Copied.
Permissions Required for Data Collection over the Internet
The tables below describe the permissions required for collecting resource details from supported cloud platforms over the Internet.
Data Collection from Alibaba Cloud
The following table lists the permissions required for collecting data of Alibaba Cloud resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Servers |
ECS |
ecs:DescribeInstances |
Read |
|
ecs:DescribeDisks |
List |
||
|
ecs:DescribeMetricData |
List |
||
|
Storage |
NAS |
nas:DescribeFileSystems |
Read |
|
OSS |
ListBuckets |
oss:ListBuckets |
|
|
oss:DescribeMetricData |
List |
||
|
Databases |
RDS |
rds:DescribeDBInstances |
Read |
|
rds:DescribeDBInstanceAttribute |
Read |
||
|
MongoDB |
rds:DescribeDBInstances |
Read |
|
|
rds:DescribeDBInstanceAttribute |
Read |
||
|
Middleware |
Redis |
kvstore:DescribeInstances |
List |
|
kvstore:DescribeInstanceAttribute |
Read |
||
|
kvstore:DescribeMetricData |
List |
||
|
Kafka |
alikafka:ListInstance |
Read |
|
|
kafka::DescribeMetricData |
List |
||
|
RocketMQ |
rocketmq:GetInstance |
Read |
|
|
rocketmq::DescribeMetricData |
List |
||
|
Containers |
K8S ACK |
cs:GetClusters |
Read |
|
cs:DescribeClusterDetail |
Read |
||
|
k8s::DescribeMetricData |
List |
||
|
Big data clusters |
EMR |
emr:ListClusters |
List |
|
Networking |
CEN |
cen:ListTransitRouters |
Read |
|
cen:DescribeCenPrivateZoneRoutes |
Read |
||
|
cen:DescribeRouteServicesInCen |
Read |
||
|
cen:ListTransitRouterVpcAttachments |
List |
||
|
cen:ListTransitRouterVbrAttachments |
List |
||
|
cen:ListTransitRouterVpnAttachments |
List |
||
|
cen:DescribeCenAttachedChildInstances |
Read |
||
|
cen:DescribeCenAttachedChildInstanceAttribute |
Read |
||
|
cen:ListTransitRouterPeerAttachments |
Read |
||
|
cen:ListTransitRouterRouteTables |
Read |
||
|
cen:ListTransitRouterRouteEntries |
Read |
||
|
cen:ListTransitRouterRouteTableAssociations |
Read |
||
|
cen:ListTransitRouterPrefixListAssociation |
Read |
||
|
cen:DescribeCenRouteMaps |
Read |
||
|
cen:ListTransitRouterRouteTables |
Read |
||
|
cen:DescribeCenRegionDomainRouteEntries |
Read |
||
|
cen:ListTransitRouters |
Read |
||
|
cen:DescribeCens |
Read |
||
|
ALB |
alb:ListLoadBalancers |
Read |
|
|
alb:ListServerGroupServers |
Read |
||
|
CLB |
slb:DescribeLoadBalancers |
Read |
|
|
slb:DescribeLoadBalancerListeners |
Read |
||
|
slb:DescribeVServerGroupAttribute |
Read |
||
|
slb:DescribeMasterSlaveServerGroupAttribute |
Read |
||
|
slb:DescribeHealthStatus |
Read |
||
|
slb:DescribeMasterSlaveServerGroupAttribute |
Read |
||
|
slb:DescribeMasterSlaveServerGroups |
Read |
||
|
VPC |
vpc:DescribePhysicalConnections |
Read |
|
|
vpc:DescribeVirtualBorderRouters |
Read |
||
|
vpc:DescribeRouteTables |
Read |
||
|
vpc:DescribeRouteTableList |
List |
||
|
DNS |
alidns:DescribeDomainRecords |
Read |
|
|
alidns:DescribeDomains |
Read |
||
|
Private Zone |
pvtz:DescribeZoneVpcTree |
Read |
|
|
pvtz:DescribeZoneRecords |
Read |
||
|
EIP |
ens:DescribeEipAddresses |
Read |
|
|
NAT gateway |
