大数据平台访问其他云服务的权限-EMR StarRocks服务关联角色-开源大数据平台 E-MapReduce-阿里云

本文介绍EMR StarRocks服务关联角色AliyunServiceRoleForEMRStarRocks以及如何删除该角色。

背景信息

EMR StarRocks服务关联角色AliyunServiceRoleForEMRStarRocks是EMR StarRocks在某些情况下，为了完成自身的某个功能，需要获取其他云服务的访问权限而提供的RAM角色。

服务关联角色的详细信息，请参见服务关联角色。

AliyunServiceRoleForEMRStarRocks应用场景

当EMR StarRocks需要访问负载均衡、云服务器ECS、专有网络VPC云服务的资源时，可以通过自动创建的EMR StarRocks服务关联角色AliyunServiceRoleForEMRStarRocks获取访问权限。

AliyunServiceRoleForEMRStarRocks权限说明

AliyunServiceRoleForEMRStarRocks具备以下云服务的访问权限。

负载均衡SLB的访问权限

{
  "Action": [
    "slb:AddBackendServers",
    "slb:AddListenerWhiteListItem",
    "slb:AddTags",
    "slb:AddVServerGroupBackendServers",
    "slb:CreateLoadBalancer",
    "slb:CreateLoadBalancerHTTPListener",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:CreateLoadBalancerTCPListener",
    "slb:CreateLoadBalancerUDPListener",
    "slb:CreateRules",
    "slb:CreateVServerGroup",
    "slb:DeleteLoadBalancer",
    "slb:DeleteLoadBalancerListener",
    "slb:DeleteRules",
    "slb:DeleteVServerGroup",
    "slb:DescribeHealthStatus",
    "slb:DescribeListenerAccessControlAttribute",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeLoadBalancerHTTPListenerAttribute",
    "slb:DescribeLoadBalancerHTTPListenerAttributes",
    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
    "slb:DescribeLoadBalancerTCPListenerAttribute",
    "slb:DescribeLoadBalancerUDPListenerAttribute",
    "slb:DescribeLoadBalancers",
    "slb:DescribeRegions",
    "slb:DescribeRules",
    "slb:DescribeTags",
    "slb:DescribeVServerGroupAttribute",
    "slb:DescribeVServerGroups",
    "slb:ModifyLoadBalancerInstanceSpec",
    "slb:ModifyLoadBalancerInternetSpec",
    "slb:ModifyLoadBalancerInstanceChargeType",
    "slb:ModifyLoadBalancerPayType",
    "slb:RemoveBackendServers",
    "slb:RemoveListenerWhiteListItem",
    "slb:RemoveVServerGroupBackendServers",
    "slb:SetBackendServers",
    "slb:SetListenerAccessControlStatus",
    "slb:SetLoadBalancerHTTPListenerAttribute",
    "slb:SetLoadBalancerHTTPSListenerAttribute",
    "slb:SetLoadBalancerName",
    "slb:SetLoadBalancerStatus",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:SetLoadBalancerUDPListenerAttribute",
    "slb:SetRule",
    "slb:SetServerCertificateName",
    "slb:SetVServerGroupAttribute",
    "slb:StartLoadBalancerListener",
    "slb:StopLoadBalancerListener",
    "slb:SetLoadBalancerDeleteProtection",
    "slb:RemoveTags",
    "slb:DescribeLoadBalancerListeners",
    "slb:ModifyVServerGroupBackendServers",
    "slb:SetLoadBalancerModificationProtection",
    "slb:CreateLoadBalancerForCloudService"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云服务ECS的访问权限

{
  "Action": [
    "ecs:AssociateEipAddress",
    "ecs:AttachNetworkInterface",
    "ecs:AuthorizeSecurityGroup",
    "ecs:AuthorizeSecurityGroupEgress",
    "ecs:CreateNetworkInterface",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:CreateSecurityGroup",
    "ecs:DeleteNetworkInterface",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:DeleteSecurityGroup",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:DescribeSecurityGroupReferences",
    "ecs:DescribeSecurityGroups",
    "ecs:DetachNetworkInterface",
    "ecs:JoinSecurityGroup",
    "ecs:LeaveSecurityGroup",
    "ecs:ModifyNetworkInterfaceAttribute",
    "ecs:ModifySecurityGroupAttribute",
    "ecs:ModifySecurityGroupPolicy",
    "ecs:ModifySecurityGroupRule",
    "ecs:RevokeSecurityGroup",
    "ecs:RevokeSecurityGroupEgress",
    "ecs:UnassociateEipAddress"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

专有网络VPC的访问权限

{
  "Action": [
    "vpc:DescribeVpcAttribute",
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitchAttributes",
    "vpc:DescribeVSwitches",
    "vpc:DescribeRouteTableList",
    "vpc:DescribeRouteTables",
    "vpc:DescribeRouteEntryList",
    "vpc:DescribeRouterInterfaceAttribute",
    "vpc:DescribeRouterInterfaces",
    "vpc:DescribeVRouters",
    "vpc:ModifyBypassToaAttribute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

应用实时监控服务ARMS的访问权限

{
    "Action":[
        "arms:ListDashboards",
        "arms:CreateContact",
        "arms:DeleteContact",
        "arms:SearchContact",
        "arms:UpdateContact",
        "arms:CreateContactGroup",
        "arms:DeleteContactGroup",
        "arms:SearchContactGroup",
        "arms:UpdateContactGroup",
        "arms:SearchAlertRules",
        "arms:CreateAlertRules",
        "arms:UpdateAlertRules",
        "arms:DeleteAlertRules",
        "arms:StartAlertRule",
        "arms:StopAlertRule",
        "arms:SearchAlarmHistories",
        "arms:OpenArmsService",
        "arms:CreateWebhook",
        "arms:UpdateWebhook",
        "arms:CreateDispatchRule",
        "arms:ListDispatchRule",
        "arms:DeleteDispatchRule",
        "arms:UpdateDispatchRule",
        "arms:DescribeDispatchRule"
    ],
    "Resource":"*",
    "Effect":"Allow"
}

删除AliyunServiceRoleForEMRStarRocks

重要

删除AliyunServiceRoleForEMRStarRocks后，您将无法使用EMR Serverless StarRocks控制台的相关功能。

使用RAM管理员登录RAM控制台。
在左侧导航栏，选择身份管理 > 角色。
在角色页面的搜索框中，输入AliyunServiceRoleForEMRStarRocks，自动搜索到名称为AliyunServiceRoleForEMRStarRocks的RAM角色。
单击AliyunServiceRoleForEMRStarRocks角色操作列的删除角色。
在弹出的对话框中输入角色名称，单击删除角色。
- 如果当前账号下没有正在使用中的EMR StarRocks实例，则可直接删除AliyunServiceRoleForEMRStarRocks。
- 如果当前账号下有正在使用中的EMR StarRocks实例，则需先退订EMR StarRocks实例才能删除AliyunServiceRoleForEMRStarRocks，否则提示删除失败。

常见问题

Q：为什么我的RAM用户无法自动创建EMR StarRocks服务关联角色AliyunServiceRoleForEMRStarRocks？

A：您需要拥有指定的权限，才能自动创建或删除AliyunServiceRoleForEMRStarRocks。当RAM用户无法自动创建AliyunServiceRoleForEMRStarRocks时，您需为其添加以下权限策略。具体操作，请参见为RAM角色授权。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:阿里云账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "starrocks.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

说明

阿里云账号ID：需要替换为您实际的阿里云账号ID。