All Products
Search
Document Center

Bastionhost:Authorize Bastionhost to access cloud resources

最終更新日:Apr 25, 2024

When you use Bastionhost for the first time, authorize it to access other cloud resources. This topic describes how to perform the authorization.

Prerequisites

  • A bastion host is created. For more information, see Purchase a bastion host.

  • An Alibaba Cloud account or a Resource Access Management (RAM) user that has permissions to create and delete service-linked roles is used.

Background information

When you use Bastionhost for the first time, Alibaba Cloud automatically creates a service-linked role AliyunServiceRoleForBastionhost. This role allows Bastionhost to access other cloud services. You do not need to manually create or modify the service-linked role. For more information, see Service-linked roles.

Procedure

  1. Log on to the Bastionhost console.

  2. In the Welcome to Bastionhost dialog box, click Create.

    When you log on to the Bastionhost console for the first time after your bastion host is created, the console prompts you to authorize Bastionhost to access other cloud resources.

    After you click Create, Alibaba Cloud automatically creates the AliyunServiceRoleForBastionhost role. You can view the automatically created role in the RAM console. Your bastion host can access other cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC), or perform server O&M and audit only after the AliyunServiceRoleForBastionhost role is created.

Service-linked role for Bastionhost

If you want to use Bastionhost for O&M, it needs to access other cloud services, such as ECS and VPC. To obtain the access permissions, you must assume the AliyunServiceRoleForBastionhost role that is automatically created for Bastionhost.

The following list provides details of the AliyunServiceRoleForBastionhost role:

  • Role name: AliyunServiceRoleForBastionhost

  • Permission policy: AliyunServiceRolePolicyForBastionhost

    Note

    This is a system policy. You are not allowed to modify the name or content of this policy.

  • Example:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "rds:DescribeDBInstanceNetInfo",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBInstanceAttribute",
                    "ecs:DescribeInstances",
                    "ecs:DescribeImages",
                    "ecs:DescribeZones",
                    "ecs:DescribeRegions",
                    "ecs:DescribeTags",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupReferences",
                    "ecs:CreateSecurityGroup",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:ModifySecurityGroupAttribute",
                    "ecs:ModifySecurityGroupPolicy",
                    "ecs:ModifySecurityGroupRule",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:DetachNetworkInterface",
                    "ecs:AttachNetworkInterface",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcAttribute",
                    "vpc:DescribeVSwitchAttributes"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "bastionhost.aliyuncs.com"
                    }
                }
            }
        ]
    }

Delete the AliyunServiceRoleForBastionhost role

If you no longer use Bastionhost, you can delete its service-linked role AliyunServiceRoleForBastionhost. Before you can delete the AliyunServiceRoleForBastionhost role, you must release your bastion host. Then, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the AliyunServiceRoleForBastionhost role and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the name of the role and click Delete Role.

FAQ

The system does not create the AliyunServiceRoleForBastionhost role for my RAM user. What do I do?

The system creates and deletes the AliyunServiceRoleForBastionhost role only if your RAM user has the required permissions. To obtain the required permissions, add the following policy to your RAM user. For more information, see Grant permissions to a RAM role.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "bastionhost.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}