全部產品
Search
文件中心

ApsaraMQ for RabbitMQ:服務關聯角色

更新時間:Dec 07, 2024

本文介紹雲訊息佇列 RabbitMQ 版服務關聯角色的背景資訊,權限原則、注意事項和常見問題。

背景資訊

服務關聯角色是某個雲端服務在某些情況下,為了完成自身的某個功能,需要擷取其他雲端服務的存取權限而提供的RAM角色。您在該雲端服務的控制台首次使用該功能時,系統會提示您完成服務關聯角色的自動建立。更多服務關聯角色相關資訊,請參見服務關聯角色

雲訊息佇列 RabbitMQ 版提供以下服務關聯角色:

服務關聯角色

ServiceName

內容

AliyunServiceRoleForAmqpMonitoring

monitoring.amqp.aliyuncs.com

雲訊息佇列 RabbitMQ 版通過扮演該RAM角色,擷取CloudMonitor和阿里雲應用即時監控服務ARMS的許可權,以實現自身的監控警示和Dashboard功能。您在雲訊息佇列 RabbitMQ 版控制台首次使用監控警示和Dashboard時,系統會提示您完成AliyunServiceRoleForAmqpMonitoring的自動建立。更多資訊,請參見監控指標Dashboard

AliyunServiceRoleForAmqpLogDelivery

logdelivery.amqp.aliyuncs.com

雲訊息佇列 RabbitMQ 版通過扮演該RAM角色,擷取Log Service的存取權限,以實現自身的訊息日誌功能。您在雲訊息佇列 RabbitMQ 版控制台首次使用訊息日誌時,系統會提示您完成AliyunServiceRoleForAmqpLogDelivery的自動建立。更多資訊,請參見日誌管理

AliyunServiceRoleForAmqpNetwork

network.amqp.aliyuncs.com

允許雲訊息佇列 RabbitMQ 版使用此角色訪問您的PrivateLink服務完成Virtual Private Cloud相關功能。您在雲訊息佇列 RabbitMQ 版控制台首次使用私網串連存取點時,系統會提示您完成建立。

AliyunServiceRoleForAmqpEncrypt

encrypt.amqp.aliyuncs.com

允許雲訊息佇列 RabbitMQ 版使用此角色訪問您的KMS服務完成儲存加密相關功能。您在雲訊息佇列 RabbitMQ 版控制台購買獨享加密執行個體時,系統會提示您完成建立。如果您為RAM使用者,也可以在OpenAPI使用CreateServiceLinkedRole介面建立。

權限原則

  • AliyunServiceRoleForAmqpMonitoring的權限原則如下:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "cms:DescribeMetricRuleList",
                    "cms:DescribeMetricList",
                    "cms:DescribeMetricData"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:OpenVCluster",
                    "arms:ListDashboards",
                    "arms:CheckServiceStatus"
                   ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAmqpLogDelivery的權限原則如下:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject",
            "log:ListLogStores",
            "log:PostLogStoreLogs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForAmqpNetwork的權限原則如下:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:DeleteVpcEndpoint",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:ListVpcEndpointServicesByEndUser",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:AttachSecurityGroupToVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcAttribute",
                    "vpc:DescribeVpcs",
                    "vpc:ListVSwitchCidrReservations",
                    "vpc:GetVSwitchCidrReservationUsage",
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVSwitchAttributes",
                    "Ecs:CreateSecurityGroup",
                    "Ecs:DeleteSecurityGroup",
                    "Ecs:DescribeSecurityGroupAttribute",
                    "Ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "network.amqp.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAmqpEncrypt的權限原則如下:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:List*",
            "kms:DescribeKey",
            "kms:TagResource",
            "kms:UntagResource"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "kms:tag/acs:rabbitmq:instance-encryption": "true"
            }
          }
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "encrypt.amqp.aliyuncs.com"
            }
          }
        }
      ]
    }

注意事項

如果您刪除了自動建立的服務關聯角色,該服務關聯角色相關的功能由於許可權不足將無法再被使用,請謹慎操作。如需重新建立該服務關聯角色並為其授權,請參見建立可信實體為阿里雲服務的RAM角色為RAM角色授權

常見問題

為什麼我的RAM使用者無法自動建立雲訊息佇列 RabbitMQ 版服務關聯角色?

如果您的阿里雲帳號已經建立了服務關聯角色,您的RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入存取控制控制台為RAM使用者添加自訂權限原則,權限原則內容如下:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:${accountid}:role/*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.amqp.aliyuncs.com",
            "monitoring.amqp.aliyuncs.com",
            "network.amqp.aliyuncs.com",
            "encrypt.amqp.aliyuncs.com"
          ]
                }
            }
        }
    ],
    "Version": "1"
}
說明

請將${accountid}替換為您的阿里雲帳號ID。

如果您的RAM使用者被授予該權限原則後,仍然無法自動建立服務關聯角色,請為該RAM使用者授予權限原則AliyunAMQPFullAccess。具體操作,請參見為RAM使用者授權