SAE通过服务关联角色SLR(Service Linked Role)来获取其他云资源的访问权限。本文为您介绍SLR的应用场景以及如何创建及删除SLR的步骤。

什么是SLR

某些场景下,SAE为了完成自身的某个功能,需要获取其他云服务的访问权限。例如创建应用时要获取您的VPC等信息,就可以通过SLR获取VPC等产品的访问权限。通过SLR可以更好地配置云服务正常操作所必须的权限,避免误操作带来的风险。SLR的权限策略由关联的云服务定义和使用,您不能修改或删除权限策略,也不能为SLR添加或移除权限。关于SLR的更多详细信息请参见服务关联角色

SLR权限说明

角色名称:AliyunServiceRoleForSAE

角色权限策略:AliyunServiceRolePolicyForSAE

权限说明:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupRule",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:AddTags",
        "slb:CreateLoadBalancer",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:DeleteLoadBalancer",
        "slb:SetLoadBalancerStatus",
        "slb:SetLoadBalancerName",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:ModifyLoadBalancerPayType",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:DeleteLoadBalancerListener",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:SetListenerAccessControlStatus",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttributes",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:AddListenerWhiteListItem",
        "slb:RemoveListenerWhiteListItem",
        "slb:AddBackendServers",
        "slb:RemoveBackendServers",
        "slb:SetBackendServers",
        "slb:DescribeHealthStatus",
        "slb:UploadServerCertificate",
        "slb:DeleteServerCertificate",
        "slb:DescribeServerCertificates",
        "slb:SetServerCertificateName",
        "slb:DescribeRegions",
        "slb:CreateVServerGroup",
        "slb:DescribeVServerGroupAttribute",
        "slb:DescribeVServerGroups",
        "slb:AddVServerGroupBackendServers",
        "slb:SetVServerGroupAttribute",
        "slb:RemoveVServerGroupBackendServers",
        "slb:DescribeRules",
        "slb:SetRule",
        "slb:CreateRules",
        "slb:DeleteRules",
        "slb:DescribeTags",
        "slb:DeleteVServerGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:DescribeRegions",
        "nas:CreateFileSystem",
        "nas:DeleteFileSystem",
        "nas:DescribeFileSystems",
        "nas:ModifyFileSystem",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:DescribeMountTargets",
        "nas:ModifyMountTarget",
        "nas:CreateAccessGroup",
        "nas:DeleteAccessGroup",
        "nas:DescribeAccessGroups",
        "nas:ModifyAccessGroup",
        "nas:CreateAccessRule",
        "nas:DeleteAccessRule",
        "nas:DescribeAccessRules",
        "nas:ModifyAccessRule",
        "nas:SetUserVolumeCountLimit"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetUserInfo",
        "cr:GetRegionList",
        "cr:GetNamespaceList",
        "cr:GetRepoListByNamespace",
        "cr:GetRepoTags",
        "cr:GetRepoList",
        "cr:GetRepo",
        "cr:GetAuthorizationToken",
        "cr:PullRepository",
        "cr:CreateRepository",
        "cr:DeleteRepositoryTag",
        "cr:PushRepository",
        "cr:DeleteRepository",
        "cr:UpdateRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetLogStoreLogs",
        "log:GetLogStoreHistogram",
        "log:CreateProject",
        "log:GetProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:UpdateIndex",
        "log:GetMachineGroups",
        "log:RemoveConfigFromMachineGroup",
        "log:DeleteProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeUserCertificateList",
        "yundun-cert:DescribeUserCertificateDetail"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bss:DescribePrice",
        "bss:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:QueryMetric"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oos:ListExecutions",
        "oos:StartExecution",
        "oos:DeleteExecutions",
        "oos:CancelExecution",
        "oos:GetTemplate",
        "oos:CreateTemplate",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

创建SLR

SAE支持SLR的自动创建,当您未创建SLR时,登录SAE控制台时会弹出欢迎使用Serverless应用引擎SAE对话框,单击确认创建即可完成SLR的创建。

SAE创建SLR角色
说明 当您未创建SLR时,登录SAE控制台会持续显示欢迎使用Serverless应用引擎SAE对话框直至您完成SLR的创建。

删除SLR

如果您需要删除SLR,需要先删除该账号(主账号)在SAE上部署的所有应用。

注意
  • 删除SLR后您将无法使用SAE产品,请谨慎操作。
  • 如果您在删除SLR后仍需要再次使用SAE,请登录SAE控制台重新创建SLR角色,详细操作请参见创建SLR