This topic describes the service-linked role of Privileged Access Management (PAM), AliyunServiceRoleForBastionhostPam, and how PAM uses this role to access cloud resources such as ECS and VPC on your behalf.
Prerequisites
You are using an Alibaba Cloud account (the root account), or a RAM user (a sub-account) that has permission to create and delete service-linked roles.
For a RAM user, creating and deleting the service-linked role requires the following policy statement. Note that the Condition restricts the permission to service-linked roles belonging to PAM (ram:ServiceName equal to pam.aliyuncs.com), so the RAM user cannot create or delete service-linked roles of other services with it:
{
    "Action": [
        "ram:CreateServiceLinkedRole",
        "ram:DeleteServiceLinkedRole"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "pam.aliyuncs.com"
        }
    }
}
Background information
A service-linked role is a RAM role that is associated with a specific cloud service. In some scenarios, a cloud service needs access to other cloud services in order to perform one of its functions, and the service-linked role grants exactly that access. For more information, see Service-linked roles.
Create the service-linked role
When you log on to the PAM console for the first time and complete asset authorization, PAM automatically creates the service-linked role; you do not need to create it manually or modify it. Only after this role has been created can PAM access cloud resources and perform O&M operations on ECS instances.
After the service-linked role has been created, you can go to the RAM console and view the automatically created role AliyunServiceRoleForBastionhostPam on the Roles page. For details, see View RAM roles.
The PAM service-linked role is described as follows:
Role name: AliyunServiceRoleForBastionhostPam
Policy name: AliyunServiceRolePolicyForBastionhostPam
Note: This policy is a system policy provided by default. Neither its name nor its content can be modified.
Policy example (three statements: read/manage access to ECS, ACK, VPC, IDaaS, Security Center and PrivateLink resources; permission to delete PAM's own service-linked role; and permission to create the PrivateLink service-linked role, scoped by ram:ServiceName to privatelink.aliyuncs.com):
{
    "Statement": [
        {
            "Action": [
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "cs:DescribeClustersV1",
                "cs:GetClusters",
                "cs:DescribeClusterDetail",
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "yundun-idaas:DescribeInstances",
                "yundun-idaas:DescribeApplicationDefaults",
                "yundun-idaas:CreateApplication",
                "yundun-idaas:UpdateApplicationAPIStatus",
                "yundun-idaas:DescribeApplicationDetail",
                "yundun-idaas:DescribeAppApiDetail",
                "yundun-idaas:ListApplicationAuthAccount",
                "yundun-idaas:DeleteSelectedApplication",
                "yundun-idaas:VerifyUserPassword",
                "yundun-idaas:VerifyUserOTP",
                "yundun-idaas:VerifySmsCode",
                "yundun-idaas:ObtainSmsCode",
                "yundun-idaas:DescribeUser2FactorStatus",
                "yundun-idaas:DescribeIndexUserDetails",
                "yundun-idaas:DescribeUsersInOU",
                "yundun-sas:DescribeVersionConfig",
                "yundun-sas:DescribeExposedInstanceList",
                "privatelink:CheckProductOpen",
                "privatelink:OpenPrivateLinkService",
                "privatelink:ListVpcEndpoints",
                "privatelink:CreateVpcEndpoint",
                "privatelink:ListVpcEndpointZones",
                "privatelink:RemoveZoneFromVpcEndpoint",
                "privatelink:DeleteVpcEndpoint",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeSecurityGroupAttribute",
                "privatelink:GetVpcEndpointAttribute",
                "privatelink:AddZoneToVpcEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pam.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:*:role/*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "privatelink.aliyuncs.com"
                }
            },
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}
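The two policies above (the RAM-user prerequisite statement and the service-linked role policy) both rely on the ram:ServiceName condition to keep a broad action such as ram:CreateServiceLinkedRole scoped to one service. The following added example, which is not part of this documentation page or of any Alibaba Cloud SDK, is a small evaluator for this policy subset (string-or-list Action and Resource, '*' wildcards, Effect, and the StringEquals condition operator) together with a review helper that reports under which ram:ServiceName values a given action is allowed. The policies are embedded as constructed copies; the service-linked role policy is abbreviated to a few representative actions, and the account ID in the resource names is made up. The rule that a request without a ram:ServiceName context key never satisfies the condition is an assumption made here to model the scoping conservatively, not a statement about the RAM engine's internals.

```python
import fnmatch

# Constructed: the RAM-user prerequisite policy from this page, wrapped in a
# complete policy document (the page shows only the single statement).
RAM_USER_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "pam.aliyuncs.com"}},
    }],
}

# Constructed, abbreviated copy of AliyunServiceRolePolicyForBastionhostPam:
# the two RAM statements are reproduced as on the page; the first statement's
# long action list is cut down to a few representative actions.
SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                       "vpc:DescribeVpcs", "privatelink:CreateVpcEndpoint"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "pam.aliyuncs.com"}},
        },
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": "acs:ram:*:*:role/*",
            "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}},
            "Effect": "Allow",
        },
    ],
}


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """'*' in a policy pattern matches any run of characters, ':' and '/' included."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled, the sole operator the page's policies use.
    Assumption: a context without the key never satisfies the condition."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request: implicit deny unless a statement
    matches action, resource and condition; an explicit Deny statement wins."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def scoped_services(policy, action):
    """For policy review: the ram:ServiceName values under which `action` is allowed.
    '*' marks a statement that allows it without any ram:ServiceName condition."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services.update(_as_list(cond.get("ram:ServiceName", "*")))
    return services


if __name__ == "__main__":
    # Constructed account ID; role name as given on the page.
    role = "acs:ram::123456789012:role/AliyunServiceRoleForBastionhostPam"
    for svc in ("pam.aliyuncs.com", "privatelink.aliyuncs.com"):
        print(svc, evaluate(RAM_USER_POLICY, "ram:CreateServiceLinkedRole", role,
                            {"ram:ServiceName": svc}))
    print(scoped_services(SLR_POLICY, "ram:CreateServiceLinkedRole"))
```

Running it shows the RAM user may create the PAM service-linked role but not the PrivateLink one, while the service-linked role policy is the mirror image: it may create only the PrivateLink role (needed for the VPC endpoint actions in its first statement) and delete only PAM's own role. Reviewing a policy with scoped_services is a quick way to confirm that no ram:* action is allowed with '*' scope.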
Delete the service-linked role
If you no longer use PAM, you can delete the PAM service-linked role AliyunServiceRoleForBastionhostPam. Before deleting the service-linked role, you must first release your existing PAM instances. For details, see Release a PAM instance.
After the existing PAM instances have been released, you can delete the PAM service-linked role. For details, see Delete a RAM role.