链接复制成功!
公网采集权限要求
通过公网采集各云平台资源所需的权限如下:
阿里云资源采集
采集阿里云各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
主机 |
ECS |
ecs:DescribeInstances |
Read |
|
ecs:DescribeDisks |
List |
||
|
ecs:DescribeMetricData |
List |
||
|
存储 |
NAS |
nas:DescribeFileSystems |
Read |
|
OSS |
ListBuckets |
oss:ListBuckets |
|
|
oss:DescribeMetricData |
List |
||
|
数据库 |
RDS |
rds:DescribeDBInstances |
Read |
|
rds:DescribeDBInstanceAttribute |
Read |
||
|
MongoDB |
rds:DescribeDBInstances |
Read |
|
|
rds:DescribeDBInstanceAttribute |
Read |
||
|
中间件 |
Redis |
kvstore:DescribeInstances |
List |
|
kvstore:DescribeInstanceAttribute |
Read |
||
|
kvstore:DescribeMetricData |
List |
||
|
Kafka |
alikafka:ListInstance |
Read |
|
|
kafka::DescribeMetricData |
List |
||
|
RocketMQ |
rocketmq:GetInstance |
Read |
|
|
rocketmq::DescribeMetricData |
List |
||
|
容器 |
K8S ACK |
cs:GetClusters |
Read |
|
cs:DescribeClusterDetail |
Read |
||
|
k8s::DescribeMetricData |
List |
||
|
大数据 |
EMR |
emr:ListClusters |
List |
|
网络 |
CEN |
cen:ListTransitRouters |
Read |
|
cen:DescribeCenPrivateZoneRoutes |
Read |
||
|
cen:DescribeRouteServicesInCen |
Read |
||
|
cen:ListTransitRouterVpcAttachments |
List |
||
|
cen:ListTransitRouterVbrAttachments |
List |
||
|
cen:ListTransitRouterVpnAttachments |
List |
||
|
cen:DescribeCenAttachedChildInstances |
Read |
||
|
cen:DescribeCenAttachedChildInstanceAttribute |
Read |
||
|
cen:ListTransitRouterPeerAttachments |
Read |
||
|
cen:ListTransitRouterRouteTables |
Read |
||
|
cen:ListTransitRouterRouteEntries |
Read |
||
|
cen:ListTransitRouterRouteTableAssociations |
Read |
||
|
cen:ListTransitRouterPrefixListAssociation |
Read |
||
|
cen:DescribeCenRouteMaps |
Read |
||
|
cen:ListTransitRouterRouteTables |
Read |
||
|
cen:DescribeCenRegionDomainRouteEntries |
Read |
||
|
cen:ListTransitRouters |
Read |
||
|
cen:DescribeCens |
Read |
||
|
ALB |
alb:ListLoadBalancers |
Read |
|
|
alb:ListServerGroupServers |
Read |
||
|
CLB |
slb:DescribeLoadBalancers |
Read |
|
|
slb:DescribeLoadBalancerListeners |
Read |
||
|
slb:DescribeVServerGroupAttribute |
Read |
||
|
slb:DescribeMasterSlaveServerGroupAttribute |
Read |
||
|
slb:DescribeHealthStatus |
Read |
||
|
slb:DescribeMasterSlaveServerGroupAttribute |
Read |
||
|
slb:DescribeMasterSlaveServerGroups |
Read |
||
|
VPC |
vpc:DescribePhysicalConnections |
Read |
|
|
vpc:DescribeVirtualBorderRouters |
Read |
||
|
vpc:DescribeRouteTables |
Read |
||
|
vpc:DescribeRouteTableList |
List |
||
|
DNS |
alidns:DescribeDomainRecords |
Read |
|
|
alidns:DescribeDomains |
Read |
||
|
Private Zone |
pvtz:DescribeZoneVpcTree |
Read |
|
|
pvtz:DescribeZoneRecords |
Read |
||
|
EIP |
ens:DescribeEipAddresses |
Read |
|
|
NAT |
ens:DescribeNatGateways |
Read |
|
|
ens:DescribeSnatTableEntries |
List |
||
|
ens:DescribeForwardTableEntries |
List |
华为云资源采集
采集华为云各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
主机 |
ECS |
ecs:ListServersDetails ces:BatchListMetricData evs:ListVolumes eip:ListPublicips |
|
|
容器 |
CCE |
cce:ListNodes cce:ListClusters aom:ShowMetricsData |
