Tencent Kubernetes Engine
Last updated: 2025-03-26 10:08:51

Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

| Product | Role Name | Role Types | Role Entity |
|---|---|---|---|
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInTDCC | Service-Related Roles | cvm.qcloud.com, tdcc.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSLog | Service-Related Roles | cvm.qcloud.com, ekslog.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEtcdService | Service-Related Roles | cvm.qcloud.com, etcdservice.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInEKSCostMaster | Service-Related Roles | cvm.qcloud.com, ekscostmaster.tke.cloud.tencent.com |
| Tencent Kubernetes Engine | TKE_QCSLinkedRoleInPrometheusService | Service-Related Roles | cvm.qcloud.com, prometheusservice.tke.cloud.tencent.com |

TKE_QCSLinkedRoleInTDCC

Use Cases: The current role is the TKE service-linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInTDCC
  • Policy Information:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:listTopic",
                "cls:getTopic",
                "cls:createTopic",
                "cls:modifyTopic",
                "cls:listMachineGroup",
                "cls:getMachineGroup",
                "cls:createMachineGroup",
                "cls:modifyMachineGroup",
                "cls:deleteMachineGroup",
                "cls:getMachineStatus",
                "cls:pushLog",
                "cls:agentHeartBeat",
                "cls:getConfig",
                "cls:getIndex",
                "cls:modifyIndex",
                "cls:ApplyConfigToMachineGroup",
                "cls:CreateConfig",
                "cls:CreateIndex",
                "cls:CreateLogset",
                "cls:CreateMachineGroup",
                "cls:CreateTopic",
                "cls:DeleteConfig",
                "cls:DeleteConfigFromMachineGroup",
                "cls:DeleteLogset",
                "cls:DeleteMachineGroup",
                "cls:DeleteTopic",
                "cls:DescribeConfigMachineGroups",
                "cls:DescribeConfigs",
                "cls:DescribeLogsets",
                "cls:DescribeMachineGroupConfigs",
                "cls:DescribeMachineGroups",
                "cls:DescribeTopics",
                "cls:ModifyConfig",
                "cls:ModifyIndex",
                "cls:ModifyMachineGroup",
                "cls:ModifyTopic"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}

TKE_QCSLinkedRoleInEKSLog

Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInEKSLog
  • Policy Information:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:pushLog",
                "cls:agentHeartBeat",
                "cls:getConfig"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}

TKE_QCSLinkedRoleInEtcdService

Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInEtcdService
  • Policy Information:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": [
                "*"
            ],
            "action": [
                "cos:DeleteBucket",
                "cos:GetBucket",
                "cos:PutBucket",
                "cos:HeadBucket",
                "cos:GetObject",
                "cos:HeadObject",
                "cos:PutObject",
                "cos:DeleteObject",
                "cos:DeleteMultipleObjects",
                "cos:ListMultipartUploads",
                "cos:AbortMultipartUpload"
            ]
        }
    ]
}

TKE_QCSLinkedRoleInEKSCostMaster

Use Cases: The current role is the TKE service-linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInEKSCostMaster
  • Policy Information:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:DescribeMidDimensionValueList",
                "monitor:DescribeStatisticData",
                "monitor:GetMonitorData"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

TKE_QCSLinkedRoleInPrometheusService

Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Policies

  • Policy Name: QcloudAccessForTKELinkedRoleInPrometheusService
  • Policy Information:
{
    "statement": [
        {
            "action": [
                "cos:DeleteBucket",
                "cos:GetBucket",
                "cos:PutBucket",
                "cos:HeadBucket",
                "cos:GetObject",
                "cos:HeadObject",
                "cos:PutObject",
                "cos:DeleteObject",
                "cos:DeleteMultipleObjects",
                "cos:ListMultipartUploads",
                "cos:AbortMultipartUpload",
                "cos:AbortMultipartUpload",
                "cos:ListMultipartUploads",
                "monitor:DescribePrometheusInstances",
                "monitor:DescribeRecordingRules",
                "monitor:DescribeAlertRules",
                "monitor:DescribeAlarmNotice",
                "monitor:DescribeAlarmNotices",
                "monitor:DescribeAlarmNoticeCallbacks",
                "monitor:DescribeAlarmHistories",
                "monitor:CreatePrometheusMultiTenantInstance",
                "monitor:TerminatePrometheusInstances",
                "monitor:ModifyPrometheusInstanceAttributes",
                "monitor:CreateRecordingRule",
                "monitor:DeleteRecordingRules",
                "monitor:UpdateRecordingRule",
                "monitor:CreateAlertRule",
                "monitor:DeleteAlertRules",
                "monitor:UpdateAlertRule",
                "monitor:UpdateAlertRuleState",
                "monitor:CreateAlarmNotice",
                "monitor:DeleteAlarmNotices",
                "monitor:ModifyAlarmNotice",
                "monitor:ModifyAlarmPolicyNotice",
                "monitor:CreateManagedEKSAgent",
                "monitor:DescribeManagedEKSAgent",
                "monitor:CreateAlertRuleReceiverNotRequired",
                "monitor:UpdateAlertRuleReceiverNotRequired",
                "monitor:DescribeExporterIntegrations",
                "monitor:CreateExporterIntegration",
                "monitor:UpdateExporterIntegration",
                "monitor:DeleteExporterIntegration",
                "monitor:CreateGrafanaInstance",
                "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
                "monitor:BindPrometheusManagedGrafana",
                "monitor:DescribeGrafanaInstances",
                "tdcc:DescribeExternalClusters",
                "tdcc:DescribeExternalClusterCredential",
                "monitor:UpgradeGrafanaDashboard",
                "monitor:UninstallGrafanaDashboard",
                "monitor:DescribePrometheusAlertGroups",
                "monitor:CreatePrometheusAlertGroup",
                "monitor:UpdatePrometheusAlertGroup",
                "monitor:DeletePrometheusAlertGroups",
                "monitor:UpdatePrometheusAlertGroupState",
                "tke:DescribeTKEEdgeExternalKubeconfig",
                "tke:DescribeTKEEdgeClusterCredential",
                "tke:DescribeTKEEdgeClusters",
                "tke:DescribeClusters",
                "tke:DescribeClusterSecurity"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        }
    ],
    "version": "2.0"
}
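
When reviewing what a service-linked role is allowed to do, it helps to break a policy document like the ones above down by service and by whether each action only reads or also changes resources. The following is an added example, not Tencent Cloud code: the read/mutating split by verb prefix is an assumption of this example, and the sample policy is constructed from action names that appear on this page.

```python
import json
from collections import defaultdict

# Verb prefixes treated as read-only. This split is a reviewer's heuristic
# (an assumption of this example), not a classification from Tencent Cloud.
READ_PREFIXES = ("describe", "get", "list", "head")

# Constructed sample: a shortened policy in the same shape as those above.
SAMPLE_POLICY = """
{
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": [
            "cos:GetObject", "cos:DeleteBucket",
            "cos:AbortMultipartUpload", "cos:AbortMultipartUpload",
            "cls:createTopic", "cls:CreateTopic", "monitor:DescribeAlertRules"
        ],
        "resource": "*"
    }]
}
"""

def as_list(value):
    """Accept "resource"/"action" written as a single string or as a list."""
    return [value] if isinstance(value, str) else list(value)

def summarize(policy_text):
    """Group allowed actions by service and flag entries worth a second look."""
    report = {"read": defaultdict(set), "mutating": defaultdict(set),
              "repeated": set(), "wildcard_mutating": False}
    seen = set()
    for stmt in json.loads(policy_text)["statement"]:
        if stmt.get("effect") != "allow":
            continue
        wildcard = "*" in as_list(stmt.get("resource", []))
        for action in as_list(stmt.get("action", [])):
            service, _, name = action.partition(":")
            if action.lower() in seen:  # exact or case-variant repeat
                report["repeated"].add(action.lower())
            seen.add(action.lower())
            kind = "read" if name.lower().startswith(READ_PREFIXES) else "mutating"
            report[kind][service].add(name)
            report["wildcard_mutating"] |= wildcard and kind == "mutating"
    return report

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_POLICY), default=sorted, indent=2))
```

Entries under "repeated" are listed only so a reviewer can confirm they are intentional; the example makes no claim about how the policy engine treats them.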