当无影云电脑需要代表您访问其他阿里云服务时,系统会自动创建一个无影云电脑服务关联角色(AliyunServiceRoleForGws)。本文为您介绍无影云电脑(原名图形工作站 GWS)服务关联角色(AliyunServiceRoleForGws)的应用场景、权限策略及其相关操作。
背景信息
服务关联角色是与特定的云服务关联的角色。多数情况下,在您使用特定功能时,关联的云服务会自动创建或删除服务关联角色。通过服务关联角色可以更好地配置云服务正常操作所必须的权限,避免误操作带来的风险。更多关于服务关联角色的信息,请参见服务关联角色。
应用场景
当您执行创建、停止、启动无影云电脑,或者创建、删除镜像等操作时,无影云电脑需要访问云服务器 ECS、专有网络 VPC 等云产品来完成这些操作;所需的跨产品访问权限通过服务关联角色(AliyunServiceRoleForGws)获取。
权限说明
角色名称:AliyunServiceRoleForGws
权限策略:AliyunServiceRolePolicyForGws
权限说明:无影云电脑使用此角色访问其他云产品(即下方策略所列的 ECS、VPC、PrivateLink、NAS、CEN、OSS、PDS 等)的资源。
该权限策略包含的云服务访问权限如下。安全提示:除 OSS 对象读写及生命周期操作被限定在名称以 eds-recording-bucket- 开头的 Bucket 外,其余语句的 Resource 均为 *,即授权范围覆盖账号内对应云产品的全部资源;其中 ecs:RunCommand、ecs:ModifyInstanceVncPasswd、ecs:DescribeUserData、ecs:CreateImage 以及 nas、pds 的文件与用户操作属于高敏感权限。服务关联角色的权限策略由云服务统一维护,通常无法由您自行收窄,建议在操作审计等日志中关注该角色的扮演与调用记录。此外,列表中 nas:DescribeSmbAcl 重复出现一次,不影响实际授权范围。
{
"Version": "1",
"Statement": [
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "gws.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "acm:DescribePrice",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:StopInstance",
"ecs:CreateInstance",
"ecs:DeleteInstance",
"ecs:StartInstance",
"ecs:RebootInstance",
"ecs:DescribeInstances",
"ecs:DescribeInstanceAttribute",
"ecs:CreateImage",
"ecs:DeleteImage",
"ecs:DescribeImages",
"ecs:ModifyImageAttribute",
"ecs:AllocatePublicIpAddress",
"ecs:DescribeZones",
"ecs:DescribeAvailableResource",
"ecs:DescribeSecurityGroups",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:DescribeUserData",
"ecs:TagResources",
"ecs:ModifyInstanceAttribute",
"ecs:ModifyInstanceVncPasswd",
"ecs:RunCommand",
"ecs:DescribeInvocationResults",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:CreateVSwitch",
"vpc:CreateVpc",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:CreateNatGateway",
"vpc:DeleteNatGateway",
"vpc:DescribeNatGateways",
"vpc:CreateForwardEntry",
"vpc:DeleteForwardEntry",
"vpc:DescribeForwardTableEntries",
"vpc:ModifyForwardEntry",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:AllocateEipAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint",
"privatelink:OpenPrivateLinkService"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:OpenNASService",
"nas:CreateFileSystem",
"nas:DeleteFileSystem",
"nas:ModifyFileSystem",
"nas:DescribeFileSystems",
"nas:CreateMountTarget",
"nas:DeleteMountTarget",
"nas:DescribeMountTargets",
"nas:DescribeSmbAcl",
"nas:TagResources",
"nas:DisableSmbAcl",
"nas:ModifySmbAcl",
"nas:CreateFile",
"nas:ListDirectoriesAndFiles",
"nas:DescribeSmbAcl",
"nas:EnableSmbAcl",
"nas:DescribeZones"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cen:AttachCenChildInstance",
"cen:DetachCenChildInstance",
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens",
"cen:DescribeCenRegionDomainRouteEntries",
"cen:CreateTransitRouterVpcAttachment",
"cen:ListTransitRouters",
"cen:CreateTransitRouter",
"cen:ListTransitRouterVpcAttachments",
"cen:ListTransitRouterRouteTables",
"cen:DeleteTransitRouterVpcAttachment",
"cen:ListTransitRouterRouteTableAssociations",
"cen:DissociateTransitRouterAttachmentFromRouteTable",
"cen:ListTransitRouterRouteTablePropagations",
"cen:DisableTransitRouterRouteTablePropagation",
"cen:AssociateTransitRouterAttachmentWithRouteTable",
"cen:EnableTransitRouterRouteTablePropagation",
"cen:DescribeCenAttachedChildInstanceAttribute",
"cen:CheckTransitRouterService",
"cen:ListTransitRouterRouteEntries",
"cen:DeleteTransitRouterRouteEntry"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oss:ListObjects",
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject",
"oss:PutBucketLifecycle",
"oss:GetBucketLifecycle"
],
"Resource": [
"acs:oss:*:*:eds-recording-bucket-*",
"acs:oss:*:*:eds-recording-bucket-*/*"
],
"Effect": "Allow"
},
{
"Action": [
"oss:ListBuckets",
"oss:PutBucket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quotas:GetProductQuota",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"pds:CreateUser",
"pds:DeleteUser",
"pds:UpdateUser",
"pds:GetUser",
"pds:ListUser",
"pds:ShareFile",
"pds:VisibleFile",
"pds:GetUserExtraInfo",
"pds:CreateGroup",
"pds:DeleteGroup",
"pds:UpdateGroup",
"pds:ListGroup",
"pds:GetGroup",
"pds:CreateMembership",
"pds:DeleteMembership",
"pds:GetMembership",
"pds:ListMembership",
"pds:CreateDrive",
"pds:DeleteDrive",
"pds:UpdateDrive",
"pds:GetDrive",
"pds:ListDrive",
"pds:CreateFile",
"pds:EditFile",
"pds:UpdateFile",
"pds:GetFile",
"pds:ListFiles",
"pds:MoveFile",
"pds:CopyFile",
"pds:DeleteFile",
"pds:GetAsyncTask",
"pds:CreateOrder",
"pds:AssignRole",
"pds:CreateDomain",
"pds:UpdateDomain",
"pds:DeleteDomain",
"pds:GetDomain",
"pds:ListDomains",
"pds:CreateShare",
"pds:GetShare",
"pds:UpdateShare",
"pds:ListShares",
"pds:DownloadFile",
"pds:Batch"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
删除服务关联角色
如果您需要删除无影云电脑服务关联角色(AliyunServiceRoleForGws),请先通过控制台或 OpenAPI 删除依赖该角色的无影云电脑资源,然后再删除该服务关联角色(AliyunServiceRoleForGws);如果仍存在依赖资源,删除操作可能失败。删除后,再次使用相关功能时系统会按"背景信息"所述自动重新创建该角色。具体操作,请参见删除RAM角色。