
AIoT Open Platform service-linked role

Last updated: 2020-07-29 17:42:39

This topic describes the AIoT Open Platform service-linked role AliyunServiceRoleForIoTAppHosting and how to delete it.

Background

The AIoT Open Platform service-linked role AliyunServiceRoleForIoTAppHosting is a RAM role that the open platform assumes in certain situations when it needs access permissions on other cloud services in order to complete one of its own functions. For more information about service-linked roles, see Service-linked roles.

Scenarios for AliyunServiceRoleForIoTAppHosting

When the application hosting feature of the open platform needs permissions on resources of cloud services such as Container Service for Kubernetes (ACK), Container Registry, Elastic Compute Service (ECS), CloudMonitor, ApsaraDB RDS, Log Service (SLS), EDAS, Application Real-Time Monitoring Service (ARMS), ApsaraDB for Redis, and Server Load Balancer (SLB), it obtains those permissions through the automatically created AIoT Open Platform service-linked role AliyunServiceRoleForIoTAppHosting.

Permissions of AliyunServiceRoleForIoTAppHosting

AliyunServiceRoleForIoTAppHosting has the following permissions on cloud services:
Permissions on Container Service for Kubernetes (ACK):

    {
        "Action": [
            "cs:CreateCluster",
            "cs:ScaleOutCluster",
            "cs:AttachInstances",
            "cs:DescribeClusterAttachScripts",
            "cs:DescribeClusterUserKubeconfig",
            "cs:ModifyClusterTags",
            "cs:DescribeClusterDetail",
            "cs:DescribeClusters",
            "cs:DeleteClusterNodes",
            "cs:DeleteCluster",
            "cs:DescribeClusterAddonUpgradeStatus",
            "cs:UnInstallClusterAddons",
            "cs:DescribeClusterAddonsVersion",
            "cs:ListTagResources",
            "cs:CancelClusterUpgrade",
            "cs:CreateTemplate",
            "cs:DeleteTemplate",
            "cs:CreateTriggerHook",
            "cs:DeleteTriggerHook",
            "cs:DescribeClusterLogs",
            "cs:DescribeExternalAgent",
            "cs:DescribeTemplates",
            "cs:DescribeUserQuota",
            "cs:GetUpgradeStatus",
            "cs:InstallClusterAddons",
            "cs:ModifyCluster",
            "cs:PauseClusterUpgrade",
            "cs:RemoveClusterNodes",
            "cs:ResumeUpgradeCluster",
            "cs:UpdateTemplate",
            "cs:UpgradeCluster",
            "cs:DescribeClusterNodes",
            "cs:UpgradeClusterAddons"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on Container Registry:

    {
        "Action": [
            "cr:DeleteNamespace",
            "cr:GetNamespace",
            "cr:UpdateNamespace",
            "cr:ListNamespace",
            "cr:CreateRepository",
            "cr:DeleteRepository",
            "cr:UpdateRepository",
            "cr:GetRepository",
            "cr:ListRepository",
            "cr:ListRepositoryTag",
            "cr:DeleteRepositoryTag",
            "cr:GetRepositoryManifest",
            "cr:GetRepositoryLayers",
            "cr:GetAuthorizationToken",
            "cr:PullRepository",
            "cr:PushRepository",
            "cr:CreateNamespace"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on Elastic Compute Service (ECS):

    {
        "Action": [
            "ecs:CreateInstance",
            "ecs:RunInstances",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:StopInstance",
            "ecs:RebootInstance",
            "ecs:DeleteInstance",
            "ecs:RenewInstance"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on CloudMonitor:

    {
        "Action": [
            "cms:PutMetricAlarm",
            "cms:DeleteAlarm",
            "cms:GetMyGroups",
            "cms:QueryMetricList",
            "cms:PutContactGroup",
            "cms:DescribeContactListByContactGroup",
            "cms:ModifyMonitorGroup",
            "cms:DescribeMonitorGroups",
            "cms:CreateMonitorGroup",
            "cms:DeleteMonitorGroup"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on ApsaraDB RDS:

    {
        "Action": [
            "rds:CreateDBInstance",
            "rds:DeleteDBInstance",
            "rds:RestartDBInstance",
            "rds:DescribeDBInstances",
            "rds:SwitchDBInstanceNetType",
            "rds:ModifyDBInstanceDescription",
            "rds:PurgeDBInstanceLog",
            "rds:CreateDatabase",
            "rds:DeleteDatabase",
            "rds:DescribeDatabases",
            "rds:ModifyDBDescription",
            "rds:ResetAccountPassword",
            "rds:RevokeAccountPrivilege",
            "rds:CreateAccount",
            "rds:DeleteAccount",
            "rds:GrantAccountPrivilege",
            "rds:DescribeAccounts",
            "rds:CreatePrepaidDBInstanceForChannel",
            "rds:ModifyPrepaidDBInstanceSpec",
            "rds:CreatePostpaidDBInstanceForChannel",
            "rds:ModifyPostpaidDBInstanceSpec",
            "rds:DescribeDBInstanceAttribute"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on Log Service (SLS):

    {
        "Action": [
            "log:GetProject",
            "log:GetMachineGroup",
            "log:GetLogStoreLogs",
            "log:GetLogStoreHistogram",
            "log:GetLogStore",
            "log:ListLogStores",
            "log:GetCursorOrData",
            "log:GetConfig",
            "log:ListConfig",
            "log:ListMachineGroup",
            "log:ListMachines",
            "log:GetAppliedMachineGroups",
            "log:GetAppliedConfigs",
            "log:ListConsumerGroup",
            "log:GetDashboard",
            "log:ListDashboard",
            "log:CreateProject",
            "log:DeleteProject",
            "log:CreateLogStore",
            "log:DeleteLogStore",
            "log:UpdateLogStore",
            "log:PostLogStoreLogs",
            "log:CreateConfig",
            "log:UpdateConfig",
            "log:DeleteConfig",
            "log:CreateMachineGroup",
            "log:UpdateMachineGroup",
            "log:DeleteMachineGroup",
            "log:ApplyConfigToGroup",
            "log:ApplyConfigToMachineGroup",
            "log:RemoveConfigFromGroup",
            "log:CreateIndex",
            "log:DeleteIndex",
            "log:UpdateIndex",
            "log:GetIndex",
            "log:CreateSavedSearch",
            "log:UpdateSavedSearch",
            "log:DeleteSavedSearch",
            "log:CreateDashboard",
            "log:UpdateDashboard",
            "log:DeleteDashboard",
            "log:ListShards",
            "log:ListSavedSearch",
            "log:GetSavedSearch",
            "log:ListProject"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on EDAS:

    {
        "Action": [
            "edas:ReadApplication",
            "edas:ManageApplicationp"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on Application Real-Time Monitoring Service (ARMS):

    {
        "Action": [
            "arms:AddGrafana",
            "arms:AddIntegration",
            "arms:GetPrometheusApiToken",
            "arms:ListCluster",
            "arms:ListClusterFromGrafana",
            "arms:ListDashboards"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on ApsaraDB for Redis:

    {
        "Action": [
            "kvstore:CreateInstance",
            "kvstore:DescribeInstanceAttribute",
            "kvstore:ModifyInstanceAttribute",
            "kvstore:DeleteInstance",
            "kvstore:DescribeInstances",
            "kvstore:DescribeRegions"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

Permissions on Server Load Balancer (SLB):

    {
        "Action": [
            "slb:UploadServerCertificate",
            "slb:DescribeServerCertificates",
            "slb:CreateLoadBalancerHTTPSListener",
            "slb:SetLoadBalancerTCPListenerAttribute",
            "slb:CreateVServerGroup",
            "slb:DeleteVServerGroup",
            "slb:DeleteLoadBalancerListener",
            "slb:DescribeLoadBalancerAttribute",
            "slb:CreateLoadBalancer",
            "slb:DeleteLoadBalancer",
            "slb:AssociateEipAddress",
            "slb:CreateAccessControlList",
            "slb:DescribeAccessControlLists",
            "slb:AddAccessControlListEntry",
            "slb:DescribeLoadBalancers"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
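Every statement above is an Allow on Resource "*", so a least-privilege review of this role comes down to reading the action lists: which actions change state, which touch credentials or privileges, and whether the list itself is clean. The following script is an added example (not Alibaba Cloud's code or part of this topic); it embeds the ECS and ApsaraDB RDS statements exactly as listed above, including the repeated ecs:StopInstance entry, and applies a verb-based read/write split that is an assumption made for the review, not an Alibaba Cloud classification.

```python
"""Least-privilege review of the policy statements attached to a service-linked role.

Added example, not Alibaba Cloud's code: takes RAM policy statements as dicts and
reports the findings a reviewer wants before trusting a role with these grants.
"""
import re
from collections import Counter

# Sample input: the ECS and RDS statements copied from the topic above, including
# the duplicated "ecs:StopInstance" entry exactly as the topic lists it.
ECS_STATEMENT = {
    "Action": [
        "ecs:CreateInstance", "ecs:RunInstances", "ecs:StartInstance",
        "ecs:StopInstance", "ecs:StopInstance", "ecs:RebootInstance",
        "ecs:DeleteInstance", "ecs:RenewInstance",
    ],
    "Resource": "*",
    "Effect": "Allow",
}

RDS_STATEMENT = {
    "Action": [
        "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:RestartDBInstance",
        "rds:DescribeDBInstances", "rds:SwitchDBInstanceNetType",
        "rds:ModifyDBInstanceDescription", "rds:PurgeDBInstanceLog",
        "rds:CreateDatabase", "rds:DeleteDatabase", "rds:DescribeDatabases",
        "rds:ModifyDBDescription", "rds:ResetAccountPassword",
        "rds:RevokeAccountPrivilege", "rds:CreateAccount", "rds:DeleteAccount",
        "rds:GrantAccountPrivilege", "rds:DescribeAccounts",
        "rds:CreatePrepaidDBInstanceForChannel", "rds:ModifyPrepaidDBInstanceSpec",
        "rds:CreatePostpaidDBInstanceForChannel", "rds:ModifyPostpaidDBInstanceSpec",
        "rds:DescribeDBInstanceAttribute",
    ],
    "Resource": "*",
    "Effect": "Allow",
}

# Operation verbs treated as read-only; every other verb is treated as state-changing.
# This split is an assumption made for the review, not an Alibaba Cloud classification.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Query")

# State-changing operations whose name points at credentials or privileges are flagged
# separately: they hand out control over identities, not just over resources.
CREDENTIAL_PATTERN = re.compile(r"Password|Privilege|Account|Kubeconfig|Token|Certificate")


def split_action(action):
    """Split 'service:Operation' into (service, operation)."""
    service, _, operation = action.partition(":")
    return service, operation


def is_read_only(action):
    return split_action(action)[1].startswith(READ_ONLY_VERBS)


def audit_statement(statement):
    """Return the review findings for one policy statement as a dict."""
    counts = Counter(statement["Action"])
    unique_actions = sorted(counts)
    write_actions = [a for a in unique_actions if not is_read_only(a)]
    # Allow on Resource "*" means each write action applies to every resource of that
    # service in the account, not only to the ones the platform created itself.
    wildcard_allow = statement.get("Effect") == "Allow" and statement.get("Resource") == "*"
    return {
        "services": sorted({split_action(a)[0] for a in unique_actions}),
        "wildcard_allow": wildcard_allow,
        "duplicates": sorted(a for a, n in counts.items() if n > 1),
        "read_actions": [a for a in unique_actions if is_read_only(a)],
        "write_actions": write_actions,
        "credential_actions": [a for a in write_actions
                               if CREDENTIAL_PATTERN.search(split_action(a)[1])],
        "broad_write": write_actions if wildcard_allow else [],
    }


def audit_policy(statements):
    """Audit every statement and key the findings by the service(s) it covers."""
    return {",".join(f["services"]): f for f in map(audit_statement, statements)}


def report(findings):
    """Render the findings as plain text, one block per service."""
    lines = []
    for key, f in findings.items():
        lines.append(f"{key}: {len(f['read_actions'])} read, {len(f['write_actions'])} write actions")
        if f["broad_write"]:
            lines.append(f'  {len(f["broad_write"])} write actions granted on Resource "*"')
        if f["credential_actions"]:
            lines.append("  credential/privilege actions: " + ", ".join(f["credential_actions"]))
        if f["duplicates"]:
            lines.append("  duplicate entries: " + ", ".join(f["duplicates"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_policy([ECS_STATEMENT, RDS_STATEMENT])))
```

Feed it the other statements from this topic in the same way to get a full picture of the role. On the two embedded statements it reports that every ECS action is a write action on Resource "*", that the RDS statement carries five account-level actions (creating, deleting and granting privileges to database accounts and resetting their passwords), and that ecs:StopInstance is listed twice.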

Delete AliyunServiceRoleForIoTAppHosting

If you have used the application hosting feature of the open platform and then need to delete the service-linked role AliyunServiceRoleForIoTAppHosting, for example for security reasons, first understand the consequences: after AliyunServiceRoleForIoTAppHosting is deleted, the system loses its ability to manage the cluster, including managing applications and resources.
To delete AliyunServiceRoleForIoTAppHosting, perform the following steps:

  1. Log on to the RAM console. In the left-side navigation pane, click RAM Roles.
  2. On the RAM Roles page, enter AliyunServiceRoleForIoTAppHosting in the search box. The RAM role named AliyunServiceRoleForIoTAppHosting is found automatically.
  3. In the Actions column, click Delete.
  4. In the Delete RAM Role dialog box, click OK.