如何授权办公安全平台访问云资源_办公安全平台(SASE)-阿里云帮助中心

首次使用办公安全平台前，您需要先授予办公安全平台访问云资源的权限。本文介绍如何授权。

前提条件

您已开通办公安全平台。
您使用的是阿里云主账号或拥有创建和删除服务关联角色权限的RAM账号。

背景信息

首次使用办公安全平台时，阿里云会自动创建办公安全平台的关联角色AliyunServiceRoleForCsas，授权办公安全平台访问其他关联的阿里云服务。服务关联角色无需您手动创建或做任何修改。相关内容请参见服务关联角色。

操作步骤

登录办公安全平台控制台。
在欢迎使用SASE对话框，单击确认创建。
您开通办公安全平台后，首次登录控制台时，办公安全平台会提示您创建服务关联角色的流程。
当您单击确认创建后，阿里云将自动为您创建SASE的服务关联角色AliyunServiceRoleForCsas。您可以在RAM控制台的RAM角色管理页面查看阿里云为SASE自动创建的服务关联角色。只有创建服务关联角色完成后，您的SASE实例才能访问IDaaS、SAG等云服务的资源。

办公安全平台关联角色介绍

以下是办公安全平台关联角色的介绍：

角色名称：AliyunServiceRoleForCsas
权限策略名称：AliyunServiceRolePolicyForCsas
说明该权限策略为系统默认提供的策略，其策略名称和策略内容都不支持修改。

权限策略示例：

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:RevokeSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:ModifySecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeGlobalDistributeCache",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeSecurityGroupConfiguration",
        "kvstore:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps",
        "dds:DescribeSecurityGroupConfiguration",
        "dds:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:DescribePhysicalConnections",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeVpnGateway",
        "vpc:DescribeCustomerGateways",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteEntryList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:GrantInstanceToCen",
        "cen:RevokeInstanceFromCen"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "smartag:CreateSmartAGTrafficService",
        "smartag:UpdateSmartAGTrafficService",
        "smartag:DeleteSmartAGTrafficSerivce",
        "smartag:ListSmartAGTrafficService",
        "smartag:DescribeSmartAccessGateways",
        "smartag:DescribeCloudConnectNetworks",
        "smartag:CreateCloudConnectNetwork",
        "smartag:ModifyCloudConnectNetwork",
        "smartag:DeleteCloudConnectNetwork",
        "smartag:CreateSmartAccessGatewaySoftware",
        "smartag:UpgradeSmartAccessGatewaySoftware",
        "smartag:DowngradeSmartAccessGatewaySoftware",
        "smartag:BindSmartAccessGateway",
        "smartag:UnbindSmartAccessGateway"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard"
      ],
      "Resource": "acs:log:*:*:project/csas-project-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZoneRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "csas.aliyuncs.com"
        }
      }
    }
  ]
}

授权SASE访问云资源

前提条件

背景信息

操作步骤

办公安全平台关联角色介绍

相关问题