PTS服务关联角色

本文介绍PTS服务关联角色AliyunServiceRoleForPts以及如何删除该角色。

背景信息

PTS服务关联角色AliyunServiceRoleForPts是PTS在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息,请参见服务关联角色

AliyunServiceRoleForPts应用场景

PTS需要访问应用实时监控服务ARMS什么是消息队列 Kafka 版微服务引擎MSE企业级分布式应用服务EDAS等云服务的资源时,可通过自动创建的PTS服务关联角色AliyunServiceRoleForPts获取访问权限。

AliyunServiceRoleForPts权限说明

AliyunServiceRoleForPts具备以下云服务的访问权限:

应用实时监控服务ARMS的访问权限

 {
   "Action": [
     "arms:GetPrometheusApiToken",
     "arms:OpenVCluster",
     "arms:OpenArmsService",
     "arms:CheckServiceStatus",
     "arms:ListDashboards",
     "arms:GetExploreUrl"
   ],
   "Resource": "*",
   "Effect": "Allow"
 } 

云消息队列 Kafka 版的访问权限

{
  "Action": [
    "alikafka:GetInstanceList",
    "alikafka:GetTopicList"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云数据库 Tair(兼容 Redis)的访问权限

{
  "Action": [
    "kvsrote:DescribeInstanceAttribute",
    "kvstore:DescribeInstances"
  ],
  "Resource": "*",
  "Effect": "Allow"
}        

云原生数据库PolarDB的访问权限

{
  "Action": [
    "polardb:DescribeDBClusters",
    "polardb:DescribeDatabases",
    "polardb:DescribeDBClusterEndpoints",
    "polardb:DescribeAccounts"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

微服务引擎MSE的访问权限

 {
  "Action": [
    "mse:GetServiceListPage",
    "mse:GetServiceProvidersPage",
    "mse:GetServiceDetail",
    "mse:ListGatewayRoute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

企业级分布式应用服务EDAS的访问权限

 {
  "Action": [
    "edas:GetServiceListPage",
    "edas:GetServiceProvidersPage",
    "edas:GetServiceMethodPage"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

日志服务SLS的访问权限

 {
  "Action": [
    "log:ListLogStores",
    "log:GetLogs",
    "log:GetLogStoreLogs"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云监控服务的访问权限

 {
  "Action": [
    "cms:NodeList",
    "cms:QueryMetricList",
    "cms:NodeStatusList",
    "cms:ListNodeStatus",
    "cms:GetNodeStatus",
    "cms:ListNode",
    "cms:ListNodeProcesses",
    "cms:CreateAgentInstallTask",
    "cms:GetProfile",
  ],
  "Resource": "*",
  "Effect": "Allow"
}

DDoS防护服务的访问权限

 {
  "Action": [
    "ecs:DescribeInstances",
    "ecs:DescribeInstances",
    "ecs:DescribeInstanceMonitorData",
    "ecs:DescribeInstanceAttribute",
    "ecs:DescribeInstanceTypes",
    "ecs:DescribeInstanceDisks",
    "ecs:AuthorizeSecurityGroup",
    "ecs:RevokeSecurityGroup",
    "ecs:DescribeRegions",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DeleteNetworkInterfacePermission"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云服务器ECS的访问权限

 {
  "Action": [
    "yundun-ddoscoo:DescribeInstances",
    "yundun-ddoscoo:DescribeInstanceDetails",
    "yundun-ddoscoo:DescribeInstanceList",
    "yundun-ddoscoo:DescribeInstanceSpecs",
    "yundun-ddoscoo:DescribeDomains",
    "yundun-ddoscoo:DescribeLayer7InstanceRelations"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

弹性公网IP的访问权限

 {
  "Action": [
    "eip:DescribeEipAddresses",
    "eip:DescribeEipMonitorData"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

云数据库RDS MySQL版的访问权限

 {
  "Action": [
    "rds:DescribeDatabases",
    "rds:DescribeDBInstanceDetail",
    "rds:DescribeDBInstances",
    "rds:DescribeDBInstanceAttribute",
    "rds:DescribeSlowLogs",
    "rds:DescribeSlowLogRecords",
    "rds:DescribeErrorLogs",
    "rds:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

负载均衡SLB的访问权限

 {
  "Action": [
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeHealthStatus",
    "slb:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Web应用防火墙WAF的访问权限

 {
  "Action": [
    "yundun-waf:DescribePayInfo",
    "yundun-waf:DescribeDomainNames",
    "yundun-waf:DescribeDomainConfig"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

专有网络VPC的访问权限

 {
  "Action": [
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitches",
    "vpc:DescribeVSwitchAttributes"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

阿里云容器服务的访问权限

 {
  "Action": [
    "cs:ListClusters",
    "cs:GetClusterById",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

数据管理服务DMS的访问权限

 {
  "Action": [
    "dms:SearchDatabase",
    "dms:ListTables",
    "dms:GetMetaTableDetailInfo",
    "dms:CreateStructSyncOrder",
    "dms:GetOrderBaseInfo"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

bss的访问权限

 {
  "Action": [
    "bss:CreateOrder"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

删除AliyunServiceRoleForPts

如果您使用了PTS功能,然后需要删除PTS服务关联角色AliyunServiceRoleForPts,例如出于安全考虑,需要删除该角色,则需要先明确删除后的影响:删除AliyunServiceRoleForPts后,无法使用服务测试、服务压测功能。

删除AliyunServiceRoleForPts的操作步骤如下:

  1. 使用阿里云账号登录RAM控制台,在左侧导航栏中单击身份管理 > 角色

  2. 角色页面创建角色右侧的搜索框中,输入AliyunServiceRoleForPts,自动搜索到PTS的服务关联角色AliyunServiceRoleForPts。

  3. 在AliyunServiceRoleForPts的操作列单击删除

  4. 删除角色对话框,单击确定

常见问题

为什么我的RAM用户无法自动创建PTS服务关联角色AliyunServiceRoleForPts?

您需要拥有指定的权限,才能自动创建或删除AliyunServiceRoleForPts。因此,在RAM用户无法自动创建AliyunServiceRoleForPts时,您需为其添加以下权限策略。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "pts.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
说明

请将主账号ID替换为您实际的阿里云账号ID。