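Cloud Migration Hub service-linked role

This topic describes the use cases of the CMH service-linked role (AliyunServiceRoleForCMH) and how to delete the service-linked role.

Use cases

The Cloud Migration Hub service-linked role (AliyunServiceRoleForCMH) is used in the following scenarios: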

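  • Access to Server Migration Center (SMC): When you enable the "Link" feature under Migration > Migration Tools > Server Migration Tool, Cloud Migration Hub synchronizes the tasks that you created in SMC. The service-linked role is required to obtain permission to query SMC.

  • Access to Data Transmission Service (DTS): When you enable the "Link" feature under Migration > Migration Tools > Database Migration Tool, Cloud Migration Hub synchronizes the tasks that you created in DTS. The service-linked role is required to obtain permission to query DTS.

  • Cloud Config (Config): When you enable the "Link" feature under Assessment > Resource Survey > Alibaba Cloud Import, Cloud Migration Hub synchronizes the list of resources that you have purchased in the specified Alibaba Cloud regions. The service-linked role is required to obtain permission to query the resource list and resource details.

  • IaC Service: When you enable the "Link" feature under Preparation > Resource Creation > (details of a selected migration plan) > Batch Create Resources, Cloud Migration Hub uses the resource export and creation features provided by IaC Service to export and create resources on Alibaba Cloud. The service-linked role is required to obtain permission to manage IaC Service. Note: This permission covers IaC Service only. To export and create your Alibaba Cloud resources in this scenario, the account that you log on with must have management permissions on the relevant resources.

  • Alibaba Cloud resource migration: When you use the Alibaba Cloud cross-zone migration template under Preparation > Migration Plans > Create Migration Plan, Cloud Migration Hub carries out the migration tasks for your resources to migrate Alibaba Cloud resources across zones. The service-linked role is required to obtain permissions to query and migrate your resources. Cloud product types currently supported: Elastic Compute Service (ECS), ApsaraDB RDS, Tair (Redis-compatible), Server Load Balancer (SLB), and VPC vSwitches.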

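For more information about service-linked roles, see Service-linked roles.

Permissions

Role name: AliyunServiceRoleForCMH

Role permission policy: AliyunServiceRolePolicyForCMH

Permission description: Cloud Migration Hub uses this role by default to access your resources in cloud products such as SMC, DTS, and Cloud Config.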

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListImportJob",
        "oss:ListImportAddress",
        "oss:ListBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "smc:DescribeSourceServers",
        "smc:DescribeReplicationJobs",
        "smc:CreateReplicationJob",
        "smc:StartReplicationJob"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeDtsJobs",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:CreateDtsInstance",
        "dts:DescribeDatabases",
        "dts:DescribePreCheckStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:ListDiscoveredResources",
        "config:GetDiscoveredResource",
        "config:GetDiscoveredResourceCountsGroupByResourceType",
        "config:GetDiscoveredResourceCountsGroupByRegion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:MigrateToOtherZone",
        "rds:DescribeAvailableClasses",
        "rds:DescribeAvailableZones",
        "rds:ModifySecurityIps",
        "rds:DescribeDatabases"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:MigrateToOtherZone",
        "kvstore:DescribeAvailableResource",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oos:StartExecution",
        "oos:ListExecutions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iacservice:CreateModule",
        "iacservice:ListModules",
        "iacservice:UpdateModuleAttribute",
        "iacservice:GetModule",
        "iacservice:CreateModuleVersion",
        "iacservice:ListModuleVersion",
        "iacservice:GetModuleVersion",
        "iacservice:CreateTask",
        "iacservice:GetTask",
        "iacservice:ListTasks",
        "iacservice:UpdateTaskAttribute",
        "iacservice:CreateJob",
        "iacservice:ListJobs",
        "iacservice:GetJob",
        "iacservice:OperateJob",
        "iacservice:CreateParameterSet",
        "iacservice:UpdateParameterSetAttribute",
        "iacservice:GetParameterSet",
        "iacservice:ListParameterSets",
        "iacservice:AssociateParameterSet",
        "iacservice:DissociateParameterSet",
        "iacservice:CreateRabbitmqPublisher",
        "iacservice:ListRabbitmqPublishers",
        "iacservice:UpdateRabbitmqPublisherAttribute",
        "iacservice:GetRabbitmqPublisher",
        "iacservice:AttachRabbitmqPublisher",
        "iacservice:DetachRabbitmqPublisher",
        "iacservice:CheckResourceName",
        "iacservice:CreateResourceExportTask",
        "iacservice:ExecuteResourceExportTask",
        "iacservice:CancelResourceExportTask",
        "iacservice:GetResourceExportTask",
        "iacservice:ListResourceExportTaskVersions",
        "iacservice:ListResourceExportTasks",
        "iacservice:UpdateResourceExportTaskAttribute",
        "iacservice:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeAvailableResource",
        "ecs:CloneInstanceWithIncrementSnapshot",
        "ecs:DescribeDisks",
        "ecs:DescribeAvailableResource",
        "ecs:StartInstance",
        "ecs:DescribeVSwitches",
        "ecs:StopInstance",
        "ecs:DeleteImage",
        "ecs:DeleteSnapshot",
        "ecs:RunInstances",
        "ecs:DescribeSnapshots",
        "ecs:CreateImage",
        "ecs:DescribeInstances",
        "ecs:DescribeImages",
        "ecs:CreateSnapshot",
        "ecs:DescribePrice",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "slb:DescribeAvailableResource",
        "slb:DescribeAccessControlLists",
        "slb:DescribeAccessControlListAttribute",
        "slb:AddAccessControlListEntry"
      ],
      "Resource": "*"
    }
  ]
}
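
When reviewing what this role can do in an account, it helps to separate read-only actions from mutating ones and to note that every statement uses "Resource": "*". The following is an added example, not Alibaba Cloud code: it runs over an excerpt of the policy above, and the read/write split by verb prefix is an assumed triage heuristic, not an official classification.

```python
import json
from collections import defaultdict

# Excerpt of the AliyunServiceRolePolicyForCMH statements shown above
# (paste the full document here to audit the whole role).
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
    "smc:DescribeSourceServers", "smc:DescribeReplicationJobs",
    "smc:CreateReplicationJob", "smc:StartReplicationJob"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "rds:DescribeDBInstanceAttribute", "rds:MigrateToOtherZone",
    "rds:ModifySecurityIps", "rds:DescribeDatabases"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "ecs:DescribeAvailableResource", "ecs:DescribeDisks",
    "ecs:DescribeAvailableResource", "ecs:DeleteSnapshot",
    "ecs:AuthorizeSecurityGroup", "slb:AddAccessControlListEntry"]}
]}
""")

# Assumption: verbs with these prefixes are treated as read-only; this is a
# naming heuristic for review triage, not an official Alibaba Cloud taxonomy.
READ_PREFIXES = ("Describe", "List", "Get", "Check")

def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)

def summarize(policy):
    """Group allowed actions per service into read/write, deduplicated."""
    out = defaultdict(lambda: {"read": set(), "write": set(), "wildcard": False})
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            kind = "read" if verb.startswith(READ_PREFIXES) else "write"
            out[service][kind].add(verb)
            # Flag services whose mutating actions apply to every resource.
            if kind == "write" and wildcard:
                out[service]["wildcard"] = True
    return {s: {"read": sorted(v["read"]), "write": sorted(v["write"]),
                "wildcard_write": v["wildcard"]} for s, v in out.items()}

if __name__ == "__main__":
    for service, info in sorted(summarize(POLICY_EXCERPT).items()):
        print(service, info)
```

The services reported with wildcard_write set are the ones whose change events are worth watching in audit logs while the role exists.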

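Create the service-linked role

The system automatically creates the service-linked role (AliyunServiceRoleForCMH) in the following scenarios:

  • When you call the InitializeCMHTools operation to create a trail for the first time, the service-linked role is automatically created.

  • When you click "Migration > Migration Tools > Server Migration Tool > Link", "Migration > Migration Tools > Database Migration Tool > Link", or "Assessment > Resource Survey > Alibaba Cloud Survey > Link" in Cloud Migration Hub for the first time, the service-linked role is automatically created. (To use the Alibaba Cloud survey feature, first make sure that Cloud Config is enabled in the Cloud Config console. If it is already enabled, ignore this step.)

Delete the service-linked role

You can delete the service-linked role in the RAM console. For more information, see Delete a RAM role.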