This topic describes the background information, policy content, usage notes, and FAQ for the service-linked roles of EventBridge.
Background information
In some cases EventBridge needs permissions on other Alibaba Cloud services to carry out one of its own features. For this purpose EventBridge can create a role that is associated with a specific service, called a service-linked role. For more information, see Service-linked roles.
EventBridge can automatically create the following service-linked roles:
AliyunServiceRoleForEventBridgeSendToFC
The service-linked role AliyunServiceRoleForEventBridgeSendToFC obtains permissions to access Function Compute so that EventBridge can invoke functions.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToFC, whose content is as follows (a comma after "fc:ListFunctions" that was missing in the listed document has been restored so that the document is valid JSON):
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "fc:InvokeFunction",
        "fc:ListServices",
        "fc:ListFunctions",
        "fc:ListServiceVersions",
        "fc:ListAliases",
        "fc:RegisterEventSource",
        "fc:DeregisterEventSource",
        "fc:ListEventSources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToMNS
The service-linked role AliyunServiceRoleForEventBridgeSendToMNS obtains permissions to access Simple Message Queue (formerly MNS) so that EventBridge can send messages to queues and publish messages to topics.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToMNS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mns:SendMessage",
        "mns:GetQueueAttributes",
        "mns:PublishMessage",
        "mns:ListQueue",
        "mns:ListTopic",
        "mns:ReceiveMessage",
        "mns:BatchReceiveMessage",
        "mns:PeekMessage",
        "mns:BatchPeekMessage",
        "mns:ChangeMessageVisibility",
        "mns:DeleteMessage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToSMS
The service-linked role AliyunServiceRoleForEventBridgeSendToSMS obtains permissions to access Short Message Service so that EventBridge can send SMS messages.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToSMS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dysms:SendSms",
        "dysms:SendBatchSms",
        "dysms:QuerySendDetails",
        "dysms:QuerySmsSign",
        "dysms:QuerySmsTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToDirectMail
The service-linked role AliyunServiceRoleForEventBridgeSendToDirectMail obtains permissions to access Direct Mail so that EventBridge can send emails.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToDirectMail, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dm:SingleSendMail",
        "dm:BatchSendMail",
        "dm:QueryMailAddressByParam"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceRocketMQ
The service-linked role AliyunServiceRoleForEventBridgeSourceRocketMQ obtains permissions to access ApsaraMQ for RocketMQ so that EventBridge can read resources from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceRocketMQ, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mq:QueryInstanceBaseInfo",
        "mq:QueryConsumerStatus",
        "mq:SUB"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-rocketmq.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceMNS
The service-linked role AliyunServiceRoleForEventBridgeSourceMNS obtains permissions to access Simple Message Queue (formerly MNS) so that EventBridge can read resources from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceMNS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mns:ListQueue",
        "mns:ReceiveMessage",
        "mns:BatchReceiveMessage",
        "mns:PeekMessage",
        "mns:BatchPeekMessage",
        "mns:ChangeMessageVisibility"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-mns.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToRocketMQ
The service-linked role AliyunServiceRoleForEventBridgeSendToRocketMQ obtains permissions to access ApsaraMQ for RocketMQ so that EventBridge can publish messages to it.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToRocketMQ, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mq:PUB",
        "mq:QueryInstanceBaseInfo",
        "mq:QueryTopicStatus",
        "mq:QueryConsumerAccumulate",
        "mq:QueryConsumerStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-rocketmq.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeConnectVPC
The service-linked role AliyunServiceRoleForEventBridgeConnectVPC obtains permissions to access Virtual Private Cloud (VPC) so that EventBridge can reach resources inside a VPC. Note that this role also needs ECS permissions to create and delete the elastic network interfaces and security group it uses for that connectivity.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeConnectVPC, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "connect-vpc.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceActionTrail
The service-linked role AliyunServiceRoleForEventBridgeSourceActionTrail obtains permissions to access ActionTrail so that EventBridge can query operation records and have them delivered.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceActionTrail, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "actiontrail:CreateServiceTrail",
        "actiontrail:DeleteServiceTrail"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceRabbitMQ
The service-linked role AliyunServiceRoleForEventBridgeSourceRabbitMQ obtains permissions to access ApsaraMQ for RabbitMQ so that EventBridge can read resources from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:ListInstance",
        "amqp:ListVhost",
        "amqp:ListExchange",
        "amqp:GetVhost",
        "amqp:GetExchange",
        "amqp:GetQueue",
        "amqp:BasicRecover",
        "amqp:BasicCancel",
        "amqp:BasicConsume",
        "amqp:BasicAck",
        "amqp:BasicNack",
        "amqp:BasicReject",
        "amqp:QueuePurge",
        "amqp:BasicGet"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToRabbitMQ
The service-linked role AliyunServiceRoleForEventBridgeSendToRabbitMQ obtains permissions to access ApsaraMQ for RabbitMQ so that EventBridge can publish messages to it.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "amqp:ListInstance",
        "amqp:ListVhost",
        "amqp:ListExchange",
        "amqp:GetVhost",
        "amqp:CreateExchange",
        "amqp:GetExchange",
        "amqp:CreateQueue",
        "amqp:GetQueue",
        "amqp:BasicRecover",
        "amqp:BasicPublish",
        "amqp:BasicAck",
        "amqp:BasicNack"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-rabbitmq.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceKafka
The service-linked role AliyunServiceRoleForEventBridgeSourceKafka obtains permissions to access ApsaraMQ for Kafka so that EventBridge can read resources from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceKafka, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToKafka
The service-linked role AliyunServiceRoleForEventBridgeSendToKafka obtains permissions to access ApsaraMQ for Kafka so that EventBridge can publish messages to it.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToKafka, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToRDS
The service-linked role AliyunServiceRoleForEventBridgeSendToRDS obtains permissions to access ApsaraDB RDS so that EventBridge can deliver data to RDS.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToRDS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceCMS
The service-linked role AliyunServiceRoleForEventBridgeSourceCMS obtains permissions to access CloudMonitor (CMS) so that EventBridge can read system events from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceCMS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:DescribeSystemEventAttribute",
        "cms:DescribeSystemEventCount",
        "cms:DescribeSystemEventHistogram"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSendToSAE
The service-linked role AliyunServiceRoleForEventBridgeSendToSAE obtains permissions to access Serverless App Engine (SAE) so that EventBridge can deliver data to SAE.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSendToSAE, whose content is as follows (a comma after "Resource": "*" that was missing in the listed document has been restored so that the document is valid JSON):
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "sae:ExecJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceMqtt
The service-linked role AliyunServiceRoleForEventBridgeSourceMqtt obtains permissions to access ApsaraMQ for MQTT so that EventBridge can read resources from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceMqtt, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mq:SUB"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForEventBridgeSourceSLS
The service-linked role AliyunServiceRoleForEventBridgeSourceSLS obtains permissions to access Simple Log Service (SLS) so that EventBridge can consume log data from it as an event source.
The role is attached the policy AliyunServiceRolePolicyForEventBridgeSourceSLS, whose content is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListConsumerGroup",
        "log:GetConsumerGroupCheckPoint",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-sls.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}
Usage notes
After a service-linked role is deleted, EventBridge can no longer publish events to the corresponding Alibaba Cloud service, so delete these roles with care. To use the related feature again, you must re-create the role. For details, see Create a service-linked role.
For details about how to delete a service-linked role, see Delete a service-linked role.
FAQ
Q: Why can't my RAM user automatically create the EventBridge service-linked roles?
A: If the Alibaba Cloud account has already created a service-linked role, its RAM users inherit that role. If the role has not been inherited, log on to the RAM console and attach a custom policy with the following content to the RAM user:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:阿里云账号ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "sendevent-fc.eventbridge.aliyuncs.com",
            "sendevent-mns.eventbridge.aliyuncs.com",
            "sendevent-sms.eventbridge.aliyuncs.com",
            "sendevent-directmail.eventbridge.aliyuncs.com",
            "source-rocketmq.eventbridge.aliyuncs.com",
            "source-mns.eventbridge.aliyuncs.com",
            "source-cms.eventbridge.aliyuncs.com",
            "source-mqtt.eventbridge.aliyuncs.com",
            "source-sls.eventbridge.aliyuncs.com",
            "sendevent-sae.eventbridge.aliyuncs.com",
            "sendevent-rocketmq.eventbridge.aliyuncs.com",
            "connect-vpc.eventbridge.aliyuncs.com",
            "source-actiontrail.eventbridge.aliyuncs.com",
            "source-rabbitmq.eventbridge.aliyuncs.com",
            "sendevent-rabbitmq.eventbridge.aliyuncs.com",
            "source-kafka.eventbridge.aliyuncs.com",
            "sendevent-kafka.eventbridge.aliyuncs.com",
            "sendevent-rds.eventbridge.aliyuncs.com",
            "sendevent-arms.eventbridge.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Replace the placeholder 阿里云账号ID in the Resource element with the ID of your Alibaba Cloud account. Because the ram:ServiceName condition limits which service-linked roles the RAM user may create, a service whose name is not in the list will still fail to create its role.
If the RAM user still cannot automatically create the service-linked roles after this policy is attached, grant the RAM user the AliyunEventBridgeFullAccess policy. For more information about policies, see Policies and examples.
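The script below is an added example and is not part of the original documentation or of the EventBridge product. It shows two checks a reviewer can run over the policy documents on this page: that a service-linked-role policy parses and scopes its ram:DeleteServiceLinkedRole grant to the role's own ram:ServiceName (so the role can only remove itself), and which required service names a custom ram:CreateServiceLinkedRole policy such as the one in the FAQ fails to cover. The two policy documents are copied inline as test input (the SendToFC document with its comma restored, the FAQ document with its 阿里云账号ID placeholder left as-is); the function names, the deliberately malformed variant, and the name example-unknown.eventbridge.aliyuncs.com are constructed for this example.

```python
import json

# Constructed test input: AliyunServiceRolePolicyForEventBridgeSendToFC from this page,
# with the missing comma after "fc:ListFunctions" restored.
SLR_POLICY_FC = """{
  "Version": "1",
  "Statement": [
    {
      "Action": ["fc:InvokeFunction", "fc:ListServices", "fc:ListFunctions",
                 "fc:ListServiceVersions", "fc:ListAliases", "fc:RegisterEventSource",
                 "fc:DeregisterEventSource", "fc:ListEventSources"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"}}
    }
  ]
}"""

# Constructed variant: the same document as listed on the page, without that comma.
SLR_POLICY_FC_BROKEN = SLR_POLICY_FC.replace('"fc:ListFunctions",', '"fc:ListFunctions"')

# Constructed test input: the custom ram:CreateServiceLinkedRole policy from the FAQ.
# The placeholder 阿里云账号ID is kept exactly as the page shows it.
CREATE_SLR_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "acs:ram:*:阿里云账号ID:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [
      "sendevent-fc.eventbridge.aliyuncs.com", "sendevent-mns.eventbridge.aliyuncs.com",
      "sendevent-sms.eventbridge.aliyuncs.com", "sendevent-directmail.eventbridge.aliyuncs.com",
      "source-rocketmq.eventbridge.aliyuncs.com", "source-mns.eventbridge.aliyuncs.com",
      "source-cms.eventbridge.aliyuncs.com", "source-mqtt.eventbridge.aliyuncs.com",
      "source-sls.eventbridge.aliyuncs.com", "sendevent-sae.eventbridge.aliyuncs.com",
      "sendevent-rocketmq.eventbridge.aliyuncs.com", "connect-vpc.eventbridge.aliyuncs.com",
      "source-actiontrail.eventbridge.aliyuncs.com", "source-rabbitmq.eventbridge.aliyuncs.com",
      "sendevent-rabbitmq.eventbridge.aliyuncs.com", "source-kafka.eventbridge.aliyuncs.com",
      "sendevent-kafka.eventbridge.aliyuncs.com", "sendevent-rds.eventbridge.aliyuncs.com",
      "sendevent-arms.eventbridge.aliyuncs.com"
    ]}}
  }]
}"""


def _as_list(value):
    """RAM accepts either a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def check_slr_policy(policy_text, own_service_name):
    """Return a list of findings for a service-linked-role policy (empty means OK).

    Verifies that the document parses and that every ram:DeleteServiceLinkedRole
    grant stands alone and is conditioned on the role's own ram:ServiceName, so the
    role can delete itself but not other service-linked roles in the account.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings = []
    delete_grants = 0
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if "ram:DeleteServiceLinkedRole" not in actions:
            continue
        delete_grants += 1
        if len(actions) > 1:
            findings.append(f"statement {idx}: delete grant is mixed with other actions")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("ram:ServiceName", [])) != [own_service_name]:
            findings.append(f"statement {idx}: delete grant not scoped to {own_service_name}")
    if delete_grants == 0:
        findings.append("no ram:DeleteServiceLinkedRole statement found")
    return findings


def uncovered_service_names(create_policy_text, required_names):
    """Names in required_names for which the custom policy does not allow
    ram:CreateServiceLinkedRole; a RAM user holding only this policy cannot
    trigger automatic creation of the corresponding roles."""
    policy = json.loads(create_policy_text)
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "ram:CreateServiceLinkedRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        allowed.update(_as_list(cond.get("ram:ServiceName", [])))
    return sorted(set(required_names) - allowed)


if __name__ == "__main__":
    print(check_slr_policy(SLR_POLICY_FC, "sendevent-fc.eventbridge.aliyuncs.com"))
    print(check_slr_policy(SLR_POLICY_FC_BROKEN, "sendevent-fc.eventbridge.aliyuncs.com"))
    print(uncovered_service_names(CREATE_SLR_POLICY, ["source-sls.eventbridge.aliyuncs.com",
                                                      "example-unknown.eventbridge.aliyuncs.com"]))
```

Running the script reports no findings for the repaired SendToFC policy, a JSON parse error for the variant with the missing comma, and example-unknown.eventbridge.aliyuncs.com as the one name the FAQ policy does not cover. The same two functions can be pointed at the other policy documents on this page by pasting them in as additional constants.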