All Products
Search

This Product

    Microservices Engine:MSE service-linked role

    Document Center

    Microservices Engine:MSE service-linked role

    Last Updated:Jul 19, 2024

    The Microservices Engine (MSE) service-linked role AliyunServiceRoleForMSE is a predefined RAM role that is designed to implement specific features. When you use MSE to implement specific features, you need to access or manage the resources of other Alibaba Cloud services of your account. This ensures that the capabilities in the microservices architecture can work as expected. Other Alibaba Cloud services include Virtual Private Cloud (VPC), Server Load Balancer (SLB), and Container Service for Kubernetes (ACK). After you create and assign the service-linked role to MSE, you can use the role to obtain and manage permissions on these services. This prevents manual allocation of complex and error-prone policies, simplifies the permission management process, and enhances security. This topic describes the MSE service-linked role AliyunServiceRoleForMSE and how to delete the role.

    Scenarios

    If you want MSE to access the resources of other Alibaba Cloud services, you can use the MSE service-linked role AliyunServiceRoleForMSE that is automatically created to obtain access permissions on these services. The services include Elastic Compute Service (ECS), VPC, Application Real-Time Monitoring Service (ARMS), SLB, ACK, Enterprise Distributed Application Service (EDAS), and Alibaba Cloud Service Mesh (ASM).

    Permission description

    AliyunServiceRoleForMSE has the following permissions:

    ECS access permissions

    {
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

    VPC access permissions

    {
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch",
  ],
  "Resource": "*",
  "Effect": "Allow"
},

    ARMS access permissions

       {
            "Action": [
                "arms:OpenArmsService",
                "arms:OpenArmsServiceSecondVersion",
                "arms:CheckServiceStatus",
                "arms:OpenVCluster",
                "arms:GetPrometheusApiToken",
                "arms:ListDashboards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

    SLB access permissions

      {
            "Action": [
                "slb:CreateLoadBalancer",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:RemoveBackendServers",
                "slb:CreateLoadBalancerTCPListener",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DeleteLoadBalancerListener",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeHealthStatus",
                "slb:CreateLoadBalancerForCloudService",
                "slb:DeleteLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveTags",
                "slb:AddTags",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:CreateLoadBalancerUDPListener",
                "slb:CreateVServerGroup",
                "slb:DeleteVServerGroup",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveVServerGroupBackendServers",
                "slb:SetLoadBalancerModificationProtection",
                "slb:SetLoadBalancerDeleteProtection",
                "slb:DescribeLoadBalancerUDPListenerAttribute  ",
                "slb:DescribeTags",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeLoadBalancerListeners"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

    ACK access permissions

       {
            "Action": [
                "cs:DescribeClusterInnerServiceKubeconfig",
                "cs:RevokeClusterInnerServiceKubeconfig",
                "cs:GetUserConfig",
                "cs:DescribeClusterUserKubeconfig",
                "cs:GetClusterById",
                "cs:GetClustersByUid",
                "cs:GetClusters",
                "cs:ListClusters",
                "cs:DescribeClusterNodes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

    EDAS access permissions

     {
            "Action": [
                "edas:ReadApplication",
                "edas:ReadCluster",
                "edas:ReadNamespace",
                "edas:ReadService",
                "edas:ListUserDefineRegion",
                "edas:GetSecureToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

    ASM access permissions

       {
            "Action": [
                "servicemesh:CreateServiceMesh",
                "servicemesh:DeleteServiceMesh",
                "servicemesh:DescribeServiceMeshDetail",
                "servicemesh:DescribeServiceMeshKubeconfig",
                "servicemesh:AddClusterIntoServiceMesh",
                "servicemesh:RemoveClusterFromServiceMesh",
                "servicemesh:InitializeASMRole",
                "servicemesh:InvokeApiServer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

    Delete AliyunServiceRoleForMSE

    Note

    When you use MSE, if you delete the MSE service-linked role AliyunServiceRoleForMSE, you cannot perform service testing or stress testing.

    1. Log on to the Resource Access Management (RAM) console by using your Alibaba Cloud account. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, enter AliyunServiceRoleForMSE in the search box and click the search icon to search for the role.

    3. Click Delete Role in the Actions column of the role.

    4. In the Delete Role message, enter the role name, and click Delete Role.

    FAQ

    Why is the MSE service-linked role AliyunServiceRoleForMSE not automatically created for my RAM user?

    The AliyunServiceRoleForMSE role can be automatically created or deleted only if you have specific permissions. If the system does not automatically create the AliyunServiceRoleForMSE role for your RAM user, attach the following policy to your RAM user: 

    {
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
    Note

    Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.