This topic describes the background and scenarios of the service-linked role AliyunServiceRoleForBizWorks, the permissions the role's policy actually grants, how to delete the role, and the permissions a RAM user (sub-account) needs in order to create it.
Background information
To provide cluster management and image repository management, BizWorks has to call other Alibaba Cloud services on your behalf. Alibaba Cloud provides service-linked roles (SLR) for this purpose: a role in your account that only the owning service can assume, with a system policy that fixes what the service may do.
For more information about service-linked roles, see Service-linked roles.
Scenarios
BizWorks needs to access resources of Enterprise Distributed Application Service (EDAS), Container Service for Kubernetes (ACK), Container Registry (ACR), and PrivateLink. It obtains these permissions by assuming the service-linked role.
About AliyunServiceRoleForBizWorks
Role name: AliyunServiceRoleForBizWorks.
Policy attached to the role: AliyunServiceRolePolicyForBizWorks.
Permission description: allows BizWorks to access your EDAS, ACK, ACR, and PrivateLink resources, for example to query EDAS clusters. Note that the policy is not read-only. As the document below shows, it also lets BizWorks create, modify, and delete VPC endpoints and security groups, create ACR repositories and push images, retrieve kubeconfig files for your ACK clusters, create and delete EDAS namespaces and applications, and create the PrivateLink service-linked role. Only the EDAS statements are scoped to specific resource patterns; every other statement applies to Resource "*".
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupRule",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetInstance",
        "cr:ListInstanceRegion",
        "cr:ListInstance",
        "cr:GetInstanceEndpoint",
        "cr:GetNamespace",
        "cr:ListNamespace",
        "cr:CreateRepository",
        "cr:GetRepository",
        "cr:ListRepository",
        "cr:GetRepoTag",
        "cr:ListRepositoryTag",
        "cr:GetAuthorizationToken",
        "cr:PullRepository",
        "cr:PushRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetRegionList",
        "cr:GetNamespace",
        "cr:GetNamespaceList",
        "cr:GetRepoTag",
        "cr:CreateRepo",
        "cr:GetRepo",
        "cr:GetRepoList",
        "cr:GetRepoListByNamespace",
        "cr:GetRepoTags",
        "cr:GetImageManifest",
        "cr:GetAuthorizationToken",
        "cr:PullRepository",
        "cr:PushRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:DescribeClusters",
        "cs:GetClusters",
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeUserPermission",
        "cs:DescribeClusterInnerServiceKubeconfig",
        "cs:RevokeClusterInnerServiceKubeconfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "edas:CreateApplication",
        "edas:ReadApplication",
        "edas:DeleteApplication",
        "edas:ManageApplication",
        "edas:ConfigApplication",
        "edas:ManageAppLog"
      ],
      "Resource": "acs:edas:*:*:namespace/*/application/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "edas:CreateNamespace",
        "edas:ReadNamespace",
        "edas:DeleteNamespace",
        "edas:ManageNamespace"
      ],
      "Resource": "acs:edas:*:*:namespace/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "bizworks.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
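A system policy like the one above is worth reviewing the same way you would review a custom policy: which services does the role get mutating rights on, and which of those grants are unscoped (Resource "*") and unconditioned. The script below is an added example for that review; it is not Alibaba Cloud code. The embedded policy is a constructed excerpt of the statements shown above, kept short so the script runs offline, and the read/write split is a heuristic on the action verb (Describe, Get, List, Read, Pull count as read), which is an assumption, not a RAM-defined property.

```python
"""Least-privilege review of a RAM policy document (added example, not
Alibaba Cloud code). Reports, per service, how many read and write actions
are granted, and lists mutating actions granted on Resource "*" with no
Condition attached."""
import json
from collections import defaultdict

# Constructed excerpt of AliyunServiceRolePolicyForBizWorks, not the full policy.
POLICY_EXCERPT = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["privatelink:ListVpcEndpoints", "privatelink:CreateVpcEndpoint",
                "privatelink:DeleteVpcEndpoint"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
                "ecs:DeleteSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["vpc:DescribeVpcs"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["cr:ListRepository", "cr:CreateRepository", "cr:PushRepository"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["edas:ReadApplication", "edas:DeleteApplication"],
     "Resource": "acs:edas:*:*:namespace/*/application/*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "bizworks.aliyuncs.com"}}}
  ]
}
"""

# Heuristic (assumption): verbs that only read state. Everything else is treated
# as mutating. Credential-issuing reads such as cr:GetAuthorizationToken or
# cs:DescribeClusterUserKubeconfig still land in "read", so inspect that bucket too.
READ_PREFIXES = ("Describe", "Get", "List", "Read", "Pull")


def as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Classify an action by its verb, e.g. 'ecs:DescribeSecurityGroups' -> True."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_PREFIXES)


def audit_policy(document):
    """Return ({service: {"read": set, "write": set}}, sorted unscoped writes)."""
    policy = json.loads(document)
    per_service = defaultdict(lambda: {"read": set(), "write": set()})
    unscoped_writes = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        conditioned = "Condition" in stmt
        for action in as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            kind = "read" if is_read_only(action) else "write"
            per_service[service][kind].add(action)
            # A write on "*" with no Condition is the broadest grant a statement can make.
            if kind == "write" and "*" in resources and not conditioned:
                unscoped_writes.append(action)
    return per_service, sorted(unscoped_writes)


def services_with_writes(document):
    """Services on which the policy grants at least one mutating action."""
    per_service, _ = audit_policy(document)
    return sorted(s for s, acts in per_service.items() if acts["write"])


if __name__ == "__main__":
    summary, unscoped = audit_policy(POLICY_EXCERPT)
    for service, acts in sorted(summary.items()):
        print(f"{service:12s} read={len(acts['read'])} write={len(acts['write'])}")
    print("mutating actions on Resource '*' without a Condition:")
    for action in unscoped:
        print("  ", action)
```

Run against the full policy document, the same script shows that only the EDAS statements carry a resource pattern and only the two ram: statements carry a Condition; everything else is an unscoped grant. That is normal for a service-linked role, but it is the reason the role should be deleted when BizWorks is no longer used in the account.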
Delete the service-linked role
Before you delete AliyunServiceRoleForBizWorks, make sure that no cluster or image repository in your account is still managed through BizWorks; once the role is gone, BizWorks can no longer reach those EDAS, ACK, ACR, or PrivateLink resources. For the procedure, see Delete a service-linked role.
Permissions a RAM user needs to create the service-linked role
A RAM user must hold a specific permission before it can create the service-linked role.
The Alibaba Cloud account (primary account) can create the role directly, and so can any RAM user to which the AliyunBizWorksFullAccess policy is attached.
If you prefer a narrower custom policy than AliyunBizWorksFullAccess, the following example grants only the right to create the BizWorks service-linked role. The Condition on ram:ServiceName is what keeps the grant narrow: without it, the same statement would let the user create service-linked roles for every Alibaba Cloud service.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "bizworks.aliyuncs.com"
        }
      }
    }
  ]
}
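To see what the Condition buys, it helps to evaluate the statement the way RAM does: the request carries a ram:ServiceName context key, and StringEquals either matches it or the statement does not apply. The script below is an added example, not Alibaba Cloud code. It models only the subset of RAM policy evaluation needed here (Allow and Deny statements, exact or trailing-wildcard action names, StringEquals and StringNotEquals on request context, Deny winning over Allow) and embeds two constructed policies: the scoped statement from this topic and the same grant with its Condition dropped.

```python
"""Which service-linked roles does a RAM policy let the caller create?
(added example, not Alibaba Cloud code; models a subset of RAM evaluation)"""
import json

# Constructed: the scoped statement from this topic, wrapped in a policy document.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "bizworks.aliyuncs.com"}},
    }],
})

# Constructed: the same grant with the Condition dropped, a common over-grant.
UNSCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
    }],
})

SUPPORTED_OPERATORS = ("StringEquals", "StringNotEquals")


def as_list(value):
    """Action and condition values may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Exact match, or trailing-wildcard forms such as 'ram:*' and '*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context. Every operator
    and key must hold; unknown operators are rejected rather than ignored."""
    for operator, pairs in (condition or {}).items():
        if operator not in SUPPORTED_OPERATORS:
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            allowed = as_list(expected)
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringNotEquals" and actual in allowed:
                return False
    return True


def allows_slr_creation(document, service_name):
    """True if the policy permits ram:CreateServiceLinkedRole for service_name.
    An explicit Deny that applies to the request overrides any Allow."""
    context = {"ram:ServiceName": service_name}
    decision = False
    for stmt in json.loads(document)["Statement"]:
        patterns = as_list(stmt["Action"])
        if not any(action_matches(p, "ram:CreateServiceLinkedRole") for p in patterns):
            continue
        if not condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def creatable_services(document, candidates):
    """Subset of candidate service names whose SLR the policy allows creating."""
    return [s for s in candidates if allows_slr_creation(document, s)]


if __name__ == "__main__":
    candidates = ["bizworks.aliyuncs.com", "privatelink.aliyuncs.com", "ecs.aliyuncs.com"]
    print("scoped  :", creatable_services(SCOPED_POLICY, candidates))
    print("unscoped:", creatable_services(UNSCOPED_POLICY, candidates))
```

With the scoped policy only bizworks.aliyuncs.com passes; with the Condition removed every candidate passes, which is the over-grant to look for when reviewing custom policies handed to RAM users.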