本文介紹雲訊息佇列 Kafka 版服務關聯角色的背景資訊、策略內容、注意事項和常見問題。
背景資訊
服務關聯角色是某個雲端服務在某些情況下,為了完成自身的某個功能,需要擷取其他雲端服務的存取權限而提供的RAM角色。您在該雲端服務的控制台首次使用該功能時,系統會提示您完成服務關聯角色的自動建立。更多服務關聯角色相關資訊,請參見服務關聯角色。
雲訊息佇列 Kafka 版提供以下服務關聯角色:
- AliyunServiceRoleForAlikafka:雲訊息佇列 Kafka 版訪問您所擁有的其他阿里雲資源的角色。如果您是在雲訊息佇列 Kafka 版控制台首次開通雲訊息佇列 Kafka 版服務,系統會提示您完成AliyunServiceRoleForAlikafka的自動建立。
AliyunServiceRoleForAlikafkaConnector:雲訊息佇列 Kafka 版通過扮演該RAM角色,擷取各類與Connector相關的產品的存取權限,以實現Connector的功能。如果您是在雲訊息佇列 Kafka 版控制台首次建立Connector,系統會提示您完成AliyunServiceRoleForAlikafkaConnector的自動建立。更多資訊,請參見建立FC Sink Connector。
- AliyunServiceRoleForAlikafkaInstanceEncryption:雲訊息佇列 Kafka 版通過扮演該RAM角色,擷取KMS的訪問與加密許可權,以實現您執行個體的加密功能。目前執行個體加密功能暫時只通過OpenAPI開放,控制台功能後續才會放出。如果您通過雲訊息佇列 Kafka 版OpenAPI StartInstance首次部署加密執行個體,系統會為您完成AliyunServiceRoleForAlikafkaInstanceEncryption的自動建立。
- AliyunServiceRoleForAlikafkaETL:雲訊息佇列 Kafka 版通過扮演該RAM角色,建立資料處理任務,從而進行資料分析。如果您是在雲訊息佇列 Kafka 版控制台首次開通資料處理服務,系統會提示您完成AliyunServiceRoleForAlikafkaETL的自動建立。更多資訊,請參見
策略內容
- AliyunServiceRoleForAlikafka的權限原則如下:
{ "Version": "1", "Statement": [ { "Action": [ "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions", "ecs:DeleteNetworkInterfacePermission", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:DescribeSecurityGroupAttribute", "ecs:RevokeSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:DescribeSecurityGroups" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "vpc:DescribeVSwitches", "vpc:DescribeVpcs" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaConnector的權限原則如下:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "fc:InvokeFunction", "fc:GetFunction", "fc:ListServices", "fc:ListFunctions", "fc:ListServiceVersions", "fc:ListAliases", "fc:CreateService", "fc:DeleteService", "fc:CreateFunction", "fc:DeleteFunction", "fc:CreateLayerVersion", "fc:ListLayers" ], "Resource": "*" }, { "Action": [ "rds:DescribeDatabases" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oss:ListBuckets", "oss:GetBucketAcl" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticsearch:DescribeInstance", "elasticsearch:ListInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dataworks:CreateRealTimeProcess", "dataworks:QueryRealTimeProcessStatus" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "eventbridge:CreateEventStreaming", "eventbridge:UpdateEventStreaming", "eventbridge:GetEventStreaming", "eventbridge:DeleteEventStreaming", "eventbridge:ListEventStreamings", "eventbridge:StartEventStreaming", "eventbridge:PauseEventStreaming", "eventbridge:ListEventStreamingMetrics" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:GetInstance", "ots:ListInstance", "ots:ListTable", "ots:CreateTable", "ots:UpdateTable", "ots:DescribeTable", "ots:GetRow", "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:GetRange", "ots:BatchGetRow", "ots:BatchWriteRow", "ots:BulkImport", "ots:Search", "ots:OpenOtsService", "ots:GetOtsServiceStatus", "ots:InsertInstance", "ots:DeleteTable", "ots:CreateSearchIndex", "ots:DeleteSearchIndex", "ots:UpdateSearchIndex" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "gpdb:DescribeDBInstances", "gpdb:DescribeDBInstanceAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "adb:DescribeDBClusters", "adb:DescribeSchemas", "adb:DescribeTables" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "connector.alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaInstanceEncryption的權限原則如下:
{ "Version":"1", "Statement":[ { "Action":[ "kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEqualsIgnoreCase":{ "kms:tag/acs:alikafka:instance-encryption":"true" } } }, { "Action":"ram:DeleteServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com" } } } ] } - AliyunServiceRoleForAlikafkaETL的權限原則如下:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "fc:InvokeFunction", "fc:GetFunction", "fc:ListServices", "fc:ListFunctions", "fc:ListServiceVersions", "fc:ListAliases", "fc:CreateService", "fc:DeleteService", "fc:CreateFunction", "fc:DeleteFunction" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "ram:ServiceName": "etl.alikafka.aliyuncs.com" } } }, { "Effect": "Allow", "Action": "ram:PassRole", "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole", "Condition": { "StringEquals": { "acs:Service": "fc.aliyuncs.com" } } } ] }
注意事項
如果您刪除了自動建立的服務關聯角色,該服務關聯角色相關的功能由於許可權不足將無法再被使用,請謹慎操作。如需重新建立該服務關聯角色並為其授權,請參見建立可信實體為阿里雲服務的RAM角色和為RAM角色授權。
常見問題
- 為什麼我的RAM使用者無法自動建立雲訊息佇列 Kafka 版服務關聯角色AliyunServiceRoleForAlikafka?
如果您的阿里雲帳號已經建立了服務關聯角色,您的RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入存取控制控制台為RAM使用者添加自訂權限原則,權限原則內容如下:
{ "Statement": [ { "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "alikafka.aliyuncs.com" } } } ], "Version": "1" } - 為什麼我的RAM使用者無法自動建立雲訊息佇列 Kafka 版服務關聯角色AliyunServiceRoleForAlikafkaConnector?
如果您的阿里雲帳號已經建立了服務關聯角色,您的RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入存取控制控制台為RAM使用者添加自訂權限原則,權限原則內容如下:
{ "Statement": [ { "Action": [ "ram:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "connector.alikafka.aliyuncs.com" } } } ], "Version": "1" } - 為什麼我的RAM使用者無法自動建立雲訊息佇列 Kafka 版服務關聯角色AliyunServiceRoleForAlikafkaInstanceEncryption?
如果您的阿里雲帳號已經建立了服務關聯角色,您的RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入存取控制控制台為RAM使用者添加自訂權限原則,權限原則內容如下:
{ "Statement":[ { "Action":[ "ram:CreateServiceLinkedRole" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com" } } } ], "Version":"1" } - 為什麼我的RAM使用者無法自動建立雲訊息佇列 Kafka 版服務關聯角色AliyunServiceRoleForAlikafkaETL?
如果您的阿里雲帳號已經建立了服務關聯角色,您的RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入存取控制控制台為RAM使用者添加自訂權限原則,權限原則內容如下:
{ "Statement":[ { "Action":[ "ram:CreateServiceLinkedRole" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"etl.alikafka.aliyuncs.com" } } } ], "Version":"1" }
如果您的RAM使用者被授予該權限原則後,仍然無法自動建立服務關聯角色,請為該RAM使用者授予權限原則AliyunKafkaFullAccess。具體操作,請參見為RAM使用者授權。