本文介绍消息队列Kafka版服务关联角色的背景信息、策略内容、注意事项和常见问题。
背景信息
服务关联角色是某个云服务在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。您在该云服务的控制台首次使用该功能时,系统会提示您完成服务关联角色的自动创建。更多服务关联角色相关信息,请参见服务关联角色。
消息队列Kafka版提供以下服务关联角色:
- AliyunServiceRoleForAlikafka:消息队列Kafka版访问您所拥有的其他阿里云资源的角色。如果您是在消息队列Kafka版控制台首次开通消息队列Kafka版服务,系统会提示您完成AliyunServiceRoleForAlikafka的自动创建。
-
AliyunServiceRoleForAlikafkaConnector:消息队列Kafka版通过扮演该RAM角色,获取各类与Connector相关的产品的访问权限,以实现Connector的功能。如果您是在消息队列Kafka版控制台首次创建Connector,系统会提示您完成AliyunServiceRoleForAlikafkaConnector的自动创建。更多信息,请参见创建FC Sink Connector。
- AliyunServiceRoleForAlikafkaInstanceEncryption:消息队列Kafka版通过扮演该RAM角色,获取KMS的访问与加密权限,以实现您实例的加密功能。目前实例加密功能暂时只通过OpenAPI开放,控制台功能后续才会放出。如果您通过消息队列Kafka版OpenAPI StartInstance首次部署加密实例,系统会为您完成AliyunServiceRoleForAlikafkaInstanceEncryption的自动创建。
- AliyunServiceRoleForAlikafkaETL:消息队列Kafka版通过扮演该RAM角色,创建数据加工ETL(Extract Transform Load)任务,通过ETL进行数据分析。如果您是在消息队列Kafka版控制台首次开通ETL服务,系统会提示您完成AliyunServiceRoleForAlikafkaETL的自动创建。
策略内容
- AliyunServiceRoleForAlikafka的权限策略如下:
{ "Version": "1", "Statement": [ { "Action": [ "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions", "ecs:DeleteNetworkInterfacePermission", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:DescribeSecurityGroupAttribute", "ecs:RevokeSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:DescribeSecurityGroups" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "vpc:DescribeVSwitches", "vpc:DescribeVpcs" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaConnector的权限策略如下:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "fc:InvokeFunction", "fc:GetFunction", "fc:ListServices", "fc:ListFunctions", "fc:ListServiceVersions", "fc:ListAliases", "fc:CreateService", "fc:DeleteService", "fc:CreateFunction", "fc:DeleteFunction", "fc:CreateLayerVersion", "fc:ListLayers" ], "Resource": "*" }, { "Action": [ "rds:DescribeDatabases" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oss:ListBuckets", "oss:GetBucketAcl" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticsearch:DescribeInstance", "elasticsearch:ListInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dataworks:CreateRealTimeProcess", "dataworks:QueryRealTimeProcessStatus" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "eventbridge:CreateEventStreaming", "eventbridge:UpdateEventStreaming", "eventbridge:GetEventStreaming", "eventbridge:DeleteEventStreaming", "eventbridge:ListEventStreamings", "eventbridge:StartEventStreaming", "eventbridge:PauseEventStreaming", "eventbridge:ListEventStreamingMetrics" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:GetInstance", "ots:ListInstance", "ots:ListTable", "ots:CreateTable", "ots:UpdateTable", "ots:DescribeTable", "ots:GetRow", "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:GetRange", "ots:BatchGetRow", "ots:BatchWriteRow", "ots:BulkImport", "ots:Search", "ots:OpenOtsService", "ots:GetOtsServiceStatus", "ots:InsertInstance", "ots:DeleteTable", "ots:CreateSearchIndex", "ots:DeleteSearchIndex", "ots:UpdateSearchIndex" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "gpdb:DescribeDBInstances", "gpdb:DescribeDBInstanceAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "adb:DescribeDBClusters", "adb:DescribeSchemas", "adb:DescribeTables" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "connector.alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaInstanceEncryption的权限策略如下:
{ "Version":"1", "Statement":[ { "Action":[ "kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEqualsIgnoreCase":{ "kms:tag/acs:alikafka:instance-encryption":"true" } } }, { "Action":"ram:DeleteServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaETL的权限策略如下:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "fc:InvokeFunction", "fc:GetFunction", "fc:ListServices", "fc:ListFunctions", "fc:ListServiceVersions", "fc:ListAliases", "fc:CreateService", "fc:DeleteService", "fc:CreateFunction", "fc:DeleteFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "etl.alikafka.aliyuncs.com" } } }, { "Effect": "Allow", "Action": "ram:PassRole", "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole", "Condition": { "StringEquals": { "acs:Service": "fc.aliyuncs.com" } } } ] }
注意事项
如果您删除了自动创建的服务关联角色,该服务关联角色相关的功能由于权限不足将无法再被使用,请谨慎操作。如需重新创建该服务关联角色并为其授权,请参见创建可信实体为阿里云服务的RAM角色和为RAM角色授权。
常见问题
- 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafka?
如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:
{ "Statement": [ { "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "alikafka.aliyuncs.com" } } } ], "Version": "1" } - 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaConnector?
如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:
{ "Statement": [ { "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "connector.alikafka.aliyuncs.com" } } } ], "Version": "1" } - 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaInstanceEncryption?
如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:
{ "Statement":[ { "Action":[ "ram:CreateServiceLinkedRole" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com" } } } ], "Version":"1" } - 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaETL?
如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:
{ "Statement":[ { "Action":[ "ram:CreateServiceLinkedRole" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"etl.alikafka.aliyuncs.com" } } } ], "Version":"1" }
如果您的RAM用户被授予该权限策略后,仍然无法自动创建服务关联角色,请为该RAM用户授予权限策略AliyunKafkaFullAccess。具体操作,请参见为RAM用户授权。