服務關聯角色
更新時間:
本節介紹阿里云AIoT能力中心服務關聯角色AliyunServiceRoleForIoTAppHosting,及其使用操作。
背景信息
AIoT能力中心服務關聯角色AliyunServiceRoleForIoTAppHosting是為實現某個功能需獲取其他云服務的訪問權限而提供的RAM角色。更多關于服務關聯角色的信息請參見服務關聯角色。
AliyunServiceRoleForIoTAppHosting應用場景
開放平臺應用托管功能需要訪問容器服務ACK、容器鏡像服務、云服務器ECS、云監控、云數據庫RDS、 日志服務SLS、EDAS、應用實時監控ARMS、Redis云數據庫和負載均衡SLB等資源的權限云服務的資源時,可通過自動創建的AIoT能力中心服務關聯角色AliyunServiceRoleForIoTAppHosting獲取訪問權限。
AliyunServiceRoleForIoTAppHosting權限說明
AliyunServiceRoleForIoTAppHosting具備以下云服務的訪問權限: 容器服務ACK的訪問權限:
{
"Action":[
"cs:CreateCluster",
"cs:ScaleOutCluster",
"cs:AttachInstances",
"cs:DescribeClusterAttachScripts",
"cs:DescribeClusterUserKubeconfig",
"cs:ModifyClusterTags",
"cs:DescribeClusterDetail",
"cs:DescribeClusters",
"cs:DeleteClusterNodes",
"cs:DeleteCluster",
"cs:DescribeClusterAddonUpgradeStatus",
"cs:UnInstallClusterAddons",
"cs:DescribeClusterAddonsVersion",
"cs:ListTagResources",
"cs:CancelClusterUpgrade",
"cs:CreateTemplate",
"cs:DeleteTemplate",
"cs:CreateTriggerHook",
"cs:DeleteTriggerHook",
"cs:DescribeClusterLogs",
"cs:DescribeExternalAgent",
"cs:DescribeTemplates",
"cs:DescribeUserQuota",
"cs:GetUpgradeStatus",
"cs:InstallClusterAddons",
"cs:ModifyCluster",
"cs:PauseClusterUpgrade",
"cs:RemoveClusterNodes",
"cs:ResumeUpgradeCluster",
"cs:UpdateTemplate",
"cs:UpgradeCluster",
"cs:DescribeClusterNodes",
"cs:UpgradeClusterAddons"
],
"Resource":"*",
"Effect":"Allow"
}
容器鏡像服務的訪問權限:
{
"Action":[
"cr:DeleteNamespace",
"cr:GetNamespace",
"cr:UpdateNamespace",
"cr:ListNamespace",
"cr:CreateRepository",
"cr:DeleteRepository",
"cr:UpdateRepository",
"cr:GetRepository",
"cr:ListRepository",
"cr:ListRepositoryTag",
"cr:DeleteRepositoryTag",
"cr:GetRepositoryManifest",
"cr:GetRepositoryLayers",
"cr:GetAuthorizationToken",
"cr:PullRepository",
"cr:PushRepository",
"cr:CreateNamespace"
],
"Resource":"*",
"Effect":"Allow"
}云服務器ECS的訪問權限:
{
"Action":[
"ecs:CreateInstance",
"ecs:RunInstances",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:StopInstance",
"ecs:RebootInstance",
"ecs:DeleteInstance",
"ecs:RenewInstance"
],
"Resource":"*",
"Effect":"Allow"
}云監控的訪問權限:
{
"Action":[
"cms:PutMetricAlarm",
"cms:DeleteAlarm",
"cms:GetMyGroups",
"cms:QueryMetricList",
"cms:PutContactGroup",
"cms:DescribeContactListByContactGroup",
"cms:ModifyMonitorGroup",
"cms:DescribeMonitorGroups",
"cms:CreateMonitorGroup",
"cms:DeleteMonitorGroup"
],
"Resource":"*",
"Effect":"Allow"
}云數據庫RDS的訪問權限:
{
"Action":[
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"rds:RestartDBInstance",
"rds:DescribeDBInstances",
"rds:SwitchDBInstanceNetType",
"rds:ModifyDBInstanceDescription",
"rds:PurgeDBInstanceLog",
"rds:CreateDatabase",
"rds:DeleteDatabase",
"rds:DescribeDatabases",
"rds:ModifyDBDescription",
"rds:ResetAccountPassword",
