文档

MSE服务关联角色

更新时间:

MSE服务关联角色AliyunServiceRoleForMSE是为了实现特定功能而设计的一个预定义RAM角色。在使用MSE时,某些功能需要访问或管理用户账户下的其他阿里云服务资源,例如VPC、SLB、ACK等,以确保微服务架构下的各项能力正常运作。通过创建并授权给MSE这个服务关联角色,可以自动获取和管理这些服务的权限,避免手动逐个分配复杂且容易出错的权限策略,简化了权限管理流程,并增强了安全性。本文介绍MSE服务关联角色AliyunServiceRoleForMSE以及如何删除该角色。

AliyunServiceRoleForMSE应用场景

MSE需要访问云服务器ECS专有网络VPC证书服务SSL应用实时监控服务ARMS负载均衡服务SLB容器服务ACK企业级分布式应用服务EDAS服务网格ASM等云服务的资源时,可通过自动创建的MSE服务关联角色AliyunServiceRoleForMSE获取访问权限。

AliyunServiceRoleForMSE权限说明

AliyunServiceRoleForMSE具备以下云服务的访问权限:

云服务器ECS的访问权限

{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
      

专有网络VPC的访问权限

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch",
  ],
  "Resource": "*",
  "Effect": "Allow"
},

证书服务SSL的访问权限

        {
            "Action": [
                "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
                "yundun-cert:DescribeSSLCertificatePrivateKey",
                "yundun-cert:DescribeSSLCertificateList",
                "yundun-cert:DescribeSSLCertificateMatchDomainList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
                

应用实时监控服务ARMS的访问权限

   {
            "Action": [
                "arms:OpenArmsService",
                "arms:OpenArmsServiceSecondVersion",
                "arms:CheckServiceStatus",
                "arms:OpenVCluster",
                "arms:GetPrometheusApiToken",
                "arms:ListDashboards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

负载均衡服务SLB的访问权限

  {
            "Action": [
                "slb:CreateLoadBalancer",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:RemoveBackendServers",
                "slb:CreateLoadBalancerTCPListener",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DeleteLoadBalancerListener",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeHealthStatus",
                "slb:CreateLoadBalancerForCloudService",
                "slb:DeleteLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveTags",
                "slb:AddTags",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:CreateLoadBalancerUDPListener",
                "slb:CreateVServerGroup",
                "slb:DeleteVServerGroup",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveVServerGroupBackendServers",
                "slb:SetLoadBalancerModificationProtection",
                "slb:SetLoadBalancerDeleteProtection",
                "slb:DescribeLoadBalancerUDPListenerAttribute  ",
                "slb:DescribeTags",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeLoadBalancerListeners"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

容器服务ACK的访问权限

   {
            "Action": [
                "cs:DescribeClusterInnerServiceKubeconfig",
                "cs:RevokeClusterInnerServiceKubeconfig",
                "cs:GetUserConfig",
                "cs:DescribeClusterUserKubeconfig",
                "cs:GetClusterById",
                "cs:GetClustersByUid",
                "cs:GetClusters",
                "cs:ListClusters",
                "cs:DescribeClusterNodes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

企业级分布式应用服务EDAS的访问权限

 {
            "Action": [
                "edas:ReadApplication",
                "edas:ReadCluster",
                "edas:ReadNamespace",
                "edas:ReadService",
                "edas:ListUserDefineRegion",
                "edas:GetSecureToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

服务网格ASM的访问权限

   {
            "Action": [
                "servicemesh:CreateServiceMesh",
                "servicemesh:DeleteServiceMesh",
                "servicemesh:DescribeServiceMeshDetail",
                "servicemesh:DescribeServiceMeshKubeconfig",
                "servicemesh:AddClusterIntoServiceMesh",
                "servicemesh:RemoveClusterFromServiceMesh",
                "servicemesh:InitializeASMRole",
                "servicemesh:InvokeApiServer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

删除AliyunServiceRoleForMSE

说明

如果您使用了MSE功能,然后删除MSE服务关联角色AliyunServiceRoleForMSE,您将无法使用服务测试和压测功能。

  1. 使用阿里云账号登录RAM控制台,在左侧导航栏中单击身份管理 > 角色

  2. 角色页面的搜索框中输入AliyunServiceRoleForMSE进行搜索。

  3. 在AliyunServiceRoleForMSE的操作列下单击删除角色

  4. 删除角色对话框中输入角色名称进行确认,然后单击删除角色

常见问题

为什么我的RAM用户无法自动创建MSE服务关联角色AliyunServiceRoleForMSE?

您需要拥有指定的权限,才能自动创建或删除AliyunServiceRoleForMSE。因此,在RAM用户无法自动创建AliyunServiceRoleForMSE时,您需要为其添加以下权限策略。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
说明

请将主账号ID替换为您实际的阿里云账号ID。