DataWorks服务关联角色

首次使用独享资源组时,系统会自动创建AliyunServiceRoleForDataWorks服务关联角色,用来访问专有网络VPC(Virtual Private Cloud)、弹性网卡ENI(Elastic Network Interface)及安全组中的资源。本文为您介绍如何查看该角色详情并使用RAM用户创建该服务关联角色。

背景信息

更多服务关联角色的介绍,详情请参见服务关联角色

查看AliyunServiceRoleForDataWorks服务关联角色的权限策略

您可登录RAM控制台,按照下图所示步骤进入AliyunServiceRoleForDataWorks服务关联角色的详情页,查看角色名称、创建时间等基本信息。查看角色详情

说明

如果无需使用AliyunServiceRoleForDataWorks角色,则可将其删除。删除后,将无法为独享资源组绑定专有网络VPC,但已绑定的网络链路不受影响。

AliyunServiceRoleForDataWorks角色详情页的权限管理页签,可查看该角色被授予的权限策略详情,具体如下。

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:AttachNetworkInterface",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:CreateNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteNetworkInterface",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:DescribeSecurityGroups",
                "ecs:DetachNetworkInterface",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:ModifySecurityGroupPolicy",
                "ecs:ModifySecurityGroupRule",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:AssignIpv6Addresses",
                "ecs:UnassignIpv6Addresses"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dataworks.aliyuncs.com"
                }
            }
        }
    ]
}

RAM用户创建AliyunServiceRoleForDataWorks服务关联角色的权限说明

RAM用户如需创建AliyunServiceRoleForDataWorks服务关联角色,则需被授权AliyunDataWorksFullAccess权限策略或下文代码所示的指定策略。

说明

创建权限策略并授权给目标RAM用户,操作详情请参见创建自定义权限策略为RAM用户授权

{
    "Version": "1",
    "Statement": [
        {
            "Action": "dataworks:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "dataworks.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}