|
|
大数据 |
MRS |
mrs:ListClusters mrs:ListHosts |
MRS ReadOnlyAccess |
|
数据库 |
DDS |
dds:ListInstances dds:ListFlavors |
DDS ReadOnlyAccess |
|
RDS |
rds:ListInstances |
RDS ReadOnlyAccess |
|
|
中间件 |
分布式消息服务Kafka版 |
dms:ListInstances dms:ShowInstance dms:ListAvailableZones dms:ShowCluster ces:BatchListMetricData |
DMS ReadOnlyAccess |
|
分布式缓存服务 DCS |
dcs:ListInstances dcs:ListFlavors dcs:ListGroupReplicationInfo ces:BatchListMetricData |
DCS ReadOnlyAccess |
|
|
存储 |
OBS |
obs:ListBuckets obs:GetBucketPolicy obs:GetBucketAcl obs:GetBucketLifecycle obs:GetBucketMetadata obs:GetBucketVersioning obs:GetBucketStorageInfo obs:GetBucketStoragePolicy ces:BatchListMetricData |
以上两个策略不包含的action需要创建自定义策略 |
|
SFS Turbo |
sfsturbo:ListShares |
SFS Turbo ReadOnlyAccess |
|
|
网络 |
ELB |
elb:ListListeners elb:ListLoadbalancers elb:ListPools elb:ListL7policies elb:ListL7rules elb:ListMembers elb:ListFlavors vpc:ListSubnets |
ELB ReadOnlyAccess |
|
DNS |
dns:ListPublicZones dns:ListPrivateZones dns:ListRecordSetsByZone |
DNS ReadOnlyAccess |
|
|
EIP |
eip:ListPublicips |
EIP ReadOnlyAccess |
|
|
NAT |
nat:ListNatGateways nat:ListNatGatewayDnatRules nat:ListNatGatewaySnatRules vpc:ShowPort vpc:ShowSubnet vpc:ListSubnets |
NAT ReadOnlyAccess |
|
|
VPC |
vpc:ListRouteTables vpc:ShowRouteTable vpc:ListVpcs vpc:ListSecurityGroups vpc:ListSecurityGroupRules vpc:ListSubnets |
VPC ReadOnlyAccess |
AWS资源采集
采集AWS各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
主机 |
EC2 |
ec2:DescribeInstances |
AmazonEC2ReadOnlyAccess |
|
ec2:DescribeAddresses |
|||
|
ec2:DescribeImages |
|||
|
ec2:DescribeVolumes |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
存储 |
EFS |
elasticfilesystem:DescribeFileSystems |
AmazonElasticFileSystemReadOnlyAccess |
|
elasticfilesystem:DescribeMountTargets |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
S3 |
s3:GetBucketPolicy |
AmazonS3ReadOnlyAccess |
|
|
s3:GetBucketLocation |
|||
|
s3:GetBucketAcl |
|||
|
s3:GetBucketVersioning |
|||
|
s3:ListAllMyBuckets |
|||
|
s3:GetLifecycleConfiguration |
|||
|
cloudwatch:GetMetricStatistics |
CloudWatchReadOnlyAccess |
||
|
数据库 |
RDS |
rds:DescribeDBClusters |
AmazonRDSReadOnlyAccess |
|
rds:DescribeDBInstances |
|||
|
ec2:DescribeSecurityGroups |
|||
|
中间件 |
ElastiCache |
elasticache:DescribeCacheClusters |
AmazonElastiCacheReadOnlyAccess |
|
elasticache:DescribeReplicationGroups |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
memorydb:DescribeClusters |
AmazonMemoryDBReadOnlyAccess |
||
|
MSK |
kafka:ListClustersV2 |
AmazonMSKReadOnlyAccess |
|
|
cloudwatch:GetMetricStatistics |
|||
|
容器 |
EKS |
eks:DescribeCluster |
无对应的权限策略,需自定义策略 |
|
eks:ListClusters |
|||
|
ec2:DescribeInstances |
|||
|
ec2:DescribeSubnets |
|||
|
cloudwatch:GetMetricStatistics |
|||
|
大数据 |
EMR |
elasticmapreduce:DescribeCluster |
AmazonEMRReadOnlyAccessPolicy_v2 |
|
elasticmapreduce:ListClusters |
|||
|
elasticmapreduce:ListInstanceGroups |
|||
|
elasticmapreduce:ListInstances |
|||
|
ec2:DescribeInstances |
AmazonEC2ReadOnlyAccess |
