EMR on ACK service-linked role


This topic describes the scenarios, the permissions, and the deletion procedure for the EMR on ACK service-linked role AliyunServiceRoleForEMROnACK, so that you can use EMR on ACK securely and with the role's scope under control.

Background information

The EMR on ACK service-linked role AliyunServiceRoleForEMROnACK is a RAM role that EMR on ACK assumes when, in specific situations, it needs access to other cloud services in order to perform some of its functions.

For details about service-linked roles, see Service-linked roles.

Scenarios

When EMR on ACK needs to access resources of Container Service for Kubernetes (ACK), Private DNS (PrivateZone), Virtual Private Cloud (VPC), PrivateLink, and Elastic Compute Service (ECS), it obtains the required permissions through the automatically created service-linked role AliyunServiceRoleForEMROnACK.

Permissions

AliyunServiceRoleForEMROnACK has the following permissions on cloud services. Every statement below sets Resource to "*", so the role is bounded by its action lists rather than by specific resources; review the action lists with that in mind.

Permissions on Container Service for Kubernetes (ACK)

{
  "Action": [
    "cs:CreateCluster",
    "cs:GetClusterById",
    "cs:GetClusters",
    "cs:DeleteCluster",
    "cs:ModifyCluster",
    "cs:DescribeClusterResources",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig",
    "cs:CreateClusterNodePool",
    "cs:DeleteClusterNodepool",
    "cs:DescribeClusterNodePoolDetail",
    "cs:DescribeClusterNodePools",
    "cs:ModifyClusterNodePool",
    "cs:ScaleClusterNodePool",
    "cs:AttachInstancesToNodePool",
    "cs:RemoveNodePoolNodes",
    "cs:SyncClusterNodePool",
    "cs:DescribeClusterAttachScripts",
    "cs:CreateAutoscalingConfig",
    "cs:InstallClusterAddons",
    "cs:UnInstallClusterAddons",
    "cs:ListClusterAddonInstances",
    "cs:ListAddons",
    "cs:DescribeAddon",
    "cs:DescribeKubernetesVersionMetadata",
    "cs:DescribeClusterNodes"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Private DNS (PrivateZone)

{
  "Action": [
    "pvtz:DescribeZones",
    "pvtz:DescribeZoneRecords",
    "pvtz:DescribeZoneInfo",
    "pvtz:AddZone",
    "pvtz:DescribeUserServiceStatus",
    "pvtz:AddZoneRecord",
    "pvtz:UpdateZoneRecord",
    "pvtz:BindZoneVpc"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Virtual Private Cloud (VPC)

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitchAttributes",
    "vpc:DescribeVpcAttribute",
    "vpc:ListTagResources",
    "vpc:TagResources",
    "vpc:UnTagResources",
    "vpc:CreateVpc",
    "vpc:CreateDefaultVpc",
    "vpc:DeleteVpc",
    "vpc:CreateVSwitch",
    "vpc:DeleteVSwitch"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on PrivateLink

{
  "Action": [
    "privatelink:CheckProductOpen",
    "privatelink:ListVpcEndpoints",
    "privatelink:ListVpcEndpointZones",
    "privatelink:AddZoneToVpcEndpoint",
    "privatelink:RemoveZoneFromVpcEndpoint",
    "privatelink:GetVpcEndpointAttribute",
    "privatelink:GetVpcEndpointServiceAttribute",
    "privatelink:ListVpcEndpointServicesByEndUser",
    "privatelink:ListVpcEndpointServices",
    "privatelink:ListVpcEndpointServiceUsers",
    "privatelink:AddUserToVpcEndpointService",
    "privatelink:RemoveUserFromVpcEndpointService",
    "privatelink:CreateVpcEndpointService",
    "privatelink:DeleteVpcEndpointService",
    "privatelink:CreateVpcEndpoint",
    "privatelink:DeleteVpcEndpoint",
    "privatelink:ListVpcEndpointServiceResources"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Permissions on Elastic Compute Service (ECS)

{
  "Action": [
    "ecs:AssociateEipAddress",
    "ecs:AttachNetworkInterface",
    "ecs:AuthorizeSecurityGroup",
    "ecs:AuthorizeSecurityGroupEgress",
    "ecs:CreateNetworkInterface",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:CreateSecurityGroup",
    "ecs:DeleteNetworkInterface",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:DeleteSecurityGroup",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:DescribeSecurityGroupReferences",
    "ecs:DescribeSecurityGroups",
    "ecs:DetachNetworkInterface",
    "ecs:JoinSecurityGroup",
    "ecs:LeaveSecurityGroup",
    "ecs:ModifyNetworkInterfaceAttribute",
    "ecs:ModifySecurityGroupAttribute",
    "ecs:ModifySecurityGroupPolicy",
    "ecs:ModifySecurityGroupRule",
    "ecs:RevokeSecurityGroup",
    "ecs:RevokeSecurityGroupEgress",
    "ecs:UnassociateEipAddress",
    "ecs:AssignIpv6Addresses",
    "ecs:AssignPrivateIpAddresses",
    "ecs:DescribeInstanceAttribute",
    "ecs:DescribeInstances",
    "ecs:ListTagResources",
    "ecs:ModifySecurityGroupEgressRule",
    "ecs:TagResources",
    "ecs:UnassignIpv6Addresses",
    "ecs:UnassignPrivateIpAddresses",
    "ecs:UntagResources",
    "ecs:DescribePrice"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Delete the service-linked role

Important

After you delete AliyunServiceRoleForEMROnACK, the related features of the EMR on ACK console are no longer available.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForEMROnACK in the search box.

  4. In the Actions column of the target role, click Delete Role.

  5. In the dialog box that appears, enter the role name and click Delete Role.

    • If no EMR on ACK instance is in use under the current account, AliyunServiceRoleForEMROnACK can be deleted directly.

    • If an EMR on ACK instance is in use under the current account, you must delete that instance before AliyunServiceRoleForEMROnACK can be deleted; otherwise, the deletion fails with an error.

FAQ

Q: Why can't my RAM user automatically create the service-linked role?

A: Because the RAM user lacks the permission to create service-linked roles. Ask the RAM administrator to grant the ram:CreateServiceLinkedRole permission to the RAM user. For details, see Manage permissions of RAM roles.

The recommended least-privilege policy is shown below. Replace 阿里云账号ID with your actual Alibaba Cloud account ID.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:阿里云账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "onack.emr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
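An added check for policies of the form above (example code written for this page, not part of the Alibaba Cloud documentation or SDK): it parses a RAM policy document and reports every Allow statement that grants ram:CreateServiceLinkedRole without the ram:ServiceName condition, with a service other than onack.emr.aliyuncs.com, with an unscoped Resource, or with the 阿里云账号ID placeholder left in. The two sample policies and the account ID 1234567890123456 are constructed; the Resource pattern assumes the account ID is all digits.

```python
import json
import re

SLR_ACTION = "ram:CreateServiceLinkedRole"
EMR_ON_ACK_SERVICE = "onack.emr.aliyuncs.com"  # ram:ServiceName value used in the policy above
# Resource form from the policy above, with the account ID placeholder replaced by digits (assumption).
ACCOUNT_ROLE_ARN = re.compile(r"^acs:ram:\*:\d+:role/\*$")


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_slr_policy(policy, expected_service=EMR_ON_ACK_SERVICE):
    """Return findings for each Allow statement that can create service-linked roles."""
    if isinstance(policy, str):  # accept the raw JSON document as well as a parsed dict
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(a in ("*", "ram:*", SLR_ACTION) for a in actions):
            continue
        if any(a in ("*", "ram:*") for a in actions):
            findings.append(f"stmt {i}: wildcard Action grants far more than {SLR_ACTION}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"stmt {i}: Resource '*' is not limited to this account's roles")
            elif not ACCOUNT_ROLE_ARN.match(res):
                findings.append(f"stmt {i}: Resource {res!r} is not acs:ram:*:<account-id>:role/* (placeholder left in?)")
        cond = stmt.get("Condition") or {}
        names = _as_list((cond.get("StringEquals") or {}).get("ram:ServiceName"))
        if not names:
            findings.append(f"stmt {i}: no ram:ServiceName condition, so any service-linked role can be created")
        findings.extend(f"stmt {i}: ram:ServiceName {n!r} is not {expected_service}"
                        for n in names if n != expected_service)
    return findings


# Constructed sample: the recommended policy with the placeholder replaced by a made-up account ID.
GOOD_POLICY = {"Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:1234567890123456:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["onack.emr.aliyuncs.com"]}},
}], "Version": "1"}

# Constructed sample: the same grant with the condition dropped and Resource widened to "*".
BROAD_POLICY = {"Statement": [{"Action": SLR_ACTION, "Resource": "*", "Effect": "Allow"}], "Version": "1"}
```

Running `check_slr_policy(GOOD_POLICY)` returns no findings, while `check_slr_policy(BROAD_POLICY)` reports both the unscoped Resource and the missing ram:ServiceName condition.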