服务关联角色AliyunServiceRoleForXtrace的权限说明与删除方法-可观测链路 OpenTelemetry 版-阿里云

本文介绍可观测链路 OpenTelemetry 版服务关联角色AliyunServiceRoleForXtrace以及如何删除该角色。

背景信息

可观测链路 OpenTelemetry 版服务关联角色AliyunServiceRoleForXtrace是可观测链路 OpenTelemetry 版在某些情况下，为了完成自身的某个功能，需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息，请参见服务关联角色。

AliyunServiceRoleForXtrace应用场景

可观测链路 OpenTelemetry 版监控功能需要访问容器服务ACK、日志服务SLS、云服务器ECS和专有网络VPC云服务的资源时，可通过自动创建的可观测链路 OpenTelemetry 版服务关联角色AliyunServiceRoleForXtrace获取访问权限。

AliyunServiceRoleForXtrace权限说明

AliyunServiceRoleForXtrace具备以下云服务的访问权限。

容器服务ACK的访问权限

{
            "Action": [
                "cs:ScaleCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:CheckKritisInstall",
                "cs:GetKritisAttestationAuthority",
                "cs:GetKritisGenericAttestationPolicy",
                "cs:AttachInstances",
                "cs:InstallKritis",
                "cs:InstallKritisAttestationAuthority",
                "cs:InstallKritisGenericAttestationPolicy",
                "cs:UpdateClusterTags",
                "cs:UninstallKritis",
                "cs:DeleteKritisAttestationAuthority",
                "cs:DeleteKritisGenericAttestationPolicy",
                "cs:UpdateKritisAttestationAuthority",
                "cs:UpdateKritisGenericAttestationPolicy",
                "cs:UpgradeCluster",
                "cs:GetClusterLogs"
            ],
            "Resource": [
              "acs:cs:*:*:cluster/*"
            ],
            "Effect": "Allow"
        }

日志服务SLS的访问权限

{
       "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:EnableService",
        "log:DescribeService",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
       }
]

云服务器ECS的访问权限

{
       "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
         ],
      "Resource": "*",
      "Effect": "Allow"
    }

专有网络VPC的访问权限

{
       "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeNatGateways"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

SLB的访问和配置权限

{
       "Action": [
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadbalancerListenerAttributeEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:SetAccessLogsDownloadAttribute",
        "slb:DeleteAccessLogsDownloadAttribute",
        "slb:DescribeAccessLogsDownloadAttribute"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

删除AliyunServiceRoleForXtrace

如果您使用了可观测链路 OpenTelemetry 版的监控功能，然后需要删除可观测链路 OpenTelemetry 版服务关联角色AliyunServiceRoleForXtrace，例如您出于安全考虑，需要删除该角色，则需要先明确删除后的影响：删除AliyunServiceRoleForXtrace后，无法将当前账号下的数据进行存储和展示。

删除AliyunServiceRoleForXtrace的操作步骤如下：

说明

如果当前账号下还有应用数据，则需先删除所有应用后才能删除AliyunServiceRoleForXtrace。

登录RAM控制台，在左侧导航栏中选择身份管理 > 角色。
在角色页面的搜索框中，输入AliyunServiceRoleForXtrace，自动搜索到名称为AliyunServiceRoleForXtrace的RAM角色。
在右侧操作列，单击删除角色。
在删除角色对话框，确认信息并单击删除角色。
- 如果当前账号下还有可观测链路 OpenTelemetry 版的应用，则需先删除所有应用才能删除AliyunServiceRoleForXtrace，否则提示删除失败。
- 如果当前账号下所有应用已经删除，则可直接删除AliyunServiceRoleForXtrace。

常见问题

为什么我的XTRACE用户无法自动创建ARMS服务关联角色AliyunServiceRoleForXtrace？

您需要拥有指定的权限，才能自动创建或删除AliyunServiceRoleForXtrace。因此，在RAM用户无法自动创建AliyunServiceRoleForXtrace时，您需为其添加以下权限策略。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "xtrace.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}