This topic describes the background, policy content, usage notes, and FAQ for the service-linked roles used by EventBridge.

Background information

In some cases, EventBridge needs permission to access other Alibaba Cloud services in order to complete one of its own functions. For more information about service-linked roles, see Service-linked roles.

EventBridge can automatically create the following service-linked roles:

AliyunServiceRoleForEventBridgeSendToFC

The service-linked role AliyunServiceRoleForEventBridgeSendToFC grants EventBridge access to Function Compute so that it can invoke functions.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToFC is AliyunServiceRolePolicyForEventBridgeSendToFC. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

The service-linked role AliyunServiceRoleForEventBridgeSendToMNS grants EventBridge access to Message Service (MNS) so that it can send messages to queues and publish messages to topics.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToMNS is AliyunServiceRolePolicyForEventBridgeSendToMNS. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

The service-linked role AliyunServiceRoleForEventBridgeSendToSMS grants EventBridge access to Short Message Service (SMS) so that it can send SMS messages.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToSMS is AliyunServiceRolePolicyForEventBridgeSendToSMS. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

The service-linked role AliyunServiceRoleForEventBridgeSendToDirectMail grants EventBridge access to Direct Mail so that it can send emails.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToDirectMail is AliyunServiceRolePolicyForEventBridgeSendToDirectMail. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

The service-linked role AliyunServiceRoleForEventBridgeSourceRocketMQ grants EventBridge access to Message Queue for Apache RocketMQ so that it can query instance information and subscribe to messages from RocketMQ instances used as event sources.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSourceRocketMQ is AliyunServiceRolePolicyForEventBridgeSourceRocketMQ. Its content is as follows:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRocketMQ

The service-linked role AliyunServiceRoleForEventBridgeSendToRocketMQ grants EventBridge access to Message Queue for Apache RocketMQ so that it can publish messages to RocketMQ topics and query topic and consumer status.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToRocketMQ is AliyunServiceRolePolicyForEventBridgeSendToRocketMQ. Its content is as follows:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:PUB",
                "mq:QueryInstanceBaseInfo",
                "mq:QueryTopicStatus",
                "mq:QueryConsumerAccumulate",
                "mq:QueryConsumerStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

The service-linked role AliyunServiceRoleForEventBridgeConnectVPC grants EventBridge access to Virtual Private Cloud (VPC) so that it can reach resources inside your VPC. Note that, besides the VPC actions to describe VPCs and vSwitches, the policy also grants ECS actions to describe security groups and to create, describe, and delete elastic network interfaces (ENIs) and ENI permissions, all on Resource "*".

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeConnectVPC is AliyunServiceRolePolicyForEventBridgeConnectVPC. Its content is as follows:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

The service-linked role AliyunServiceRoleForEventBridgeSourceActionTrail grants EventBridge access to ActionTrail so that it can query and deliver operation records as events. The policy does this by allowing EventBridge to create and delete a service trail.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSourceActionTrail is AliyunServiceRolePolicyForEventBridgeSourceActionTrail. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

The service-linked role AliyunServiceRoleForEventBridgeSourceRabbitMQ grants EventBridge access to Message Queue for RabbitMQ so that it can consume and acknowledge messages from RabbitMQ instances used as event sources.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSourceRabbitMQ is AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetVhost",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRabbitMQ

The service-linked role AliyunServiceRoleForEventBridgeSendToRabbitMQ grants EventBridge access to Message Queue for RabbitMQ so that it can publish messages. Note that the policy also allows EventBridge to create exchanges and queues, not only to publish to existing ones.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToRabbitMQ is AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ. Its content is as follows:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceKafka

The service-linked role AliyunServiceRoleForEventBridgeSourceKafka grants EventBridge access to Message Queue for Apache Kafka so that it can access Kafka instances used as event sources.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSourceKafka is AliyunServiceRolePolicyForEventBridgeSourceKafka. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "alikafka:ListInstance",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToKafka

The service-linked role AliyunServiceRoleForEventBridgeSendToKafka grants EventBridge access to Message Queue for Apache Kafka so that it can publish messages to Kafka.

The policy attached to the service-linked role AliyunServiceRoleForEventBridgeSendToKafka is AliyunServiceRolePolicyForEventBridgeSendToKafka. Its content is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "alikafka:ListInstance",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

Usage notes

After a service-linked role is deleted, EventBridge loses access to the corresponding Alibaba Cloud service: it can no longer deliver events to that service, or, for the Source roles, read events from it. Proceed with caution. To use the feature again, you must re-create the role. For the procedure, see Create a service-linked role.

For how to delete a service-linked role, see Delete a service-linked role.

FAQ

Why can't my RAM user automatically create the EventBridge service-linked roles?

If the Alibaba Cloud account has already created a service-linked role, the RAM users under that account inherit it. If the role was not inherited, log on to the RAM console and attach a custom policy with the following content to the RAM user:

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:阿里云账号ID:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "sendevent-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com",
                        "sendevent-rabbitmq.eventbridge.aliyuncs.com",
                        "source-kafka.eventbridge.aliyuncs.com",
                        "sendevent-kafka.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
Note: Replace 阿里云账号ID (the account ID placeholder) with your actual Alibaba Cloud account ID. Leaving the placeholder in place makes the Resource element match nothing, so the grant has no effect.

If your RAM user still cannot automatically create the service-linked roles after this policy is attached, grant the RAM user the AliyunEventBridgeFullAccess policy. For more information about policies, see Policies and examples.
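Two things go wrong in practice with the documents on this page: the CreateServiceLinkedRole policy for RAM users drifts out of step with the set of service-linked roles (a principal is missing, or the JSON is invalid because of a dropped comma), and the 阿里云账号ID placeholder is pasted into the policy unchanged. The following script is an added example, not Alibaba Cloud code: it lints the service-linked-role policies against the shape every policy above shares (Version "1", Allow-only, no wildcard or extra ram: actions, exactly one ram:DeleteServiceLinkedRole statement conditioned on an eventbridge.aliyuncs.com principal), collects the principals they reference, and reports which of them the RAM user's policy does not cover. The sample documents are constructed copies of the page's JSON; the CreateServiceLinkedRole sample deliberately omits the Kafka principal and keeps the placeholder so that both checks fire. Nothing is fetched from RAM.

```python
"""Offline checks over EventBridge service-linked-role (SLR) policy documents.
Added example, not Alibaba Cloud code; the sample documents below are constructed
copies of the page's JSON, and nothing is fetched from RAM."""
import json
import re
from typing import Any, Dict, List, Set, Union

EB_SUFFIX = ".eventbridge.aliyuncs.com"
DELETE_SLR = "ram:DeleteServiceLinkedRole"
CREATE_SLR = "ram:CreateServiceLinkedRole"
# Resource shape once the "阿里云账号ID" placeholder is replaced by a numeric account ID.
ROLE_RESOURCE_RE = re.compile(r"^acs:ram:\*:\d+:role/\*$")

def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """RAM accepts a bare string where a list is allowed; normalize to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def service_names(stmt: Dict[str, Any]) -> Set[str]:
    """ram:ServiceName values in the statement's StringEquals condition."""
    return set(_as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")))

def linked_service_names(policy: Dict[str, Any]) -> Set[str]:
    """Principal(s) the policy's DeleteServiceLinkedRole grant is bound to."""
    return set().union(*(service_names(s) for s in policy.get("Statement", [])
                         if DELETE_SLR in _as_list(s.get("Action"))))

def lint_slr_policy(name: str, policy: Dict[str, Any]) -> List[str]:
    """Findings for one SLR policy; empty means it has the documented shape:
    Version "1", Allow-only, no wildcard or extra RAM actions, and exactly one
    DeleteServiceLinkedRole statement bound to an EventBridge service principal."""
    out: List[str] = []
    if policy.get("Version") != "1":
        out.append(f'{name}: Version must be "1"')
    delete_stmts = 0
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow":
            out.append(f"{name}: unexpected Effect {stmt.get('Effect')!r}")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                out.append(f"{name}: wildcard action {action}")
            elif action.startswith("ram:") and action != DELETE_SLR:
                out.append(f"{name}: unexpected RAM action {action}")
        if DELETE_SLR in actions:
            delete_stmts += 1
            names = service_names(stmt)
            if not names:
                out.append(f"{name}: {DELETE_SLR} not conditioned on ram:ServiceName")
            out += [f"{name}: {DELETE_SLR} bound to foreign principal {s}"
                    for s in names if not s.endswith(EB_SUFFIX)]
    if delete_stmts != 1:
        out.append(f"{name}: expected one {DELETE_SLR} statement, found {delete_stmts}")
    return out

def missing_create_grants(create_policy: Dict[str, Any], required: Set[str]) -> Set[str]:
    """Principals the RAM user's policy does NOT allow creating an SLR for;
    catches the FAQ policy drifting from the list of documented roles."""
    allowed = set().union(*(service_names(s) for s in create_policy.get("Statement", [])
                            if s.get("Effect") == "Allow" and CREATE_SLR in _as_list(s.get("Action"))))
    return required - allowed

def unresolved_placeholders(create_policy: Dict[str, Any]) -> List[str]:
    """CreateServiceLinkedRole resources that are not an account-scoped role ARN."""
    return [r for s in create_policy.get("Statement", []) if CREATE_SLR in _as_list(s.get("Action"))
            for r in _as_list(s.get("Resource")) if not ROLE_RESOURCE_RE.match(r)]

# Constructed samples: two documented SLR policies, plus a CreateServiceLinkedRole
# policy that omits the Kafka principal and keeps the placeholder so both checks fire.
SAMPLE_SLR_POLICIES: Dict[str, str] = {
    "AliyunServiceRolePolicyForEventBridgeSendToFC": """{"Version": "1", "Statement": [
        {"Action": ["fc:InvokeFunction", "fc:ListServices", "fc:ListFunctions"], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"}}}]}""",
    "AliyunServiceRolePolicyForEventBridgeSendToKafka": """{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "alikafka:ListInstance", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"}}}]}""",
}
SAMPLE_CREATE_POLICY = """{"Version": "1", "Statement": [{"Action": "ram:CreateServiceLinkedRole",
    "Resource": "acs:ram:*:阿里云账号ID:role/*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["sendevent-fc.eventbridge.aliyuncs.com"]}}}]}"""

def run_checks(slr_policies: Dict[str, str], create_policy: str) -> Dict[str, Any]:
    """Parse the documents (json.loads also rejects a dropped comma) and return findings as data."""
    create = json.loads(create_policy)
    lint: List[str] = []
    required: Set[str] = set()
    for name, doc in slr_policies.items():
        policy = json.loads(doc)
        lint += lint_slr_policy(name, policy)
        required |= linked_service_names(policy)
    return {"lint": lint, "required_services": required,
            "missing_create_grants": missing_create_grants(create, required),
            "placeholders": unresolved_placeholders(create)}

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_SLR_POLICIES, SAMPLE_CREATE_POLICY),
                     default=sorted, indent=2, ensure_ascii=False))
```

To use it against your own account, paste the policy documents shown on this page (or the ones you read back from the RAM console) into the two sample variables. A non-empty "lint" list means a policy no longer has the documented shape; a non-empty "missing_create_grants" set lists the EventBridge principals your RAM user still cannot create a service-linked role for, which is exactly the situation the FAQ above describes.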