Service-linked roles
The Cloud-native API Gateway service-linked roles (AliyunServiceRoleForNativeApiGw and AliyunServiceRoleForNativeApiGwInvokeFC) are predefined RAM roles that exist so the gateway can perform specific functions against other cloud services. This topic describes when each role is used, the permissions each role holds, how to view them, and how to delete them.
Scenarios for the service-linked roles
AliyunServiceRoleForNativeApiGw: When Cloud-native API Gateway needs to access resources of other cloud services, such as Virtual Private Cloud (VPC), Container Service for Kubernetes (ACK), Function Compute (FC), Enterprise Distributed Application Service (EDAS), Microservices Engine (MSE), Server Load Balancer (SLB), Network Load Balancer (NLB), Elastic Compute Service (ECS), and Application Real-Time Monitoring Service (ARMS), it obtains the required permissions by assuming the automatically created service-linked role AliyunServiceRoleForNativeApiGw.
AliyunServiceRoleForNativeApiGwInvokeFC: When Cloud-native API Gateway needs to invoke FC functions, it assumes the automatically created service-linked role AliyunServiceRoleForNativeApiGwInvokeFC.
Permissions a RAM user needs to work with the service-linked roles
If a RAM user (rather than the Alibaba Cloud account) is used to create or delete the service-linked roles, ask an administrator to grant that RAM user the administrative policy (AliyunNativeApiGwFullAccess), or add the following actions to the Action element of a custom policy attached to the RAM user:
Create a service-linked role:
ram:CreateServiceLinkedRole
Delete a service-linked role:
ram:DeleteServiceLinkedRole
For the detailed authorization steps, see "Permissions required to create and delete service-linked roles".
Permission description
AliyunServiceRoleForNativeApiGw
The Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGw holds the permissions listed below, one statement per cloud service. Note that every statement grants Allow on "Resource": "*", so the role is bounded by the action list only, not by resource: the mutating actions (Create, Delete, Modify, Set, Authorize, Revoke) are the ones that define what the gateway control plane can change in your account, and they are the ones to review when assessing the role's blast radius.
Virtual Private Cloud (VPC)
{
  "Effect": "Allow",
  "Action": [
    "vpc:AllocateEipAddress",
    "vpc:AllocateEipAddressPro",
    "vpc:DescribeEipAddresses",
    "vpc:AssociateEipAddress",
    "vpc:UnassociateEipAddress",
    "vpc:ReleaseEipAddress",
    "vpc:ModifyEipAddressAttribute",
    "vpc:ModifyBypassToaAttribute",
    "vpc:AddCommonBandwidthPackageIp",
    "vpc:RemoveCommonBandwidthPackageIp",
    "vpc:TagResources",
    "vpc:DescribeVSwitches",
    "vpc:DescribeVSwitchAttributes",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch",
    "vpc:DescribeVpcAttribute",
    "vpc:DescribeVRouters",
    "vpc:DescribeRouteTables",
    "vpc:DescribeRouteEntryList"
  ],
  "Resource": "*"
}
Container Service for Kubernetes (ACK)
{
  "Effect": "Allow",
  "Action": [
    "cs:DescribeClusterDetail",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig",
    "cs:GetUserConfig",
    "cs:DescribeClusterUserKubeconfig",
    "cs:GetClusterById",
    "cs:GetClustersByUid",
    "cs:DescribeClustersV1",
    "cs:ListClusters",
    "cs:GetClusters",
    "cs:DescribeClusterNodePools"
  ],
  "Resource": "*"
}
Function Compute (FC)
{
  "Effect": "Allow",
  "Action": [
    "fc:ListAliases",
    "fc:ListServices",
    "fc:ListServiceVersions",
    "fc:ListFunctions",
    "fc:ListFunctionVersions",
    "fc:ListTriggers"
  ],
  "Resource": "*"
}
Enterprise Distributed Application Service (EDAS)
{
  "Effect": "Allow",
  "Action": [
    "edas:ReadNamespace",
    "edas:ReadService",
    "edas:ListUserDefineRegion"
  ],
  "Resource": "*"
}
Microservices Engine (MSE)
{
  "Effect": "Allow",
  "Action": [
    "mse:ListAnsServices",
    "mse:ListEngineNamespaces",
    "mse:ListClusters",
    "mse:QueryConfig"
  ],
  "Resource": "*"
}
Server Load Balancer (SLB)
{
  "Effect": "Allow",
  "Action": [
    "slb:SetLoadBalancerName",
    "slb:CreateLoadBalancer",
    "slb:AddBackendServers",
    "slb:SetBackendServers",
    "slb:RemoveBackendServers",
    "slb:CreateLoadBalancerTCPListener",
    "slb:DescribeLoadBalancerTCPListenerAttribute",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:CreateLoadBalancerHTTPListener",
    "slb:DescribeLoadBalancerHTTPListenerAttribute",
    "slb:SetLoadBalancerHTTPListenerAttribute",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
    "slb:SetLoadBalancerHTTPSListenerAttribute",
    "slb:StartLoadBalancerListener",
    "slb:StopLoadBalancerListener",
    "slb:DeleteLoadBalancerListener",
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeHealthStatus",
    "slb:CreateLoadBalancerForCloudService",
    "slb:DeleteLoadBalancer",
    "slb:ModifyLoadBalancerInternetSpec",
    "slb:RemoveTags",
    "slb:AddTags",
    "slb:SetLoadBalancerUDPListenerAttribute",
    "slb:CreateLoadBalancerUDPListener",
    "slb:CreateVServerGroup",
    "slb:DeleteVServerGroup",
    "slb:SetVServerGroupAttribute",
    "slb:ModifyVServerGroupBackendServers",
    "slb:AddVServerGroupBackendServers",
    "slb:ModifyLoadBalancerInstanceSpec",
    "slb:RemoveVServerGroupBackendServers",
    "slb:SetLoadBalancerModificationProtection",
    "slb:SetLoadBalancerDeleteProtection",
    "slb:DescribeLoadBalancerUDPListenerAttribute",
    "slb:DescribeTags",
    "slb:DescribeVServerGroups",
    "slb:DescribeVServerGroupAttribute",
    "slb:DescribeLoadBalancerListeners",
    "slb:ListTagResources",
    "slb:TagResources",
    "slb:UntagResources"
  ],
  "Resource": "*"
}
Network Load Balancer (NLB)
{
  "Effect": "Allow",
  "Action": [
    "nlb:TagResources",
    "nlb:UnTagResources",
    "nlb:ListTagResources",
    "nlb:CreateLoadBalancer",
    "nlb:DeleteLoadBalancer",
    "nlb:GetLoadBalancerAttribute",
    "nlb:ListLoadBalancers",
    "nlb:UpdateLoadBalancerAttribute",
    "nlb:UpdateLoadBalancerAddressTypeConfig",
    "nlb:UpdateLoadBalancerZones",
    "nlb:CreateListener",
    "nlb:DeleteListener",
    "nlb:ListListeners",
    "nlb:UpdateListenerAttribute",
    "nlb:StopListener",
    "nlb:StartListener",
    "nlb:GetListenerAttribute",
    "nlb:GetListenerHealthStatus",
    "nlb:CreateServerGroup",
    "nlb:DeleteServerGroup",
    "nlb:UpdateServerGroupAttribute",
    "nlb:AddServersToServerGroup",
    "nlb:RemoveServersFromServerGroup",
    "nlb:UpdateServerGroupServersAttribute",
    "nlb:ListServerGroups",
    "nlb:ListServerGroupServers",
    "nlb:LoadBalancerLeaveSecurityGroup",
    "nlb:LoadBalancerJoinSecurityGroup",
    "nlb:GetJobStatus",
    "nlb:UpdateLoadBalancerProtection"
  ],
  "Resource": "*"
}
Elastic Compute Service (ECS)
{
  "Effect": "Allow",
  "Action": [
    "ecs:CreateSecurityGroup",
    "ecs:AuthorizeSecurityGroup",
    "ecs:AuthorizeSecurityGroupEgress",
    "ecs:RevokeSecurityGroup",
    "ecs:RevokeSecurityGroupEgress",
    "ecs:DeleteSecurityGroup",
    "ecs:JoinSecurityGroup",
    "ecs:LeaveSecurityGroup",
    "ecs:DescribeSecurityGroups",
    "ecs:DescribeInstances",
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:AddTags",
    "ecs:DescribeEipAddresses",
    "ecs:DescribeNetworkInterfaceAttribute",
    "ecs:ModifyNetworkInterfaceAttribute",
    "ecs:AssignPrivateIpAddresses",
    "ecs:UnassignPrivateIpAddresses",
    "ecs:AssignIpv6Addresses",
    "ecs:UnassignIpv6Addresses",
    "ecs:AttachNetworkInterface",
    "ecs:DetachNetworkInterface",
    "ecs:ListTagResources"
  ],
  "Resource": "*"
}
Application Real-Time Monitoring Service (ARMS)
{
  "Effect": "Allow",
  "Action": [
    "arms:OpenArmsService",
    "arms:GetAlertRules",
    "arms:ReportCustomIncidents",
    "arms:AddPrometheusInstance",
    "arms:GetAuthToken",
    "arms:GetClusterAllUrl",
    "arms:OpenArmsServiceSecondVersion",
    "arms:CheckServiceStatus",
    "arms:OpenVCluster",
    "arms:GetPrometheusApiToken",
    "arms:ListDashboards",
    "arms:GetExploreUrl",
    "arms:CreateDefaultCloudProductPrometheusAlertRule",
    "arms:ListNotificationPolicies",
    "arms:ListDispatchRule",
    "arms:CreateDispatchRule",
    "arms:CreateOrUpdateNotificationPolicy",
    "arms:DescribeContactGroups",
    "arms:SearchContactGroup",
    "arms:CreatePrometheusAlertRule"
  ],
  "Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeFC
The Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGwInvokeFC holds a single permission. Because the resource is "*", the gateway can invoke any FC function in the account, not only the functions configured as gateway backends:
{
  "Effect": "Allow",
  "Action": "fc:InvokeFunction",
  "Resource": "*"
}
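The policies above are long enough that reviewing them by eye is error-prone: a stray character inside an action string silently makes that action unmatched, a duplicated entry hides in a list of forty, and the read-only Describe/List actions drown out the mutating ones that matter for the role's blast radius. The following script, an added example written for this page rather than code from Alibaba Cloud or the RAM service, runs those three checks over a constructed excerpt of the AliyunServiceRoleForNativeApiGw policy. The excerpt keeps a few actions per service, includes one deliberately malformed entry with a trailing space and one duplicate so the checks have something to report, and the read-only verb list is an assumption of the script, not a RAM definition.

```python
import re
from collections import Counter

# Constructed excerpt of the AliyunServiceRoleForNativeApiGw permission policy
# (a few actions per service, same shape as the statements on this page). One
# entry is deliberately malformed with a trailing space and one is duplicated.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "vpc:AllocateEipAddress", "vpc:ReleaseEipAddress",
            "vpc:DescribeVpcs", "vpc:CreateVSwitch"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cs:DescribeClusterDetail", "cs:DescribeClusterUserKubeconfig",
            "cs:RevokeClusterInnerServiceKubeconfig"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer",
            "slb:ModifyLoadBalancerInternetSpec",
            "slb:ModifyLoadBalancerInternetSpec",
            "slb:DescribeLoadBalancerUDPListenerAttribute ",
            "slb:SetLoadBalancerDeleteProtection"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
            "ecs:DescribeInstances", "ecs:DeleteNetworkInterface"]},
        {"Effect": "Allow", "Resource": "*", "Action": "fc:InvokeFunction"},
    ],
}

# API verbs assumed to only read state; any other verb is treated as mutating.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Query", "Check", "Search")
# A well-formed RAM action: lowercase service code, colon, CamelCase API name
# (or '*'). Stray whitespace or other characters never match a real API.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def _as_list(value):
    """RAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _actions(policy):
    for statement in policy["Statement"]:
        for action in _as_list(statement["Action"]):
            yield statement, action


def is_read_only(action):
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def malformed_actions(policy):
    return [a for _, a in _actions(policy) if not ACTION_RE.match(a)]


def duplicate_actions(policy):
    counts = Counter(a for _, a in _actions(policy))
    return sorted(a for a, n in counts.items() if n > 1)


def mutating_wildcard_grants(policy):
    """Mutating actions granted by Allow statements on Resource "*", grouped by
    service code. This is the part of the role worth reviewing closely."""
    grants = {}
    for statement, action in _actions(policy):
        if statement["Effect"] != "Allow" or "*" not in _as_list(statement["Resource"]):
            continue
        action = action.strip()
        if not is_read_only(action):
            service = action.partition(":")[0]
            grants.setdefault(service, set()).add(action)
    return {service: sorted(actions) for service, actions in grants.items()}


def review(policy):
    return {
        "malformed": malformed_actions(policy),
        "duplicates": duplicate_actions(policy),
        "mutating_on_wildcard": mutating_wildcard_grants(policy),
    }


if __name__ == "__main__":
    for finding, detail in review(POLICY).items():
        print(f"{finding}: {detail}")
```

To run it against the real role, replace POLICY with the policy document fetched from the RAM console (the Permissions tab of the role described later in this topic) and read the mutating_on_wildcard output per service; the malformed and duplicates lists should be empty for a policy Alibaba Cloud manages.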
View the service-linked roles
After a service-linked role has been created, you can open the Roles page in the RAM console and search for the role name (AliyunServiceRoleForNativeApiGw or AliyunServiceRoleForNativeApiGwInvokeFC) to view the following information about it:
Basic information
In the Basic Information section of the details page of AliyunServiceRoleForNativeApiGw or AliyunServiceRoleForNativeApiGwInvokeFC, view the role name, creation time, role ARN, and description.
Permission policies
On the Permissions tab of the details page of AliyunServiceRoleForNativeApiGw or AliyunServiceRoleForNativeApiGwInvokeFC, click the name of a policy to view its content and the cloud resources the role is allowed to access.
Trust policy
On the Trust Policy Management tab of the details page of AliyunServiceRoleForNativeApiGw or AliyunServiceRoleForNativeApiGwInvokeFC, view the trust policy. A trust policy describes the trusted entities of a RAM role, that is, the identities that are allowed to assume the role. For a service-linked role the trusted entity is a cloud service, which you can see in the Service field of the trust policy; no RAM user or other role should appear there.
For the detailed steps to view a service-linked role, see "View RAM roles".
Delete the service-linked roles
If you have not used Cloud-native API Gateway for a long time, you can delete the service-linked roles manually in the RAM console. Deleting a role is the way to revoke the cross-service access it grants to the gateway, but it also disables the gateway features that depend on it.
Delete AliyunServiceRoleForNativeApiGw
Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForNativeApiGw in the search box. In the Actions column of the AliyunServiceRoleForNativeApiGw row, click Delete Role.
In the Delete Role dialog box, enter the role name to confirm, then click Delete Role.
After the Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGw is deleted, the service source and load testing features that depend on it stop working. Delete it with caution.
Delete AliyunServiceRoleForNativeApiGwInvokeFC
Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForNativeApiGwInvokeFC in the search box. In the Actions column of the AliyunServiceRoleForNativeApiGwInvokeFC row, click Delete Role.
In the Delete Role dialog box, enter the role name to confirm, then click Delete Role.
After the Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGwInvokeFC is deleted, the gateway can no longer invoke FC functions. Delete it with caution.
FAQ
Why can't my RAM user automatically create the Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGw?
Specific permissions are required to automatically create or delete AliyunServiceRoleForNativeApiGw. If a RAM user cannot create the role automatically, attach the following policy to the RAM user. The ram:ServiceName condition limits the grant to service-linked roles for Cloud-native API Gateway (nativeapigw.aliyuncs.com); without it, the user could create service-linked roles for any service, which is more than this task needs.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:<AccountID>:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "nativeapigw.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Replace <AccountID> with the ID of your Alibaba Cloud account.
Why can't my RAM user automatically create the Cloud-native API Gateway service-linked role AliyunServiceRoleForNativeApiGwInvokeFC?
Specific permissions are required to automatically create or delete AliyunServiceRoleForNativeApiGwInvokeFC. If a RAM user cannot create the role automatically, attach the following policy to the RAM user. It is the same policy as above except for the ram:ServiceName value, which is invokefc.nativeapigw.aliyuncs.com for this role; if the same user needs both roles, the two service names can be listed together in the one StringEquals condition.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:<AccountID>:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "invokefc.nativeapigw.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Replace <AccountID> with the ID of your Alibaba Cloud account.
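The two FAQ policies above, and the ram:CreateServiceLinkedRole grant described earlier under the permissions a RAM user needs, all hinge on the ram:ServiceName condition doing its job. The following script is an added example for this page, not code from Alibaba Cloud or the RAM service: it builds the policy for a given account ID with both service names in one StringEquals list, then runs it through a deliberately simplified RAM-style evaluator to show which requests it admits. The account ID and the role ARN format acs:ram::<account>:role/<name> are assumptions, other.example.com is a constructed service name standing in for any other service, and the evaluator models only Allow/Deny, '*' wildcards and StringEquals, which is all these policies use.

```python
import re

# Constructed placeholder, not a real Alibaba Cloud account ID.
ACCOUNT_ID = "123456789012345"

# The two ram:ServiceName values used by this page's FAQ policies.
NATIVE_API_GW_SERVICES = ("nativeapigw.aliyuncs.com",
                          "invokefc.nativeapigw.aliyuncs.com")


def service_linked_role_policy(account_id, service_names):
    """Custom RAM policy letting a RAM user create service-linked roles only for
    the given service names: the FAQ policies merged into one statement."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Condition": {"StringEquals": {"ram:ServiceName": list(service_names)}},
        }],
    }


def _as_list(value):
    """RAM accepts either a string or a list for Action, Resource and values."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """'*' matches any run of characters (including none); all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    # Only StringEquals is modelled, the one operator the page's policies use.
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in clauses.items():
            # A missing context key never satisfies StringEquals.
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified evaluation: a matching Deny wins; otherwise any statement whose
    Action, Resource and Condition all match the request grants it."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(_glob_match(p, action) for p in _as_list(statement["Action"])):
            continue
        if not any(_glob_match(p, resource) for p in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = service_linked_role_policy(ACCOUNT_ID, NATIVE_API_GW_SERVICES)
    role_arn = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForNativeApiGw"
    for service in NATIVE_API_GW_SERVICES + ("other.example.com",):
        verdict = is_allowed(policy, "ram:CreateServiceLinkedRole", role_arn,
                             {"ram:ServiceName": service})
        print(f"{service}: {'allowed' if verdict else 'denied'}")
```

The evaluator is a reasoning aid, not a substitute for RAM's own decision logic; what it makes visible is that the same grant admits creation for the two gateway service names, refuses any other service name or a request with no ram:ServiceName at all, refuses roles in another account, and says nothing about ram:DeleteServiceLinkedRole, which must be granted separately if the user is also expected to delete the roles.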
References
For more information about service-linked roles, see "Service-linked roles".