Solution for insufficient permissions of a RAM user (sub-account)
Problem
A user gets an error when configuring an RDS data source with a RAM user (sub-account):
Background: Configuring a data source in OpenSearch requires OpenSearch to access resources of the cloud services Rds/PolarDB/DRDS. Access to these resources is subject to permission checks. To simplify configuration for users, the required access permissions can be obtained through the service-linked role feature. For details, see "OpenSearch service-linked role".
Solution for the case above: Use the Alibaba Cloud account (main account) to add the AliyunServiceRoleForOpenSearch role, which grants the permissions needed to access the RDS data source. The steps are as follows:
1. First, log on to Alibaba Cloud with the main account and open the RAM (Resource Access Management) console:
2. Under Roles, search for AliyunServiceRoleForOpenSearch:
If it already exists, add this role directly:
If it does not exist, it has to be created manually:
3. Create the AliyunServiceRoleForOpenSearch role manually (optional):
3.1. Identities > Roles > Create Role:
3.2. Select "Alibaba Cloud Service" and click Next:
3.3. Select "Service-linked role", search for OpenSearch (开放搜索), and click OK:
After it has been created, AliyunServiceRoleForOpenSearch can be found by searching under Roles:
The permissions of this role are exactly the ones needed for data-source operations:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDBInstances",
                "rds:DescribeDatabases",
                "rds:DescribeDBInstanceIPArrayList",
                "rds:DescribeAccounts",
                "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps",
                "rds:DescribeResourceUsage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstance",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:DescribeRdsList",
                "drds:DescribeDrdsDB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:ConfigureSubscriptionInstance",
                "dts:CreateConsumerGroup",
                "dts:StartSubscriptionInstance",
                "dts:DescribeSubscriptionInstanceStatus",
                "dts:DescribeConsumerGroup",
                "dts:DeleteConsumerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "opensearch.aliyuncs.com"
                }
            }
        }
    ]
}