
TPP service-linked role

This topic describes the TPP service-linked role (ServiceLinkedRole, SLR) AliyunServiceRoleForAIRecTPP and how to delete it.

Background

In some cases TPP needs access to other cloud services in order to perform its own functions. These permissions are bundled into the service-linked role AliyunServiceRoleForAIRecTPP. Once you have added the role, TPP assumes this RAM role to access the other cloud resources in your account. For more information about service-linked roles, see Service-linked roles.

Example: when a TPP service cluster is created automatically, TPP needs the CIDR block information of your VPC. VPC is itself a cloud service, and TPP reads the VPC resources by assuming AliyunServiceRoleForAIRecTPP.

Scenarios

When the TPP instance resource-management feature needs to access resources of Log Service (SLS), Elastic Compute Service (ECS), or Virtual Private Cloud (VPC), including enabling PrivateLink, it obtains the required permissions through the automatically created service-linked role AliyunServiceRoleForAIRecTPP.

Permissions

AliyunServiceRoleForAIRecTPP is granted the following permissions on cloud services. Note that every statement except the last one uses "Resource": "*", so the mutating actions (creating and deleting VPC endpoints, ENIs, route entries, SLS projects and logstores) are not scoped to particular resources in your account.

Permissions on Virtual Private Cloud (VPC) and PrivateLink (plus read-only lookups of ECS security groups and SLB instances)

{
    "Action": [
        "privatelink:UpdateVpcEndpointServiceAttribute",
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:AttachResourceToVpcEndpointService",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:UpdateVpcEndpointConnectionAttribute",
        "privatelink:EnableVpcEndpointConnection",
        "privatelink:DisableVpcEndpointConnection",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "vpc:DescribeVpcs",
        "vpc:DescribeVpcAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "slb:DescribeLoadBalancers"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Permissions on Elastic Compute Service (ECS)

{
    "Action": [
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateRouteEntry",
        "ecs:DeleteRouteEntry",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}

Permissions on Log Service (SLS)

{
    "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Permission to create the PrivateLink service-linked role. The Condition on ram:ServiceName limits this statement to the PrivateLink service (privatelink.aliyuncs.com), so the role can create that one service-linked role but no others.

{
    "Action": [
        "ram:CreateServiceLinkedRole"
    ],
    "Resource": "acs:ram:*:*:role/*",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "privatelink.aliyuncs.com"
        }
    },
    "Effect": "Allow"
}
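To check what this role can actually do before accepting it in an account, the following added example (not Alibaba Cloud code, and not part of the original page) implements a minimal RAM policy evaluator over a constructed copy of the statements listed above. It assumes RAM's "*" and "?" wildcards behave like fnmatch patterns, models only the StringEquals and StringNotEquals condition operators (anything else fails closed), shortens the SLS action list to a few entries, and uses a made-up account ID in the resource ARNs.

```python
# Added example for this page, not Alibaba Cloud code: a minimal RAM policy
# evaluator that answers "what can this SLR actually do?" before you accept
# it in an account. SLR_POLICY is a constructed copy of the statements
# listed above, with the SLS action list shortened.
import fnmatch

SLR_POLICY = {
    "Statement": [
        {
            "Action": [
                "privatelink:CreateVpcEndpoint", "privatelink:ListVpcEndpoints",
                "privatelink:AttachSecurityGroupToVpcEndpoint",
                "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
                "ecs:DescribeSecurityGroups", "slb:DescribeLoadBalancers",
            ],
            "Resource": "*", "Effect": "Allow",
        },
        {
            "Action": [
                "ecs:DescribeNetworkInterfaces", "ecs:CreateRouteEntry",
                "ecs:DeleteRouteEntry", "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
            ],
            "Resource": ["*"], "Effect": "Allow",
        },
        {   # SLS statement shortened for the example
            "Action": [
                "log:CreateProject", "log:GetProject", "log:CreateLogStore",
                "log:DeleteLogStore", "log:PostLogStoreLogs", "log:PullLogs",
            ],
            "Resource": "*", "Effect": "Allow",
        },
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": "acs:ram:*:*:role/*",
            "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}},
            "Effect": "Allow",
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    # RAM action/resource strings use '*' (any run) and '?' (one char);
    # fnmatchcase has the same semantics for those two metacharacters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals / StringNotEquals are modelled; any other
    # operator fails closed, the safe default for an auditor.
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if `action` on `resource` is allowed under `context`.
    Explicit Deny wins over Allow; no matching statement means deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_match(stmt["Action"], action) and _match(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def write_actions_on_wildcard(policy):
    """Mutating actions granted on Resource '*': the least-privilege
    question a reviewer asks of an SLR (which destructive calls are unscoped?)."""
    read_prefixes = ("Describe", "Get", "List", "Pull", "HeartBeat")
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if not action.split(":", 1)[1].startswith(read_prefixes):
                found.add(action)
    return sorted(found)
```

With this evaluator, is_allowed(SLR_POLICY, "ram:CreateServiceLinkedRole", "acs:ram:*:1234567890:role/AliyunServiceRoleForPrivatelink", {"ram:ServiceName": "privatelink.aliyuncs.com"}) is True, while the same call with "ecs.aliyuncs.com" in the context, or with no context at all, is False, which is exactly the guarantee the Condition on the last statement provides. write_actions_on_wildcard(SLR_POLICY) lists the unscoped mutating calls (endpoint, ENI, route-entry and logstore creation and deletion); that list is what to weigh when deciding whether the role's scope is acceptable.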

Create AliyunServiceRoleForAIRecTPP

When you purchase a TPP instance, click Create service-linked role and the role is created automatically in your account.


After the role has been created, you can view it in the RAM console.


Delete AliyunServiceRoleForAIRecTPP

If you have already purchased a TPP instance, you cannot delete AliyunServiceRoleForAIRecTPP until every TPP instance in the account has been released. Once the role is deleted, TPP service clusters can no longer be created, and the TPP personalized computing platform will not work.


If you must delete the role, first delete or release all TPP instances in the account, then locate the role in the RAM console and delete it.

