Service-linked roles
This topic describes the background information, permission policies, usage notes, and FAQ for the service-linked roles of ApsaraMQ for RabbitMQ.
Background information
A service-linked role is a RAM role that a cloud service assumes when it needs access to other cloud services in order to deliver one of its own features. The first time you use that feature in the service's console, the system prompts you to have the service-linked role created automatically. For more information, see Service-linked roles.
ApsaraMQ for RabbitMQ provides the following service-linked roles:
Service-linked role | Description
AliyunServiceRoleForAmqpMonitoring | ApsaraMQ for RabbitMQ assumes this RAM role to obtain permissions on CloudMonitor and Application Real-Time Monitoring Service (ARMS), which it needs for its monitoring, alerting, and dashboard features. The first time you use monitoring and alerting or the dashboard in the ApsaraMQ for RabbitMQ console, the system prompts you to have AliyunServiceRoleForAmqpMonitoring created automatically. For more information, see Monitoring metrics and Dashboard.
AliyunServiceRoleForAmqpLogDelivery | ApsaraMQ for RabbitMQ assumes this RAM role to obtain access to Log Service, which it needs for its message log feature. The first time you use message logs in the ApsaraMQ for RabbitMQ console, the system prompts you to have AliyunServiceRoleForAmqpLogDelivery created automatically. For more information, see Configure message logs.
AliyunServiceRoleForAmqpNetwork | Allows ApsaraMQ for RabbitMQ to assume this RAM role to access PrivateLink and deliver its Virtual Private Cloud (VPC) features. The first time you use a PrivateLink endpoint in the ApsaraMQ for RabbitMQ console, the system prompts you to have this role created automatically.
Permission policies
The permission policy of AliyunServiceRoleForAmqpMonitoring is as follows. It grants only read (Describe/List/Check) actions on CloudMonitor and ARMS apart from arms:OpenVCluster, and the ram:DeleteServiceLinkedRole grant is scoped by the ram:ServiceName condition to this role's own service:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:OpenVCluster",
        "arms:ListDashboards",
        "arms:CheckServiceStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
The permission policy of AliyunServiceRoleForAmqpLogDelivery is as follows. Besides listing projects and Logstores, it can write log data (log:PostLogStoreLogs) to any Logstore in the account, since Resource is "*":
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject",
        "log:ListLogStores",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
The permission policy of AliyunServiceRoleForAmqpNetwork is as follows. It is the broadest of the three: in addition to read-only VPC and vSwitch queries, it can create, modify, and delete PrivateLink endpoints and ECS security groups across the account, and its last statement allows it to create the service-linked role of PrivateLink (scoped by ram:ServiceName to privatelink.aliyuncs.com):
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServices",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:CreateVpcEndpoint",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVpcs",
        "vpc:ListVSwitchCidrReservations",
        "vpc:GetVSwitchCidrReservationUsage",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "Ecs:CreateSecurityGroup",
        "Ecs:DeleteSecurityGroup",
        "Ecs:DescribeSecurityGroupAttribute",
        "Ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "network.amqp.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
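The policies above are the documented baseline for each role; what a reviewer actually wants to know is whether the policy attached to the role in a given account still matches it, which actions let the service change resources, and whether every ram:*ServiceLinkedRole grant is still pinned to a ram:ServiceName. The following Python script is an added example, not Alibaba Cloud's code. It embeds the AliyunServiceRoleForAmqpLogDelivery policy from this page as the baseline and a constructed "drifted" variant (an extra log:DeleteProject grant and a ram:DeleteServiceLinkedRole statement that has lost its condition) standing in for a policy pulled from the console; the audit functions work on any RAM policy document of this shape.

```python
"""Audit a RAM policy document attached to a service-linked role.

Added example, not Alibaba Cloud code. Compares an "actual" policy against the
documented baseline and reports extra/missing actions, mutating actions, and
ram:*ServiceLinkedRole statements not pinned to a ram:ServiceName.
"""
import json
import re
from typing import Dict, List, Set

# Documented policy for AliyunServiceRoleForAmqpLogDelivery (from this page).
BASELINE_LOGDELIVERY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": [ "log:ListProject", "log:ListLogStores", "log:PostLogStoreLogs" ],
    "Resource": "*", "Effect": "Allow" },
  { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
    "Condition": { "StringEquals": { "ram:ServiceName": "logdelivery.amqp.aliyuncs.com" } } } ] }
""")

# Constructed drifted policy: one extra grant, and the ram:DeleteServiceLinkedRole
# statement has lost its ServiceName condition.
DRIFTED_LOGDELIVERY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": [ "log:ListProject", "log:ListLogStores", "log:PostLogStoreLogs", "log:DeleteProject" ],
    "Resource": "*", "Effect": "Allow" },
  { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow" } ] }
""")

# Verbs that change state in the account (heuristic on the action name).
MUTATING = re.compile(r":(Create|Delete|Update|Attach|Detach|Add|Remove|Post|Open)", re.I)


def _as_list(value) -> List[str]:
    """RAM allows Action/Resource/condition values as a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: Dict) -> Set[str]:
    """All actions granted by Allow statements, lowercased so that spelling
    differences such as 'Ecs:' versus 'ecs:' do not register as drift."""
    acts: Set[str] = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            acts.update(a.lower() for a in _as_list(st.get("Action", [])))
    return acts


def mutating_actions(policy: Dict) -> Set[str]:
    return {a for a in allowed_actions(policy) if MUTATING.search(a)}


def unpinned_slr_statements(policy: Dict) -> List[str]:
    """ram:Create/DeleteServiceLinkedRole grants must carry a StringEquals on
    ram:ServiceName; without it the role could create or delete the
    service-linked role of any service in the account."""
    findings = []
    for st in policy.get("Statement", []):
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a.endswith("servicelinkedrole") for a in acts):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not _as_list(cond.get("ram:ServiceName", [])):
            findings.append(", ".join(acts))
    return findings


def audit(actual: Dict, baseline: Dict) -> Dict[str, List[str]]:
    return {
        "extra_actions": sorted(allowed_actions(actual) - allowed_actions(baseline)),
        "missing_actions": sorted(allowed_actions(baseline) - allowed_actions(actual)),
        "mutating_actions": sorted(mutating_actions(actual)),
        "unpinned_slr_statements": unpinned_slr_statements(actual),
    }


if __name__ == "__main__":
    print(json.dumps(audit(DRIFTED_LOGDELIVERY, BASELINE_LOGDELIVERY), indent=2))
```

To use it against a live account, replace DRIFTED_LOGDELIVERY with the policy document fetched for the role and pick the matching baseline from the three policies above; any entry under extra_actions or unpinned_slr_statements means the role no longer matches what this page documents.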
Usage notes
If you delete an automatically created service-linked role, the features that depend on it can no longer be used because the service no longer has the required permissions. Proceed with caution. To recreate the service-linked role and grant it permissions, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role; the policy you attach should match the one documented above for that role.
FAQ
Why can't my RAM user automatically create the ApsaraMQ for RabbitMQ service-linked role AliyunServiceRoleForAmqpMonitoring or AliyunServiceRoleForAmqpLogDelivery?
If the service-linked role has already been created in your Alibaba Cloud account, your RAM users inherit it and nothing further is needed. If it has not, log on to the RAM console and attach the following custom policy to the RAM user. The policy grants only ram:CreateServiceLinkedRole, on roles in your own account, and only for the three ApsaraMQ for RabbitMQ services named in the ram:ServiceName condition:
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:${accountid}:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"logdelivery.amqp.aliyuncs.com",
"monitoring.amqp.aliyuncs.com",
"network.amqp.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace ${accountid} with your Alibaba Cloud account ID before attaching the policy.
If the RAM user still cannot create the service-linked role after this policy is attached, attach the system policy AliyunAMQPFullAccess to the RAM user. For more information, see Grant permissions to a RAM user. AliyunAMQPFullAccess is far broader than the scoped policy above, so treat it as a fallback and remove it once the service-linked role exists if the user does not otherwise need full access to ApsaraMQ for RabbitMQ.
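Two mistakes are easy to make with the custom policy above: attaching it with the ${accountid} placeholder still in place, and widening it (an extra action, a missing or broadened ram:ServiceName condition) while editing. The following Python script is an added example, not Alibaba Cloud's code. It fills in the placeholder and then checks the rendered document before it is attached. EXAMPLE_ACCOUNT_ID is constructed, and the check that an account ID is a 16-digit number is an assumption about the ID format, not something this page states.

```python
"""Render and sanity-check the RAM-user grant from the FAQ above.

Added example, not Alibaba Cloud code. Fills in ${accountid} and verifies the
result: placeholder resolved, Resource pinned to the account, Action limited to
ram:CreateServiceLinkedRole, and ram:ServiceName limited to the ApsaraMQ for
RabbitMQ services.
"""
import json
import re
from typing import Dict, List

# The policy from the FAQ, with the placeholder still in place.
GRANT_TEMPLATE = """
{ "Statement": [ { "Action": [ "ram:CreateServiceLinkedRole" ],
    "Resource": "acs:ram:*:${accountid}:role/*", "Effect": "Allow",
    "Condition": { "StringEquals": { "ram:ServiceName": [
      "logdelivery.amqp.aliyuncs.com", "monitoring.amqp.aliyuncs.com",
      "network.amqp.aliyuncs.com" ] } } } ], "Version": "1" }
"""
UNRENDERED_GRANT = json.loads(GRANT_TEMPLATE)  # what gets attached if step "replace ${accountid}" is skipped

AMQP_SERVICES = {
    "logdelivery.amqp.aliyuncs.com",
    "monitoring.amqp.aliyuncs.com",
    "network.amqp.aliyuncs.com",
}
EXAMPLE_ACCOUNT_ID = "1234567890123456"  # constructed; assumption: account IDs are 16 digits


def render_grant(account_id: str) -> Dict:
    """Substitute the account ID; refuse anything that is not a 16-digit number (assumed format)."""
    if not re.fullmatch(r"\d{16}", account_id):
        raise ValueError(f"not an Alibaba Cloud account ID: {account_id!r}")
    return json.loads(GRANT_TEMPLATE.replace("${accountid}", account_id))


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def check_grant(policy: Dict, account_id: str) -> List[str]:
    """Return the problems found; an empty list means the grant is safe to attach."""
    problems: List[str] = []
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        if {a.lower() for a in actions} != {"ram:createservicelinkedrole"}:
            problems.append(f"unexpected actions: {actions}")
        for res in _as_list(st["Resource"]):
            if "${accountid}" in res:
                problems.append("placeholder ${accountid} was not replaced")
            elif not res.startswith(f"acs:ram:*:{account_id}:role/"):
                problems.append(f"resource not pinned to account {account_id}: {res}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        names = set(_as_list(cond.get("ram:ServiceName", [])))
        if not names:
            problems.append("no ram:ServiceName condition: user could create any service-linked role")
        elif not names <= AMQP_SERVICES:
            problems.append(f"ServiceName outside ApsaraMQ for RabbitMQ: {sorted(names - AMQP_SERVICES)}")
    return problems


if __name__ == "__main__":
    rendered = render_grant(EXAMPLE_ACCOUNT_ID)
    print(json.dumps(rendered, indent=2))
    print("rendered:", check_grant(rendered, EXAMPLE_ACCOUNT_ID))
    print("unrendered:", check_grant(UNRENDERED_GRANT, EXAMPLE_ACCOUNT_ID))
```

Run check_grant on the exact document you are about to attach; if it reports the unreplaced placeholder or a ServiceName outside the three ApsaraMQ for RabbitMQ services, fix the document rather than falling back to AliyunAMQPFullAccess.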