This topic describes the TPP service-linked role (ServiceLinkedRole, SLR) AliyunServiceRoleForAIRecTPP and how to delete it.
Background
In some cases, TPP needs access to other cloud services to perform its own functions. These permissions are bundled into the service-linked role AliyunServiceRoleForAIRecTPP; after a user adds this role, TPP accesses the other cloud resources by assuming the RAM role. For more information about service-linked roles, see Service-linked roles.
For example, when a TPP service cluster is created automatically, TPP needs the CIDR block information of the user's VPC. The VPC is itself a cloud service, and TPP accesses the user's VPC resources by assuming AliyunServiceRoleForAIRecTPP.
Scenarios
When the TPP instance resource management feature needs to access resources of Log Service (SLS), Elastic Compute Service (ECS), and Virtual Private Cloud (VPC, including enabling PrivateLink), it obtains the required permissions through the automatically created TPP service-linked role AliyunServiceRoleForAIRecTPP.
Permissions
AliyunServiceRoleForAIRecTPP has the following access permissions on cloud services:
Access permissions on Virtual Private Cloud (VPC):
{
  "Action": [
    "privatelink:UpdateVpcEndpointServiceAttribute", "privatelink:GetVpcEndpointServiceAttribute",
    "privatelink:AttachResourceToVpcEndpointService", "privatelink:ListVpcEndpointConnections",
    "privatelink:UpdateVpcEndpointConnectionAttribute", "privatelink:EnableVpcEndpointConnection",
    "privatelink:DisableVpcEndpointConnection", "privatelink:CreateVpcEndpoint",
    "privatelink:ListVpcEndpoints", "privatelink:UpdateVpcEndpointAttribute",
    "privatelink:GetVpcEndpointAttribute", "privatelink:AddZoneToVpcEndpoint",
    "privatelink:ListVpcEndpointSecurityGroups", "privatelink:AttachSecurityGroupToVpcEndpoint",
    "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:ListVpcEndpointZones",
    "vpc:DescribeVpcs", "vpc:DescribeVpcAttribute",
    "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupAttribute",
    "vpc:DescribeVSwitches", "vpc:DescribeVSwitchAttributes",
    "slb:DescribeLoadBalancers"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions on Elastic Compute Service (ECS):
{
  "Action": [
    "ecs:DescribeNetworkInterfaces", "ecs:CreateRouteEntry", "ecs:DeleteRouteEntry",
    "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupAttribute"
  ],
  "Resource": [ "*" ],
  "Effect": "Allow"
}

Access permissions on Log Service (SLS):
{
  "Action": [
    "log:CreateProject", "log:GetProject", "log:GetLogStoreLogs", "log:GetHistograms", "log:GetLogStoreHistogram",
    "log:GetLogStore", "log:ListLogStores", "log:CreateLogStore", "log:DeleteLogStore", "log:UpdateLogStore",
    "log:GetCursorOrData", "log:GetCursor", "log:PullLogs", "log:ListShards", "log:PostLogStoreLogs",
    "log:CreateConfig", "log:UpdateConfig", "log:DeleteConfig", "log:GetConfig", "log:ListConfig",
    "log:CreateMachineGroup", "log:UpdateMachineGroup", "log:DeleteMachineGroup", "log:GetMachineGroup", "log:ListMachineGroup",
    "log:ListMachines", "log:ApplyConfigToGroup", "log:RemoveConfigFromGroup", "log:GetAppliedMachineGroups", "log:GetAppliedConfigs",
    "log:GetShipperStatus", "log:RetryShipperTask", "log:CreateConsumerGroup", "log:UpdateConsumerGroup", "log:DeleteConsumerGroup",
    "log:ListConsumerGroup", "log:UpdateCheckPoint", "log:HeartBeat", "log:GetCheckPoint", "log:CreateIndex",
    "log:DeleteIndex", "log:GetIndex", "log:UpdateIndex", "log:CreateSavedSearch", "log:UpdateSavedSearch",
    "log:GetSavedSearch", "log:DeleteSavedSearch", "log:ListSavedSearch", "log:CreateDashboard", "log:UpdateDashboard",
    "log:GetDashboard", "log:DeleteDashboard", "log:ListDashboard", "log:CreateJob", "log:UpdateJob"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permission to create the PrivateLink service-linked role:
{
  "Action": [ "ram:CreateServiceLinkedRole" ],
  "Resource": "acs:ram:*:*:role/*",
  "Condition": { "StringEquals": { "ram:ServiceName": "privatelink.aliyuncs.com" } },
  "Effect": "Allow"
}
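As an added example that is not part of the original page, the following Python check loads two of the statements above (the ECS statement and the PrivateLink SLR statement, copied from the page) and summarizes each for a least-privilege review: how many actions only read state, how many mutate it, whether Resource is the bare "*", and whether a Condition narrows the grant. The read-only verb list is an assumption of this example, not a RAM classification.

```python
"""Least-privilege triage of RAM policy statements attached to
AliyunServiceRoleForAIRecTPP. Added example: the two statements are copied
from the page; the triage logic is not part of the product."""
import json
import re

# Assumption of this example: API verbs that only read state. Anything
# else (Create/Delete/Update/Attach/Enable/...) is treated as mutating.
READ_ONLY_VERB = re.compile(r"^(Describe|Get|List|Pull|HeartBeat)")

# Statements copied from the page, as the JSON text a reviewer would receive.
ECS_STATEMENT = json.loads("""{
  "Action": ["ecs:DescribeNetworkInterfaces", "ecs:CreateRouteEntry",
             "ecs:DeleteRouteEntry", "ecs:CreateNetworkInterface",
             "ecs:DeleteNetworkInterface", "ecs:CreateNetworkInterfacePermission",
             "ecs:DeleteNetworkInterfacePermission", "ecs:DescribeSecurityGroups",
             "ecs:DescribeSecurityGroupAttribute"],
  "Resource": ["*"], "Effect": "Allow"}""")
SLR_STATEMENT = json.loads("""{
  "Action": ["ram:CreateServiceLinkedRole"],
  "Resource": "acs:ram:*:*:role/*",
  "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}},
  "Effect": "Allow"}""")


def classify_actions(statement):
    """Split Action into read-only and mutating lists by the API verb."""
    read_only, mutating = [], []
    for action in statement["Action"]:
        _service, _, api = action.partition(":")
        (read_only if READ_ONLY_VERB.match(api) else mutating).append(action)
    return read_only, mutating


def is_unscoped(statement):
    """True when Resource is the bare "*" (given as a string or in a list)."""
    resource = statement["Resource"]
    resources = resource if isinstance(resource, list) else [resource]
    return "*" in resources


def review(statement):
    """Summarize one Allow statement for a least-privilege review."""
    read_only, mutating = classify_actions(statement)
    unscoped, conditioned = is_unscoped(statement), "Condition" in statement
    return {
        "read_only": len(read_only),
        "mutating": len(mutating),
        "unscoped_resource": unscoped,
        "conditioned": conditioned,
        # Mutating actions on "*" with no Condition deserve the closest look.
        "needs_review": bool(mutating) and unscoped and not conditioned,
    }
```

Run on the two statements, the ECS grant is flagged (six mutating actions on "*" with no Condition), while the SLR grant is not: it has one mutating action but is scoped to role ARNs and conditioned on ram:ServiceName.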
Create AliyunServiceRoleForAIRecTPP
When a user purchases a TPP instance and clicks 'Create linked role', the role is created automatically for the user.

After the role is created, you can view it in the RAM console.

Delete AliyunServiceRoleForAIRecTPP
If you have already purchased a TPP instance, you cannot delete the AliyunServiceRoleForAIRecTPP role unless you release all TPP instances under your account. After AliyunServiceRoleForAIRecTPP is deleted, TPP service clusters can no longer be created, and the TPP personalized computing platform stops working normally.

If you must delete this role, first delete or release all TPP instances under the account, then go to the RAM console, find the role and delete it.