||
|
网络 |
EIP |
ec2:DescribeAddresses |
AmazonEC2ReadOnlyAccess |
|
ELB |
elasticloadbalancing:DescribeLoadBalancers |
ElasticLoadBalancingReadOnly |
|
|
NAT |
ec2:DescribeNatGateways |
AmazonEC2ReadOnlyAccess |
|
|
Route53(PublicDomain) |
route53:ListHostedZones |
AmazonRoute53ReadOnlyAccess |
|
|
route53:ListResourceRecordSets |
|||
|
RouteTable |
ec2:DescribeRouteTables |
AmazonEC2ReadOnlyAccess |
|
|
SecurityGroup |
ec2:DescribeSecurityGroups |
AmazonEC2ReadOnlyAccess |
|
|
ec2:DescribeSecurityGroupRules |
|||
|
Route53(VpcDomain) |
route53:GetHostedZone |
AmazonRoute53ReadOnlyAccess |
|
|
route53:ListHostedZones |
|||
|
route53:ListResourceRecordSets |
|||
|
VPC |
ec2:DescribeSubnets |
AmazonEC2ReadOnlyAccess |
|
|
ec2:DescribeVpcs |
腾讯云资源采集
采集腾讯云各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
主机 |
CVM |
cvm: DescribeInstances cvm: DescribeImages cvm:DescribeSecurityGroups cbs: DescribeDisks vpc: DescribeAddresses vpc: DescribeNetworkInterfaces vpc: DescribeSubnets monitor:GetMonitorData |
QcloudCVMReadOnlyAccess |
|
数据库 |
CDB |
cdb:DescribeDBInstances |
QcloudCDBReadOnlyAccess |
|
PostgreSQL |
postgres:DescribeDBInstances |
QcloudPostgreSQLReadOnlyAccess |
|
|
MongoDB |
mongodb:DescribeDBInstances mongodb:DescribeDBInstanceNodeProperty |
QcloudMongoDBReadOnlyAccess |
|
|
SQLServer |
sqlserver:DescribeDBInstances sqlserver:DescribeReadOnlyGroupList |
QcloudSQLServerReadOnlyAccess |
|
|
存储 |
COS |
cos:GetService cos:GetBucketACL cos:GetBucketLifecycle cos:GetBucketVersioning monitor:GetMonitorData |
QcloudCOSReadOnlyAccess |
|
CFS |
cfs:DescribeCfsFileSystems cfs:DescribeMountTargets |
QcloudCFSReadOnlyAccess |
|
|
网络 |
DNSPod |
dnspod:DescribeDomainList dnspod:DescribeRecordList |
QcloudDNSPodReadOnlyAccess |
|
WAF |
waf:DescribeDomains waf:DescribeInstances |
QcloudWAFReadOnlyAccess |
|
|
CLB |
clb:DescribeLoadBalancersDetail clb:DescribeTargets cvm: DescribeInstances |
QcloudCLBReadOnlyAccess QcloudCVMReadOnlyAccess |
Azure资源采集
采集Azure各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
服务 |
最小权限策略 |
|---|---|---|---|
|
主机 |
Virtual Machines |
Microsoft Classic Compute |
Microsoft.ClassicCompute/virtualMachines/read |
|
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
||
|
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
||
|
存储 |
Storage Accounts |
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
|
Microsoft Classic Storage |
Microsoft.ClassicStorage/storageAccounts/read |
||
|
数据库 |
Azure Database for PostgreSQL Flexible Server |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Azure Database for PostgreSQL |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Azure Database for MySQL |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Azure Database for MySQL Flexible Server |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
SQL servers |
Microsoft Azure Arc Data |
Microsoft.AzureArcData/sqlServerInstances/read |
|
|
Microsoft Management |
Microsoft.Management/getEntities/action |
||
|
中间件 |
