This topic describes what the CPFS file system service-linked roles are and how to delete them.

Background information

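The CPFS file system service-linked roles (AliyunServiceRoleForNasCpfsNetwork and AliyunServiceRoleForNasCpfsClient) are RAM roles provided so that, in certain situations, CPFS can obtain access permissions to other cloud services in order to complete one of its own functions. For example, creating a CPFS file system requires access to resources of cloud services such as VPC, ECS, elastic network interfaces, and security groups, and the service-linked role feature is how CPFS obtains the corresponding access permissions. For more information, see Create a service-linked role.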

AliyunServiceRoleForNasCpfsNetwork

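  • Role permission policy: AliyunServiceRoleForNasCpfsNetwork
  • Permission description: the permissions that the CPFS file system uses to create or delete elastic network interfaces and security groups.
  • Role permission policy content: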
    {
        "Version": "1",
        "Statement": [{
                "Action": [
                    "vpc:DescribeVSwitchAttributes",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ecs:CreateSecurityGroup",
                    "ecs:DescribeSecurityGroups",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:DeleteNetworkInterfacePermission"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:AuthorizeSecurityGroupEgress",
                    "ecs:RevokeSecurityGroup",
                    "ecs:RevokeSecurityGroupEgress"
                ],
                "Resource": "acs:ecs:*:*:*/*",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "ecs:tag/nas:cpfs": "true"
                    }
                }
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "cpfs-network.nas.aliyuncs.com"
                    }
                }
            }
        ]
    }
    

AliyunServiceRoleForNasCpfsClient

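  • Role permission policy: AliyunServiceRoleForNasCpfsClient
  • Permission description: the permissions that the CPFS file system service uses to create or delete ECS instances, Cloud Assistant, authorizations, and security groups.
  • Role permission policy content: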
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVSwitchAttributes",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance",
            "ecs:DescribeInstances",
            "ecs:CreateSecurityGroup",
            "ecs:DescribeSecurityGroups",
            "ecs:InstallCloudAssistant",
            "ecs:DescribeInvocations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:StartInstances",
            "ecs:DeleteInstances",
            "ecs:RunCommand",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:DeleteSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress"
          ],
          "Resource": "acs:ecs:*:*:*/*",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "ecs:tag/nas:cpfs": "true"
            }
          }
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "cpfs-client.nas.aliyuncs.com"
            }
          }
        }
      ]
    }
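
An added example, not part of the original documentation: a small Python audit of the policy above that reports which actions are granted with no condition and which are limited by a condition key such as the nas:cpfs tag. POLICY is an abridged, constructed excerpt of the AliyunServiceRoleForNasCpfsClient policy, and the function names are this example's own.

```python
import json

# Abridged copy of the AliyunServiceRoleForNasCpfsClient policy shown above
# (a few actions per statement; constructed excerpt for this example).
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:RunInstances", "ecs:DescribeInstances",
                "ecs:CreateSecurityGroup", "ecs:InstallCloudAssistant"],
     "Resource": "*", "Effect": "Allow"},
    {"Effect": "Allow",
     "Action": ["ecs:DeleteInstances", "ecs:RunCommand", "ecs:DeleteSecurityGroup"],
     "Resource": "acs:ecs:*:*:*/*",
     "Condition": {"StringEqualsIgnoreCase": {"ecs:tag/nas:cpfs": "true"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cpfs-client.nas.aliyuncs.com"}}}
  ]
}
""")

def as_list(value):
    """Action may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def condition_keys(stmt):
    """Return the sorted condition keys (e.g. 'ecs:tag/nas:cpfs') of a statement."""
    return sorted(k for op in stmt.get("Condition", {}).values() for k in op)

def classify(policy):
    """Map each allowed action to the condition keys that constrain it ([] = none)."""
    scope = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            if scope.get(action, True):  # keep an unconditioned grant once seen
                scope[action] = condition_keys(stmt)
    return scope

def unconditioned_writes(policy):
    """Non-Describe actions granted with no Condition block at all."""
    return sorted(a for a, keys in classify(policy).items()
                  if not keys and not a.split(":", 1)[1].startswith("Describe"))

if __name__ == "__main__":
    for action, keys in sorted(classify(POLICY).items()):
        print(f"{action:32} {', '.join(keys) or 'UNCONDITIONED'}")
    print("review:", unconditioned_writes(POLICY))
```

In the policy above, the non-Describe actions without a condition are the create, run and install calls, while the delete, start, RunCommand and security-group rule actions apply only to resources tagged nas:cpfs=true. Because that tag is what brings a resource within reach of those actions, who is allowed to set it is worth including in a review.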

Delete a service-linked role

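To delete a CPFS file system service-linked role (AliyunServiceRoleForNasCpfsNetwork or AliyunServiceRoleForNasCpfsClient), you must first delete all CPFS file system instances under the CPFS file system service. For details, see Delete a file system.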

For the steps to delete the service-linked role itself, see Delete a service-linked role.