEdgeClusterCredential",
              "tke:DescribeTKEEdgeClusters",
              "tke:DescribeClusters",
              "tke:DescribeClusterSecurity"
          ],
          "effect": "allow",
          "resource": [
              "*"
          ]
      }
  ],
  "version": "2.0"
}

ヘルプとサポート

この記事はお役に立ちましたか？

営業担当者にお問い合わせいただくかチケットを提出してサポートを求めることができます。

フィードバック

tencent cloud

Cloud Access Management

Tencent Kubernetes Engine

TKE_QCSLinkedRoleInEIS

TKE_QCSLinkedRoleInTDCC

TKE_QCSLinkedRoleInEKSLog

TKE_QCSLinkedRoleInEtcdService

TKE_QCSLinkedRoleInEKSCostMaster

TKE_QCSLinkedRoleInPrometheusService

ヘルプとサポート