ens:DescribeNatGateways |
Read |
|
|
ens:DescribeSnatTableEntries |
List |
||
|
ens:DescribeForwardTableEntries |
List |
Data Collection from Huawei Cloud
The following table lists the permissions required for collecting data of Huawei Cloud resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Servers |
ECS |
ecs:ListServersDetails ces:BatchListMetricData evs:ListVolumes eip:ListPublicips |
|
|
Containers |
CCE |
cce:ListNodes cce:ListClusters aom:ShowMetricsData |
|
|
Big data clusters |
MRS |
mrs:ListClusters mrs:ListHosts |
MRS ReadOnlyAccess |
|
Databases |
DDS |
dds:ListInstances dds:ListFlavors |
DDS ReadOnlyAccess |
|
RDS |
rds:ListInstances |
RDS ReadOnlyAccess |
|
|
Middleware |
DMS for Kafka |
dms:ListInstances dms:ShowInstance dms:ListAvailableZones dms:ShowCluster ces:BatchListMetricData |
DMS ReadOnlyAccess |
|
DCS |
dcs:ListInstances dcs:ListFlavors dcs:ListGroupReplicationInfo ces:BatchListMetricData |
DCS ReadOnlyAccess |
|
|
Storage |
OBS |
obs:ListBuckets obs:GetBucketPolicy obs:GetBucketAcl obs:GetBucketLifecycle obs:GetBucketMetadata obs:GetBucketVersioning obs:GetBucketStorageInfo obs:GetBucketStoragePolicy ces:BatchListMetricData |
You need to create custom policies for actions that are not included in the preceding two policies. |
|
SFS Turbo |
sfsturbo:ListShares |
SFS Turbo ReadOnlyAccess |
|
|
Networking |
ELB |
elb:ListListeners elb:ListLoadbalancers elb:ListPools elb:ListL7policies elb:ListL7rules elb:ListMembers elb:ListFlavors vpc:ListSubnets |
ELB ReadOnlyAccess |
|
DNS |
dns:ListPublicZones dns:ListPrivateZones dns:ListRecordSetsByZone |
DNS ReadOnlyAccess |
|
|
EIP |
eip:ListPublicips |
EIP ReadOnlyAccess |
|
|
NAT Gateway |
nat:ListNatGateways nat:ListNatGatewayDnatRules nat:ListNatGatewaySnatRules vpc:ShowPort vpc:ShowSubnet vpc:ListSubnets |
NAT ReadOnlyAccess |
|
|
VPC |
vpc:ListRouteTables vpc:ShowRouteTable vpc:ListVpcs vpc:ListSecurityGroups vpc:ListSecurityGroupRules vpc:ListSubnets |
VPC ReadOnlyAccess |
Data Collection from AWS
The following table lists the permissions required for collecting data of AWS resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Servers |
EC2 |
ec2:DescribeInstances |
AmazonEC2ReadOnlyAccess |
|
ec2:DescribeAddresses |
|||
|
ec2:DescribeImages |
|||
|
ec2:DescribeVolumes |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
Storage |
EFS |
elasticfilesystem:DescribeFileSystems |
AmazonElasticFileSystemReadOnlyAccess |
|
elasticfilesystem:DescribeMountTargets |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
S3 |
s3:GetBucketPolicy |
AmazonS3ReadOnlyAccess |
|
|
s3:GetBucketLocation |
|||
|
s3:GetBucketAcl |
|||
|
s3:GetBucketVersioning |
|||
|
s3:ListAllMyBuckets |
|||
|
s3:GetLifecycleConfiguration |
|||
|
cloudwatch:GetMetricStatistics |
CloudWatchReadOnlyAccess |
||
|
Databases |
RDS |
rds:DescribeDBClusters |
AmazonRDSReadOnlyAccess |
|
rds:DescribeDBInstances |
|||
|
ec2:DescribeSecurityGroups |
|||
|
Middleware |
ElastiCache |
elasticache:DescribeCacheClusters |
AmazonElastiCacheReadOnlyAccess |