Azure Cache for Redis |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Event Hubs |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
容器 |
Kubernetes services |
Microsoft Classic Compute |
Microsoft.ClassicCompute/virtualMachines/read |
|
Microsoft Azure Monitor |
Microsoft.Insights/MetricDefinitions/Read |
||
|
Microsoft Management |
Microsoft.Management/getEntities/action |
||
|
网络 |
Public IP addresses |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
Load Balancer |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
NAT gateways |
Microsoft Management |
Microsoft.Management/getEntities/action |
|
|
Route tables |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
|
|
Network security groups |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
|
|
Virtual networks |
Microsoft Network |
Microsoft.Network/networkInterfaces/read |
七牛云资源采集
采集七牛云存储资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
存储 |
对象存储(Kodo) |
kodo:buckets |
QiniuKodoReadOnlyAccess |
金山云资源采集
采集金山云存储资源所需的权限参见下表。
|
资源类型 |
云服务 |
Action |
最小权限策略 |
|---|---|---|---|
|
存储 |
对象存储(KS3) |
ks3:ListBuckets |
KS3ReadOnlyAccess |
谷歌云资源采集
采集谷歌云各类资源所需的权限参见下表。
|
资源类型 |
云服务 |
权限 |
角色(角色ID) |
|---|---|---|---|
|
主机 |
Compute Engine |
compute.instances.list |
Compute Viewer(roles/compute.viewer) |
|
compute.machineTypes.get |
|||
|
compute.disks.get |
|||
|
compute.networks.get |
|||
|
compute.regions.get |
|||
|
存储 |
Cloud Storage |
storage.buckets.list |
Storage Admin(roles/storage.admin) 或 Viewer(roles/viewer) |
|
storage.objects.list |
Storage Object Viewer(roles/storage.objectViewer) 或 Storage Admin(roles/storage.admin) |
||
|
Compute Engine(obs) |
compute.regions.get |
Compute Viewer(roles/compute.viewer) |
|
|
compute.networks.list |
|||
|
Cloud Filestore |
file.instances.list |
Cloud Filestore Viewer(roles/file.viewer) |
|
|
数据库 |
Cloud SQL |
cloudsql.instances.list |
Cloud SQL Viewer(roles/cloudsql.viewer) |
|
cloudsql.databases.list |
|||
|
cloudsql.tiers.list |
不需要角色 |
||
|
中间件 |
Memorystore Redis |
redisService.instances.list |
Cloud Memorystore Redis Viewer(roles/redis.viewer) |
|
redisService.clusters.list |
|||
|
容器 |
Kubernetes Engine |
container.clusters.list |
Kubernetes Engine Cluster Viewer(roles/container.clusterViewer) |
|
Compute Engine(k8s) |
compute.regions.get |
Compute Viewer(roles/compute.viewer) |
|
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
网络 |
Compute Engine(clb) |
compute.firewalls.list |
Compute Viewer(roles/compute.viewer) |
|
compute.forwardingRules.list |
|||
|
compute.globalForwardingRules.list |
|||
|
compute.backendServices.get |
|||
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
Compute Engine(eip) |
compute.addresses.list |
||
|
compute.globalAddresses.list |
|||
|
compute.regions.get |
|||
|
compute.instances.list |
|||
|
Compute Engine(route table) |
compute.routes.list |
||
|
compute.networks.list |
|||
|
compute.subnetworks.list |
|||
|
Compute Engine(vpc) |
compute.networks.list |
||
|
compute.subnetworks.list |
|||
|
Compute Engine(security group) |
compute.firewalls.list |
