服务关联角色

更新时间:

本文介绍云消息队列 RabbitMQ 版服务关联角色的背景信息,权限策略、注意事项和常见问题。

背景信息

服务关联角色是某个云服务在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。您在该云服务的控制台首次使用该功能时,系统会提示您完成服务关联角色的自动创建。更多服务关联角色相关信息,请参见服务关联角色

云消息队列 RabbitMQ 版提供以下服务关联角色:

服务关联角色

ServiceName

内容

AliyunServiceRoleForAmqpMonitoring

monitoring.amqp.aliyuncs.com

云消息队列 RabbitMQ 版通过扮演该RAM角色,获取云监控和阿里云应用实时监控服务ARMS的权限,以实现自身的监控报警和Dashboard功能。您在云消息队列 RabbitMQ 版控制台首次使用监控报警和Dashboard时,系统会提示您完成AliyunServiceRoleForAmqpMonitoring的自动创建。更多信息,请参见监控指标Dashboard

AliyunServiceRoleForAmqpLogDelivery

logdelivery.amqp.aliyuncs.com

云消息队列 RabbitMQ 版通过扮演该RAM角色,获取日志服务的访问权限,以实现自身的消息日志功能。您在云消息队列 RabbitMQ 版控制台首次使用消息日志时,系统会提示您完成AliyunServiceRoleForAmqpLogDelivery的自动创建。更多信息,请参见配置消息日志

AliyunServiceRoleForAmqpNetwork

network.amqp.aliyuncs.com

允许云消息队列 RabbitMQ 版使用此角色访问您的私网连接(PrivateLink)服务完成专有网络VPC相关功能。您在云消息队列 RabbitMQ 版控制台首次使用私网连接接入点时,系统会提示您完成创建。

AliyunServiceRoleForAmqpEncrypt

encrypt.amqp.aliyuncs.com

允许云消息队列 RabbitMQ 版使用此角色访问您的KMS服务完成存储加密相关功能。您在云消息队列 RabbitMQ 版控制台购买独享加密实例时,系统会提示您完成创建。如果您为RAM用户,也可以在OpenAPI使用CreateServiceLinkedRole接口创建。

权限策略

  • AliyunServiceRoleForAmqpMonitoring的权限策略如下:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "cms:DescribeMetricRuleList",
                    "cms:DescribeMetricList",
                    "cms:DescribeMetricData"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:OpenVCluster",
                    "arms:ListDashboards",
                    "arms:CheckServiceStatus"
                   ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAmqpLogDelivery的权限策略如下:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject",
            "log:ListLogStores",
            "log:PostLogStoreLogs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForAmqpNetwork的权限策略如下:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:DeleteVpcEndpoint",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:ListVpcEndpointServicesByEndUser",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:AttachSecurityGroupToVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcAttribute",
                    "vpc:DescribeVpcs",
                    "vpc:ListVSwitchCidrReservations",
                    "vpc:GetVSwitchCidrReservationUsage",
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVSwitchAttributes",
                    "Ecs:CreateSecurityGroup",
                    "Ecs:DeleteSecurityGroup",
                    "Ecs:DescribeSecurityGroupAttribute",
                    "Ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "network.amqp.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAmqpEncrypt的权限策略如下:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:List*",
            "kms:DescribeKey",
            "kms:TagResource",
            "kms:UntagResource"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "kms:tag/acs:rabbitmq:instance-encryption": "true"
            }
          }
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "encrypt.amqp.aliyuncs.com"
            }
          }
        }
      ]
    }

注意事项

如果您删除了自动创建的服务关联角色,该服务关联角色相关的功能由于权限不足将无法再被使用,请谨慎操作。如需重新创建该服务关联角色并为其授权,请参见创建可信实体为阿里云服务的RAM角色为RAM角色授权

常见问题

为什么我的RAM用户无法自动创建云消息队列 RabbitMQ 版服务关联角色?

如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:${accountid}:role/*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.amqp.aliyuncs.com",
            "monitoring.amqp.aliyuncs.com",
            "network.amqp.aliyuncs.com",
            "encrypt.amqp.aliyuncs.com"
          ]
                }
            }
        }
    ],
    "Version": "1"
}
说明

请将${accountid}替换为您的阿里云账号ID。

如果您的RAM用户被授予该权限策略后,仍然无法自动创建服务关联角色,请为该RAM用户授予权限策略AliyunAMQPFullAccess。具体操作,请参见为RAM用户授权