|
elasticache:DescribeReplicationGroups |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
memorydb:DescribeClusters |
AmazonMemoryDBReadOnlyAccess |
||
|
MSK |
kafka:ListClustersV2 |
AmazonMSKReadOnlyAccess |
|
|
cloudwatch:GetMetricStatistics |
|||
|
Containers |
EKS |
eks:DescribeCluster |
No corresponding permission policy is available. You need to create one. |
|
eks:ListClusters |
|||
|
ec2:DescribeInstances |
|||
|
ec2:DescribeSubnets |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
Big data clusters |
EMR |
elasticmapreduce:DescribeCluster |
AmazonEMRReadOnlyAccessPolicy_v2 |
|
elasticmapreduce:ListClusters |
|||
|
elasticmapreduce:ListInstanceGroups |
|||
|
elasticmapreduce:ListInstances |
|||
|
ec2:DescribeInstances |
AmazonEC2ReadOnlyAccess |
||
|
Networking |
EIP |
ec2:DescribeAddresses |
AmazonEC2ReadOnlyAccess |
|
ELB |
elasticloadbalancing:DescribeLoadBalancers |
ElasticLoadBalancingReadOnly |
|
|
NAT gateway |
ec2:DescribeNatGateways |
AmazonEC2ReadOnlyAccess |
|
|
Route 53 (public domains) |
route53:ListHostedZones |
AmazonRoute53ReadOnlyAccess |
|
|
route53:ListResourceRecordSets |
|||
|
Route tables |
ec2:DescribeRouteTables |
AmazonEC2ReadOnlyAccess |
|
|
Security groups |
ec2:DescribeSecurityGroups |
AmazonEC2ReadOnlyAccess |
|
|
ec2:DescribeSecurityGroupRules |
|||
|
Route 53 (VPC domains) |
route53:GetHostedZone |
AmazonRoute53ReadOnlyAccess |
|
|
route53:ListHostedZones |
|||
|
route53:ListResourceRecordSets |
|||
|
VPC |
ec2:DescribeSubnets |
AmazonEC2ReadOnlyAccess |
|
|
ec2:DescribeVpcs |
Data Collection from Tencent Cloud
The following table lists the permissions required for collecting data of Tencent Cloud resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Servers |
CVM |
cvm: DescribeInstances cvm: DescribeImages cvm:DescribeSecurityGroups cbs: DescribeDisks vpc: DescribeAddresses vpc: DescribeNetworkInterfaces vpc: DescribeSubnets monitor:GetMonitorData |
QcloudCVMReadOnlyAccess |
|
Databases |
CDB |
cdb:DescribeDBInstances |
QcloudCDBReadOnlyAccess |
|
PostgreSQL |
postgres:DescribeDBInstances |
QcloudPostgreSQLReadOnlyAccess |
|
|
MongoDB |
mongodb:DescribeDBInstances mongodb:DescribeDBInstanceNodeProperty |
QcloudMongoDBReadOnlyAccess |
|
|
SQL Server |
sqlserver:DescribeDBInstances sqlserver:DescribeReadOnlyGroupList |
QcloudSQLServerReadOnlyAccess |
|
|
Storage |
COS |
cos:GetService cos:GetBucketACL cos:GetBucketLifecycle cos:GetBucketVersioning monitor:GetMonitorData |
QcloudCOSReadOnlyAccess |
|
CFS |
cfs:DescribeCfsFileSystems cfs:DescribeMountTargets |
QcloudCFSReadOnlyAccess |
|
|
Networking |
DNSPod |
dnspod:DescribeDomainList dnspod:DescribeRecordList |
QcloudDNSPodReadOnlyAccess |
|
WAF |
waf:DescribeDomains waf:DescribeInstances |
QcloudWAFReadOnlyAccess |
|
|
CLB |
clb:DescribeLoadBalancersDetail clb:DescribeTargets cvm: DescribeInstances |
QcloudCLBReadOnlyAccess QcloudCVMReadOnlyAccess |
Data Collection from Azure
The following table lists the permissions required for collecting data of Azure resources.