"rds:RevokeAccountPrivilege",
"rds:CreateAccount",
"rds:DeleteAccount",
"rds:GrantAccountPrivilege",
"rds:DescribeAccounts",
"rds:CreatePrepaidDBInstanceForChannel",
"rds:ModifyPrepaidDBInstanceSpec",
"rds:CreatePostpaidDBInstanceForChannel",
"rds:ModifyPostpaidDBInstanceSpec",
"rds:DescribeDBInstanceAttribute"
],
"Resource":"*",
"Effect":"Allow"
}日志服務SLS的訪問權限:
{
"Action":[
"log:GetProject",
"log:GetMachineGroup",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:GetLogStore",
"log:ListLogStores",
"log:GetCursorOrData",
"log:GetConfig",
"log:ListConfig",
"log:ListMachineGroup",
"log:ListMachines",
"log:GetAppliedMachineGroups",
"log:GetAppliedConfigs",
"log:ListConsumerGroup",
"log:GetDashboard",
"log:ListDashboard",
"log:CreateProject",
"log:DeleteProject",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:UpdateLogStore",
"log:PostLogStoreLogs",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:ApplyConfigToGroup",
"log:ApplyConfigToMachineGroup",
"log:RemoveConfigFromGroup",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:GetIndex",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:ListShards",
"log:ListSavedSearch",
"log:GetSavedSearch",
"log:ListProject"
],
"Resource":"*",
"Effect":"Allow"
}EDAS的訪問權限:
{
"Action":[
"edas:ReadApplication",
"edas:ManageApplicationp"
],
"Resource":"*",
"Effect":"Allow"
}應用實時監控ARMS的訪問權限:
{
"Action":[
"arms:AddGrafana",
"arms:AddIntegration",
"arms:GetPrometheusApiToken",
"arms:ListCluster",
"arms:ListClusterFromGrafana",
"arms:ListDashboards"
],
"Resource":"*",
"Effect":"Allow"
}Redis云數據庫的訪問權限:
{
"Action":[
"kvstore:CreateInstance",
"kvstore:DescribeInstanceAttribute",
"kvstore:ModifyInstanceAttribute",
"kvstore:DeleteInstance",
"kvstore:DescribeInstances",
"kvstore:DescribeRegions"
],
"Resource":"*",
"Effect":"Allow"
}負載均衡SLB的訪問權限:
{
"Action":[
"slb:UploadServerCertificate",
"slb:DescribeServerCertificates",
"slb:CreateLoadBalancerHTTPSListener",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateVServerGroup",
"slb:DeleteVServerGroup",
"slb:DeleteLoadBalancerListener",
"slb:DescribeLoadBalancerAttribute",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:AssociateEipAddress",
"slb:CreateAccessControlList",
"slb:DescribeAccessControlLists",
"slb:AddAccessControlListEntry",
"slb:DescribeLoadBalancers"
],
"Resource":"*",
"Effect":"Allow"
}刪除AliyunServiceRoleForIoTAppHosting
如果您使用了AIoT能力中心的應用托管功能,然后需要刪除服務關聯角色AliyunServiceRoleForIoTAppHosting,例如您出于安全考慮,需要刪除該角色,則需要先明確刪除后的影響:刪除AliyunServiceRoleForIoTAppHosting后,系統將失去對集群的管理能力(包括應用的管理、資源的管理等)。 刪除AliyunServiceRoleForIoTAppHosting的操作步驟如下:
登錄RAM控制臺,在左側導航欄中單擊RAM角色管理。
在RAM角色管理頁面的搜索框中,輸入AliyunServiceRoleForIoTAppHosting,自動搜索到名稱為AliyunServiceRoleForIoTAppHosting的RAM角色。
在右側操作列,單擊刪除。
在刪除RAM角色對話框,單擊確定。
文檔內容是否對您有幫助?