文档

服务关联角色

更新时间:

Serverless 应用引擎 SAE(Serverless App Engine)通过服务关联角色SLR(Service Linked Role)来获取其他云资源的访问权限。本文介绍SLR的应用场景以及如何创建及删除SLR。

什么是SLR

某些场景下,SAE为了完成自身的某个功能,需要获取其他云服务的访问权限。例如创建应用时要获取您的专有网络VPC(Virtual Private Cloud)等信息,就可以通过SLR获取VPC等产品的访问权限。通过SLR可以更好地配置云服务正常操作所必须的权限,避免误操作带来的风险。SLR的权限策略由关联的云服务定义和使用,您不能修改或删除权限策略,也不能为SLR添加或移除权限。更多信息,请参见服务关联角色

SLR权限说明

角色名称:AliyunServiceRoleForSAE

角色权限策略:AliyunServiceRolePolicyForSAE

权限说明:

json{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alb:TagResources",
                "alb:UnTagResources",
                "alb:ListServerGroups",
                "alb:ListServerGroupServers",
                "alb:AddServersToServerGroup",
                "alb:RemoveServersFromServerGroup",
                "alb:ReplaceServersInServerGroup",
                "alb:CreateLoadBalancer",
                "alb:DeleteLoadBalancer",
                "alb:UpdateLoadBalancerAttribute",
                "alb:UpdateLoadBalancerEdition",
                "alb:EnableLoadBalancerAccessLog",
                "alb:DisableLoadBalancerAccessLog",
                "alb:EnableDeletionProtection",
                "alb:DisableDeletionProtection",
                "alb:ListLoadBalancers",
                "alb:GetLoadBalancerAttribute",
                "alb:ListListeners",
                "alb:CreateListener",
                "alb:GetListenerAttribute",
                "alb:UpdateListenerAttribute",
                "alb:ListListenerCertificates",
                "alb:AssociateAdditionalCertificatesWithListener",
                "alb:DissociateAdditionalCertificatesFromListener",
                "alb:DeleteListener",
                "alb:CreateRule",
                "alb:DeleteRule",
                "alb:UpdateRuleAttribute",
                "alb:CreateRules",
                "alb:UpdateRulesAttribute",
                "alb:DeleteRules",
                "alb:ListRules",
                "alb:CreateServerGroup",
                "alb:DeleteServerGroup",
                "alb:UpdateServerGroupAttribute",
                "alb:DescribeZones"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:ListTagResources",
                "ecs:TagResources",
                "ecs:UnTagResources",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:ModifySecurityGroupRule",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:AddTags",
                "slb:RemoveTags",
                "slb:CreateLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:DeleteLoadBalancer",
                "slb:SetLoadBalancerStatus",
                "slb:SetLoadBalancerName",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:ModifyLoadBalancerPayType",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:CreateLoadBalancerTCPListener",
                "slb:CreateLoadBalancerUDPListener",
                "slb:DeleteLoadBalancerListener",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DescribeLoadBalancerListeners",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:SetListenerAccessControlStatus",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttributes",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeListenerAccessControlAttribute",
                "slb:AddListenerWhiteListItem",
                "slb:RemoveListenerWhiteListItem",
                "slb:AddBackendServers",
                "slb:RemoveBackendServers",
                "slb:SetBackendServers",
                "slb:DescribeHealthStatus",
                "slb:UploadServerCertificate",
                "slb:DeleteServerCertificate",
                "slb:DescribeServerCertificates",
                "slb:SetServerCertificateName",
                "slb:DescribeRegions",
                "slb:CreateVServerGroup",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeVServerGroups",
                "slb:AddVServerGroupBackendServers",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DescribeRules",
                "slb:SetRule",
                "slb:CreateRules",
                "slb:DeleteRules",
                "slb:DescribeTags",
                "slb:DeleteVServerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "nas:DescribeRegions",
                "nas:CreateFileSystem",
                "nas:DeleteFileSystem",
                "nas:DescribeFileSystems",
                "nas:ModifyFileSystem",
                "nas:CreateMountTarget",
                "nas:DeleteMountTarget",
                "nas:DescribeMountTargets",
                "nas:ModifyMountTarget",
                "nas:CreateAccessGroup",
                "nas:DeleteAccessGroup",
                "nas:DescribeAccessGroups",
                "nas:ModifyAccessGroup",
                "nas:CreateAccessRule",
                "nas:DeleteAccessRule",
                "nas:DescribeAccessRules",
                "nas:ModifyAccessRule",
                "nas:SetUserVolumeCountLimit"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:CreateVpc",
                "vpc:DescribeZones",
                "vpc:CreateVSwitch",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeEipAddresses",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:ReleaseEipAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cr:GetUserInfo",
