MSE service-linked roles

MSE service-linked roles are predefined RAM roles, each designed for a specific feature. Creating these roles and authorizing MSE to assume them lets MSE obtain and manage the permissions it needs automatically, instead of you assigning complex and error-prone permission policies one by one; this simplifies permission management and improves security. This topic describes the MSE service-linked roles and how to delete them.

AliyunServiceRoleForMSE

Scenarios

When MSE needs to access resources of other cloud services, namely Elastic Compute Service (ECS), Virtual Private Cloud (VPC), SSL Certificates Service, Application Real-Time Monitoring Service (ARMS), Server Load Balancer (SLB), Container Service for Kubernetes (ACK), Enterprise Distributed Application Service (EDAS) and Service Mesh (ASM), it obtains the access permissions through the automatically created service-linked role AliyunServiceRoleForMSE.

Permissions

AliyunServiceRoleForMSE has the following permissions on cloud services:

Elastic Compute Service (ECS) permissions

{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
      

Virtual Private Cloud (VPC) permissions

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

SSL Certificates Service permissions

{
  "Action": [
    "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
    "yundun-cert:DescribeSSLCertificatePrivateKey",
    "yundun-cert:DescribeSSLCertificateList",
    "yundun-cert:DescribeSSLCertificateMatchDomainList"
  ],
  "Resource": "*",
  "Effect": "Allow"
}


Application Real-Time Monitoring Service (ARMS) permissions

{
  "Action": [
    "arms:OpenArmsService",
    "arms:OpenArmsServiceSecondVersion",
    "arms:CheckServiceStatus",
    "arms:OpenVCluster",
    "arms:GetPrometheusApiToken",
    "arms:ListDashboards"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Server Load Balancer (SLB) permissions

{
  "Action": [
    "slb:CreateLoadBalancer",
    "slb:AddBackendServers",
    "slb:SetBackendServers",
    "slb:RemoveBackendServers",
    "slb:CreateLoadBalancerTCPListener",
    "slb:DescribeLoadBalancerTCPListenerAttribute",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:CreateLoadBalancerHTTPListener",
    "slb:DescribeLoadBalancerHTTPListenerAttribute",
    "slb:SetLoadBalancerHTTPListenerAttribute",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
    "slb:SetLoadBalancerHTTPSListenerAttribute",
    "slb:StartLoadBalancerListener",
    "slb:StopLoadBalancerListener",
    "slb:DeleteLoadBalancerListener",
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeHealthStatus",
    "slb:CreateLoadBalancerForCloudService",
    "slb:DeleteLoadBalancer",
    "slb:ModifyLoadBalancerInternetSpec",
    "slb:RemoveTags",
    "slb:AddTags",
    "slb:SetLoadBalancerUDPListenerAttribute",
    "slb:CreateLoadBalancerUDPListener",
    "slb:CreateVServerGroup",
    "slb:DeleteVServerGroup",
    "slb:SetVServerGroupAttribute",
    "slb:ModifyVServerGroupBackendServers",
    "slb:AddVServerGroupBackendServers",
    "slb:ModifyLoadBalancerInstanceSpec",
    "slb:RemoveVServerGroupBackendServers",
    "slb:SetLoadBalancerModificationProtection",
    "slb:SetLoadBalancerDeleteProtection",
    "slb:DescribeLoadBalancerUDPListenerAttribute",
    "slb:DescribeTags",
    "slb:DescribeVServerGroups",
    "slb:DescribeVServerGroupAttribute",
    "slb:DescribeLoadBalancerListeners"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Container Service for Kubernetes (ACK) permissions

{
  "Action": [
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig",
    "cs:GetUserConfig",
    "cs:DescribeClusterUserKubeconfig",
    "cs:GetClusterById",
    "cs:GetClustersByUid",
    "cs:GetClusters",
    "cs:ListClusters",
    "cs:DescribeClusterNodes"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Enterprise Distributed Application Service (EDAS) permissions

{
  "Action": [
    "edas:ReadApplication",
    "edas:ReadCluster",
    "edas:ReadNamespace",
    "edas:ReadService",
    "edas:ListUserDefineRegion",
    "edas:GetSecureToken"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Service Mesh (ASM) permissions

{
  "Action": [
    "servicemesh:CreateServiceMesh",
    "servicemesh:DeleteServiceMesh",
    "servicemesh:DescribeServiceMeshDetail",
    "servicemesh:DescribeServiceMeshKubeconfig",
    "servicemesh:AddClusterIntoServiceMesh",
    "servicemesh:RemoveClusterFromServiceMesh",
    "servicemesh:InitializeASMRole",
    "servicemesh:InvokeApiServer"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
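Every statement above uses Resource "*", and several of the allowed actions return key material or cluster credentials, which is what a reviewer looks at before letting a service-linked role into an account. The script below is an added example, not code from the MSE documentation or from Alibaba Cloud: it parses statements copied from this page (ECS, SSL Certificates, ACK and EDAS; the other four can be appended in the same form), verifies that they are well-formed JSON, splits each service's actions into reads and mutations by the verb in the action name, and lists the actions whose names say they hand back a private key, kubeconfig or token. The read/write split and the set of secret-returning actions are this example's own heuristics, derived from the action names alone.

```python
"""Added example, not code from the MSE documentation: audit the statements
attached to AliyunServiceRoleForMSE for the things a reviewer checks before
approving a service-linked role."""
import json

# Statements copied from the page (ECS, SSL Certificates, ACK, EDAS); the
# VPC, ARMS, SLB and ASM statements can be appended to the same array.
STATEMENTS_JSON = """[
  {"Effect": "Allow", "Resource": "*", "Action": [
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "yundun-cert:DescribeSSLCertificatePublicKeyDetail", "yundun-cert:DescribeSSLCertificatePrivateKey",
    "yundun-cert:DescribeSSLCertificateList", "yundun-cert:DescribeSSLCertificateMatchDomainList"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "cs:DescribeClusterInnerServiceKubeconfig", "cs:RevokeClusterInnerServiceKubeconfig",
    "cs:GetUserConfig", "cs:DescribeClusterUserKubeconfig", "cs:GetClusterById",
    "cs:GetClustersByUid", "cs:GetClusters", "cs:ListClusters", "cs:DescribeClusterNodes"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "edas:ReadApplication", "edas:ReadCluster", "edas:ReadNamespace", "edas:ReadService",
    "edas:ListUserDefineRegion", "edas:GetSecureToken"]}
]"""

# Actions whose names say they return a private key, a kubeconfig or a token.
# This classification is the example's assumption, made from the names only.
SECRET_RETURNING = {
    "yundun-cert:DescribeSSLCertificatePrivateKey",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:DescribeClusterUserKubeconfig",
    "servicemesh:DescribeServiceMeshKubeconfig",
    "arms:GetPrometheusApiToken",
    "edas:GetSecureToken",
}
# Verbs treated as read-only; everything else counts as a mutation.
READ_PREFIXES = ("Describe", "Get", "List", "Read", "Check")


def load_statements(text):
    """Parse a Statement array. A stray trailing comma, easy to introduce when
    pasting fragments together, surfaces here as json.JSONDecodeError."""
    statements = json.loads(text)
    for st in statements:
        if not {"Action", "Resource", "Effect"} <= set(st):
            raise ValueError("statement missing Action/Resource/Effect: %r" % st)
    return statements


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(statements):
    """Return the per-service read/write split, the secret-returning actions
    found, and how many Allow statements are not scoped to a resource."""
    per_service, sensitive, unscoped = {}, [], 0
    for st in statements:
        if st["Effect"] != "Allow":
            continue
        if "*" in _as_list(st["Resource"]):
            unscoped += 1
        for action in _as_list(st["Action"]):
            service, operation = action.split(":", 1)
            kind = "read" if operation.startswith(READ_PREFIXES) else "write"
            per_service.setdefault(service, {"read": [], "write": []})[kind].append(action)
            if action in SECRET_RETURNING:
                sensitive.append(action)
    return {"per_service": per_service, "sensitive": sensitive, "unscoped": unscoped}


if __name__ == "__main__":
    report = audit(load_statements(STATEMENTS_JSON))
    for service, ops in report["per_service"].items():
        print(f"{service}: {len(ops['read'])} read, {len(ops['write'])} write")
    print("returns secrets:", ", ".join(report["sensitive"]))
    print("Allow statements with Resource '*':", report["unscoped"])
```

The useful output is the secret-returning list: with this role in place, anything that can assume it can read SSL private keys and cluster kubeconfigs account-wide, so the role's trust policy and the RAM users allowed to create it deserve the same scrutiny as a human admin credential.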

AliyunServiceRolePolicyForMSEEngineService

Scenarios

When the Nacos engine needs to integrate other cloud products, such as security guardrails, the integration can be completed conveniently through the service-linked role to which the AliyunServiceRolePolicyForMSEEngineService policy is attached.

Permissions

The policy grants the yundun-greenweb:MultiModalGuard action and lets the service delete only its own service-linked role: the ram:ServiceName condition restricts ram:DeleteServiceLinkedRole to roles linked to engine-service.mse.aliyuncs.com.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "yundun-greenweb:MultiModalGuard",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "engine-service.mse.aliyuncs.com"
        }
      }
    }
  ]
}

Delete a service-linked role

Important

If an MSE feature is in use, deleting the MSE service-linked role makes the capability that the role provides unavailable and may affect your workloads. Evaluate the impact carefully before you proceed.

  1. Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, choose Identities > Roles.

  2. On the Roles page, enter the role name, for example AliyunServiceRoleForMSE, in the search box and search.

  3. In the search results, click Delete Role in the Actions column of the role.

  4. In the Delete Role dialog box, enter the role name to confirm, then click Delete Role.

FAQ

Why can't my RAM user automatically create the MSE service-linked role AliyunServiceRoleForMSE?

Specific permissions are required to create or delete AliyunServiceRoleForMSE automatically. If a RAM user cannot create AliyunServiceRoleForMSE automatically, attach the following policy to that user.

Note

Replace <account-id> with the ID of your Alibaba Cloud account.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account-id>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
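Both conditional statements on this page, the ram:DeleteServiceLinkedRole statement in AliyunServiceRolePolicyForMSEEngineService and the ram:CreateServiceLinkedRole statement in the policy above, hinge on the ram:ServiceName condition key. The evaluator below is an added example, not code from the MSE documentation and not Alibaba Cloud's policy engine: it implements default deny, "*" wildcards and the StringEquals operator, which is all that these two policies use, and runs both policies against sample requests. The account ID 123456789012 and the role ARNs are constructed placeholders.

```python
"""Added example, not code from the MSE documentation: a minimal evaluator
for the two conditional RAM policies on this page."""
import json
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account

# The FAQ policy from the page, with the account ID placeholder filled in.
FAQ_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:ACCOUNT_ID:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["mse.aliyuncs.com"]}}
  }]
}""".replace("ACCOUNT_ID", ACCOUNT_ID))

# AliyunServiceRolePolicyForMSEEngineService, as shown on the page.
ENGINE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "yundun-greenweb:MultiModalGuard", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "engine-service.mse.aliyuncs.com"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _conditions_hold(condition, context):
    """Only StringEquals is implemented (the one operator on this page). A key
    the request does not carry makes the condition fail, so the statement
    cannot be used without the matching ServiceName."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny: a request is allowed only by a matching Allow statement
    whose conditions hold, and an explicit Deny overrides any Allow."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed role ARN in the placeholder account.
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/aliyunserviceroleformse"

if __name__ == "__main__":
    for service in ("mse.aliyuncs.com", "engine-service.mse.aliyuncs.com"):
        ctx = {"ram:ServiceName": service}
        print("FAQ policy, CreateServiceLinkedRole for", service, "->",
              is_allowed(FAQ_POLICY, "ram:CreateServiceLinkedRole", ROLE_ARN, ctx))
        print("engine policy, DeleteServiceLinkedRole for", service, "->",
              is_allowed(ENGINE_POLICY, "ram:DeleteServiceLinkedRole", ROLE_ARN, ctx))
```

Under this evaluator and the FAQ policy as written, a CreateServiceLinkedRole call whose ServiceName is engine-service.mse.aliyuncs.com is denied, because only mse.aliyuncs.com is listed in the condition; a RAM user that must also trigger creation of the engine-service role would need that service name added to the list. Conversely the engine-service policy lets its role delete only service-linked roles tied to engine-service.mse.aliyuncs.com, never AliyunServiceRoleForMSE itself.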