Service-linked role


This topic describes the Alibaba Cloud AIoT Capability Center service-linked role AliyunServiceRoleForIoTAppHosting and how to work with it.

Background information

The AIoT Capability Center service-linked role AliyunServiceRoleForIoTAppHosting is a RAM role that the service assumes to obtain access permissions on other cloud services when a feature requires them. For more information about service-linked roles, see Service-linked roles.

Scenarios for AliyunServiceRoleForIoTAppHosting

When the application hosting feature of the open platform needs permissions to access resources of cloud services such as Container Service for Kubernetes (ACK), Container Registry, Elastic Compute Service (ECS), CloudMonitor, ApsaraDB RDS, Log Service (SLS), EDAS, Application Real-Time Monitoring Service (ARMS), ApsaraDB for Redis, and Server Load Balancer (SLB), it obtains those permissions through the automatically created AIoT Capability Center service-linked role AliyunServiceRoleForIoTAppHosting.

Permissions of AliyunServiceRoleForIoTAppHosting

AliyunServiceRoleForIoTAppHosting has the following permissions on cloud services.

Permissions on Container Service for Kubernetes (ACK):

{
  "Action": [
    "cs:CreateCluster",
    "cs:ScaleOutCluster",
    "cs:AttachInstances",
    "cs:DescribeClusterAttachScripts",
    "cs:DescribeClusterUserKubeconfig",
    "cs:ModifyClusterTags",
    "cs:DescribeClusterDetail",
    "cs:DescribeClusters",
    "cs:DeleteClusterNodes",
    "cs:DeleteCluster",
    "cs:DescribeClusterAddonUpgradeStatus",
    "cs:UnInstallClusterAddons",
    "cs:DescribeClusterAddonsVersion",
    "cs:ListTagResources",
    "cs:CancelClusterUpgrade",
    "cs:CreateTemplate",
    "cs:DeleteTemplate",
    "cs:CreateTriggerHook",
    "cs:DeleteTriggerHook",
    "cs:DescribeClusterLogs",
    "cs:DescribeExternalAgent",
    "cs:DescribeTemplates",
    "cs:DescribeUserQuota",
    "cs:GetUpgradeStatus",
    "cs:InstallClusterAddons",
    "cs:ModifyCluster",
    "cs:PauseClusterUpgrade",
    "cs:RemoveClusterNodes",
    "cs:ResumeUpgradeCluster",
    "cs:UpdateTemplate",
    "cs:UpgradeCluster",
    "cs:DescribeClusterNodes",
    "cs:UpgradeClusterAddons"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Container Registry:

{
  "Action": [
    "cr:DeleteNamespace",
    "cr:GetNamespace",
    "cr:UpdateNamespace",
    "cr:ListNamespace",
    "cr:CreateRepository",
    "cr:DeleteRepository",
    "cr:UpdateRepository",
    "cr:GetRepository",
    "cr:ListRepository",
    "cr:ListRepositoryTag",
    "cr:DeleteRepositoryTag",
    "cr:GetRepositoryManifest",
    "cr:GetRepositoryLayers",
    "cr:GetAuthorizationToken",
    "cr:PullRepository",
    "cr:PushRepository",
    "cr:CreateNamespace"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Elastic Compute Service (ECS):

{
  "Action": [
    "ecs:CreateInstance",
    "ecs:RunInstances",
    "ecs:StartInstance",
    "ecs:StopInstance",
    "ecs:StopInstance",
    "ecs:RebootInstance",
    "ecs:DeleteInstance",
    "ecs:RenewInstance"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on CloudMonitor:

{
  "Action": [
    "cms:PutMetricAlarm",
    "cms:DeleteAlarm",
    "cms:GetMyGroups",
    "cms:QueryMetricList",
    "cms:PutContactGroup",
    "cms:DescribeContactListByContactGroup",
    "cms:ModifyMonitorGroup",
    "cms:DescribeMonitorGroups",
    "cms:CreateMonitorGroup",
    "cms:DeleteMonitorGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on ApsaraDB RDS:

{
  "Action": [
    "rds:CreateDBInstance",
    "rds:DeleteDBInstance",
    "rds:RestartDBInstance",
    "rds:DescribeDBInstances",
    "rds:SwitchDBInstanceNetType",
    "rds:ModifyDBInstanceDescription",
    "rds:PurgeDBInstanceLog",
    "rds:CreateDatabase",
    "rds:DeleteDatabase",
    "rds:DescribeDatabases",
    "rds:ModifyDBDescription",
    "rds:ResetAccountPassword",
    "rds:RevokeAccountPrivilege",
    "rds:CreateAccount",
    "rds:DeleteAccount",
    "rds:GrantAccountPrivilege",
    "rds:DescribeAccounts",
    "rds:CreatePrepaidDBInstanceForChannel",
    "rds:ModifyPrepaidDBInstanceSpec",
    "rds:CreatePostpaidDBInstanceForChannel",
    "rds:ModifyPostpaidDBInstanceSpec",
    "rds:DescribeDBInstanceAttribute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Log Service (SLS):

{
  "Action": [
    "log:GetProject",
    "log:GetMachineGroup",
    "log:GetLogStoreLogs",
    "log:GetLogStoreHistogram",
    "log:GetLogStore",
    "log:ListLogStores",
    "log:GetCursorOrData",
    "log:GetConfig",
    "log:ListConfig",
    "log:ListMachineGroup",
    "log:ListMachines",
    "log:GetAppliedMachineGroups",
    "log:GetAppliedConfigs",
    "log:ListConsumerGroup",
    "log:GetDashboard",
    "log:ListDashboard",
    "log:CreateProject",
    "log:DeleteProject",
    "log:CreateLogStore",
    "log:DeleteLogStore",
    "log:UpdateLogStore",
    "log:PostLogStoreLogs",
    "log:CreateConfig",
    "log:UpdateConfig",
    "log:DeleteConfig",
    "log:CreateMachineGroup",
    "log:UpdateMachineGroup",
    "log:DeleteMachineGroup",
    "log:ApplyConfigToGroup",
    "log:ApplyConfigToMachineGroup",
    "log:RemoveConfigFromGroup",
    "log:CreateIndex",
    "log:DeleteIndex",
    "log:UpdateIndex",
    "log:GetIndex",
    "log:CreateSavedSearch",
    "log:UpdateSavedSearch",
    "log:DeleteSavedSearch",
    "log:CreateDashboard",
    "log:UpdateDashboard",
    "log:DeleteDashboard",
    "log:ListShards",
    "log:ListSavedSearch",
    "log:GetSavedSearch",
    "log:ListProject"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on EDAS:

{
  "Action": [
    "edas:ReadApplication",
    "edas:ManageApplicationp"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Application Real-Time Monitoring Service (ARMS):

{
  "Action": [
    "arms:AddGrafana",
    "arms:AddIntegration",
    "arms:GetPrometheusApiToken",
    "arms:ListCluster",
    "arms:ListClusterFromGrafana",
    "arms:ListDashboards"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on ApsaraDB for Redis:

{
  "Action": [
    "kvstore:CreateInstance",
    "kvstore:DescribeInstanceAttribute",
    "kvstore:ModifyInstanceAttribute",
    "kvstore:DeleteInstance",
    "kvstore:DescribeInstances",
    "kvstore:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Server Load Balancer (SLB):

{
  "Action": [
    "slb:UploadServerCertificate",
    "slb:DescribeServerCertificates",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:CreateVServerGroup",
    "slb:DeleteVServerGroup",
    "slb:DeleteLoadBalancerListener",
    "slb:DescribeLoadBalancerAttribute",
    "slb:CreateLoadBalancer",
    "slb:DeleteLoadBalancer",
    "slb:AssociateEipAddress",
    "slb:CreateAccessControlList",
    "slb:DescribeAccessControlLists",
    "slb:AddAccessControlListEntry",
    "slb:DescribeLoadBalancers"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
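Every statement above is an Allow on "Resource": "*", so the practical question for a reviewer is not which resources the role can reach but which services it can change or destroy account-wide. The following Python script is an added example, not code from this page or from Alibaba Cloud: it takes a RAM policy document, groups the actions by service, counts read, write and destructive operations using its own verb heuristic (the prefix lists are assumptions, not an Alibaba Cloud classification), and flags services where an unscoped statement grants change or delete capability. The embedded policy is constructed from a subset of the actions listed on this page; the real role grants many more.

```python
"""Summarize the blast radius of a RAM policy document, per service."""
import json
import re
from collections import defaultdict

# Verb prefixes used to classify an operation; this is the example's own heuristic.
DESTRUCTIVE = re.compile(r"^(Delete|Remove|Reset|UnInstall|Purge|Revoke)", re.I)
WRITE = re.compile(
    r"^(Create|Run|Start|Stop|Reboot|Modify|Update|Put|Add|Upload|Set|Grant|Apply"
    r"|Push|Install|Upgrade|Scale|Attach|Associate|Renew|Switch|Pause|Resume|Cancel"
    r"|Post|Manage)",
    re.I,
)

# Constructed sample: a subset of the statements documented for
# AliyunServiceRoleForIoTAppHosting, including the duplicated ecs:StopInstance entry.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["cs:CreateCluster", "cs:DeleteCluster", "cs:DescribeClusters",
                    "cs:DescribeClusterUserKubeconfig"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:RunInstances", "ecs:StopInstance", "ecs:StopInstance",
                    "ecs:DeleteInstance"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["rds:ResetAccountPassword", "rds:GrantAccountPrivilege",
                    "rds:DescribeAccounts"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:GetLogStoreLogs", "log:ListProject"],
         "Resource": "*", "Effect": "Allow"},
    ],
})


def classify(action):
    """Return 'destructive', 'write' or 'read' for a 'service:Operation' action."""
    _, _, operation = action.partition(":")
    if DESTRUCTIVE.match(operation):
        return "destructive"
    if WRITE.match(operation):
        return "write"
    return "read"


def summarize(policy_json):
    """Per service: action counts by class, plus whether any Allow statement is unscoped."""
    doc = json.loads(policy_json)
    summary = defaultdict(
        lambda: {"read": 0, "write": 0, "destructive": 0, "unscoped": False})
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        unscoped = "*" in resources
        # set() so a repeated action (ecs:StopInstance above) is counted once
        for action in sorted(set(actions)):
            service = action.split(":", 1)[0]
            summary[service][classify(action)] += 1
            summary[service]["unscoped"] |= unscoped
    return dict(summary)


def risky_services(policy_json):
    """Services where the role can change or destroy resources without a resource scope."""
    return sorted(service for service, counts in summarize(policy_json).items()
                  if counts["unscoped"] and (counts["destructive"] or counts["write"]))


if __name__ == "__main__":
    for service, counts in sorted(summarize(SAMPLE_POLICY).items()):
        print(f"{service:8s} read={counts['read']:2d} write={counts['write']:2d} "
              f"destructive={counts['destructive']:2d} resource=*: {counts['unscoped']}")
    print("account-wide change/delete capability:", risky_services(SAMPLE_POLICY))
```

Run against the full policy document of the role (for example, exported from the RAM console), the per-service table gives a quick view of what would be affected by a compromise of the service principal and, read the other way, what functionality is lost once the role is deleted.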

Delete AliyunServiceRoleForIoTAppHosting

If you have used the application hosting feature of AIoT Capability Center and then need to delete the service-linked role AliyunServiceRoleForIoTAppHosting, for example for security reasons, first understand the impact of the deletion: after AliyunServiceRoleForIoTAppHosting is deleted, the system loses the ability to manage the cluster, including managing applications and resources. To delete AliyunServiceRoleForIoTAppHosting, perform the following steps:

  1. Log on to the RAM console. In the left-side navigation pane, click RAM Roles.

  2. On the RAM Roles page, enter AliyunServiceRoleForIoTAppHosting in the search box. The RAM role named AliyunServiceRoleForIoTAppHosting is found automatically.

  3. In the Actions column on the right, click Delete.

  4. In the Delete RAM Role dialog box, click OK.