默认角色

本文描述云原生应用开发平台的两个重要的 RAM 角色, 并详细介绍这两个角色的作用及权限。

AliyunDevsCustomRole

AliyunDevsCustomRole 是用于部署服务时使用的默认角色,云原生应用开发平台通过扮演该角色帮助用户部署项目包含的云资源, 因此,需要用户授信云原生应用开发平台相关的云产品权限,从而实现服务的顺利部署。

AliyunDevsCustomRole这个角色的授信体是云原生应用开发平台。

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "devs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

用户第一次登录云原生应用开发平台,会引导用户完成授权,授权的权限有 AliyunFnFFullAccess、AliyunRDSFullAccess、AliyunSAEFullAccess、AliyunDevsFullAccess、AliyunFCFullAccess和AliyunFCServerlessDevsRolePolicy,有了这些权限,云原生应用开发平台支持的所有服务类型和案例模板都不会因为权限问题而部署失败。

AliyunDevsDefaultRole

云原生应用开发平台通过扮演 AliyunDevsDefaultRole,完成依赖其他云产品的平台功能,这些平台功能涉及用户FC/OSS/NAS等云资源的管控,例如:

  1. 绑定代码仓库的自建GitLab能力中,用户账号下的辅助函数的创建

  2. 部署任务缓存能力中,用户账号下的 OSS Bucket读写

  3. 模型下载能力中,用户账号下的 NAS 挂载

AliyunDevsDefaultRole这个角色的授信体是云原生应用开发平台。

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "devs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

其中策略内容详细如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:GetService",
                "fc:CreateService",
                "fc:UpdateService",
                "fc:DeleteService",
                "fc:ListServices",
                "fc:DeleteFunction",
                "fc:UpdateFunction",
                "fc:GetFunction",
                "fc:CreateFunction",
                "fc:GetStatefulAsyncInvocation",
                "fc:PutFunctionAsyncInvokeConfig",
                "fc:InvokeFunction"
            ],
            "Effect": "Allow",
            "Resource": "acs:fc:*:*:services/_appcenter*"
        },
        {
            "Action": [
                "devs:ListTasks",
                "devs:GetPipeline",
                "devs:PutPipelineStatus",
                "devs:GetPipelineTemplate",
                "devs:CreateTask",
                "devs:GetTask",
                "devs:PutTaskStatus",
                "devs:GetTaskTemplate",
                "devs:StartTask"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetObject",
                "oss:PutObject"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfaceAttribute",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "vpc:DescribeVSwitchAttributes",
            "Resource": "*"
        }
    ]
}