Service-linked role
This topic describes the background and scenarios of the service-linked role AliyunServiceRoleForBizWorks, how to delete the service-linked role, and the permissions a RAM user (sub-account) needs in order to create it.
Background information
In some scenarios, BizWorks needs access to other Alibaba Cloud services in order to provide its cluster management and image repository management features. Alibaba Cloud provides service-linked roles (SLRs) for exactly this purpose.
For more information about service-linked roles, see Service-linked roles.
Scenarios
BizWorks needs to access resources of Enterprise Distributed Application Service (EDAS), Container Service for Kubernetes (ACK), Alibaba Cloud Container Registry (ACR), and PrivateLink. It obtains those permissions by assuming the service-linked role.
Introduction to AliyunServiceRoleForBizWorks
Role name: AliyunServiceRoleForBizWorks.
Role policy: AliyunServiceRolePolicyForBizWorks.
Permission description: allows the BizWorks service to access data in your EDAS, ACK, ACR, and PrivateLink resources, for example to query EDAS cluster services. Note that every statement in the policy except the two EDAS statements uses "Resource": "*", so the role's scope is bounded by the action lists (and, for the ram: actions, by the ram:ServiceName condition) rather than by resource ARNs; the policy lets BizWorks delete only its own service-linked role and create only PrivateLink's.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupRule",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetInstance",
        "cr:ListInstanceRegion",
        "cr:ListInstance",
        "cr:GetInstanceEndpoint",
        "cr:GetNamespace",
        "cr:ListNamespace",
        "cr:CreateRepository",
        "cr:GetRepository",
        "cr:ListRepository",
        "cr:GetRepoTag",
        "cr:ListRepositoryTag",
        "cr:GetAuthorizationToken",
        "cr:PullRepository",
        "cr:PushRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetRegionList",
        "cr:GetNamespace",
        "cr:GetNamespaceList",
        "cr:GetRepoTag",
        "cr:CreateRepo",
        "cr:GetRepo",
        "cr:GetRepoList",
        "cr:GetRepoListByNamespace",
        "cr:GetRepoTags",
        "cr:GetImageManifest",
        "cr:GetAuthorizationToken",
        "cr:PullRepository",
        "cr:PushRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeClusters",
        "cs:GetClusters",
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeUserPermission",
        "cs:DescribeClusterInnerServiceKubeconfig",
        "cs:RevokeClusterInnerServiceKubeconfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "edas:CreateApplication",
        "edas:ReadApplication",
        "edas:DeleteApplication",
        "edas:ManageApplication",
        "edas:ConfigApplication",
        "edas:ManageAppLog"
      ],
      "Resource": "acs:edas:*:*:namespace/*/application/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "edas:CreateNamespace",
        "edas:ReadNamespace",
        "edas:DeleteNamespace",
        "edas:ManageNamespace"
      ],
      "Resource": "acs:edas:*:*:namespace/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "bizworks.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
Delete the service-linked role
Before you delete the service-linked role AliyunServiceRoleForBizWorks, make sure that no clusters or image repositories in your account still use it: deleting the role revokes the EDAS, ACK, ACR, and PrivateLink access listed above, so any BizWorks integration that depends on it stops working. For the procedure, see Delete a service-linked role.
Permissions required for a RAM user to create the service-linked role
If you are a RAM user, you must be granted specific permissions before you can create the service-linked role.
An Alibaba Cloud account (root account) can create the service-linked role, as can a RAM user to whom the AliyunBizWorksFullAccess policy is attached.
The following policy grants permission to create the service-linked role for BizWorks and nothing more: the ram:ServiceName condition restricts ram:CreateServiceLinkedRole to BizWorks, so the grant cannot be used to create service-linked roles for other services.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "bizworks.aliyuncs.com"
        }
      }
    }
  ]
}
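To make the effect of the ram:ServiceName condition concrete, here is an added example that is not part of the BizWorks documentation or any Alibaba Cloud SDK. It is a deliberately small, simplified RAM-style policy evaluator (Allow/Deny, "*" wildcards in Action and Resource, and only the StringEquals condition operator; it is an illustration, not Alibaba Cloud's real authorization engine). It embeds the RAM-user policy above and the two ram: statements excerpted from AliyunServiceRolePolicyForBizWorks, and shows that the RAM user can create the BizWorks SLR but not PrivateLink's, that the SLR itself can create the PrivateLink SLR and delete only its own, and it flags a constructed over-broad grant (OVERBROAD_POLICY, not from the page) that lacks the condition.

```python
"""Minimal RAM-style policy evaluator for reasoning about the policies on this page.

Added illustration only: it models just what these policies use (Allow/Deny,
'*' wildcards in Action/Resource, the StringEquals operator) and is not
Alibaba Cloud's real authorization logic.
"""
import re
from typing import Any, Dict, List, Optional

# Excerpt of AliyunServiceRolePolicyForBizWorks: only the two ram: statements
# are reproduced; the privatelink/ecs/vpc/cr/cs/edas statements are omitted.
SLR_POLICY_RAM_EXCERPT: Dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "bizworks.aliyuncs.com"}}},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}},
    ],
}

# The RAM-user policy from the last section of this page.
RAM_USER_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "bizworks.aliyuncs.com"}}},
    ],
}

# Constructed counter-example (not from the page): an over-broad grant a reviewer
# should reject, because it allows an SLR to be created or deleted for ANY service.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [{"Action": "ram:*ServiceLinkedRole", "Resource": "*", "Effect": "Allow"}],
}

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern in which '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition: Optional[Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Only StringEquals is modelled; any other operator counts as unsatisfied (conservative)."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str,
             context: Optional[Dict[str, str]] = None, resource: str = "*") -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy.

    Simplified rule: a matching explicit Deny wins; otherwise any matching Allow
    grants the request; otherwise the request is implicitly denied.
    """
    context = context or {}
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def unscoped_slr_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements covering an SLR action without pinning ram:ServiceName."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt["Action"])
        if not any(_wildcard_match(p, a) for p in patterns for a in SLR_ACTIONS):
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if not pinned:
            findings.append(stmt)
    return findings


def allowed_slr_services(policy: Dict[str, Any], action: str, candidates: List[str]) -> List[str]:
    """Which candidate service names the policy lets `action` be performed for."""
    return [s for s in candidates if evaluate(policy, action, {"ram:ServiceName": s}) == "Allow"]


if __name__ == "__main__":
    svcs = ["bizworks.aliyuncs.com", "privatelink.aliyuncs.com", "ecs.aliyuncs.com"]
    print("RAM user may create SLR for:", allowed_slr_services(RAM_USER_POLICY, SLR_ACTIONS[0], svcs))
    print("BizWorks SLR may create SLR for:", allowed_slr_services(SLR_POLICY_RAM_EXCERPT, SLR_ACTIONS[0], svcs))
    print("BizWorks SLR may delete SLR for:", allowed_slr_services(SLR_POLICY_RAM_EXCERPT, SLR_ACTIONS[1], svcs))
    print("Unscoped SLR grants in over-broad policy:", len(unscoped_slr_grants(OVERBROAD_POLICY)))
```

Run the file directly to see the three service lists; unscoped_slr_grants is the check to apply when reviewing any custom policy that touches ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole, since a grant without the ram:ServiceName condition is a grant for every service.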