|
Resource Type |
Cloud Service |
Service |
Minimal Permission Policy |
|---|---|---|---|
|
Servers |
Virtual Machines |
Microsoft Classic Compute |
Microsoft.ClassicCompute/virtualMachines/read |
|
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
||
|
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
||
|
Storage |
Storage Accounts |
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
|
Microsoft Classic Storage |
Microsoft.ClassicStorage/storageAccounts/read |
||
|
Databases |
Azure Database for PostgreSQL - Flexible Server |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Azure Database for PostgreSQL |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Azure Database for MySQL |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Azure Database for MySQL - Flexible Server |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
SQL Server |
Microsoft Azure Arc Data |
Microsoft.AzureArcData/sqlServerInstances/read |
|
|
Microsoft Management |
Microsoft.Management/getEntities/action |
||
|
Middleware |
Azure Cache for Redis |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Event Hubs |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Containers |
Kubernetes services |
Microsoft Classic Compute |
Microsoft.ClassicCompute/virtualMachines/read |
|
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
||
|
Microsoft Management |
Microsoft.Management/getEntities/action |
||
|
Networking |
Public IP addresses |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Load Balancer |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
NAT gateways |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Route tables |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
|
|
Network security groups |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
|
|
Virtual networks |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
Data Collection from Qiniu Cloud
The following table lists the permissions required for collecting data of Qiniu Cloud resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Storage |
Object storage (KODO) |
kodo:buckets |
QiniuKodoReadOnlyAccess |
Data Collection from Kingsoft Cloud
The following table lists the permissions required for collecting data of Kingsoft Cloud resources.
|
Resource Type |
Cloud Service |
Action |
Minimal Permission Policy |
|---|---|---|---|
|
Storage |
Object storage (KS3) |
ks3:ListBuckets |
KS3ReadOnlyAccess |
Data Collection from Google Cloud
The following table lists the permissions required for collecting data of Google Cloud resources.
|
Resource Type |
Cloud Service |
Permission |
Role (Role ID) |
|---|---|---|---|
|
Servers |
Compute Engine |
compute.instances.list |
Compute Viewer (roles/compute.viewer) |
|
compute.machineTypes.get |
|||
|
compute.disks.get |
|||
|
compute.networks.get |
|||
|
compute.regions.get |
|||
|
Storage |
Cloud Storage |
storage.buckets.list |
Storage Admin (roles/storage.admin) or Viewer (roles/viewer) |
|
storage.objects.list |
Storage Object Viewer (roles/storage.objectViewer) or Storage Admin (roles/storage.admin) |
||
|
Compute Engine (OBS) |
compute.regions.get |
Compute Viewer (roles/compute.viewer) |
|
|
compute.networks.list |
|||
|
Cloud Filestore |
file.instances.list |
Cloud Filestore Viewer (roles/file.viewer) |
|
|
Databases |
Cloud SQL |
cloudsql.instances.list |
Cloud SQL Viewer (roles/cloudsql.viewer) |
|
cloudsql.databases.list |
|||
|
cloudsql.tiers.list |
No role is required. |
||
|
Middleware |
Memorystore Redis |
redisService.instances.list |
Cloud Memorystore Redis Viewer (roles/redis.viewer) |
|
redisService.clusters.list |
|||
|
Containers |
Kubernetes Engine |
container.clusters.list |
Kubernetes Engine Cluster Viewer(roles/container.clusterViewer) |
|
Compute Engine (Kubernetes) |
compute.regions.get |
Compute Viewer (roles/compute.viewer) |
|
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
Networking |
Compute Engine (CLB) |
compute.firewalls.list |
Compute Viewer (roles/compute.viewer) |
|
compute.forwardingRules.list |
|||
|
compute.globalForwardingRules.list |
|||
|
compute.backendServices.get |
|||
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
Compute Engine (EIP) |
compute.addresses.list |
||
|
compute.globalAddresses.list |
|||
|
compute.regions.get |
|||
|
compute.instances.list |
|||
|
Compute Engine (Route Table) |
compute.routes.list |
||
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
Compute Engine (VPC) |
compute.networks.list |
||
|
compute.subnetworks.list |
|||
|
Compute Engine (Security Group) |
compute.firewalls.list |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
