Service-linked roles for HBR
This topic describes the service-linked roles that Hybrid Backup Recovery (HBR) uses and how to delete a role that has been created.
Background information
A service-linked role for HBR is a RAM role that HBR assumes in specific scenarios to obtain the permissions on other cloud services that one of its features needs. For more information about service-linked roles, see Service-linked roles.
When HBR needs to access resources in cloud services such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), Apsara File Storage NAS (NAS), and Cloud Storage Gateway (CSG), it obtains the required permissions through automatically created HBR service-linked roles.
AliyunServiceRoleForHbrEcsBackup
When the HBR ECS backup feature needs to access ECS and VPC resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrEcsBackup.
AliyunServiceRoleForHbrOssBackup
When the HBR OSS backup feature needs to access OSS resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrOssBackup.
AliyunServiceRoleForHbrNasBackup
When the HBR NAS backup feature needs to access NAS resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrNasBackup.
AliyunServiceRoleForHbrCsgBackup
When the HBR Cloud Storage Gateway backup feature needs to access CSG resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrCsgBackup.
AliyunServiceRoleForHbrVaultEncryption
When the HBR feature that encrypts backup vaults with KMS keys needs to access Key Management Service (KMS) resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrVaultEncryption.
AliyunServiceRoleForHbrOtsBackup
When the HBR Tablestore backup feature needs to access Tablestore resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrOtsBackup.
AliyunServiceRoleForHbrCrossAccountBackup
When the cross-account backup feature needs to access resources in another account, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForHbrCrossAccountBackup.
Permission description
The HBR service-linked roles grant the following permissions:
Permissions on ECS granted through AliyunServiceRoleForHbrEcsBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunCommand",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:StopInvocation",
        "ecs:DescribeInvocationResults",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInvocations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetRole",
        "ram:GetPolicy",
        "ram:ListPoliciesForRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "ecs.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeImages",
        "ecs:CreateImage",
        "ecs:DeleteImage",
        "ecs:DescribeSnapshots",
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeAvailableResource",
        "ecs:ModifyInstanceAttribute",
        "ecs:CreateInstance",
        "ecs:DeleteInstance",
        "ecs:AllocatePublicIpAddress",
        "ecs:CreateDisk",
        "ecs:DescribeDisks",
        "ecs:AttachDisk",
        "ecs:DetachDisk",
        "ecs:DeleteDisk",
        "ecs:ResetDisk",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:ModifyResourceMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions on VPC granted through AliyunServiceRoleForHbrEcsBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions on OSS granted through AliyunServiceRoleForHbrOssBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:HeadBucket",
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:GetObject",
        "oss:AppendObject",
        "oss:GetObjectMeta",
        "oss:PutObjectACL",
        "oss:GetObjectACL",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions on NAS granted through AliyunServiceRoleForHbrNasBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:CreateMountTargetSpecial",
        "nas:DeleteMountTargetSpecial",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:DescribeMountTargets",
        "nas:DescribeAccessGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions on CSG granted through AliyunServiceRoleForHbrCsgBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "hcs-sgw:DescribeGateways"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions on KMS granted through AliyunServiceRoleForHbrVaultEncryption
{
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Permissions on Tablestore granted through AliyunServiceRoleForHbrOtsBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ots:ListTable",
        "ots:CreateTable",
        "ots:UpdateTable",
        "ots:DescribeTable",
        "ots:BatchWriteRow",
        "ots:CreateTunnel",
        "ots:DeleteTunnel",
        "ots:ListTunnel",
        "ots:DescribeTunnel",
        "ots:ConsumeTunnel",
        "ots:GetRange",
        "ots:ListStream",
        "ots:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
Cross-account backup permissions granted through AliyunServiceRoleForHbrCrossAccountBackup
{
  "Version": "1",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
        }
      }
    }
  ]
}
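A least-privilege review of these policy documents can be scripted, which is useful when auditing which of the granted actions can change or delete resources account-wide. The following Python script is an added example and is not part of Alibaba Cloud's documentation or tooling. It transcribes the ECS backup and cross-account policies shown above (the bare ECS statements are wrapped in the same Version/Statement envelope the page uses for the KMS, Tablestore, and cross-account policies) and sorts the allowed actions into three buckets: mutating actions allowed on Resource "*" with no Condition, mutating actions scoped to specific resource ARNs, and actions gated by a Condition. Classifying an action as mutating by its verb prefix is a heuristic assumption for a first-pass review, not an Alibaba Cloud definition.

```python
"""Least-privilege review of HBR service-linked role policies.

Added example, not Alibaba Cloud documentation or tooling. The policy
documents are transcribed from the page; the ECS statements are wrapped in
the same {"Version": "1", "Statement": [...]} envelope the page uses for
the KMS, Tablestore and cross-account policies.
"""
import json

ECS_BACKUP_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:RunCommand", "ecs:CreateCommand", "ecs:InvokeCommand",
                    "ecs:DeleteCommand", "ecs:DescribeCommands", "ecs:StopInvocation",
                    "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances", "ecs:DescribeInstanceRamRole",
                    "ecs:DescribeInvocations"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
         "Resource": ["acs:ecs:*:*:instance/*",
                      "acs:ram:*:*:role/aliyunecsaccessinghbrrole"],
         "Effect": "Allow"},
        {"Action": ["ram:GetRole", "ram:GetPolicy", "ram:ListPoliciesForRole"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:Service": ["ecs.aliyuncs.com"]}}},
        {"Action": ["ecs:DescribeSecurityGroups", "ecs:DescribeImages", "ecs:CreateImage",
                    "ecs:DeleteImage", "ecs:DescribeSnapshots", "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot", "ecs:DescribeSnapshotLinks",
                    "ecs:DescribeAvailableResource", "ecs:ModifyInstanceAttribute",
                    "ecs:CreateInstance", "ecs:DeleteInstance", "ecs:AllocatePublicIpAddress",
                    "ecs:CreateDisk", "ecs:DescribeDisks", "ecs:AttachDisk", "ecs:DetachDisk",
                    "ecs:DeleteDisk", "ecs:ResetDisk", "ecs:StartInstance", "ecs:StopInstance",
                    "ecs:ReplaceSystemDisk", "ecs:ModifyResourceMeta"],
         "Resource": "*", "Effect": "Allow"},
    ],
}

CROSS_ACCOUNT_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "crossbackup.hbr.aliyuncs.com"}}},
    ],
}

# Assumption: an action whose verb starts with one of these prefixes changes
# state. This is a naming-convention heuristic, not an Alibaba Cloud definition.
MUTATING_VERBS = ("Create", "Delete", "Put", "Attach", "Detach", "Modify", "Reset",
                  "Replace", "Run", "Invoke", "Stop", "Start", "Allocate",
                  "Assume", "Pass")


def _as_list(value):
    """RAM policies accept either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_mutating(action):
    """Classify a 'service:VerbNoun' action by the prefix of its verb."""
    return action.split(":", 1)[1].startswith(MUTATING_VERBS)


def review_policy(policy):
    """Sort the Allow actions of a policy into review buckets.

    unscoped_mutating: state-changing, Resource "*", no Condition (review first)
    scoped_mutating:   state-changing but limited to specific resource ARNs
    conditioned:       any action whose statement carries a Condition
    """
    findings = {"unscoped_mutating": [], "scoped_mutating": [], "conditioned": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if "Condition" in stmt:
                findings["conditioned"].append(action)
            elif is_mutating(action):
                bucket = "unscoped_mutating" if resources == ["*"] else "scoped_mutating"
                findings[bucket].append(action)
    return findings


def services_used(policy):
    """Return the sorted set of service prefixes the policy touches."""
    return sorted({a.split(":", 1)[0]
                   for s in policy["Statement"] for a in _as_list(s["Action"])})


if __name__ == "__main__":
    for name, policy in {"AliyunServiceRoleForHbrEcsBackup": ECS_BACKUP_POLICY,
                         "AliyunServiceRoleForHbrCrossAccountBackup": CROSS_ACCOUNT_POLICY}.items():
        print(name, "services:", services_used(policy))
        print(json.dumps(review_policy(policy), indent=2))
```

Running the script shows what a reviewer should take away from the policies: in the ECS backup role, ram:PassRole is conditioned on ecs.aliyuncs.com and Attach/DetachInstanceRamRole is limited to the aliyunecsaccessinghbrrole role, but instance, disk, image, and snapshot lifecycle actions (including ecs:DeleteInstance and ecs:ReplaceSystemDisk) apply to every ECS resource in the account. In the cross-account role, sts:AssumeRole is unscoped, so the set of accounts it can reach is bounded only by the trust policies of the target roles, which is where the access review for cross-account backup should focus.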
Delete a service-linked role
Assume that you no longer use the ECS backup feature. For security reasons, we recommend that you delete the service-linked role AliyunServiceRoleForHbrEcsBackup that the feature uses.
Before you delete AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, or a similar role, make sure that no backup vaults exist in the current account. Otherwise, the deletion fails.
Before you delete AliyunServiceRoleForHbrVaultEncryption, make sure that the current account has no backup vaults that are encrypted with KMS. Otherwise, the deletion fails.
For example, to delete AliyunServiceRoleForHbrEcsBackup, perform the following steps:
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box. The RAM role named AliyunServiceRoleForHbrEcsBackup is found automatically.
4. In the Actions column on the right, click Delete.
5. In the Delete RAM Role dialog box, click OK.
Deleting AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, AliyunServiceRoleForHbrVaultEncryption, and the other service-linked roles follows the same steps as deleting AliyunServiceRoleForHbrEcsBackup; only the name of the RAM role differs.