                "cr:GetRegionList",
                "cr:GetNamespaceList",
                "cr:GetRepoListByNamespace",
                "cr:GetRepoTags",
                "cr:GetRepoList",
                "cr:GetRepo",
                "cr:GetInstanceVpcEndpoint",
                "cr:ListNamespace",
                "cr:ListInstanceEndpoint",
                "cr:CreateNamespace",
                "cr:DeleteNamespace",
                "cr:UpdateNamespace",
                "cr:GetNamespace",
                "cr:CreateRepository",
                "cr:DeleteRepository",
                "cr:UpdateRepository",
                "cr:GetRepository",
                "cr:ListRepository",
                "cr:ListRepositoryTag",
                "cr:DeleteRepositoryTag",
                "cr:GetRepositoryManifest",
                "cr:GetRepositoryLayers",
                "cr:PullRepository",
                "cr:PushRepository",
                "cr:GetAuthorizationToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "oos.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:DeleteLogStore",
                "log:UpdateLogStore",
                "log:GetCursorOrData",
                "log:ListShards",
                "log:PostLogStoreLogs",
                "log:CreateConfig",
                "log:UpdateConfig",
                "log:DeleteConfig",
                "log:GetConfig",
                "log:ListConfig",
                "log:CreateMachineGroup",
                "log:UpdateMachineGroup",
                "log:DeleteMachineGroup",
                "log:GetMachineGroup",
                "log:ListMachineGroup",
                "log:ListMachines",
                "log:ApplyConfigToGroup",
                "log:RemoveConfigFromGroup",
                "log:GetAppliedMachineGroups",
                "log:GetAppliedConfigs",
                "log:GetLogStoreLogs",
                "log:GetLogStoreHistogram",
                "log:CreateProject",
                "log:GetProject",
                "log:GetIndex",
                "log:CreateIndex",
                "log:DeleteIndex",
                "log:UpdateIndex",
                "log:GetMachineGroups",
                "log:RemoveConfigFromMachineGroup",
                "log:DeleteProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-cert:DescribeUserCertificateList",
                "yundun-cert:DescribeUserCertificateDetail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "bss:DescribePrice",
                "bss:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:QueryMetric",
                "arms:ListDashboards",
                "arms:OpenArmsService",
                "arms:ListServerlessTopNApps",
                "arms:CreateAlertContact",
                "arms:SearchAlertContact",
                "arms:UpdateAlertContact",
                "arms:DeleteAlertContact",
                "arms:CreateAlertContactGroup",
                "arms:SearchAlertContactGroup",
                "arms:UpdateAlertContactGroup",
                "arms:DeleteAlertContactGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oos:ListExecutions",
                "oos:StartExecution",
                "oos:DeleteExecutions",
                "oos:CancelExecution",
                "oos:GetTemplate",
                "oos:CreateTemplate",
                "oos:UpdateTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "mse:CreateApplication",
                "mse:RemoveApplication",
                "mse:FetchRoutePolicyList",
                "mse:AddRoutePolicy",
                "mse:UpdateRoutePolicy",
                "mse:RemoveRoutePolicy",
                "mse:GetServiceDetail",
                "mse:GetServiceListPage",
                "mse:GetServiceList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses",
                "eventbridge:CreateRule",
                "eventbridge:GetRule",
                "eventbridge:UpdateRule",
                "eventbridge:EnableRule",
                "eventbridge:DisableRule",
                "eventbridge:DeleteRule",
                "eventbridge:ListRules",
                "eventbridge:UpdateTargets",
                "eventbridge:DeleteTargets",
                "eventbridge:ListTargets",
                "eventbridge:PutEvents",
                "eventbridge:CreateEventSource",
                "eventbridge:UpdateEventSource",
                "eventbridge:DeleteEventSource",
                "eventbridge:ListAliyunOfficialEventSources",
                "eventbridge:ListUserDefinedEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alikafka:ListInstance",
                "alikafka:ListTopic"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sae.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "eipaccess.slb.aliyuncs.com"
                }
            }
        }
    ]
}

创建SLR

SAE支持SLR的自动创建。如果您未创建SLR,登录SAE控制台时会弹出欢迎使用Serverless应用引擎SAE对话框,单击确认创建即可完成SLR的创建。

SAE创建SLR角色

说明

如果您未创建SLR,登录SAE控制台时会持续显示欢迎使用Serverless应用引擎SAE对话框,直至您完成SLR的创建。

删除SLR

如果您需要删除SLR,需要先删除该阿里云账号在SAE上部署的所有应用。

重要
  • 删除SLR后,您将无法使用SAE产品,请谨慎操作。

  • 如果您在删除SLR后仍需要再次使用SAE,请登录SAE控制台重新创建SLR角色。具体操作,请参见创建SLR

  • 本页导读 (1)
文档反馈