文档

AIoT开放平台服务关联角色

更新时间:
一键部署

本文介绍AIoT开放平台服务关联角色AliyunServiceRoleForIoTAppHosting以及如何删除该角色。

背景信息

AIoT开放平台服务关联角色AliyunServiceRoleForIoTAppHosting是开放平台在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息请参见服务关联角色

AliyunServiceRoleForIoTAppHosting应用场景

开放平台应用托管功能需要访问容器服务ACK容器镜像服务云服务器ECS云监控云数据库RDS日志服务SLSEDAS应用实时监控ARMSRedis云数据库负载均衡SLB等资源的权限云服务的资源时,可通过自动创建的AIoT开放平台服务关联角色AliyunServiceRoleForIoTAppHosting获取访问权限。

AliyunServiceRoleForIoTAppHosting权限说明

AliyunServiceRoleForIoTAppHosting具备以下云服务的访问权限:容器服务ACK的访问权限:

{
  "Action": [
    "cs:CreateCluster",
    "cs:ScaleOutCluster",
    "cs:AttachInstances",
    "cs:DescribeClusterAttachScripts",
    "cs:DescribeClusterUserKubeconfig",
    "cs:ModifyClusterTags",
    "cs:DescribeClusterDetail",
    "cs:DescribeClusters",
    "cs:DeleteClusterNodes",
    "cs:DeleteCluster",
    "cs:DescribeClusterAddonUpgradeStatus",
    "cs:UnInstallClusterAddons",
    "cs:DescribeClusterAddonsVersion",
    "cs:ListTagResources",
    "cs:CancelClusterUpgrade",
    "cs:CreateTemplate",
    "cs:DeleteTemplate",
    "cs:CreateTriggerHook",
    "cs:DeleteTriggerHook",
    "cs:DescribeClusterLogs",
    "cs:DescribeExternalAgent",
    "cs:DescribeTemplates",
    "cs:DescribeUserQuota",
    "cs:GetUpgradeStatus",
    "cs:InstallClusterAddons",
    "cs:ModifyCluster",
    "cs:PauseClusterUpgrade",
    "cs:RemoveClusterNodes",
    "cs:ResumeUpgradeCluster",
    "cs:UpdateTemplate",
    "cs:UpgradeCluster",
    "cs:DescribeClusterNodes",
    "cs:UpgradeClusterAddons"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

容器镜像服务的访问权限:

{
  "Action": [
    "cr:DeleteNamespace",
    "cr:GetNamespace",
    "cr:UpdateNamespace",
    "cr:ListNamespace",
    "cr:CreateRepository",
    "cr:DeleteRepository",
    "cr:UpdateRepository",
    "cr:GetRepository",
    "cr:ListRepository",
    "cr:ListRepositoryTag",
    "cr:DeleteRepositoryTag",
    "cr:GetRepositoryManifest",
    "cr:GetRepositoryLayers",
    "cr:GetAuthorizationToken",
    "cr:PullRepository",
    "cr:PushRepository",
    "cr:CreateNamespace"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云服务器ECS的访问权限:

{
  "Action": [
    "ecs:CreateInstance",
    "ecs:RunInstances",
    "ecs:StartInstance",
    "ecs:StopInstance",
    "ecs:StopInstance",
    "ecs:RebootInstance",
    "ecs:DeleteInstance",
    "ecs:RenewInstance"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云监控的访问权限:

{
  "Action": [
    "cms:PutMetricAlarm",
    "cms:DeleteAlarm",
    "cms:GetMyGroups",
    "cms:QueryMetricList",
    "cms:PutContactGroup",
    "cms:DescribeContactListByContactGroup",
    "cms:ModifyMonitorGroup",
    "cms:DescribeMonitorGroups",
    "cms:CreateMonitorGroup",
    "cms:DeleteMonitorGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云数据库RDS的访问权限:

