Updated on 2025-11-18 GMT+08:00

Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by CCE, see Resource Types.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by CCE, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for CCE.

Table 1 Actions supported by CCE

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

cce:imageCache:create

Grants permission to create an image cache.

Write

-

-

-

cce:imageCache:delete

Grants permission to delete an image cache.

Write

imageCache *

-

-

cce:imageCache:list

Grants permission to list image caches.

List

-

-

-

cce:imageCache:get

Grants permission to view details about an image cache.

Read

imageCache *

-

-

cce:packageProduct:list

Grants permission to view the package list.

List

-

-

-

cce:packageProduct:subscribe

Grants permission to subscribe to a package.

Write

-

-

-

cce:cluster:createCluster

Grants permission to create a cluster.

Write

cluster *

-

  • cce:cluster:create

-

cce:cluster:delete

Grants permission to delete a cluster.

Write

cluster *

-

cce:cluster:updateCluster

Grants permission to update a cluster.

Write

cluster *

  • cce:cluster:update

cce:cluster:upgrade

Grants permission to upgrade the version of a cluster.

Write

cluster *

-

cce:cluster:start

Grants permission to wake up a hibernated cluster.

Write

cluster *

-

cce:cluster:stop

Grants permission to hibernate a cluster.

Write

cluster *

-

cce:cluster:list

Grants permission to view the cluster details list.

List

cluster *

-

-

cce:cluster:getCluster

Grants permission to view details about a specified cluster.

Read

cluster *

  • cce:cluster:get

cce:cluster:getEndpoints

Grants permission to view the access address of a specified cluster.

Read

cluster *

  • cce:cluster:get

cce:cluster:resize

Grants permission to modify the specifications of a cluster.

Write

cluster *

-

cce:cluster:toperiod

Grants permission to change the billing mode of a cluster from pay-per-use to yearly/monthly.

Write

cluster *

-

cce:cluster:eipBinding

Grants permission to bind or unbind a public IP address to or from a cluster.

Write

cluster *

  • cce:cluster:update

cce:cluster:generateClientCredential

Grants permission to generate cluster client access credentials.

Read

cluster *

  • cce:cluster:get

cce:cluster:revokeClientCredential

Grants permission to revoke a cluster certificate.

Write

cluster *

-

cce:cluster:rotateCredentials

Grants permission to rotate a cluster certificate.

Write

cluster *

-

cce:cluster:addTags

Grants permission to add tags to a cluster.

Tagging

cluster *

  • cce:tag:operate

-

cce:cluster:removeTags

Grants permission to delete tags from a cluster.

Tagging

cluster *

  • cce:tag:operate

-

cce:cluster:listTags

Grants permission to list all tags of a cluster in a project.

Read

-

-

  • cce:tag:list

cce:cluster:listTagsForCluster

Grants permission to obtain project tags.

Read

cluster *

g:ResourceTag/<tag-key>

  • cce:cluster:get

cce:cluster:listClustersByTag

Grants permission to obtain clusters by tag.

Read

-

g:TagKeys

  • cce:cluster:list

cce:cluster:validate

Grants permission to verify the validity of cluster parameters.

Read

cluster *

-

  • cce:cluster:create

-

cce:cluster:getConfigurationTemplate

Grants permission to obtain the configuration template information about a cluster.

Read

cluster *

-

  • cce:cluster:get

-

cce:cluster:getConfiguration

Grants permission to obtain the current configurations of a cluster.

Read

cluster *

  • cce:cluster:get

cce:cluster:updateConfiguration

Grants permission to update the configurations of a cluster.

Write

cluster *

  • cce:cluster:update

cce:cluster:getLogConfig

Grants permission to obtain the current log collection configurations of a cluster.

Read

cluster *

-

cce:cluster:updateLogConfig

Grants permission to update the log collection configurations of a cluster.

Write

cluster *

-

cce:cluster:checkLock

Grants permission to check and release the CBC-related lock in a cluster.

Write

-

-

-

cce:partition:create

Grants permission to access a partition.

Write

cluster *

-

-

-

cce:partition:update

Grants permission to update a partition.

Write

cluster *

g:EnterpriseProjectId

-

cce:partition:get

Grants permission to obtain details about a specified partition.

Read

cluster *

g:EnterpriseProjectId

-

cce:partition:list

Grants permission to view the partition list in a specified cluster.

List

cluster *

-

-

-

cce:nodepool:create

Grants permission to create a node pool.

Write

cluster *

-

-

-

cce:nodepool:delete

Grants permission to delete a node pool.

Write

cluster *

g:EnterpriseProjectId

-

cce:nodepool:updateNodepool

Grants permission to update a node pool.

Write

cluster *

-

  • cce:nodepool:update

-

cce:nodepool:upgradeNodepool

Grants permission to upgrade a node pool.

Write

cluster *

-

  • cce:nodepool:update

-

g:EnterpriseProjectId

cce:nodepool:scale

Grants permission to scale a node pool.

Write

cluster *

g:EnterpriseProjectId

-

cce:nodepool:getNodepool

Grants permission to obtain details about a specified node pool.

Read

cluster *

g:EnterpriseProjectId

  • cce:nodepool:get

cce:nodepool:list

Grants permission to view the node pool list in a specified cluster.

List

cluster *

-

-

-

cce:nodepool:getQuota

Grants permission to obtain quotas of a node pool.

Read

cluster *

-

  • cce:nodepool:get

-

cce:nodepool:migrate

Grants permission to migrate nodes between node pools.

Write

cluster *

-

  • cce:nodepool:update

-

cce:nodepool:sync

Grants permission to synchronize configurations of nodes in a node pool.

Write

cluster *

g:EnterpriseProjectId

  • cce:nodepool:get

cce:nodepool:getConfigurationTemplate

Grants permission to obtain node pool configuration templates.

Read

cluster *

g:EnterpriseProjectId

  • cce:nodepool:get

cce:nodepool:getConfiguration

Grants permission to obtain the configurations of a node pool.

Read

cluster *

g:EnterpriseProjectId

  • cce:nodepool:get

cce:nodepool:updateConfiguration

Grants permission to update the configurations of a node pool.

Write

cluster *

g:EnterpriseProjectId

  • cce:nodepool:update

cce:node:createNode

Grants permission to create a node.

Write

cluster *

-

  • cce:node:create

-

cce:node:reportStatus

Grants permission to report node status.

Write

cluster *

g:EnterpriseProjectId

  • cce:node:get

cce:node:delete

Grants permission to delete a node.

Write

cluster *

g:EnterpriseProjectId

-

cce:node:update

Grants permission to update a node.

Write

cluster *

g:EnterpriseProjectId

-

cce:node:getNode

Grants permission to obtain details about a specified node.

Read

cluster *

g:EnterpriseProjectId

  • cce:node:get

cce:node:list

Grants permission to view the node list in a specified cluster.

List

cluster *

-

-

-

cce:node:reset

Grants permission to reset a node.

Write

cluster *

-

  • cce:node:create

-

cce:node:add

Grants permission to manage a node.

Write

cluster *

-

  • cce:node:create

-

cce:node:remove

Grants permission to release a node.

Write

cluster *

-

-

-

cce:node:migrate

Grants permission to migrate nodes between clusters.

Write

cluster *

-

-

-

cce:node:unlock

Grants permission to unlock a node (used for internal interaction in the ECS resource foolproof scenario).

Write

cluster *

-

  • cce:node:update

-

cce:node:sync

Grants permission to synchronize infrastructure and resource status between nodes.

Read

cluster *

g:EnterpriseProjectId

  • cce:node:get

cce:node:toperiod

Grants permission to change the billing mode of nodes from pay-per-use to yearly/monthly in batches.

Write

cluster *

-

-

-

cce:job:delete

Grants permission to delete a job.

Write

cluster *

-

cce:job:get

Grants permission to obtain details about a specified job.

Read

cluster *

-

cce:job:list

Grants permission to view the job list.

List

cluster *

-

-

-

cce:ClusterId

cce:quota:get

Grants permission to obtain resource quotas of cloud services used in a CCE cluster.

Read

-

-

-

cce:addonInstance:create

Grants permission to create an add-on pod.

Write

cluster *

-

-

-

cce:addonInstance:delete

Grants permission to delete an add-on pod.

Write

cluster *

-

cce:addonInstance:update

Grants permission to update an add-on pod.

Write

cluster *

-

cce:addonInstance:get

Grants permission to obtain details about a specified add-on pod.

Read

cluster *

-

cce:addonInstance:list

Grants permission to view the add-on pod list in a specified cluster.

List

cluster *

-

-

-

cce:addonInstance:rollback

Grants permission to roll back a specified add-on pod.

Write

cluster *

-

cce:chart:upload

Grants permission to upload an application chart.

Write

-

-

-

cce:chart:delete

Grants permission to delete an application chart.

Write

-

-

-

cce:chart:update

Grants permission to update an application chart.

Write

-

-

-

cce:chart:listChart

Grants permission to view the application chart details list.

List

-

-

  • cce:chart:list

cce:chart:getChart

Grants permission to view details about an application chart specified by a user.

Read

-

-

  • cce:chart:get

cce:chart:download

Grants permission to view the application charts downloaded by a user.

Read

-

-

  • cce:chart:get

cce:chart:getQuota

Grants permission to view the application chart quota.

Read

-

-

  • cce:chart:list

cce:release:create

Grants permission to create a release.

Write

-

-

cce:release:delete

Grants permission to delete a release.

Write

cluster *

-

cce:release:update

Grants permission to update a release.

Write

cluster *

-

cce:release:get

Grants permission to obtain details about a specified release.

Read

cluster *

-

cce:release:list

Grants permission to view the release list in a specified cluster.

List

cluster *

-

-

-

cce:permissionApplyOrder:create

Grants permission to create a permission application (trustlist).

Write

-

-

  • cce:cluster:upgrade

cce:permissionApplyOrder:list

Grants permission to view the permission application list (trustlist).

List

-

-

  • cce:cluster:list

cce:longaksk:getConfig

Grants permission to obtain the global OBS access secret configuration.

Read

-

-

-

cce:longaksk:updateConfig

Grants permission to update the global OBS access secret configuration.

Write

-

-

-

cce:cluster:getLongAKSKConfig

Grants permission to obtain the cluster OBS access secret configuration.

Read

cluster *

-

cce:cluster:updateLongAKSKConfig

Grants permission to update the global OBS access secret configuration of a cluster.

Write

cluster *

-

cce:accessPolicy:get

Grants permission to obtain an access policy.

Read

-

-

-

cce:accessPolicy:list

Grants permission to obtain the access policy list.

Read

-

-

-

cce:accessPolicy:post

Grants permission to create an access policy.

Write

-

-

-

cce:accessPolicy:put

Grants permission to update an access policy.

Write

-

-

-

cce:accessPolicy:delete

Grants permission to delete an access policy.

Write

-

-

-

cce:imageCache:get

Grants permission to view details about an image cache.

Read

-

-

-

cce:imageCache:list

Grants permission to list image caches.

List

-

-

-

cce:imageCache:create

Grants permission to create an image cache.

Write

-

-

-

cce:imageCache:delete

Grants permission to delete an image cache.

Write

-

-

-

cce:hypernode:list

Grants permission to view the supernode list in a cluster.

List

cluster *

-

-

cce:packageProduct:list

Grants permission to view the package list.

List

-

-

-

cce:packageProduct:subscribe

Grants permission to subscribe to a package.

Write

-

-

-

Each API of CCE usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by CCE APIs

| API | Action | Dependency |
|---|---|---|
| POST /v5/imagecaches | cce:imageCache:create | - |
| DELETE /v5/imagecaches/{image_cache_id} | cce:imageCache:delete | - |
| GET /v5/imagecaches/{image_cache_id} | cce:imageCache:get | - |
| GET /v5/imagecaches | cce:imageCache:list | - |
| GET /v5/package-products | cce:packageProduct:list | - |
| POST /v5/package-products/subscribe | cce:packageProduct:subscribe | - |
| GET /api/v3/projects/{project_id}/longaksk/config | cce:longaksk:getConfig | - |
| PUT /api/v3/projects/{project_id}/longaksk/config | cce:longaksk:updateConfig | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/longaksk/config | cce:cluster:getLongAKSKConfig | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/longaksk/config | cce:cluster:updateLongAKSKConfig | - |
| GET /api/v3/access-policies/{policy_id} | cce:accessPolicy:get | - |
| GET /api/v3/access-policies | cce:accessPolicy:list | - |
| POST /api/v3/access-policies | cce:accessPolicy:post | - |
| PUT /api/v3/access-policies/{policy_id} | cce:accessPolicy:put | - |
| DELETE /api/v3/access-policies/{policy_id} | cce:accessPolicy:delete | - |
| GET /api/v3/projects/{project_id}/quotas | cce:quota:get | - |
| POST /api/v3/projects/{project_id}/clusters | cce:cluster:createCluster | - |
| DELETE /api/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:delete | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:updateCluster | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade | cce:cluster:upgrade | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/retry | cce:cluster:upgrade | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks/{task_id} | cce:cluster:getCluster | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/continue | cce:cluster:upgrade | - |
| GET /api/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot/tasks | cce:cluster:getCluster | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:upgrade | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:getCluster | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks | cce:cluster:getCluster | - |
| PATCH /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:upgrade | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:getCluster | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/pause | cce:cluster:upgrade | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake | cce:cluster:start | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate | cce:cluster:stop | - |
| GET /api/v3/projects/{project_id}/clusters | cce:cluster:list | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:getCluster | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/openapi | cce:cluster:getEndpoints | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/resize | cce:cluster:resize | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/mastereip | cce:cluster:eipBinding | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert | cce:cluster:generateClientCredential | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercertrevoke | cce:cluster:revokeClientCredential | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/create | cce:cluster:addTags | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/tags/delete | cce:cluster:removeTags | - |
| PUT /v1/services/checklock/cce | cce:cluster:checkLock | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions | cce:partition:create | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions/{partition_name} | cce:partition:update | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions/{partition_name} | cce:partition:get | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/partitions | cce:partition:list | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools | cce:nodepool:create | - |
| DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} | cce:nodepool:delete | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} | cce:nodepool:updateNodepool | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}/operation/upgrade | cce:nodepool:upgradeNodepool | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}/operation/scale | cce:nodepool:scale | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} | cce:nodepool:getNodepool | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools | cce:nodepool:list | - |
| PUT /api/v3.1/projects/{project_id}/clusters/{cluster_id}/nodepool/{nodepool_id}/sync | cce:nodepool:sync | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}/configuration/detail | cce:nodepool:getConfigurationTemplate | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes | cce:node:createNode | - |
| DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} | cce:node:delete | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} | cce:node:update | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} | cce:node:getNode | - |
| GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes | cce:node:list | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/sync | cce:node:update | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}/nodes/add | cce:node:add | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/reset | cce:node:reset | - |
| POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/add | cce:node:add | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/operation/remove | cce:node:remove | - |
| PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/operation/migrateto/{target_cluster_id} | cce:node:migrate | - |
| GET /api/v2/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id}/sync | cce:node:sync | - |
| DELETE /api/v2/projects/{project_id}/jobs/{job_id} | cce:job:delete | - |
| GET /api/v3/projects/{project_id}/jobs/{job_id} | cce:job:get | - |
| GET /api/v2/projects/{project_id}/jobs | cce:job:list | - |
| GET /api/v3/addontemplates | cce:cluster:list | - |
| POST /api/v3/addons | cce:addonInstance:create | - |
| DELETE /api/v3/addons/{id} | cce:addonInstance:delete | - |
| PUT /api/v3/addons/{id} | cce:addonInstance:update | - |
| GET /api/v3/addons/{id} | cce:addonInstance:get | - |
| GET /api/v3/addons | cce:addonInstance:list | - |
| POST /api/v3/addons/{id}/operation/rollback | cce:addonInstance:rollback | - |
| POST /v2/charts | cce:chart:upload | - |
| DELETE /v2/charts/{chart_id} | cce:chart:delete | - |
| PUT /v2/charts/{chart_id} | cce:chart:update | - |
| GET /v2/charts/{chart_id} | cce:chart:getChart | - |
| GET /v2/charts | cce:chart:listChart | - |
| GET /v2/charts/{chart_id}/archive | cce:chart:download | - |
| POST /cce/cam/v3/clusters/{cluster_id}/releases | cce:release:create | - |
| DELETE /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:delete | - |
| PUT /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:update | - |
| GET /cce/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:get | - |
| GET /cce/cam/v3/clusters/{cluster_id}/releases | cce:release:list | - |
| POST /autopilot/v3/projects/{project_id}/clusters | cce:cluster:createCluster | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/clustercert | cce:cluster:generateClientCredential | - |
| DELETE /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:delete | - |
| GET /autopilot/v3/projects/{project_id}/clusters | cce:cluster:list | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:getCluster | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/openapi | cce:cluster:getEndpoints | - |
| GET /autopilot/v3/projects/{project_id}/jobs/{job_id} | cce:job:get | - |
| PUT /autopilot/v3/projects/{project_id}/clusters/{cluster_id} | cce:cluster:updateCluster | - |
| PUT /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/mastereip | cce:cluster:eipBinding | - |
| POST /autopilot/v3/addons | cce:addonInstance:create | - |
| DELETE /autopilot/v3/addons/{id} | cce:addonInstance:delete | - |
| PUT /autopilot/v3/addons/{id} | cce:addonInstance:update | - |
| GET /autopilot/v3/addons/{id} | cce:addonInstance:get | - |
| GET /autopilot/v3/addons | cce:addonInstance:list | - |
| POST /autopilot/v3/addons/{id}/operation/rollback | cce:addonInstance:rollback | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade | cce:cluster:upgrade | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/retry | cce:cluster:upgrade | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks/{task_id} | cce:cluster:getCluster | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks/{task_id} | cce:cluster:getCluster | - |
| GET /autopilot/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot/tasks | cce:cluster:getCluster | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:upgrade | - |
| POST /autopilot/v3.1/projects/{project_id}/clusters/{cluster_id}/operation/snapshot | cce:cluster:upgrade | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows | cce:cluster:getCluster | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck | cce:cluster:upgrade | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/precheck/tasks | cce:cluster:getCluster | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/upgradeinfo | cce:cluster:getCluster | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgrade/tasks | cce:cluster:getCluster | - |
| PATCH /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:upgrade | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/postcheck | cce:cluster:upgrade | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/operation/upgradeworkflows/{upgrade_workflow_id} | cce:cluster:getCluster | - |
| GET /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/upgradeplans | cce:cluster:getCluster | - |
| PUT /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/upgradeplans/{upgrade_plan_id} | cce:cluster:upgrade | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/tags/create | cce:cluster:addTags | - |
| POST /autopilot/v3/projects/{project_id}/clusters/{cluster_id}/tags/delete | cce:cluster:removeTags | - |
| GET /autopilot/v3/projects/{project_id}/quotas | cce:quota:get | - |
| POST /autopilot/v2/charts | cce:chart:upload | - |
| DELETE /autopilot/v2/charts/{chart_id} | cce:chart:delete | - |
| PUT /autopilot/v2/charts/{chart_id} | cce:chart:update | - |
| GET /autopilot/v2/charts/{chart_id} | cce:chart:getChart | - |
| GET /autopilot/v2/charts | cce:chart:listChart | - |
| GET /autopilot/v2/charts/{chart_id}/archive | cce:chart:download | - |
| GET /autopilot/v2/charts/{project_id}/quotas | cce:chart:getQuota | - |
| GET /autopilot/v2/charts/{chart_id}/values | cce:chart:getChart | - |
| POST /autopilot/cam/v3/clusters/{cluster_id}/releases | cce:release:create | - |
| DELETE /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:delete | - |
| PUT /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:update | - |
| GET /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name} | cce:release:get | - |
| GET /autopilot/cam/v3/clusters/{cluster_id}/releases | cce:release:list | - |
| GET /autopilot/cam/v3/clusters/{cluster_id}/namespace/{namespace}/releases/{name}/history | cce:release:get | - |

Resource Types

A resource type indicates the resource to which a policy applies to. If you specify a resource type for any action in Table 3, a resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to the resource. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for CCE.

Table 3 Resource types supported by CCE

| Resource Type | URN |
|---|---|
| cluster | cce:<region>:<account-id>:cluster:<cluster-name> |
| imageCache | cce:<region>:<account-id>:imageCache:<imageCache-name> |

Conditions

Condition Key

A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, cce:) only apply to operations of the CCE service. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

Service-specific condition keys supported by CCE

The following table lists the condition keys that you can define in identity policies for CCE. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 4 Service-specific condition keys supported by CCE

| Service-specific Condition Key | Type | Single-valued/Multivalued | Description |
|---|---|---|---|
| cce:ClusterId | string | Single-valued | Obtains access permissions based on the cluster ID transferred in a request. |
| cce:nodeTransferSourceCluster | string | Single-valued | Obtains access permissions based on the ID of the source cluster from which a node is migrated. |
| cce:nodeTransferTargetCluster | string | Single-valued | Obtains access permissions based on the ID of the destination cluster to which a node is migrated. |
| cce:AssociatePublicIp | boolean | Single-valued | Obtains permissions for binding EIPs to nodes based on the value of the parameter specified for EIP binding. |
| cce:VpcId | string | Single-valued | Obtains access permissions based on the VPC ID. |
| cce:SubnetId | string | Single-valued | Obtains access permissions based on the subnet ID. |
| cce:Subnets | string | Multivalued | Obtains access permissions based on the subnet ID list. |
| cce:KmsKeys | string | Multivalued | Obtains access permissions based on the KMS key list. |
| cce:AvailableZones | string | Multivalued | Obtains access permissions based on the AZ list. |
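As an added example (not code from the CCE documentation or from Huawei Cloud), the following Python checks a candidate identity-policy statement against the rules stated in the Actions, Resource Types and Conditions sections above: an action whose Resource Type column is "-" must use "*" as its Resource, an action with a resource type must be given URNs of that type in the Table 3 format, and a service-specific condition key only takes effect if the action lists it. The action table is a hand-copied subset of Table 1, the key set is Table 4, the region, account ID, cluster and VPC values are constructed placeholders, and treating global g: keys as valid for every action is an assumption taken from the Conditions section.

```python
"""Check CCE identity-policy statements against the rules this page states.

Added example; not code from the CCE documentation or from Huawei Cloud.
ACTIONS is a hand-copied subset of Table 1 (action -> access level, required
resource type, condition keys listed for the action); SERVICE_KEYS is Table 4.
Assumption: global (g:) keys are accepted for every action, as the Conditions
section says.
"""
import re

# URN format from Table 3: cce:<region>:<account-id>:<type>:<name>
URN_RE = re.compile(
    r"^cce:(?P<region>[^:]*):(?P<account>[^:]*):(?P<type>[^:]+):(?P<name>[^:]+)$"
)

# Subset of Table 1. None as resource type means the column was "-": the
# action has no resource-level permissions and Resource must be "*".
ACTIONS = {
    "cce:cluster:createCluster": ("Write", "cluster", set()),
    "cce:cluster:delete": ("Write", "cluster", set()),
    "cce:cluster:listClustersByTag": ("Read", None, {"g:TagKeys"}),
    "cce:cluster:listTagsForCluster": ("Read", "cluster", {"g:ResourceTag/<tag-key>"}),
    "cce:nodepool:scale": ("Write", "cluster", {"g:EnterpriseProjectId"}),
    "cce:imageCache:create": ("Write", None, set()),
    "cce:imageCache:delete": ("Write", "imageCache", set()),
}

# Service-specific condition keys from Table 4.
SERVICE_KEYS = {
    "cce:ClusterId", "cce:nodeTransferSourceCluster", "cce:nodeTransferTargetCluster",
    "cce:AssociatePublicIp", "cce:VpcId", "cce:SubnetId", "cce:Subnets",
    "cce:KmsKeys", "cce:AvailableZones",
}


def parse_urn(urn):
    """Return the URN fields as a dict, or None if the string is not a CCE URN."""
    m = URN_RE.match(urn)
    return m.groupdict() if m else None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def validate_statement(stmt):
    """Return a list of findings; an empty list means the statement is consistent."""
    findings = []
    resources = _as_list(stmt.get("Resource", []))
    # Condition is {operator: {key: values}}; collect every key used.
    used_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
    for action in _as_list(stmt.get("Action", [])):
        if action not in ACTIONS:
            findings.append(f"{action}: not in the Table 1 subset encoded here")
            continue
        _level, rtype, listed_keys = ACTIONS[action]
        if rtype is None:
            # Resource Type column is "-": only "*" is valid in Resource.
            if resources != ["*"]:
                findings.append(f'{action}: supports no resource-level permissions; Resource must be ["*"]')
        else:
            for res in resources:
                if res == "*":
                    continue
                urn = parse_urn(res)
                if urn is None:
                    findings.append(f"{action}: {res!r} is not a cce:<region>:<account-id>:<type>:<name> URN")
                elif urn["type"] != rtype:
                    findings.append(f"{action}: resource type {urn['type']!r} given, {rtype!r} required")
        for key in sorted(used_keys):
            if key.startswith("g:"):
                continue  # global keys apply to all actions (assumption noted above)
            if key not in SERVICE_KEYS:
                findings.append(f"{action}: {key!r} is not a CCE condition key in Table 4")
            elif key not in listed_keys:
                findings.append(f"{action}: {key!r} is not listed for this action, so it would not take effect")
    return findings


# Constructed sample statements (region, account ID, names and IDs are placeholders).
OK_STATEMENT = {
    "Effect": "Allow",
    "Action": ["cce:cluster:delete", "cce:nodepool:scale"],
    "Resource": ["cce:example-region:123456789012:cluster:prod-cluster"],
    "Condition": {"StringEquals": {"g:EnterpriseProjectId": ["0"]}},
}
BAD_RESOURCE = {  # image-cache creation has no resource-level permissions
    "Effect": "Allow",
    "Action": "cce:imageCache:create",
    "Resource": "cce:example-region:123456789012:imageCache:base-images",
}
BAD_TYPE = {  # cluster action pointed at an imageCache URN
    "Effect": "Allow",
    "Action": "cce:cluster:delete",
    "Resource": "cce:example-region:123456789012:imageCache:base-images",
}
BAD_KEY = {  # cce:VpcId exists in Table 4 but is not listed for nodepool:scale
    "Effect": "Allow",
    "Action": "cce:nodepool:scale",
    "Resource": "*",
    "Condition": {"StringEquals": {"cce:VpcId": ["vpc-placeholder"]}},
}

if __name__ == "__main__":
    for name, stmt in [("ok", OK_STATEMENT), ("bad resource", BAD_RESOURCE),
                       ("bad type", BAD_TYPE), ("bad key", BAD_KEY)]:
        print(name, validate_statement(stmt) or "consistent with the tables")
```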