本文介绍Advisor服务关联角色AliyunServiceRoleForAdvisor以及如何删除该角色。
背景信息
Advisor服务关联角色AliyunServiceRoleForAdvisor是Advisor为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息请参见服务关联角色。
应用场景
Advisor需要访问负载均衡SLB(Server Load Balancer)、专有网络VPC(Virtual Private Cloud)、云服务器ECS(Elastic Compute Service)等云服务的资源时,可通过自动创建的Advisor服务关联角色AliyunServiceRoleForAdvisor获取访问权限。
权限说明
AliyunServiceRoleForAdvisor具备的云服务的访问权限如下所示,更多权限说明请参见权限策略管理。
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTags",
"ecs:DescribeDisks",
"ecs:DescribeRegions",
"ecs:DescribeInstanceMonitorData",
"ecs:DescribeDiskMonitorData",
"ecs:ValidateSecurityGroup",
"ecs:DescribeCommands",
"ecs:DescribeDisksFullStatus",
"ecs:DescribeDeploymentSets",
"ecs:DescribeAccountAttributes",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroups",
"ecs:DescribeAccountAttributes",
"ecs:DescribeDedicatedHosts",
"ecs:DescribeDedicatedHostAutoRenew",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSnapshots",
"ecs:CreateDiagnosticReport",
"ecs:DescribeDiagnosticReports",
"ecs:DescribePrice",
"ecs:DescribeResourcesModification",
"ecs:DescribeInstanceTypes",
"ecsinc:DescribeResourceStatusDiagnosis",
"ecs:DescribeSceneResourceRecommend"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"slb:DescribeLoadBalancers",
"slb:DescribeRegions",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeHealthStatus",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeMasterSlaveServerGroupAttribute",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:DescribeMasterSlaveServerGroups"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceNetInfo",
"rds:DescribeRenewalPrice",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeRegions",
"rds:DescribeSQLCollectorPolicy",
"rds:DescribeDBInstancePerformance",
"rds:DescribeDBInstanceIPArrayList",
"rds:DescribeSlowLogs",
"rds:DescribeSlowLogRecords",
"rds:DescribeDBInstanceProxyConfiguration",
"rds:DescribeReplicas",
"rds:DescribeErrorLogs",
"rds:DescribeHASwitchConfig",
"rds:DescribeAccounts",
"rds:DescribeBackups",
"rds:DescribeDBInstanceHAConfig",
"rds:DescribeAvailableClasses",
"rds:ListClasses",
"rds:DescribePrice"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"cdn:DescribeUserDomains",
"cdn:DescribeDomainReqHitRateData",
"cdn:DescribeCdnDomainDetail",
"cdn:DescribeCdnDomai nConfigs",
"cdn:DescribeRefreshQuota",
"cdn:DescribeDomainCertificateInfo",
"cdn:DescribeCdnUserQuota",
"cdn:DescribeDomainHttpCodeData",
"cdn:DescribeDomainRealTimeReqHitRateData",
"cdn:DescribeDomainQpsData"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"alb:ListServerGroupServers",
"alb:GetLoadBalancerAttribute",
"alb:ListListeners",
"alb:ListLoadBalancers",
"alb:GetListenerHealthStatus",
"alb:ListListenerCertificates",
"alb:ListServerGroups",
"alb:ListRules",
"alb:GetListenerAttribute",
"alb:ListAcls",
"alb:ListAclEntries",
"alb:ListAclRelations"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"nlb:DescribeRegions",
"nlb:GetListenerAttribute",
"nlb:GetListenerHealthStatus",
"nlb:GetLoadBalancerAttribute",
"nlb:ListListenerCertificates",
"nlb:ListListeners",
"nlb:ListLoadBalancers",
"nlb:ListSecurityPolicy",
"nlb:ListServerGroups",
"nlb:ListServerGroupServers"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"scdn:DescribeScdnDomainDetail",
"scdn:DescribeScdnUserDomains"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"dcdn:DescribeDcdnDomainDetail",
"dcdn:DescribeDcdnUserDomains"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"nas:DescribeRegions",
"nas:DescribeFileSystems"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeEipAddresses",
"vpc:DescribeRegions",
"vpc:DescribeEipMonitorData",
"vpc:DescribePhysicalConnections",
"vpc:DescribeVpnGateways",
"vpc:DescribeVpnConnections",
"vpc:DescribeCustomerGateways",
"vpc:DescribeSslVpnClientCerts",
"vpc:DescribeVpnPbrRouteEntries",
"vpc:DescribeVpnRouteEntries",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteEntryList",
"vpc:DescribeNatGateways",
"vpc:DescribeBandwidthPackages",
"vpc:DescribeSnatTableEntries",
"vpc:DescribeForwardTableEntries",
"vpc:DescribeCommonBandwidthPackages",
"vpc:DescribeVirtualBorderRouters",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeGlobalAccelerationInstances"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"oss:ListBuckets",
"oss:GetBucketInfo",
"oss:GetBucketAcl",
"oss:GetBucketLogging",
"oss:GetBucketEncryption",
"oss:GetBucketReplication",
"oss:GetBucketVersioning",
"oss:GetBucketReferer",
"oss:GetBucketPolicy",
