Service-linked roles

This topic describes the background information, policy contents, usage notes, and FAQ for the service-linked roles of EventBridge.

Background information

In some cases, EventBridge needs permissions on other Alibaba Cloud services in order to carry out one of its own functions. For this purpose, EventBridge can create a role that is linked to a specific cloud service, known as a service-linked role. For more information, see Service-linked roles.

EventBridge supports automatically creating the service-linked roles listed below. Each role is attached a system policy that grants the listed actions of the linked service on all resources (Resource "*"), plus ram:DeleteServiceLinkedRole restricted by a StringEquals condition on ram:ServiceName to the role's own service identifier (for example sendevent-fc.eventbridge.aliyuncs.com), so that this permission can only delete service-linked roles belonging to that service:

AliyunServiceRoleForEventBridgeSendToFC

The service-linked role AliyunServiceRoleForEventBridgeSendToFC grants EventBridge access to Function Compute so that it can invoke functions. Besides fc:InvokeFunction, the policy includes the list actions needed to resolve services, functions, versions and aliases, and the actions for registering and deregistering event sources.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToFC attached to the service-linked role AliyunServiceRoleForEventBridgeSendToFC has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions",
                "fc:ListServiceVersions",
                "fc:ListAliases",
                "fc:RegisterEventSource",
                "fc:DeregisterEventSource",
                "fc:ListEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

The service-linked role AliyunServiceRoleForEventBridgeSendToMNS grants EventBridge access to Lightweight Message Queue (formerly MNS) so that it can send messages to queues and publish messages to topics. Note that the policy also permits receiving, peeking at, and deleting queue messages and changing their visibility, which is more than delivery alone requires.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToMNS attached to the service-linked role AliyunServiceRoleForEventBridgeSendToMNS has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:GetQueueAttributes",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility",
                "mns:DeleteMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

The service-linked role AliyunServiceRoleForEventBridgeSendToSMS grants EventBridge access to Short Message Service (SMS) so that it can send text messages. The policy covers single and batch sending plus querying send details, signatures and templates.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToSMS attached to the service-linked role AliyunServiceRoleForEventBridgeSendToSMS has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

The service-linked role AliyunServiceRoleForEventBridgeSendToDirectMail grants EventBridge access to Direct Mail so that it can send emails (single and batch sending, plus querying sender addresses).

The permission policy AliyunServiceRolePolicyForEventBridgeSendToDirectMail attached to the service-linked role AliyunServiceRoleForEventBridgeSendToDirectMail has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

The service-linked role AliyunServiceRoleForEventBridgeSourceRocketMQ grants EventBridge access to ApsaraMQ for RocketMQ so that it can read from it as an event source: query instance and consumer status and subscribe to messages (mq:SUB).

The permission policy AliyunServiceRolePolicyForEventBridgeSourceRocketMQ attached to the service-linked role AliyunServiceRoleForEventBridgeSourceRocketMQ has the following content:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:QueryConsumerStatus",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMNS

The service-linked role AliyunServiceRoleForEventBridgeSourceMNS grants EventBridge access to Lightweight Message Queue (formerly MNS) so that it can read from queues as an event source: list queues, receive and peek at messages, and change message visibility. It does not include mns:DeleteMessage or any send or publish action.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceMNS attached to the service-linked role AliyunServiceRoleForEventBridgeSourceMNS has the following content:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mns:ListQueue",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRocketMQ

The service-linked role AliyunServiceRoleForEventBridgeSendToRocketMQ grants EventBridge access to ApsaraMQ for RocketMQ so that it can publish messages (mq:PUB) and query instance, topic, and consumer status.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToRocketMQ attached to the service-linked role AliyunServiceRoleForEventBridgeSendToRocketMQ has the following content:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:PUB",
                "mq:QueryInstanceBaseInfo",
                "mq:QueryTopicStatus",
                "mq:QueryConsumerAccumulate",
                "mq:QueryConsumerStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

The service-linked role AliyunServiceRoleForEventBridgeConnectVPC grants EventBridge access to Virtual Private Cloud (VPC) so that it can reach resources inside your VPC. Besides describing VPCs and vSwitches, the policy includes the ECS actions for creating and deleting elastic network interfaces and their permissions, and for creating and describing security groups.

The permission policy AliyunServiceRolePolicyForEventBridgeConnectVPC attached to the service-linked role AliyunServiceRoleForEventBridgeConnectVPC has the following content:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

The service-linked role AliyunServiceRoleForEventBridgeSourceActionTrail grants EventBridge access to ActionTrail so that it can query and deliver operation records. The policy itself only grants creation and deletion of the service trail used for that delivery.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceActionTrail attached to the service-linked role AliyunServiceRoleForEventBridgeSourceActionTrail has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

The service-linked role AliyunServiceRoleForEventBridgeSourceRabbitMQ grants EventBridge access to ApsaraMQ for RabbitMQ so that it can read from it as an event source: list and get instances, vhosts, exchanges and queues, and consume, acknowledge, reject and purge messages.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ attached to the service-linked role AliyunServiceRoleForEventBridgeSourceRabbitMQ has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRabbitMQ

The service-linked role AliyunServiceRoleForEventBridgeSendToRabbitMQ grants EventBridge access to ApsaraMQ for RabbitMQ so that it can publish messages. Note that the policy also allows creating exchanges and queues on the target instance.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ attached to the service-linked role AliyunServiceRoleForEventBridgeSendToRabbitMQ has the following content:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceKafka

The service-linked role AliyunServiceRoleForEventBridgeSourceKafka grants EventBridge access to ApsaraMQ for Kafka so that it can use it as an event source. The policy only grants listing instances and SASL users.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceKafka attached to the service-linked role AliyunServiceRoleForEventBridgeSourceKafka has the following content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToKafka

The service-linked role AliyunServiceRoleForEventBridgeSendToKafka grants EventBridge access to ApsaraMQ for Kafka so that it can publish messages. The policy only grants listing instances and SASL users.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToKafka attached to the service-linked role AliyunServiceRoleForEventBridgeSendToKafka has the following content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToRDS

The service-linked role AliyunServiceRoleForEventBridgeSendToRDS grants EventBridge access to ApsaraDB RDS so that it can deliver data to RDS. The policy grants only describe actions on instances, databases and accounts.

The permission policy AliyunServiceRolePolicyForEventBridgeSendToRDS attached to the service-linked role AliyunServiceRoleForEventBridgeSendToRDS has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDatabases",
                "rds:DescribeAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceCMS

The service-linked role AliyunServiceRoleForEventBridgeSourceCMS grants EventBridge access to CloudMonitor (CMS) so that it can use it as an event source: describe system event attributes, counts, and histograms.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceCMS attached to the service-linked role AliyunServiceRoleForEventBridgeSourceCMS has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:DescribeSystemEventAttribute",
                "cms:DescribeSystemEventCount",
                "cms:DescribeSystemEventHistogram"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSAE

The service-linked role AliyunServiceRoleForEventBridgeSendToSAE grants EventBridge access to Serverless App Engine (SAE) so that it can deliver data to SAE by executing jobs (sae:ExecJob).

The permission policy AliyunServiceRolePolicyForEventBridgeSendToSAE attached to the service-linked role AliyunServiceRoleForEventBridgeSendToSAE has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "sae:ExecJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMqtt

The service-linked role AliyunServiceRoleForEventBridgeSourceMqtt grants EventBridge access to ApsaraMQ for MQTT so that it can subscribe to messages (mq:SUB) as an event source.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceMqtt attached to the service-linked role AliyunServiceRoleForEventBridgeSourceMqtt has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mq:SUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceSLS

The service-linked role AliyunServiceRoleForEventBridgeSourceSLS grants EventBridge access to Simple Log Service (SLS) so that it can consume log data as an event source: list shards and consumer groups, read cursors and data, and save consumer-group checkpoints.

The permission policy AliyunServiceRolePolicyForEventBridgeSourceSLS attached to the service-linked role AliyunServiceRoleForEventBridgeSourceSLS has the following content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:ListConsumerGroup",
                "log:GetConsumerGroupCheckPoint",
                "log:ConsumerGroupUpdateCheckPoint",
                "log:GetCursorOrData",
                "log:ListShards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-sls.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}
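All of the policies above share one shape: Allow statements on Resource "*" for the linked service, plus ram:DeleteServiceLinkedRole restricted by a StringEquals condition on ram:ServiceName. The following Python script is an added example (it is not part of the EventBridge documentation and not Alibaba Cloud code) that audits a policy document against that shape and returns the non-RAM actions so that a live copy of the policy, for example fetched with the RAM GetPolicyVersion API, can be diffed against the documented baseline. The AliyunServiceRolePolicyForEventBridgeSendToFC text embedded in it is copied from this page; the drifted variant is constructed for the demonstration.

```python
"""Audit an EventBridge service-linked-role policy document.

Added example, not code from the EventBridge documentation. audit_slr_policy()
checks that a policy (1) parses and uses Version "1", (2) contains only Allow
statements, (3) grants no RAM action except ram:DeleteServiceLinkedRole, which
must be conditioned on ram:ServiceName == the expected service identifier, and
(4) contains no wildcard action. It returns the sorted non-RAM actions so a
live policy can be diffed against the documented one with policy_drift()."""
import json
from typing import Dict, List, Tuple

DELETE_SLR = "ram:DeleteServiceLinkedRole"


def _as_list(value):
    """RAM accepts Action, Resource and condition values as a string or a list."""
    return value if isinstance(value, list) else [value]


def audit_slr_policy(policy_text: str, expected_service: str) -> Tuple[List[str], List[str]]:
    """Return (sorted non-RAM actions, findings). An empty findings list means the policy passes."""
    findings: List[str] = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A single missing comma is enough to make the document unusable.
        return [], [f"policy is not valid JSON: {exc}"]
    if policy.get("Version") != "1":
        findings.append(f"unexpected Version {policy.get('Version')!r}")
    actions = set()
    delete_statements = 0
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect {stmt.get('Effect')!r}, expected Allow")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower().startswith("ram:"):
                if action != DELETE_SLR:
                    findings.append(f"statement {i}: unexpected RAM action {action}")
                    continue
                delete_statements += 1
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                names = _as_list(cond.get("ram:ServiceName", []))
                if names != [expected_service]:
                    findings.append(f"statement {i}: {DELETE_SLR} must be conditioned on "
                                    f"ram:ServiceName == {expected_service}, got {names}")
            else:
                if "*" in action:
                    findings.append(f"statement {i}: wildcard action {action}")
                actions.add(action)
    if delete_statements != 1:
        findings.append(f"expected one {DELETE_SLR} statement, found {delete_statements}")
    return sorted(actions), findings


def policy_drift(documented: List[str], live: List[str]) -> Dict[str, List[str]]:
    """Actions a live policy has gained or lost relative to the documented baseline."""
    return {"added": sorted(set(live) - set(documented)),
            "removed": sorted(set(documented) - set(live))}


# Copied from the AliyunServiceRolePolicyForEventBridgeSendToFC policy above.
POLICY_SEND_TO_FC = """{
    "Version": "1",
    "Statement": [
        {
            "Action": ["fc:InvokeFunction", "fc:ListServices", "fc:ListFunctions",
                       "fc:ListServiceVersions", "fc:ListAliases", "fc:RegisterEventSource",
                       "fc:DeregisterEventSource", "fc:ListEventSources"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"}}
        }
    ]
}"""


def _drifted(text: str) -> str:
    """Constructed variant: the ServiceName condition is dropped, so the role could
    delete any service-linked role, and a wildcard action has crept in."""
    policy = json.loads(text)
    del policy["Statement"][1]["Condition"]
    policy["Statement"][0]["Action"].append("fc:*")
    return json.dumps(policy)


POLICY_SEND_TO_FC_DRIFTED = _drifted(POLICY_SEND_TO_FC)

if __name__ == "__main__":
    for text in (POLICY_SEND_TO_FC, POLICY_SEND_TO_FC_DRIFTED):
        acts, found = audit_slr_policy(text, "sendevent-fc.eventbridge.aliyuncs.com")
        print(len(acts), "actions;", found or "OK")
```

Run the audit with the expected service identifier for each role (the value in its ram:ServiceName condition); a finding on the condition means the role is no longer limited to deleting roles of its own service, and a non-empty drift result means the live policy has diverged from what this page documents.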

Usage notes

After a service-linked role is deleted, EventBridge can no longer access the corresponding Alibaba Cloud service: a SendTo role can no longer deliver events to that target, and a Source role can no longer read from that event source. Proceed with caution. To use the feature again, you must re-create the role. For details, see Create a service-linked role.

For details about deleting a service-linked role, see Delete a service-linked role.

FAQ

Q: Why can't my RAM user automatically create the EventBridge service-linked roles?

A: If the Alibaba Cloud account has already created a service-linked role, the RAM users of that account inherit it. If it has not, log on to the RAM console and attach a custom permission policy with the following content to the RAM user. The policy allows ram:CreateServiceLinkedRole only for roles in your own account and only for the EventBridge service names listed in the condition:

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:<Alibaba Cloud account ID>:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "source-mns.eventbridge.aliyuncs.com",
                        "source-cms.eventbridge.aliyuncs.com",
                        "source-mqtt.eventbridge.aliyuncs.com",
                        "source-sls.eventbridge.aliyuncs.com",
                        "sendevent-sae.eventbridge.aliyuncs.com",
                        "sendevent-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com",
                        "sendevent-rabbitmq.eventbridge.aliyuncs.com",
                        "source-kafka.eventbridge.aliyuncs.com",
                        "sendevent-kafka.eventbridge.aliyuncs.com",
                        "sendevent-rds.eventbridge.aliyuncs.com",
                        "sendevent-arms.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
Note

Replace <Alibaba Cloud account ID> with your actual Alibaba Cloud account ID. If the placeholder is left in place, the Resource element matches no role and the policy grants nothing.

If the RAM user still cannot automatically create the service-linked roles after this policy is attached, grant the RAM user the AliyunEventBridgeFullAccess policy. That policy grants full access to EventBridge rather than only the right to create these roles, so keep the scoped policy above as the default and use it only as a fallback. For more information about permission policies, see Policies and examples.
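To see what the FAQ policy does and does not permit, the following Python script is an added example (not part of the EventBridge documentation and not Alibaba Cloud code) that builds that policy for a given account ID and evaluates concrete ram:CreateServiceLinkedRole requests against it. The evaluator is a deliberately small model of RAM evaluation: an explicit Deny wins, otherwise any matching Allow grants, otherwise the default is deny; only the StringEquals condition operator used by the FAQ policy is implemented, and any other operator is treated as not satisfied. The account ID, the role ARN and the service-name subset are constructed for the demonstration.

```python
"""Evaluate the FAQ's CreateServiceLinkedRole policy against concrete requests.

Added example, not Alibaba Cloud code. is_allowed() models RAM policy
evaluation: explicit Deny > Allow > default deny. Action and Resource support
the * and ? wildcards; only the StringEquals condition operator is implemented
and any other operator fails closed."""
import fnmatch
from typing import Dict, List

# Subset of the EventBridge service names listed in the FAQ policy above.
EVENTBRIDGE_SERVICES = [
    "sendevent-fc.eventbridge.aliyuncs.com",
    "sendevent-mns.eventbridge.aliyuncs.com",
    "source-rocketmq.eventbridge.aliyuncs.com",
    "connect-vpc.eventbridge.aliyuncs.com",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """RAM-style wildcard match; '[' is escaped so fnmatch treats it literally."""
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in _as_list(patterns))


def _condition_holds(condition: Dict, context: Dict[str, str]) -> bool:
    for operator, keys in condition.items():
        if operator != "StringEquals":
            return False  # unsupported operator: fail closed
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy: Dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny overrides every Allow
        allowed = True
    return allowed


def create_slr_policy(account_id: str, service_names: List[str]) -> Dict:
    """The FAQ policy with the account ID placeholder filled in."""
    return {"Version": "1", "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": f"acs:ram:*:{account_id}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": service_names}},
    }]}


# Constructed values: a fake account ID, the ARN of the role being created
# (RAM role ARNs carry an empty region, which the policy's * matches), and the
# request context that RAM sets for the SendToFC role.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForEventBridgeSendToFC"
FC_CONTEXT = {"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"}

if __name__ == "__main__":
    policy = create_slr_policy(ACCOUNT_ID, EVENTBRIDGE_SERVICES)
    print("create SendToFC role:", is_allowed(policy, "ram:CreateServiceLinkedRole", ROLE_ARN, FC_CONTEXT))
    print("create role for other service:", is_allowed(
        policy, "ram:CreateServiceLinkedRole", ROLE_ARN, {"ram:ServiceName": "other-service.aliyuncs.com"}))
    print("placeholder left in Resource:", is_allowed(
        create_slr_policy("<Alibaba Cloud account ID>", EVENTBRIDGE_SERVICES),
        "ram:CreateServiceLinkedRole", ROLE_ARN, FC_CONTEXT))
```

The checks show why the policy is safe to hand to a RAM user: it cannot create service-linked roles for services outside the list, cannot create roles in another account, grants nothing at all if the account ID placeholder is left unreplaced, and does not extend to ram:DeleteServiceLinkedRole.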