This topic describes the background information, policies, usage notes, and FAQ about the service-linked roles of ApsaraMQ for RabbitMQ.
Background information
A service-linked role is a RAM role that a cloud service assumes, in specific situations, to obtain access permissions on other cloud services so that it can provide one of its own features. The first time you use that feature in the console of the cloud service, the system prompts you to let it automatically create the service-linked role. For more information about service-linked roles, see Service-linked roles.
ApsaraMQ for RabbitMQ provides the following service-linked roles:
| Service-linked role | ServiceName | Description |
| --- | --- | --- |
| AliyunServiceRoleForAmqpMonitoring | monitoring.amqp.aliyuncs.com | ApsaraMQ for RabbitMQ assumes this RAM role to obtain permissions on CloudMonitor and Application Real-Time Monitoring Service (ARMS), which it needs for its monitoring and alerting and Dashboard features. The first time you use monitoring and alerting or Dashboard in the ApsaraMQ for RabbitMQ console, the system prompts you to let it automatically create AliyunServiceRoleForAmqpMonitoring. For more information, see Monitoring metrics and Dashboard. |
| AliyunServiceRoleForAmqpLogDelivery | logdelivery.amqp.aliyuncs.com | ApsaraMQ for RabbitMQ assumes this RAM role to obtain access permissions on Log Service, which it needs for its message log feature. The first time you use message logs in the ApsaraMQ for RabbitMQ console, the system prompts you to let it automatically create AliyunServiceRoleForAmqpLogDelivery. For more information, see Log management. |
| AliyunServiceRoleForAmqpNetwork | network.amqp.aliyuncs.com | Allows ApsaraMQ for RabbitMQ to use this role to access your PrivateLink service for Virtual Private Cloud (VPC)-related features. The first time you use a private network endpoint in the ApsaraMQ for RabbitMQ console, the system prompts you to let it create the role. |
| AliyunServiceRoleForAmqpEncrypt | encrypt.amqp.aliyuncs.com | Allows ApsaraMQ for RabbitMQ to use this role to access your Key Management Service (KMS) for storage encryption features. When you purchase a dedicated encrypted instance in the ApsaraMQ for RabbitMQ console, the system prompts you to let it create the role. If you are a RAM user, you can also call the CreateServiceLinkedRole OpenAPI operation to create it. |
Policies
The policy attached to AliyunServiceRoleForAmqpMonitoring is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:OpenVCluster",
        "arms:ListDashboards",
        "arms:CheckServiceStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
The policy attached to AliyunServiceRoleForAmqpLogDelivery is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject",
        "log:ListLogStores",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
The policy attached to AliyunServiceRoleForAmqpNetwork is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServices",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:CreateVpcEndpoint",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVpcs",
        "vpc:ListVSwitchCidrReservations",
        "vpc:GetVSwitchCidrReservationUsage",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "Ecs:CreateSecurityGroup",
        "Ecs:DeleteSecurityGroup",
        "Ecs:DescribeSecurityGroupAttribute",
        "Ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "network.amqp.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
The policy attached to AliyunServiceRoleForAmqpEncrypt is as follows. Note that the data-plane actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) are granted only on keys that carry the acs:rabbitmq:instance-encryption tag set to true:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:rabbitmq:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encrypt.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
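The following Python script is an added example, not code from the page or from the ApsaraMQ for RabbitMQ product. It evaluates the KMS statements of the AliyunServiceRoleForAmqpEncrypt policy above against a constructed key ARN to show that the role can read key metadata on any key but can only call kms:Decrypt, kms:Encrypt or kms:GenerateDataKey on a key whose acs:rabbitmq:instance-encryption tag equals true (case-insensitively). The key ARN, the tag context and the simplified evaluation rules (Deny beats Allow, unknown condition operators fail closed) are assumptions; the real RAM evaluator has more rules.

```python
import fnmatch
import json

# Excerpt of the AliyunServiceRoleForAmqpEncrypt policy from this page (KMS statements only).
ENCRYPT_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
    "Resource": ["acs:kms:*:*:*"], "Effect": "Allow" },
  { "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
    "Condition": { "StringEqualsIgnoreCase": {
      "kms:tag/acs:rabbitmq:instance-encryption": "true" } } }
] }
""")

# Constructed key ARN: region, account ID and key ID are placeholders, not real values.
SAMPLE_KEY = "acs:kms:cn-hangzhou:123456789012345678:key/00000000-constructed-key-id"
TAG_KEY = "kms:tag/acs:rabbitmq:instance-encryption"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only the two operators used on this page are modelled; any other operator fails closed.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            return False
        fold = str.lower if operator == "StringEqualsIgnoreCase" else str
        for key, expected in pairs.items():
            actual = context.get(key, "")  # a missing tag never satisfies an equality test
            if fold(actual) not in [fold(e) for e in _as_list(expected)]:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified RAM evaluation: an explicit Deny wins; otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running it with and without the tag in the request context reproduces the least-privilege boundary of the role: an untagged key, or one tagged false, is visible to the role but cannot be used for encryption or decryption.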
Usage notes
If you delete an automatically created service-linked role, the features that depend on that role can no longer be used because the required permissions are missing. Proceed with caution. To re-create the service-linked role and grant it permissions, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.
FAQ
Why can't my RAM user automatically create the service-linked roles of ApsaraMQ for RabbitMQ?
If the service-linked role has already been created under your Alibaba Cloud account, your RAM users inherit that role from the account. If the role was not inherited, log on to the RAM console and attach a custom policy with the following content to the RAM user. The ram:ServiceName condition restricts the grant to the four ApsaraMQ for RabbitMQ service-linked roles, so the RAM user cannot create service-linked roles for other services:
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:${accountid}:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.amqp.aliyuncs.com",
            "monitoring.amqp.aliyuncs.com",
            "network.amqp.aliyuncs.com",
            "encrypt.amqp.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Replace ${accountid} with the ID of your Alibaba Cloud account.
If the RAM user still cannot automatically create the service-linked roles after this policy is attached, attach the AliyunAMQPFullAccess policy to the RAM user. For more information, see Grant permissions to a RAM user.