ApsaraMQ for Kafka: Service-linked roles

Last updated: Jul 06, 2024

This topic describes the background information, policy content, usage notes, and FAQ for the service-linked roles of ApsaraMQ for Kafka.

Background information

A service-linked role is a RAM role that a cloud service assumes, in specific situations, to obtain access permissions on other cloud services in order to perform one of its own functions. When you use that function in the service's console for the first time, the system prompts you to let it create the service-linked role automatically. For more information about service-linked roles, see Service-linked roles.

ApsaraMQ for Kafka provides the following service-linked roles:

  • AliyunServiceRoleForAlikafka: the role that ApsaraMQ for Kafka assumes to access other Alibaba Cloud resources that you own. When you activate ApsaraMQ for Kafka in the ApsaraMQ for Kafka console for the first time, the system prompts you to let it create AliyunServiceRoleForAlikafka automatically.
  • AliyunServiceRoleForAlikafkaConnector: by assuming this RAM role, ApsaraMQ for Kafka obtains access permissions on the products that connectors depend on, in order to provide the connector feature. When you create a connector in the ApsaraMQ for Kafka console for the first time, the system prompts you to let it create AliyunServiceRoleForAlikafkaConnector automatically. For more information, see Create an FC Sink Connector.
  • AliyunServiceRoleForAlikafkaInstanceEncryption: by assuming this RAM role, ApsaraMQ for Kafka obtains access and encryption permissions on KMS, in order to encrypt your instances. Instance encryption is currently available only through the OpenAPI; console support will be released later. When you deploy an encrypted instance for the first time through the ApsaraMQ for Kafka OpenAPI StartInstance, the system creates AliyunServiceRoleForAlikafkaInstanceEncryption for you automatically.
  • AliyunServiceRoleForAlikafkaETL: by assuming this RAM role, ApsaraMQ for Kafka creates data processing tasks for data analysis. When you activate the data processing service in the ApsaraMQ for Kafka console for the first time, the system prompts you to let it create AliyunServiceRoleForAlikafkaETL automatically. For more information, see

Policy content

  • The permission policy of AliyunServiceRoleForAlikafka is as follows:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:CreateSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The permission policy of AliyunServiceRoleForAlikafkaConnector is as follows:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "fc:InvokeFunction",
            "fc:GetFunction",
            "fc:ListServices",
            "fc:ListFunctions",
            "fc:ListServiceVersions",
            "fc:ListAliases",
            "fc:CreateService",
            "fc:DeleteService",
            "fc:CreateFunction",
            "fc:DeleteFunction",
            "fc:CreateLayerVersion",
            "fc:ListLayers"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "rds:DescribeDatabases"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketAcl"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "elasticsearch:DescribeInstance",
            "elasticsearch:ListInstance"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dataworks:CreateRealTimeProcess",
            "dataworks:QueryRealTimeProcessStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "eventbridge:CreateEventStreaming",
            "eventbridge:UpdateEventStreaming",
            "eventbridge:GetEventStreaming",
            "eventbridge:DeleteEventStreaming",
            "eventbridge:ListEventStreamings",
            "eventbridge:StartEventStreaming",
            "eventbridge:PauseEventStreaming",
            "eventbridge:ListEventStreamingMetrics"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ots:GetInstance",
            "ots:ListInstance",
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:GetRow",
            "ots:PutRow",
            "ots:UpdateRow",
            "ots:DeleteRow",
            "ots:GetRange",
            "ots:BatchGetRow",
            "ots:BatchWriteRow",
            "ots:BulkImport",
            "ots:Search",
            "ots:OpenOtsService",
            "ots:GetOtsServiceStatus",
            "ots:InsertInstance",
            "ots:DeleteTable",
            "ots:CreateSearchIndex",
            "ots:DeleteSearchIndex",
            "ots:UpdateSearchIndex"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "gpdb:DescribeDBInstances",
            "gpdb:DescribeDBInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "adb:DescribeDBClusters",
            "adb:DescribeSchemas",
            "adb:DescribeTables"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "connector.alikafka.aliyuncs.com"
            }
          }
        }
      ]
    }
  • The permission policy of AliyunServiceRoleForAlikafkaInstanceEncryption is as follows:
    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "kms:Listkeys",
                    "kms:Listaliases",
                    "kms:ListResourceTags",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEqualsIgnoreCase":{
                        "kms:tag/acs:alikafka:instance-encryption":"true"
                    }
                }
            },
            {
                "Action":"ram:DeleteServiceLinkedRole",
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The permission policy of AliyunServiceRoleForAlikafkaETL is as follows:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "fc:InvokeFunction",
                    "fc:GetFunction",
                    "fc:ListServices",
                    "fc:ListFunctions",
                    "fc:ListServiceVersions",
                    "fc:ListAliases",
                    "fc:CreateService",
                    "fc:DeleteService",
                    "fc:CreateFunction",
                    "fc:DeleteFunction"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "etl.alikafka.aliyuncs.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "fc.aliyuncs.com"
                    }
                }
            }
        ]
    }

Usage notes

If you delete an automatically created service-linked role, the features that depend on that role can no longer be used because of insufficient permissions, so proceed with caution. To re-create the service-linked role and grant it permissions, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

FAQ

  • Why can't my RAM user automatically create the ApsaraMQ for Kafka service-linked role AliyunServiceRoleForAlikafka?

    If your Alibaba Cloud account has already created the service-linked role, your RAM user inherits it from the account. If it has not been inherited, log on to the RAM console and attach a custom permission policy to the RAM user with the following content:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • Why can't my RAM user automatically create the ApsaraMQ for Kafka service-linked role AliyunServiceRoleForAlikafkaConnector?

    If your Alibaba Cloud account has already created the service-linked role, your RAM user inherits it from the account. If it has not been inherited, log on to the RAM console and attach a custom permission policy to the RAM user with the following content:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "connector.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • Why can't my RAM user automatically create the ApsaraMQ for Kafka service-linked role AliyunServiceRoleForAlikafkaInstanceEncryption?

    If your Alibaba Cloud account has already created the service-linked role, your RAM user inherits it from the account. If it has not been inherited, log on to the RAM console and attach a custom permission policy to the RAM user with the following content:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }
  • Why can't my RAM user automatically create the ApsaraMQ for Kafka service-linked role AliyunServiceRoleForAlikafkaETL?

    If your Alibaba Cloud account has already created the service-linked role, your RAM user inherits it from the account. If it has not been inherited, log on to the RAM console and attach a custom permission policy to the RAM user with the following content:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"etl.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }

If the RAM user still cannot automatically create the service-linked role after this policy is attached, grant the RAM user the AliyunKafkaFullAccess policy. For details, see Grant permissions to a RAM user.
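As an added example that is not part of the ApsaraMQ for Kafka documentation or of Alibaba Cloud's tooling, the following Python script implements a minimal evaluator for the subset of the RAM policy language used by the policies above (Effect, Action, Resource, and StringEquals / StringEqualsIgnoreCase conditions) and applies it to two of them: the FAQ's ram:CreateServiceLinkedRole policy, whose ram:ServiceName condition is why a policy written for alikafka.aliyuncs.com does not also cover connector.alikafka.aliyuncs.com, and the KMS statements of the instance-encryption role, whose tag condition gates Encrypt/Decrypt but not DescribeKey. The evaluator is a simplification (no NotAction, no other condition operators) and is not Alibaba Cloud's authorization engine.

```python
# Added example (not from the ApsaraMQ for Kafka documentation): a minimal
# evaluator for the subset of the RAM policy language used by the policies on
# this page, to check which context values each Condition actually gates.
import fnmatch

def _matches(patterns, value):
    # Action/Resource may be a string or a list; '*' wildcards are allowed.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only the two operators used on this page; a missing context key fails.
    for op, pairs in condition.items():
        fold = str.lower if op == "StringEqualsIgnoreCase" else str
        for key, expected in pairs.items():
            if key not in context or fold(context[key]) != fold(expected):
                return False
    return True

def is_allowed(policy, action, context=None, resource="*"):
    """True if an Allow statement matches action/resource/context and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action)
                and _matches(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), context or {})):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# The FAQ's custom policy for a RAM user (copied from the page): it permits
# creating only the service-linked role whose ram:ServiceName matches.
SLR_CREATE_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"], "Resource": "*",
    "Condition": {"StringEquals": {"ram:ServiceName": "alikafka.aliyuncs.com"}}}]}

# KMS statements of the AliyunServiceRoleForAlikafkaInstanceEncryption policy
# (copied from the page): Encrypt/Decrypt/GenerateDataKey work only on keys
# tagged acs:alikafka:instance-encryption=true; DescribeKey needs no tag.
KMS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:Listkeys"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Condition": {"StringEqualsIgnoreCase": {
         "kms:tag/acs:alikafka:instance-encryption": "true"}}}]}
```

Because the evaluator fails a condition whenever the context key is absent, a request that carries no ram:ServiceName or no key tag is denied, which is the conservative reading of these policies.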