"oss:ListObjects"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"alidns:DescribeDomains",
"alidns:DescribeDomainRecords",
"alidns:DescribeSubDomainRecords"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"yundun-waf:DescribePayInfo",
"yundun-waf:DescribeDomainConfig",
"yundun-waf:DescribeDomainNames",
"yundun-ddos:DescribeInstanceSpecs",
"yundun-ddos:DescribeDdosEventList",
"yundun-ddoscoo:DescribeInstanceSpecs",
"yundun-ddoscoo:DescribeDomains",
"yundun-ddoscoo:DescribeInstanceIds",
"yundun-ddoscoo:DescribeAutoCcWhitelist",
"yundun-ddoscoo:DescribeAutoCcBlacklist",
"yundun-ddoscoo:DescribeDomainAttackEvents",
"yundun-cert:DescribeSSLCertificatePublicKeyDetail",
"yundun-cert:ListCertificateOrder"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"cen:DescribePublishedRouteEntries",
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens",
"cen:DescribeCenVbrHealthCheck"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:DescribeSystemEventAttribute",
"cms:DescribeMetricLast",
"cms:QueryMetricData",
"cms:QueryMetricList",
"cms:DescribeMonitoringAgentStatuses",
"cms:QueryMonitoringAgentStatuses",
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"polardb:DescribeRegions",
"polardb:DescribeDBClusters",
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeDBClusters"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"dds:DescribeDBInstances",
"dds:DescribeDBInstanceAttribute",
"dds:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"netgateway:DescribeNatGateways"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"live:DescribeLiveUserDomains",
"live:DescribeLiveDomainConfigs",
"live:DescribeLiveStreamsOnlineList",
"live:DescribeLiveRecordConfig",
"live:DescribeLiveRecordNotifyConfig",
"live:DescribeLiveDomainDetail",
"live:DescribeLiveStreamsPublishList",
"live:DescribeLiveStreamMetricDetailData"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"kvstore:DescribeInstances",
"kvstore:DescribeHistoryMonitorValues",
"kvstore:DescribeInstanceAttribute",
"kvstore:DescribeSecurityIps",
"kvstore:DescribeInstanceSSL",
"kvstore:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"ram:DeleteServiceLinkedRole",
"ram:CreateServiceLinkedRole",
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"polardbx:DescribeDrdsInstances",
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"drds:DescribeDrdsInstances"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"mq:OnsInstanceInServiceList",
"mq:OnsRegionList",
"mq:OnsTopicList"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"mse:ListClusters",
"mse:ListAnsServices",
"mse:ListEurekaServices",
"mse:QueryClusterDetail"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"cs:DescribeClustersV1",
"cs:ListClusterReportSummary",
"cs:GetClusterCheckItem",
"cs:GetClusterBasicInfo",
"cs:GetClusterReportSummary",
"cs:DescribeClusterNodes",
"cs:GetClusters",
"cs:GetClusterCheckResult"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"ims:ListAccessKeys"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"tag:ListTagResources",
"tag:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"resourcemanager:GetResourceDirectory",
"resourcemanager:GetAccount",
"resourcemanager:GetFolder",
"resourcemanager:ListAccounts",
"resourcemanager:ListAccountsForParent",
"resourcemanager:ListFoldersForParent",
"resourcemanager:ListDelegatedAdministrators",
"resourcemanager:ListDelegatedServicesForAccount"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"kms:DescribeRegions",
"kms:ListKmsInstances",
"kms:GetKmsInstance"
],
"Resource": "*",
"Effect": "Allow"
}
{
"Action": [
"bssapi:DescribeInstanceBill",
"bssapi:GetPayAsYouGoPrice",
"bssapi:GetSubscriptionPrice",
"bssapi:QueryProductList",
"bssapi:QueryAvailableInstances",
"bssapi:DescribePricingModule"
],
"Resource": "*",
"Effect": "Allow"
}
删除Advisor服务关联角色
删除AliyunServiceRoleForAdvisor会影响Advisor获取数据,请谨慎操作。删除AliyunServiceRoleForAdvisor的操作步骤如下。
登录RAM控制台,在左侧导航栏中选择身份管理 > 角色。
在角色页面的搜索框中,输入AliyunServiceRoleForAdvisor,单击
图标进行搜索。在右侧操作列,单击删除角色。
在删除角色对话框,输入AliyunServiceRoleForAdvisor,单击删除角色。
恢复服务关联角色
若删除服务关联角色后仍需使用到云资源,系统会提示您创建服务关联角色。登录Advisor控制台,根据提示完成授权。
常见问题
问:为什么我的RAM用户无法自动创建AliyunServiceRoleForAdvisor?
答:您需要拥有指定的权限才能自动创建或删除AliyunServiceRoleForAdvisor。因此,在RAM用户无法自动创建AliyunServiceRoleForAdvisor时,您需为其添加以下权限策略。
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:主账号ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"advisor.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}说明
请将主账号ID替换为您实际的阿里云账号(主账号)ID。
该文章对您有帮助吗?