本文为您介绍资源元数据中心服务关联角色(AliyunServiceRoleForResourceMetaCenter)的应用场景、权限策略、创建及删除操作。

应用场景

资源元数据中心通过服务关联角色(AliyunServiceRoleForResourceMetaCenter)访问其他云服务中的资源,进而获取资源元数据(资源名称、IP地址或标签)信息,然后根据资源元数据搜索资源。

关于服务关联角色的更多信息,请参见《服务关联角色》。

权限说明

角色名称:AliyunServiceRoleForResourceMetaCenter。

权限策略:AliyunServiceRolePolicyForResourceMetaCenter。

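权限说明:允许资源元数据中心以只读类操作(如Describe、List、Get、Query)访问其他云服务的资源;允许创建和删除服务名称为rmc.resourcemanager.aliyuncs.com的服务关联角色;同时显式拒绝arms:GetPrometheusApiToken操作。策略内容如下: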

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:Describe*",
                "ess:Describe*",
                "vpc:Describe*",
                "vpc:List*",
                "vpc:Get*",
                "rds:DescribeDBInstance*",
                "rds:DescribeRegions",
                "rds:DescribeBackup*",
                "rds:DescribeParameters",
                "rds:DescribeSQLCollector*",
                "rds:DescribeParameterGroup*",
                "rds:DescribeGadInstance*",
                "slb:Describe*",
                "*:DescribeTags",
                "oss:GetService",
                "oss:GetBucket*",
                "oss:ListBuckets",
                "oss:ListObjects",
                "ram:List*",
                "ram:Get*",
                "actiontrail:LookupEvents",
                "actiontrail:Describe*",
                "actiontrail:Get*",
                "actiontrail:List*",
                "ots:BatchGet*",
                "ots:Describe*",
                "ots:Get*",
                "ots:List*",
                "ocs:Describe*",
                "cms:Get*",
                "cms:List*",
                "cms:Query*",
                "cms:BatchQuery*",
                "cms:Describe*",
                "kvstore:Describe*",
                "fc:Get*",
                "fc:List*",
                "kms:DescribeKey",
                "kms:DescribeRegions",
                "kms:ListAliases",
                "kms:ListAliasesByKeyId",
                "kms:ListKeys",
                "kms:DescribeKeyVersion",
                "kms:ListKeyVersions",
                "kms:ListSecrets",
                "kms:ListResourceTags",
                "kms:DescribeSecret",
                "cdn:Describe*",
                "yundun*:Get*",
                "yundun*:Describe*",
                "yundun*:Query*",
                "yundun*:List*",
                "polardb:Describe*",
                "dds:Describe*",
                "cen:Describe*",
                "mns:List*",
                "mns:Get*",
                "resourcemanager:Get*",
                "resourcemanager:List*",
                "composer:GetFlow",
                "composer:DescribeFlow",
                "nas:Describe*",
                "hbase:Describe*",
                "hbase:Get*",
                "hbase:List*",
                "hbase:Query*",
                "cs:Get*",
                "cs:List*",
                "dms:List*",
                "dms:Get*",
                "mq:OnsInstanceInServiceList",
                "mq:OnsInstanceBaseInfo",
                "mq:OnsTopicList",
                "mq:OnsGroupList",
                "mq:QueryInstanceBaseInfo",
                "mq:List*",
                "alidns:Describe*",
                "alidns:List*",
                "mse:Query*",
                "mse:List*",
                "mse:Get*",
                "ros:Describe*",
                "ros:Get*",
                "ros:List*",
                "elasticsearch:List*",
                "elasticsearch:Describe*",
                "dcdn:Describe*",
                "hcs-sgw:Describe*",
                "eci:Describe*",
                "privatelink:List*",
                "privatelink:Get*",
                "yundun-antiddosbag:Describe*",
                "yundun-cert:Describe*",
                "brain-industrial:List*",
                "brain-industrial:Get*",
                "imagesearch:List*",
                "imagesearch:Describe*",
                "hitsdb:Describe*",
                "apigateway:Describe*",
                "cmn:List*",
                "cmn:Get*",
                "ledgerdb:Describe*",
                "pvtz:Describe*",
                "oos:Search*",
                "oos:List*",
                "oos:Get*",
                "adb:Describe*",
                "edas:Read*",
                "drds:Describe*",
                "gpdb:Describe*",
                "log:ListProject",
                "log:GetProject",
                "log:ListLogStores",
                "log:GetLogStore",
                "eventbridge:Get*",
                "eventbridge:List*",
                "*:ListTagResources",
                "emr:List*",
                "emr:Describe*",
                "iot:List*",
                "iot:Get*",
                "iot:Query*",
                "smartag:Describe*",
                "smartag:List*",
                "alb:List*",
                "alb:Get*",
                "opensearch:List*",
                "opensearch:Describe*",
                "oceanbase:Describe*",
                "oceanbase:List*",
                "bpstudio:Get*",
                "bpstudio:List*",
                "cr:List*",
                "cr:GetInstance",
                "cr:GetNamespace",
                "cr:GetRepository",
                "alikafka:List*",
                "alikafka:Get*",
                "dts:Describe*",
                "arms:Get*",
                "arms:List*",
                "arms:Describe*",
                "polardbx:Describe*",
                "hbr:Describe*",
                "live:Describe*",
                "vod:Describe*",
                "vod:List*",
                "vod:Get*",
                "lindorm:Get*",
                "ga:List*",
                "ga:Get*",
                "ga:Describe*",
                "searchengine:Get*",
                "searchengine:List*",
                "smc:Describe*",
                "dysms:QuerySmsTemplate*",
                "dysms:ListTagResources",
                "ddi:List*",
                "ddi:Describe*",
                "cloudsso:List*",
                "cloudsso:Get*",
                "baas:DescribeFabricOrganizations",
                "baas:DescribeFabricOrganization",
                "baas:DescribeFabricConsortiums",
                "cloudphone:List*",
                "scdn:Describe*",
                "config:List*",
                "config:Get*",
                "composer:List*",
                "composer:Get*",
                "dm:QueryTemplate*",
                "dm:DescTemplate*",
                "dm:QueryDomain*",
                "dm:DescDomain*",
                "resourcesharing:List*",
                "domain:Query*",
                "dyvms:List",
                "fnf:List*",
                "fnf:Describe*",
                "ebs:Describe*",
                "rocketmq:List*",
                "rocketmq:Get*",
                "dbs:Describe*",
                "clickhouse:Describe*",
                "dhs:List*",
                "dhs:Get*",
                "gdb:Describe*",
                "eipanycast:List*",
                "eipanycast:Describe*",
                "eais:Describe*",
                "odps:List*",
                "odps:Get*",
                "dataworks:List*",
                "dataworks:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rmc.resourcemanager.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rmc.resourcemanager.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "arms:GetPrometheusApiToken"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

创建服务关联角色

当您使用资源元数据(资源名称、IP地址或标签)搜索资源时,您需要开启资源元数据中心服务。开启过程中,系统会自动创建该服务关联角色。具体操作,请参见《搜索资源组中的资源》和《跨资源组搜索资源》。

删除服务关联角色

当您不需要使用资源元数据(资源名称、IP地址或标签)搜索功能时,您可以在RAM控制台手动删除该服务关联角色。具体操作,请参见《删除RAM角色》。