附录:灵骏连接服务关联角色说明

开通灵骏连接后,用户可通过灵骏连接访问阿里云其他云产品(例如,访问VPC、创建专线、创建弹性网卡等),进行此类操作时需通过服务关联角色获取对应云产品的访问权限。本文为您介绍灵骏连接服务关联角色(AliyunServiceRoleForEfloVcc)的应用场景、权限范围以及如何删除该服务关联角色。

背景信息

灵骏连接服务关联角色(AliyunServiceRoleForEfloVcc)是一种RAM角色:在某些情况下,灵骏连接为了完成自身的某个功能,需要获取其他云服务的访问权限,此时即通过该角色进行访问。更多关于服务关联角色的信息,请参见服务关联角色。

权限说明

  • 角色名称:AliyunServiceRoleForEfloVcc

  • 角色权限策略:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:CreateNetworkInterface",
            "ecs:AttachNetworkInterface",
            "ecs:DetachNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:CreateSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:ModifyInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "vpc:ConfirmPhysicalConnection",
            "vpc:CreateVirtualBorderRouter",
            "vpc:DeleteVirtualBorderRouter",
            "vpc:DescribeVirtualBorderRouters",
            "vpc:CreateBgpGroup",
            "vpc:DeleteBgpGroup",
            "vpc:DescribeBgpGroups",
            "vpc:CreateBgpPeer",
            "vpc:DeleteBgpPeer",
            "vpc:DescribeBgpPeers",
            "cen:AttachCenChildInstance",
            "cen:DetachCenChildInstance",
            "vpc:DescribeRouteEntryList",
            "vpc:AddBgpNetwork",
            "vpc:DeleteBgpNetwork",
            "vpc:DescribeBgpNetworks",
            "vpc:TerminatePhysicalConnection",
            "vpc:RecoverPhysicalConnection",
            "vpc:DeletePhysicalConnection",
            "vpc:OpenPhysicalConnectionService",
            "vpc:GetPhysicalConnectionServiceStatus",
            "vpc:DescribePhysicalConnections",
            "vpc:CreatePhysicalConnectionOccupancyOrder",
            "vpc:UpdateVirtualPhysicalConnection",
            "vpc:CreateRouterInterface",
            "vpc:DeleteRouterInterface",
            "vpc:DeactivateRouterInterface",
            "vpc:DescribeRouterInterfaces",
            "vpc:DescribeRouteTableList",
            "vpc:CreateRouteEntries",
            "vpc:DeleteRouteEntries",
            "vpc:CreateRouteEntry",
            "vpc:DeleteRouteEntry",
            "vpc:DescribeGrantRulesToCen",
            "vpc:GrantInstanceToCen",
            "vpc:RevokeInstanceFromCen",
            "vpc:CreatePhysicalConnectionNew",
            "vpc:ModifyVirtualBorderRouterAttribute",
            "vpc:AssociatePhysicalConnectionToVirtualBorderRouter",
            "vpc:UnassociatePhysicalConnectionFromVirtualBorderRouter",
            "bssapi:SetRenewal",
            "vpc:CancelPhysicalConnection"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cen:CreateTransitRouterRouteEntry",
            "cen:ListTransitRouterRouteEntries",
            "cen:DeleteTransitRouterRouteEntry",
            "cen:ResolveAndRouteServiceInCen",
            "cen:DescribeRouteServicesInCen",
            "cen:DeleteRouteServiceInCen",
            "cen:CreateTransitRouterVbrAttachment",
            "cen:DeleteTransitRouterVbrAttachment",
            "cen:ListTransitRouterVbrAttachments",
            "cen:ListTransitRouterVpcAttachments",
            "cen:DisableTransitRouterRouteTablePropagation",
            "cen:EnableTransitRouterRouteTablePropagation",
            "cen:ListTransitRouterRouteTablePropagations",
            "cen:AssociateTransitRouterAttachmentWithRouteTable",
            "cen:DissociateTransitRouterAttachmentFromRouteTable",
            "cen:ListTransitRouterRouteTableAssociations",
            "cen:ListTransitRouterRouteTables",
            "cen:ListTransitRouters",
            "cen:ListTransitRouterAvailableResource",
            "cen:ResolveAndRouteServiceInCen",
            "cen:DescribeRouteServicesInCen",
            "cen:DeleteRouteServiceInCen",
            "cen:DescribeCenAttachedChildInstances",
            "cen:DescribeCenAttachedChildInstanceAttribute",
            "cen:DescribeCens"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ros:ListStacks",
            "ros:GetStack",
            "ros:ListStackEvents",
            "ros:ListStackResources",
            "ros:GetStackResource",
            "ros:CreateStack",
            "ros:DeleteStack",
            "ros:PreviewStack"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vcc.eflo.aliyuncs.com"
            }
          }
        }
      ]
    }

创建服务关联角色

当您第一次创建集群并进行网络配置时,需要单击授权服务角色创建按钮,一键创建服务关联角色(AliyunServiceRoleForEfloVcc)。

删除服务关联角色

如果您需要删除服务关联角色AliyunServiceRoleForEfloVcc,需要先释放所有依赖该服务关联角色的灵骏连接。

  • 释放灵骏连接:可等待云服务实例到期后自动释放。

  • 删除服务关联角色的具体操作,请参见删除服务关联角色。