首次使用云安全访问服务(CSAS)前,您需要先完成允许CSAS访问云资源的授权。本文介绍如何进行云资源授权。

前提条件

  • 您已开通CSAS服务。
  • 您使用的是阿里云主账号或拥有创建和删除服务关联角色权限的RAM账号。

背景信息

首次使用CSAS服务时,阿里云会自动创建CSAS的服务关联角色AliyunServiceRoleForCsas,用于授权CSAS访问其他关联的阿里云服务。该服务关联角色无需您手动创建,也无需做任何修改。相关内容请参见服务关联角色。

操作步骤

  1. 登录云安全访问服务控制台。
  2. 在欢迎使用CSAS对话框中,单击确认创建。
    您开通CSAS服务后,首次登录CSAS控制台时,CSAS会提示您完成创建服务关联角色的流程。
    当您单击确认创建后,阿里云将自动为您创建CSAS的服务关联角色AliyunServiceRoleForCsas。您可以在RAM控制台的RAM角色管理页面查看阿里云为CSAS自动创建的服务关联角色。只有在服务关联角色创建完成后,您的CSAS实例才能访问IDaaS、SAG等云服务的资源。

CSAS服务关联角色介绍

以下是CSAS服务关联角色的介绍:

  • 角色名称:AliyunServiceRoleForCsas
  • 权限策略名称:AliyunServiceRolePolicyForCsas
    说明 该权限策略为系统默认提供的策略,其策略名称和策略内容都不支持修改。
  • 权限策略示例:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:DescribeInstances",
            "ecs:CreateSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupRule",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:CreateNetworkInterfacePermission",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:DeleteNetworkInterfacePermission",
            "ecs:AttachNetworkInterface",
            "ecs:DetachNetworkInterface",
            "ecs:RevokeSecurityGroup"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:DescribeDBInstances",
            "rds:DescribeSecurityGroupConfiguration",
            "rds:ModifySecurityGroupConfiguration",
            "rds:DescribeDBInstanceIPArrayList",
            "rds:ModifySecurityIps"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "kvstore:DescribeInstances",
            "kvstore:DescribeGlobalDistributeCache",
            "kvstore:DescribeSecurityIps",
            "kvstore:ModifySecurityIps",
            "kvstore:DescribeSecurityGroupConfiguration",
            "kvstore:ModifySecurityGroupConfiguration"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dds:DescribeDBInstances",
            "dds:DescribeSecurityIps",
            "dds:ModifySecurityIps",
            "dds:DescribeSecurityGroupConfiguration",
            "dds:ModifySecurityGroupConfiguration"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "polardb:DescribeDBClusters",
            "polardb:DescribeDBClusterAccessWhitelist",
            "polardb:ModifyDBClusterAccessWhitelist"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "vpc:CreateVpc",
            "vpc:DeleteVpc",
            "vpc:CreateVSwitch",
            "vpc:DeleteVSwitch",
            "vpc:DescribeZones",
            "vpc:DescribePhysicalConnections",
            "vpc:DescribeVirtualBorderRouters",
            "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
            "vpc:DescribeVpnGateways",
            "vpc:DescribeVpnGateway",
            "vpc:DescribeCustomerGateways",
            "vpc:DescribeVpnConnections",
            "vpc:DescribeVpcAttribute",
            "vpc:DescribeRouteTables",
            "vpc:DescribeRouteTableList",
            "vpc:DescribeRouteEntryList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cen:DescribeCens",
            "cen:DescribeCenAttachedChildInstances",
            "cen:DescribeCenAttachedChildInstanceAttribute",
            "cen:AttachCenChildInstance",
            "cen:DetachCenChildInstance",
            "cen:GrantInstanceToCen",
            "cen:RevokeInstanceFromCen"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "smartag:CreateSmartAGTrafficService",
            "smartag:UpdateSmartAGTrafficService",
            "smartag:DeleteSmartAGTrafficSerivce",
            "smartag:ListSmartAGTrafficService",
            "smartag:DescribeSmartAccessGateways",
            "smartag:DescribeCloudConnectNetworks",
            "smartag:CreateCloudConnectNetwork",
            "smartag:ModifyCloudConnectNetwork",
            "smartag:DeleteCloudConnectNetwork",
            "smartag:CreateSmartAccessGatewaySoftware",
            "smartag:UpgradeSmartAccessGatewaySoftware",
            "smartag:DowngradeSmartAccessGatewaySoftware",
            "smartag:BindSmartAccessGateway",
            "smartag:UnbindSmartAccessGateway"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:PostLogStoreLogs",
            "log:GetProject",
            "log:ListProject",
            "log:GetLogStore",
            "log:ListLogStores",
            "log:CreateLogStore",
            "log:CreateProject",
            "log:GetIndex",
            "log:CreateIndex",
            "log:UpdateIndex",
            "log:CreateDashboard",
            "log:ClearLogStoreStorage",
            "log:UpdateLogStore",
            "log:UpdateDashboard",
            "log:CreateSavedSearch",
            "log:UpdateSavedSearch",
            "log:DeleteLogStore",
            "log:DeleteSavedSearch",
            "log:GetSavedSearch",
            "log:ListSavedSearch",
            "log:DeleteDashboard",
            "log:GetDashboard",
            "log:ListDashboard"
          ],
          "Resource": "acs:log:*:*:project/csas-project-*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "pvtz:DescribeZones",
            "pvtz:DescribeZoneInfo",
            "pvtz:DescribeZoneRecords"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "csas.aliyuncs.com"
            }
          }
        }
      ]
    }

相关问题

为什么我使用RAM用户无法自动创建CSAS服务关联角色?

RAM用户需要拥有指定的权限,才能自动创建或删除服务关联角色。您需为RAM用户添加以下权限策略,其中Resource中的主账号ID需替换为您实际的阿里云主账号ID:
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "csas.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
说明 详细操作步骤指导,请参见为RAM角色授权。