
Use service-linked roles


When Server Load Balancer (SLB) needs to access other cloud resources, it creates, after you grant authorization, a corresponding service-linked role that allows it to access those resources. This topic describes the service-linked roles of ALB, NLB, and CLB.

In most cases, when you use a specific feature, the associated cloud service automatically creates or deletes the service-linked role with your authorization, so you do not need to create or delete it yourself. A service-linked role carries only the permissions that the cloud service needs to operate normally, which reduces the risk of accidental misconfiguration.

Important

Service-linked roles count against your RAM role quota. When the number of RAM roles exceeds the quota, you can still create service-linked roles, but you cannot create roles of other types. For the RAM role quota, see Limits.

Overview of service-linked roles by sub-product:

ALB
  AliyunServiceRoleForAlb: Allows ALB to access your elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), Internet Shared Bandwidth instances, and similar services.
  AliyunServiceRoleForAlbLogDelivery: Allows ALB to access your Log Service (SLS).
  AliyunServiceRoleForAlbClone: Allows ALB-CloneCLB to use this role to access your resources in other cloud services.

NLB
  AliyunServiceRoleForNlb: Allows NLB to access your resources in other cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), elastic network interfaces (ENIs), elastic IP addresses (EIPs), and Internet Shared Bandwidth instances.

CLB
  AliyunServiceRoleForSlbLogDelivery: Allows CLB to access your Log Service (SLS) and Object Storage Service (OSS).
  AliyunServiceRoleForSlbHealthDiagnose: Allows CLB to access your ECS instances.

ALB service-linked roles

AliyunServiceRoleForAlb

Role name: AliyunServiceRoleForAlb

Role permission policy: AliyunServiceRolePolicyForAlb

Permission description: Allows ALB to access your elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), Internet Shared Bandwidth instances, and similar services. Creating, deleting, and modifying the configuration of ALB instances are implemented through cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).

Authorization policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec",
                "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:ModifyEipAddressAttribute",
                "vpc:DeleteIpv6InternetBandwidth",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:MoveResourceGroup",
                "vpc:TagResources",
                "cas:DescribeCACertificate",
                "yundun-waf:DescribeInstanceCompatible",
                "yundun-waf:CreateInstance",
                "eipanycast:AllocateAnycastEipAddress",
                "eipanycast:ModifyAnycastEipAddressAttribute",
                "eipanycast:ReleaseAnycastEipAddress",
                "eipanycast:AssociateAnycastEipAddress",
                "eipanycast:UnassociateAnycastEipAddress",
                "eipanycast:DescribeAnycastEipAddress",
                "eipanycast:ListAnycastEipAddresses"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "alb.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:PutBucket",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetObjectVersion",
                "oss:PutBucketCors"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:oss:*:*:alb-res-backup-*",
                "acs:oss:*:*:alb-res-backup-*/*"
            ]
        }
    ]
}

Conditions for deleting the service-linked role

If you no longer need the ALB service-linked role AliyunServiceRoleForAlb, for example because you no longer create or manage ALB resources, you can delete it. Before you delete AliyunServiceRoleForAlb, make sure that no ALB instances exist in the current account.

AliyunServiceRoleForAlbLogDelivery

Role name: AliyunServiceRoleForAlbLogDelivery

Role permission policy: AliyunServiceRolePolicyForAlbLogDelivery

Permission description: Allows ALB to access your Log Service (SLS). When you enable access logs for an instance, ALB delivers the logs it collects to the Logstore that you specify.

Authorization policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.alb.aliyuncs.com"
        }
      }
    }
  ]
}

Conditions for deleting the service-linked role

To delete the ALB service-linked role AliyunServiceRoleForAlbLogDelivery, first disable the access log feature of the instance. For details, see DisableLoadBalancerAccessLog.

AliyunServiceRoleForAlbClone

Role name: AliyunServiceRoleForAlbClone

Role permission policy: AliyunServiceRolePolicyForAlbClone

Permission description: Service-linked role for Application Load Balancer - Clone Classic Load Balancer (ALB-CloneCLB). Allows ALB-CloneCLB to use this role to access your resources in other cloud services.

Authorization policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ros:CreateTemplateScratch",
                "ros:GetTemplateScratch",
                "ros:GenerateTemplateByScratch",
                "ros:DeleteTemplateScratch",
                "ros:PreviewStack",
                "ros:CreateStack",
                "ros:DeleteStack",
                "ros:GetStack",
                "ros:ListStacks",
                "ros:ListStackResources",
                "ros:GetStackResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alb:CreateLoadBalancer",
                "alb:DeleteLoadBalancer",
                "alb:UpdateLoadBalancerAttribute",
                "alb:GetLoadBalancerAttribute",
                "alb:AttachCommonBandwidthPackageToLoadBalancer",
                "alb:DetachCommonBandwidthPackageFromLoadBalancer",
                "alb:EnableLoadBalancerAccessLog",
                "alb:DisableLoadBalancerAccessLog",
                "alb:EnableLoadBalancerIpv6Internet",
                "alb:DisableLoadBalancerIpv6Internet",
                "alb:DisableDeletionProtection",
                "alb:EnableDeletionProtection",
                "alb:CreateListener",
                "alb:DeleteListener",
                "alb:GetListenerAttribute",
                "alb:UpdateListenerAttribute",
                "alb:StartListener",
                "alb:StopListener",
                "alb:ListListenerCertificates",
                "alb:AssociateAclsWithListener",
                "alb:DissociateAclsFromListener",
                "alb:AssociateAdditionalCertificatesWithListener",
                "alb:DissociateAdditionalCertificatesFromListener",
                "alb:CreateRule",
                "alb:CreateRules",
                "alb:DeleteRules",
                "alb:DeleteRule",
                "alb:UpdateRuleAttribute",
                "alb:UpdateRulesAttribute",
                "alb:ListRules",
                "alb:DeleteAcl",
                "alb:CreateAcl",
                "alb:ListAcls",
                "alb:AddEntriesToAcl",
                "alb:RemoveEntriesFromAcl",
                "alb:ListAclEntries",
                "alb:ListAclRelations",
                "alb:ListServerGroupServers",
                "alb:ListServerGroups",
                "alb:CreateServerGroup",
                "alb:DeleteServerGroup",
                "alb:UpdateServerGroupAttribute",
                "alb:UpdateServerGroupServersAttribute",
                "alb:AddServersToServerGroup",
                "alb:RemoveServersFromServerGroup",
                "alb:CreateHealthCheckTemplate",
                "alb:DeleteHealthCheckTemplates",
                "alb:UpdateHealthCheckTemplateAttribute",
                "alb:GetHealthCheckTemplateAttribute",
                "alb:ListTagResources",
                "alb:UnTagResources",
                "alb:TagResources",
                "alb:DescribeZones",
                "alb:ListAsynJobs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:Describe*",
                "slb:ListTagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "clone.alb.aliyuncs.com"
                }
            }
        }
    ]
}

Conditions for deleting the service-linked role

If you no longer need to migrate CLB instances to ALB with one click, you can delete the ALB service-linked role AliyunServiceRoleForAlbClone. For how to delete a service-linked role, see Delete a RAM role.

NLB service-linked role

AliyunServiceRoleForNlb

Role name: AliyunServiceRoleForNlb

Role permission policy: AliyunServiceRolePolicyForNlb

Permission description: Allows NLB to access your resources in other cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), elastic network interfaces (ENIs), elastic IP addresses (EIPs), and Internet Shared Bandwidth instances.

Scenarios: When NLB needs to access resources of other cloud services, it obtains the required permissions through this service-linked role. Creating, deleting, and modifying the configuration of NLB instances are implemented through cloud services such as ECS and VPC.

Authorization policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterfacePermissions",
                "ecs:DetachNetworkInterfacePermissions",
                "ecs:AssignPrivateIpAddresses",
                "ecs:UnassignPrivateIpAddresses",
                "ecs:DescribeNetworkInterfaceAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:AuthorizeSecurityGroupPermission",
                "ecs:RevokeSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:JoinSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:LeaveSecurityGroupPermission",
                "ecs:DescribeSecurityGroupPermissions",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec",
                "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:ModifyEipAddressAttribute",
                "vpc:DeleteIpv6InternetBandwidth",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:DescribeVSwitchAttributes",
                "vpc:MoveResourceGroup",
                "vpc:TagResources",
                "cas:DescribeCACertificate",
                "eipanycast:AllocateAnycastEipAddress",
                "eipanycast:ListAnycastEipAddresses",
                "eipanycast:AssociateAnycastEipAddress",
                "eipanycast:UnassociateAnycastEipAddress",
                "eipanycast:ReleaseAnycastEipAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "nlb.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:PutBucket",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetObjectVersion",
                "oss:PutBucketCors"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:oss:*:*:nlb-res-backup-*",
                "acs:oss:*:*:nlb-res-backup-*/*"
            ]
        }
    ]
}
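The ALB and NLB policies above share one shape that is worth checking mechanically before you rely on a service-linked role: most actions are granted on `"Resource": "*"`, the only RAM action (`ram:DeleteServiceLinkedRole`) is restricted by a `ram:ServiceName` condition so the role can only remove itself, and the OSS statement is scoped to `*-res-backup-*` buckets. The following Python script is an added example, not Alibaba Cloud's code or tooling. It parses a policy document in the page's format and reports the actions per service, actions that appear more than once (the NLB policy above lists `ecs:DescribeNetworkInterfaces` and `ecs:DeleteSecurityGroupPermission` twice), write actions granted on a wildcard resource without a condition, and whether the self-delete statement is scoped to the expected service. The embedded `SAMPLE_POLICY` is a constructed, trimmed copy modeled on the NLB policy; the read-only verb list is this script's own assumption.

```python
"""Audit a RAM policy document of the kind shown on this page (added example)."""
import json
from collections import defaultdict

# Constructed sample modeled on AliyunServiceRolePolicyForNlb above: a trimmed
# action list that keeps the page's two duplicated actions, the condition-scoped
# ram:DeleteServiceLinkedRole statement, and the bucket-scoped OSS statement.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "vpc:AllocateEipAddress",
                "vpc:DescribeEipAddresses",
            ],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "nlb.aliyuncs.com"}},
        },
        {
            "Action": ["oss:PutObject", "oss:GetObject"],
            "Effect": "Allow",
            "Resource": ["acs:oss:*:*:nlb-res-backup-*", "acs:oss:*:*:nlb-res-backup-*/*"],
        },
    ],
})

# Assumption of this script: API names starting with these verbs are read-only.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for 'svc:DescribeX', 'svc:GetX', 'svc:ListX' style actions."""
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)


def audit_policy(policy_json, expected_service):
    """Summarize an Allow policy and flag the points a reviewer would check."""
    policy = json.loads(policy_json)
    actions_by_service = defaultdict(set)
    seen, duplicates, wildcard_writes = set(), set(), set()
    delete_slr_scoped = False

    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        unconditional_wildcard = "*" in resources and "Condition" not in stmt
        for action in actions:
            service = action.split(":", 1)[0]
            actions_by_service[service].add(action)
            if action in seen:
                duplicates.add(action)
            seen.add(action)
            # A write action on every resource, with no condition, is the broadest grant.
            if unconditional_wildcard and not is_read_only(action):
                wildcard_writes.add(action)
        if "ram:DeleteServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            delete_slr_scoped = cond.get("ram:ServiceName") == expected_service

    return {
        "services": {k: sorted(v) for k, v in sorted(actions_by_service.items())},
        "duplicate_actions": sorted(duplicates),
        "wildcard_write_actions": sorted(wildcard_writes),
        "delete_slr_scoped_to_service": delete_slr_scoped,
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY, "nlb.aliyuncs.com"), indent=2))
```

Pass the full JSON from the page instead of `SAMPLE_POLICY` to audit a real policy; the `expected_service` argument is the value shown on the page for that role (for example `alb.aliyuncs.com` for AliyunServiceRoleForAlb), so a mismatch means the self-delete statement is scoped to a different service than you expected.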

Conditions for deleting the service-linked role

If you no longer use AliyunServiceRoleForNlb, for example because you no longer create or manage NLB resources, you can delete the service-linked role that NLB uses. Before you delete AliyunServiceRoleForNlb, make sure that no NLB instances exist in the current account.

CLB service-linked roles

AliyunServiceRoleForSlbLogDelivery

Service name: logdelivery.slb.aliyuncs.com

Role permission policy: AliyunServiceRolePolicyForSlbLogDelivery

Permission description: Allows Classic Load Balancer (CLB) to access your Log Service (SLS) and Object Storage Service (OSS).

Scenarios: When you enable log delivery for an instance, CLB delivers your logs to your SLS or OSS service.

When the role is created:

  • You enable health check logs, access logs, or second-level monitoring in the console.

  • You call the SetLogsDownloadAttribute or SetAccessLogsDownloadAttribute API operation.

Authorization policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.slb.aliyuncs.com"
        }
      }
    }
  ]
}

Conditions for deleting the service-linked role

If you no longer use AliyunServiceRoleForSlbLogDelivery, for example because CLB no longer needs to access SLS or OSS, you can delete the role. Before you delete AliyunServiceRoleForSlbLogDelivery, make sure that no CLB instances exist in the current account.

AliyunServiceRoleForSlbHealthDiagnose

Service name: healthdiagnose.slb.aliyuncs.com

Role permission policy: AliyunServiceRolePolicyForSlbHealthDiagnose

Permission description: Allows Classic Load Balancer (CLB) to access your ECS instances.

Scenarios: CLB health check diagnosis generates a diagnostic script from the health check configuration of a CLB listener, runs the script on your ECS instances through Cloud Assistant to obtain the diagnosis result, and reports the cause of any problem together with common fixes.

When the role is created:

  • You use the instance diagnostics feature in the console.

  • You call the DiagnoseHealthCheckStatus or DetectHealthCheckStatus API operation.

Authorization policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "healthdiagnose.slb.aliyuncs.com"
        }
      }
    }
  ]
}

Conditions for deleting the service-linked role

If you no longer use AliyunServiceRoleForSlbHealthDiagnose, for example because CLB no longer needs to access ECS, you can delete the role. Before you delete AliyunServiceRoleForSlbHealthDiagnose, make sure that no CLB instances exist in the current account.
