服务关联角色
本节介绍阿里云AIoT能力中心服务关联角色AliyunServiceRoleForIoTAppHosting,及其使用操作。
背景信息
AIoT能力中心服务关联角色AliyunServiceRoleForIoTAppHosting是为实现某个功能需获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息请参见服务关联角色。
AliyunServiceRoleForIoTAppHosting应用场景
开放平台应用托管功能需要访问容器服务ACK、容器镜像服务、云服务器ECS、云监控、云数据库RDS、日志服务SLS、EDAS、应用实时监控ARMS、Redis云数据库和负载均衡SLB等云服务的资源时,可通过自动创建的AIoT能力中心服务关联角色AliyunServiceRoleForIoTAppHosting获取相应的访问权限。
AliyunServiceRoleForIoTAppHosting权限说明
AliyunServiceRoleForIoTAppHosting具备以下云服务的访问权限:
容器服务ACK的访问权限:
{
"Action":[
"cs:CreateCluster",
"cs:ScaleOutCluster",
"cs:AttachInstances",
"cs:DescribeClusterAttachScripts",
"cs:DescribeClusterUserKubeconfig",
"cs:ModifyClusterTags",
"cs:DescribeClusterDetail",
"cs:DescribeClusters",
"cs:DeleteClusterNodes",
"cs:DeleteCluster",
"cs:DescribeClusterAddonUpgradeStatus",
"cs:UnInstallClusterAddons",
"cs:DescribeClusterAddonsVersion",
"cs:ListTagResources",
"cs:CancelClusterUpgrade",
"cs:CreateTemplate",
"cs:DeleteTemplate",
"cs:CreateTriggerHook",
"cs:DeleteTriggerHook",
"cs:DescribeClusterLogs",
"cs:DescribeExternalAgent",
"cs:DescribeTemplates",
"cs:DescribeUserQuota",
"cs:GetUpgradeStatus",
"cs:InstallClusterAddons",
"cs:ModifyCluster",
"cs:PauseClusterUpgrade",
"cs:RemoveClusterNodes",
"cs:ResumeUpgradeCluster",
"cs:UpdateTemplate",
"cs:UpgradeCluster",
"cs:DescribeClusterNodes",
"cs:UpgradeClusterAddons"
],
"Resource":"*",
"Effect":"Allow"
}
容器镜像服务的访问权限:
{
"Action":[
"cr:DeleteNamespace",
"cr:GetNamespace",
"cr:UpdateNamespace",
"cr:ListNamespace",
"cr:CreateRepository",
"cr:DeleteRepository",
"cr:UpdateRepository",
"cr:GetRepository",
"cr:ListRepository",
"cr:ListRepositoryTag",
"cr:DeleteRepositoryTag",
"cr:GetRepositoryManifest",
"cr:GetRepositoryLayers",
"cr:GetAuthorizationToken",
"cr:PullRepository",
"cr:PushRepository",
"cr:CreateNamespace"
],
"Resource":"*",
"Effect":"Allow"
}
云服务器ECS的访问权限:
{
"Action":[
"ecs:CreateInstance",
"ecs:RunInstances",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:StopInstance",
"ecs:RebootInstance",
"ecs:DeleteInstance",
"ecs:RenewInstance"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"cms:PutMetricAlarm",
"cms:DeleteAlarm",
"cms:GetMyGroups",
"cms:QueryMetricList",
"cms:PutContactGroup",
"cms:DescribeContactListByContactGroup",
"cms:ModifyMonitorGroup",
"cms:DescribeMonitorGroups",
"cms:CreateMonitorGroup",
"cms:DeleteMonitorGroup"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"rds:RestartDBInstance",
"rds:DescribeDBInstances",
"rds:SwitchDBInstanceNetType",
"rds:ModifyDBInstanceDescription",
"rds:PurgeDBInstanceLog",
"rds:CreateDatabase",
"rds:DeleteDatabase",
"rds:DescribeDatabases",
"rds:ModifyDBDescription",
"rds:ResetAccountPassword",
"rds:RevokeAccountPrivilege",
"rds:CreateAccount",
"rds:DeleteAccount",
"rds:GrantAccountPrivilege",
"rds:DescribeAccounts",
"rds:CreatePrepaidDBInstanceForChannel",
"rds:ModifyPrepaidDBInstanceSpec",
"rds:CreatePostpaidDBInstanceForChannel",
"rds:ModifyPostpaidDBInstanceSpec",
"rds:DescribeDBInstanceAttribute"
],
"Resource":"*",
"Effect":"Allow"
}
日志服务SLS的访问权限:
{
"Action":[
"log:GetProject",
"log:GetMachineGroup",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:GetLogStore",
"log:ListLogStores",
"log:GetCursorOrData",
"log:GetConfig",
"log:ListConfig",
"log:ListMachineGroup",
"log:ListMachines",
"log:GetAppliedMachineGroups",
"log:GetAppliedConfigs",
"log:ListConsumerGroup",
"log:GetDashboard",
"log:ListDashboard",
"log:CreateProject",
"log:DeleteProject",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:UpdateLogStore",
"log:PostLogStoreLogs",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:ApplyConfigToGroup",
"log:ApplyConfigToMachineGroup",
"log:RemoveConfigFromGroup",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:GetIndex",
"log:CreateSavedSearch",
"log:UpdateSavedSearch",
"log:DeleteSavedSearch",
"log:CreateDashboard",
"log:UpdateDashboard",
"log:DeleteDashboard",
"log:ListShards",
"log:ListSavedSearch",
"log:GetSavedSearch",
"log:ListProject"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"edas:ReadApplication",
"edas:ManageApplicationp"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"arms:AddGrafana",
"arms:AddIntegration",
"arms:GetPrometheusApiToken",
"arms:ListCluster",
"arms:ListClusterFromGrafana",
"arms:ListDashboards"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"kvstore:CreateInstance",
"kvstore:DescribeInstanceAttribute",
"kvstore:ModifyInstanceAttribute",
"kvstore:DeleteInstance",
"kvstore:DescribeInstances",
"kvstore:DescribeRegions"
],
"Resource":"*",
"Effect":"Allow"
}
{
"Action":[
"slb:UploadServerCertificate",
"slb:DescribeServerCertificates",
"slb:CreateLoadBalancerHTTPSListener",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateVServerGroup",
"slb:DeleteVServerGroup",
"slb:DeleteLoadBalancerListener",
"slb:DescribeLoadBalancerAttribute",
"slb:CreateLoadBalancer",
"slb:DeleteLoadBalancer",
"slb:AssociateEipAddress",
"slb:CreateAccessControlList",
"slb:DescribeAccessControlLists",
"slb:AddAccessControlListEntry",
"slb:DescribeLoadBalancers"
],
"Resource":"*",
"Effect":"Allow"
}
删除AliyunServiceRoleForIoTAppHosting
如果您使用了AIoT能力中心的应用托管功能,并且需要删除服务关联角色AliyunServiceRoleForIoTAppHosting(例如出于安全考虑),请先明确删除后的影响:删除AliyunServiceRoleForIoTAppHosting后,系统将失去对集群的管理能力(包括应用的管理、资源的管理等)。删除AliyunServiceRoleForIoTAppHosting的操作步骤如下:
登录RAM控制台,在左侧导航栏中单击RAM角色管理。
在RAM角色管理页面的搜索框中,输入AliyunServiceRoleForIoTAppHosting,自动搜索到名称为AliyunServiceRoleForIoTAppHosting的RAM角色。
在右侧操作列,单击删除。
在删除RAM角色对话框,单击确定。