Permissions Required for Data Collection over the Internet
The tables below describe the permissions required for collecting resource details from supported cloud platforms over the Internet.
Alibaba Cloud Data Collection
The following table lists the permissions required for collecting data from Alibaba Cloud resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Servers | Elastic Compute Service (ECS) | ecs:DescribeInstances | Read |
| | | ecs:DescribeDisks | List |
| | | ecs:DescribeMetricData | List |
| Storage | NAS | nas:DescribeFileSystems | Read |
| | Object Storage Service (OSS) | ListBuckets | oss:ListBuckets |
| | | oss:DescribeMetricData | List |
| Databases | Relational Database Service (RDS) | rds:DescribeDBInstances | Read |
| | | rds:DescribeDBInstanceAttribute | Read |
| | MongoDB | rds:DescribeDBInstances | Read |
| | | rds:DescribeDBInstanceAttribute | Read |
| Middleware | Redis | kvstore:DescribeInstances | List |
| | | kvstore:DescribeInstanceAttribute | Read |
| | | kvstore:DescribeMetricData | List |
| | Kafka | alikafka:ListInstance | Read |
| | | kafka::DescribeMetricData | List |
| | RocketMQ | rocketmq:GetInstance | Read |
| | | rocketmq::DescribeMetricData | List |
| Containers | K8S ACK | cs:GetClusters | Read |
| | | cs:DescribeClusterDetail | Read |
| | | k8s::DescribeMetricData | List |
| Big data clusters | Elastic MapReduce (EMR) | emr:ListClusters | List |
| Networks | CEN | cen:ListTransitRouters | Read |
| | | cen:DescribeCenPrivateZoneRoutes | Read |
| | | cen:DescribeRouteServicesInCen | Read |
| | | cen:ListTransitRouterVpcAttachments | List |
| | | cen:ListTransitRouterVbrAttachments | List |
| | | cen:ListTransitRouterVpnAttachments | List |
| | | cen:DescribeCenAttachedChildInstances | Read |
| | | cen:DescribeCenAttachedChildInstanceAttribute | Read |
| | | cen:ListTransitRouterPeerAttachments | Read |
| | | cen:ListTransitRouterRouteTables | Read |
| | | cen:ListTransitRouterRouteEntries | Read |
| | | cen:ListTransitRouterRouteTableAssociations | Read |
| | | cen:ListTransitRouterPrefixListAssociation | Read |
| | | cen:DescribeCenRouteMaps | Read |
| | | cen:DescribeCenRegionDomainRouteEntries | Read |
| | | cen:DescribeCens | Read |
| | ALB | alb:ListLoadBalancers | Read |
| | | alb:ListServerGroupServers | Read |
| | CLB | slb:DescribeLoadBalancers | Read |
| | | slb:DescribeLoadBalancerListeners | Read |
| | | slb:DescribeVServerGroupAttribute | Read |
| | | slb:DescribeMasterSlaveServerGroupAttribute | Read |
| | | slb:DescribeHealthStatus | Read |
| | | slb:DescribeMasterSlaveServerGroups | Read |
| | Virtual Private Cloud (VPC) | vpc:DescribePhysicalConnections | Read |
| | | vpc:DescribeVirtualBorderRouters | Read |
| | | vpc:DescribeRouteTables | Read |
| | | vpc:DescribeRouteTableList | List |
| | DNS | alidns:DescribeDomainRecords | Read |
| | | alidns:DescribeDomains | Read |
| | Private Zone | pvtz:DescribeZoneVpcTree | Read |
| | | pvtz:DescribeZoneRecords | Read |
| | Elastic IP (EIP) | ens:DescribeEipAddresses | Read |
| | NAT Gateway | ens:DescribeNatGateways | Read |
| | | ens:DescribeSnatTableEntries | List |
| | | ens:DescribeForwardTableEntries | List |
Huawei Cloud Data Collection
The following table lists the permissions required for collecting data from Huawei Cloud resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Servers | ECS | ecs:ListServersDetails, ces:BatchListMetricData, evs:ListVolumes, eip:ListPublicips | |
| Containers | CCE | cce:ListNodes, cce:ListClusters, aom:ShowMetricsData | |
| Big data clusters | MRS | mrs:ListClusters, mrs:ListHosts | MRS ReadOnlyAccess |
| Databases | DDS | dds:ListInstances, dds:ListFlavors | DDS ReadOnlyAccess |
| | RDS | rds:ListInstances | RDS ReadOnlyAccess |
| Middleware | Distributed Message Service (DMS) for Kafka | dms:ListInstances, dms:ShowInstance, dms:ListAvailableZones, dms:ShowCluster, ces:BatchListMetricData | DMS ReadOnlyAccess |
| | Distributed Cache Service (DCS) | dcs:ListInstances, dcs:ListFlavors, dcs:ListGroupReplicationInfo, ces:BatchListMetricData | DCS ReadOnlyAccess |
| Storage | OBS | obs:ListBuckets, obs:GetBucketPolicy, obs:GetBucketAcl, obs:GetBucketLifecycle, obs:GetBucketMetadata, obs:GetBucketVersioning, obs:GetBucketStorageInfo, obs:GetBucketStoragePolicy, ces:BatchListMetricData | You need to create custom policies for actions that are not included in the preceding two policies. |
| | SFS Turbo | sfsturbo:ListShares | SFS Turbo ReadOnlyAccess |
| Networks | ELB | elb:ListListeners, elb:ListLoadbalancers, elb:ListPools, elb:ListL7policies, elb:ListL7rules, elb:ListMembers, elb:ListFlavors, vpc:ListSubnets | ELB ReadOnlyAccess |
| | DNS | dns:ListPublicZones, dns:ListPrivateZones, dns:ListRecordSetsByZone | DNS ReadOnlyAccess |
| | EIP | eip:ListPublicips | EIP ReadOnlyAccess |
| | NAT | nat:ListNatGateways, nat:ListNatGatewayDnatRules, nat:ListNatGatewaySnatRules, vpc:ShowPort, vpc:ShowSubnet, vpc:ListSubnets | NAT ReadOnlyAccess |
| | VPC | vpc:ListRouteTables, vpc:ShowRouteTable, vpc:ListVpcs, vpc:ListSecurityGroups, vpc:ListSecurityGroupRules, vpc:ListSubnets | VPC ReadOnlyAccess |
AWS Data Collection
The following table lists the permissions required for collecting data from AWS resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Servers | Elastic Compute Cloud (EC2) | ec2:DescribeInstances, ec2:DescribeAddresses, ec2:DescribeImages, ec2:DescribeVolumes, cloudwatch:GetMetricStatistics | AmazonEC2ReadOnlyAccess |
| Storage | Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargets, cloudwatch:GetMetricStatistics | AmazonElasticFileSystemReadOnlyAccess |
| | S3 | s3:ListObjectsV2, cloudwatch:GetMetricStatistics | AmazonS3ReadOnlyAccess |
| Databases | Relational Database Service (RDS) | rds:DescribeDBClusters, rds:DescribeDBInstances, ec2:DescribeSecurityGroups | AmazonRDSReadOnlyAccess |
| Middleware | ElastiCache | elasticache:DescribeCacheClusters, elasticache:DescribeReplicationGroups, cloudwatch:GetMetricStatistics | AmazonElastiCacheReadOnlyAccess |
| | Managed Streaming for Apache Kafka (MSK) | kafka:ListClustersV2, cloudwatch:GetMetricStatistics | AmazonMSKReadOnlyAccess |
| Containers | Elastic Kubernetes Service (EKS) | eks:DescribeCluster, eks:ListClusters, ec2:DescribeInstances, ec2:DescribeSubnets, cloudwatch:GetMetricStatistics | No corresponding permission policy is available. You need to create one. |
| Big data clusters | Elastic MapReduce (EMR) | elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters, elasticmapreduce:ListInstanceGroups, elasticmapreduce:ListInstances | AmazonEMRReadOnlyAccessPolicy_v2 |
| | | ec2:DescribeInstances | AmazonEC2ReadOnlyAccess |
| Networks | Elastic IP (EIP) | ec2:DescribeAddresses | AmazonEC2ReadOnlyAccess |
| | Elastic Load Balancing (ELB) | elasticloadbalancing:DescribeLoadBalancers | ElasticLoadBalancingReadOnly |
| | NAT Gateway | ec2:DescribeNatGateways | AmazonEC2ReadOnlyAccess |
| | Route53 (PublicDomain) | route53:ListHostedZones, route53:ListResourceRecordSets | AmazonRoute53ReadOnlyAccess |
| | RouteTable | ec2:DescribeRouteTables | AmazonEC2ReadOnlyAccess |
| | SecurityGroup | ec2:DescribeSecurityGroups, ec2:DescribeSecurityGroupRules | AmazonEC2ReadOnlyAccess |
| | Route53 (VpcDomain) | route53:GetHostedZone, route53:ListHostedZones, route53:ListResourceRecordSets | AmazonRoute53ReadOnlyAccess |
| | Virtual Private Cloud (VPC) | ec2:DescribeSubnets, ec2:DescribeVpcs | AmazonEC2ReadOnlyAccess |
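Two rows on this page say a custom policy has to be written because no preset read-only policy covers the listed actions: EKS in the AWS table above and OBS in the Huawei Cloud table. The following Python script is an added example, not part of this document or of Huawei Cloud's tooling. It builds such a policy document from the actions in the tables, refuses any action whose verb is not a read-style verb (so a collector credential can never be granted write access by mistake), and audits an existing policy against the required list: actions still missing are what the custom policy must add, and wildcard grants such as `eks:*` are reported as over-broad. The AWS document shape (`"Version": "2012-10-17"`) and the Huawei Cloud custom policy shape (`"Version": "1.1"`) are the providers' documented formats; the function and constant names are the example's own, and the `broad` policy used in the demo is a constructed sample.

```python
"""Least-privilege policy helpers for the data-collection permissions on this page.

Added example (not part of the Huawei Cloud documentation): builds a custom
read-only policy from a required-action list and audits an existing policy
against that list.
"""
import fnmatch
import json

# Actions copied from the page's tables for the two services whose rows say a
# custom policy must be created.
AWS_EKS_ACTIONS = [
    "eks:DescribeCluster",
    "eks:ListClusters",
    "ec2:DescribeInstances",
    "ec2:DescribeSubnets",
    "cloudwatch:GetMetricStatistics",
]
HUAWEI_OBS_ACTIONS = [
    "obs:ListBuckets",
    "obs:GetBucketPolicy",
    "obs:GetBucketAcl",
    "obs:GetBucketLifecycle",
    "obs:GetBucketMetadata",
    "obs:GetBucketVersioning",
    "obs:GetBucketStorageInfo",
    "obs:GetBucketStoragePolicy",
    "ces:BatchListMetricData",
]

# Verb prefixes that only read state (the verbs used across this page's tables).
# Anything else (Create, Delete, Put, ...) is rejected.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Show", "BatchList")


def is_read_only(action: str) -> bool:
    """True if the action's verb (the part after 'service:') only reads state."""
    _service, _sep, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def _reject_writes(actions):
    writes = [a for a in actions if not is_read_only(a)]
    if writes:
        raise ValueError(f"non-read-only actions in collector policy: {writes}")


def build_aws_policy(actions, sid="DataCollectionReadOnly"):
    """AWS IAM customer-managed policy document (policy language 2012-10-17)."""
    _reject_writes(actions)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": "*",  # the listed Describe/List calls are account-wide reads
        }],
    }


def build_huawei_policy(actions):
    """Huawei Cloud IAM custom policy document (policy version 1.1)."""
    _reject_writes(actions)
    return {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": sorted(set(actions))}],
    }


def _allowed_patterns(policy):
    """Collect every Action pattern from the policy's Allow statements."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns


def audit_policy(policy, required):
    """Compare an existing policy with the required action list.

    Returns (missing, over_broad): required actions that no Allow pattern
    covers, and Allow patterns that use a wildcard or cover nothing on the
    list. Names are matched case-insensitively, as IAM does, and '*' is
    expanded with fnmatch so 'eks:*' is understood but still flagged.
    """
    patterns = _allowed_patterns(policy)

    def covers(pattern, action):
        return fnmatch.fnmatchcase(action.lower(), pattern.lower())

    missing = [a for a in required if not any(covers(p, a) for p in patterns)]
    over_broad = [p for p in patterns
                  if "*" in p or not any(covers(p, a) for a in required)]
    return missing, over_broad


if __name__ == "__main__":
    print(json.dumps(build_aws_policy(AWS_EKS_ACTIONS), indent=2))
    print(json.dumps(build_huawei_policy(HUAWEI_OBS_ACTIONS), indent=2))
    # Constructed sample of an over-broad policy someone might attach instead.
    broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["eks:*", "ec2:DescribeInstances"], "Resource": "*"}]}
    print(audit_policy(broad, AWS_EKS_ACTIONS))
```

For the OBS case, pass the actions granted by the preset read-only policies you already attached as `policy` and the OBS row's actions as `required`; the `missing` list is exactly the content of the custom policy the table asks for, and `over_broad` tells you whether one of the presets already hands out more than the collector needs.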
Tencent Cloud Data Collection
The following table lists the permissions required for collecting data from Tencent Cloud resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Servers | CVM | cvm:DescribeInstances, cvm:DescribeImages, cvm:DescribeSecurityGroups, cbs:DescribeDisks, vpc:DescribeAddresses, vpc:DescribeNetworkInterfaces, vpc:DescribeSubnets, monitor:GetMonitorData | QcloudCVMReadOnlyAccess |
| Databases | CDB | cdb:DescribeDBInstances | QcloudCDBReadOnlyAccess |
| | PostgreSQL | postgres:DescribeDBInstances | QcloudPostgreSQLReadOnlyAccess |
| | MongoDB | mongodb:DescribeDBInstances, mongodb:DescribeDBInstanceNodeProperty | QcloudMongoDBReadOnlyAccess |
| | SQLServer | sqlserver:DescribeDBInstances, sqlserver:DescribeReadOnlyGroupList | QcloudSQLServerReadOnlyAccess |
| Storage | COS | cos:GetService, cos:GetBucketACL, cos:GetBucketLifecycle, cos:GetBucketVersioning, monitor:GetMonitorData | QcloudCOSReadOnlyAccess |
| | CFS | cfs:DescribeCfsFileSystems, cfs:DescribeMountTargets | QcloudCFSReadOnlyAccess |
| Networks | DNSPod | dnspod:DescribeDomainList, dnspod:DescribeRecordList | QcloudDNSPodReadOnlyAccess |
| | WAF | waf:DescribeDomains, waf:DescribeInstances | QcloudWAFReadOnlyAccess |
| | CLB | clb:DescribeLoadBalancersDetail, clb:DescribeTargets, cvm:DescribeInstances | QcloudCLBReadOnlyAccess, QcloudCVMReadOnlyAccess |
Azure Data Collection
The following table lists the permissions required for collecting data from Azure resources.
| Resource Type | Cloud Service | Service | Minimum Permission Policy |
|---|---|---|---|
| Servers | Virtual Machines (VMs) | Microsoft Classic Compute | Microsoft.ClassicCompute/virtualMachines/read |
| | | Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read |
| | | Microsoft Network | Microsoft.Network/networkInterfaces/read |
| Storage | Storage Accounts | Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read |
| | | Microsoft Classic Storage | Microsoft.ClassicStorage/storageAccounts/read |
| Databases | Azure Database for PostgreSQL - Flexible Server | Microsoft Management | Microsoft.Management/getEntities/action |
| | Azure Database for PostgreSQL | Microsoft Management | Microsoft.Management/getEntities/action |
| | Azure Database for MySQL | Microsoft Management | Microsoft.Management/getEntities/action |
| | Azure Database for MySQL - Flexible Server | Microsoft Management | Microsoft.Management/getEntities/action |
| | SQL servers | Microsoft Azure Arc Data | Microsoft.AzureArcData/sqlServerInstances/read |
| | | Microsoft Management | Microsoft.Management/getEntities/action |
| Middleware | Azure Cache for Redis | Microsoft Management | Microsoft.Management/getEntities/action |
| | Event Hubs | Microsoft Management | Microsoft.Management/getEntities/action |
| Containers | Kubernetes services | Microsoft Classic Compute | Microsoft.ClassicCompute/virtualMachines/read |
| | | Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read |
| | | Microsoft Management | Microsoft.Management/getEntities/action |
| Networks | Public IP addresses | Microsoft Management | Microsoft.Management/getEntities/action |
| | Load Balancer | Microsoft Management | Microsoft.Management/getEntities/action |
| | NAT gateways | Microsoft Management | Microsoft.Management/getEntities/action |
| | Route tables | Microsoft Network | Microsoft.Network/networkInterfaces/read |
| | Network security groups | Microsoft Network | Microsoft.Network/networkInterfaces/read |
| | Virtual networks | Microsoft Network | Microsoft.Network/networkInterfaces/read |
Qiniu Cloud Data Collection
The following table lists the permissions required for collecting data from Qiniu Cloud resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Storage | Object storage (KODO) | kodo:buckets | QiniuKodoReadOnlyAccess |
Kingsoft Cloud Data Collection
The following table lists the permissions required for collecting data from Kingsoft Cloud resources.

| Resource Type | Cloud Service | Action | Minimum Permission Policy |
|---|---|---|---|
| Storage | Kingsoft Cloud Standard Storage Service (KS3) | ks3:ListBuckets | KS3ReadOnlyAccess |
Google Cloud Data Collection
The following table lists the permissions required for collecting data from Google Cloud resources.

| Resource Type | Cloud Service | Permission | Role (Role ID) |
|---|---|---|---|
| Servers | Compute Engine | compute.instances.list | Compute Viewer (roles/compute.viewer) |
| | | compute.machineTypes.get | |
| | | compute.disks.get | |
| | | compute.networks.get | |
| | | compute.regions.get | |
| Storage | Cloud Storage | storage.buckets.list | Storage Admin (roles/storage.admin) or Viewer (roles/viewer) |
| | | storage.objects.list | Storage Object Viewer (roles/storage.objectViewer) or Storage Admin (roles/storage.admin) |
| | Compute Engine (obs) | compute.regions.get | Compute Viewer (roles/compute.viewer) |
| | | compute.networks.list | |
| | Cloud Filestore | file.instances.list | Cloud Filestore Viewer (roles/file.viewer) |
| Databases | Cloud SQL | cloudsql.instances.list | Cloud SQL Viewer (roles/cloudsql.viewer) |
| | | cloudsql.databases.list | |
| | | cloudsql.tiers.list | No role is required. |
| Middleware | Memorystore Redis | redisService.instances.list | Cloud Memorystore Redis Viewer (roles/redis.viewer) |
| | | redisService.clusters.list | |
| Containers | Kubernetes Engine | container.clusters.list | Kubernetes Engine Cluster Viewer (roles/container.clusterViewer) |
| | Compute Engine (k8s) | compute.regions.get | Compute Viewer (roles/compute.viewer) |
| | | compute.networks.list | |
| | | compute.subnetworks.list | |
| Networks | Compute Engine (clb) | compute.firewalls.list | Compute Viewer (roles/compute.viewer) |
| | | compute.forwardingRules.list | |
| | | compute.globalForwardingRules.list | |
| | | compute.backendServices.get | |
| | | compute.networks.list | |
| | | compute.subnetworks.list | |
| | Compute Engine (eip) | compute.addresses.list | |
| | | compute.globalAddresses.list | |
| | | compute.regions.get | |
| | | compute.instances.list | |
| | Compute Engine (route table) | compute.routes.list | |
| | | compute.networks.list | |
| | | compute.subnetworks.list | |
| | Compute Engine (vpc) | compute.networks.list | |
| | | compute.subnetworks.list | |
| | Compute Engine (security group) | compute.firewalls.list | |