{
  "Action": [
    "rds:CreateDBInstance",
    "rds:DeleteDBInstance",
    "rds:RestartDBInstance",
    "rds:DescribeDBInstances",
    "rds:SwitchDBInstanceNetType",
    "rds:ModifyDBInstanceDescription",
    "rds:PurgeDBInstanceLog",
    "rds:CreateDatabase",
    "rds:DeleteDatabase",
    "rds:DescribeDatabases",
    "rds:ModifyDBDescription",
    "rds:ResetAccountPassword",
    "rds:RevokeAccountPrivilege",
    "rds:CreateAccount",
    "rds:DeleteAccount",
    "rds:GrantAccountPrivilege",
    "rds:DescribeAccounts",
    "rds:CreatePrepaidDBInstanceForChannel",
    "rds:ModifyPrepaidDBInstanceSpec",
    "rds:CreatePostpaidDBInstanceForChannel",
    "rds:ModifyPostpaidDBInstanceSpec",
    "rds:DescribeDBInstanceAttribute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

日志服务SLS的访问权限:

{
  "Action": [
    "log:GetProject",
    "log:GetMachineGroup",
    "log:GetLogStoreLogs",
    "log:GetLogStoreHistogram",
    "log:GetLogStore",
    "log:ListLogStores",
    "log:GetCursorOrData",
    "log:GetConfig",
    "log:ListConfig",
    "log:ListMachineGroup",
    "log:ListMachines",
    "log:GetAppliedMachineGroups",
    "log:GetAppliedConfigs",
    "log:ListConsumerGroup",
    "log:GetDashboard",
    "log:ListDashboard",
    "log:CreateProject",
    "log:DeleteProject",
    "log:CreateLogStore",
    "log:DeleteLogStore",
    "log:UpdateLogStore",
    "log:PostLogStoreLogs",
    "log:CreateConfig",
    "log:UpdateConfig",
    "log:DeleteConfig",
    "log:CreateMachineGroup",
    "log:UpdateMachineGroup",
    "log:DeleteMachineGroup",
    "log:ApplyConfigToGroup",
    "log:ApplyConfigToMachineGroup",
    "log:RemoveConfigFromGroup",
    "log:CreateIndex",
    "log:DeleteIndex",
    "log:UpdateIndex",
    "log:GetIndex",
    "log:CreateSavedSearch",
    "log:UpdateSavedSearch",
    "log:DeleteSavedSearch",
    "log:CreateDashboard",
    "log:UpdateDashboard",
    "log:DeleteDashboard",
    "log:ListShards",
    "log:ListSavedSearch",
    "log:GetSavedSearch",
    "log:ListProject"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

EDAS的访问权限:

{
  "Action": [
    "edas:ReadApplication",
    "edas:ManageApplicationp"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

应用实时监控ARMS的访问权限:

{
  "Action": [
    "arms:AddGrafana",
    "arms:AddIntegration",
    "arms:GetPrometheusApiToken",
    "arms:ListCluster",
    "arms:ListClusterFromGrafana",
    "arms:ListDashboards"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Redis云数据库的访问权限:

{
  "Action": [
    "kvstore:CreateInstance",
    "kvstore:DescribeInstanceAttribute",
    "kvstore:ModifyInstanceAttribute",
    "kvstore:DeleteInstance",
    "kvstore:DescribeInstances",
    "kvstore:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

负载均衡SLB的访问权限:

{
  "Action": [
    "slb:UploadServerCertificate",
    "slb:DescribeServerCertificates",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:CreateVServerGroup",
    "slb:DeleteVServerGroup",
    "slb:DeleteLoadBalancerListener",
    "slb:DescribeLoadBalancerAttribute",
    "slb:CreateLoadBalancer",
    "slb:DeleteLoadBalancer",
    "slb:AssociateEipAddress",
    "slb:CreateAccessControlList",
    "slb:DescribeAccessControlLists",
    "slb:AddAccessControlListEntry",
    "slb:DescribeLoadBalancers"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

删除AliyunServiceRoleForIoTAppHosting

如果您使用了开放平台应用托管功能,然后需要删除服务关联角色AliyunServiceRoleForIoTAppHosting,例如您出于安全考虑,需要删除该角色,则需要先明确删除后的影响:删除AliyunServiceRoleForIoTAppHosting后,系统将失去对集群的管理能力(包括应用的管理、资源的管理等)。删除AliyunServiceRoleForIoTAppHosting的操作步骤如下:

  1. 登录RAM控制台,在左侧导航栏中单击角色

  2. RAM角色管理页面的搜索框中,输入AliyunServiceRoleForIoTAppHosting,自动搜索到名称为AliyunServiceRoleForIoTAppHosting的RAM角色。

  3. 在右侧操作列,单击删除

  4. 删除RAM角色对话框,单击确定

  • 本页导读 (0)
文档反馈