本文為您介紹CMH服務關聯角色(AliyunServiceRoleForCMH)的應用情境以及如何刪除服務關聯角色。
應用情境
雲遷移中心服務關聯角色(AliyunServiceRoleForCMH)的應用情境如下:
訪問Server Migration Center(Server Migration Center)當您開啟遷移-遷移工具-伺服器遷移工具的“連結”功能時,雲遷移中心會將您在SMC中建立的任務同步過來,需要通過服務關聯角色擷取查詢SMC的許可權。
訪問Data Transmission Service(Data Transmission Service)當您開啟遷移-遷移工具-資料庫遷移工具的“連結”功能時,雲遷移中心會將您在DTS中建立的任務同步過來,需要通過服務關聯角色擷取查詢DTS的許可權。
配置審計(Config)當您開啟評估-資源調研-阿里雲匯入的“連結”功能時,雲遷移中心會將您在阿里雲指定地區購買過的資源清單同步過來,需要通過服務關聯角色擷取查詢資源清單及詳情的許可權。
自動化服務台(IaC Service)當您開啟準備-資源建立-選擇某個遷移計劃詳情-大量建立資源的“連結”功能時,雲遷移中心會使用自動化服務台提供的資源匯出和建立功能,實現阿里雲上資源的匯出和建立,需要通過服務關聯角色擷取管理自動化服務台的許可權。註:本許可權僅包含自動化服務台的許可權,在該情境下匯出和建立您的阿里雲資源需要您的登入帳號具備相關資源的系統管理權限。
阿里雲資源遷移情境。當您使用準備-遷移計劃-建立遷移計劃-阿里雲跨可用性區域遷移模板時,雲遷移中心會完成您相關資源的遷移任務,實現阿里雲資源的跨可用性區域遷移。需要通過服務關聯角色擷取您的資源查詢和遷移相關的許可權,當前支援的雲產品類型:Elastic Compute Service,雲資料庫RDS,Tair (Redis OSS-compatible),SLB負載平衡,VPC交換器。
關於服務關聯角色的更多資訊,請參見服務關聯角色。
許可權說明
角色名稱:AliyunServiceRoleForCMH
角色權限原則:AliyunServiceRolePolicyForCMH
許可權說明:雲遷移中心預設使用此角色來訪問您的SMC、DTS、配置審計等雲產品資源。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListImportJob",
"oss:ListImportAddress",
"oss:ListBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"smc:DescribeSourceServers",
"smc:DescribeReplicationJobs",
"smc:CreateReplicationJob",
"smc:StartReplicationJob"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"dts:DescribeDtsJobs",
"dts:ConfigureDtsJob",
"dts:StartDtsJob",
"dts:CreateDtsInstance",
"dts:DescribeDatabases",
"dts:DescribePreCheckStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"config:ListDiscoveredResources",
"config:GetDiscoveredResource",
"config:GetDiscoveredResourceCountsGroupByResourceType",
"config:GetDiscoveredResourceCountsGroupByRegion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstanceAttribute",
"rds:MigrateToOtherZone",
"rds:DescribeAvailableClasses",
"rds:DescribeAvailableZones",
"rds:ModifySecurityIps",
"rds:DescribeDatabases"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kvstore:DescribeInstances",
"kvstore:MigrateToOtherZone",
"kvstore:DescribeAvailableResource",
"kvstore:DescribeDBInstanceNetInfo",
"kvstore:ModifySecurityIps"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"oos:StartExecution",
"oos:ListExecutions"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iacservice:CreateModule",
"iacservice:ListModules",
"iacservice:UpdateModuleAttribute",
"iacservice:GetModule",
"iacservice:CreateModuleVersion",
"iacservice:ListModuleVersion",
"iacservice:GetModuleVersion",
"iacservice:CreateTask",
"iacservice:GetTask",
"iacservice:ListTasks",
"iacservice:UpdateTaskAttribute",
"iacservice:CreateJob",
"iacservice:ListJobs",
"iacservice:GetJob",
"iacservice:OperateJob",
"iacservice:CreateParameterSet",
"iacservice:UpdateParameterSetAttribute",
"iacservice:GetParameterSet",
"iacservice:ListParameterSets",
"iacservice:AssociateParameterSet",
"iacservice:DissociateParameterSet",
"iacservice:CreateRabbitmqPublisher",
"iacservice:ListRabbitmqPublishers",
"iacservice:UpdateRabbitmqPublisherAttribute",
"iacservice:GetRabbitmqPublisher",
"iacservice:AttachRabbitmqPublisher",
"iacservice:DetachRabbitmqPublisher",
"iacservice:CheckResourceName",
"iacservice:CreateResourceExportTask",
"iacservice:ExecuteResourceExportTask",
"iacservice:CancelResourceExportTask",
"iacservice:GetResourceExportTask",
"iacservice:ListResourceExportTaskVersions",
"iacservice:ListResourceExportTasks",
"iacservice:UpdateResourceExportTaskAttribute",
"iacservice:ListResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"ecs:DescribeAvailableResource",
"ecs:CloneInstanceWithIncrementSnapshot",
"ecs:DescribeDisks",
"ecs:DescribeAvailableResource",
"ecs:StartInstance",
"ecs:DescribeVSwitches",
"ecs:StopInstance",
"ecs:DeleteImage",
"ecs:DeleteSnapshot",
"ecs:RunInstances",
"ecs:DescribeSnapshots",
"ecs:CreateImage",
"ecs:DescribeInstances",
"ecs:DescribeImages",
"ecs:CreateSnapshot",
"ecs:DescribePrice",
"ecs:AuthorizeSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"slb:DescribeAvailableResource",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry"
],
"Resource": "*"
}
]
}建立服務關聯角色
系統會在以下情境中自動建立服務關聯角色(AliyunServiceRoleForCMH):
當您調用InitializeCMHTools介面首次建立跟蹤時,會自動建立服務關聯角色。
當您在雲遷移中心首次點擊“遷移-遷移工具—伺服器遷移工具—連結”,“遷移-遷移工具—資料庫遷移工具—連結”或者“評估-資源調研—阿里雲調研—連結”時,會自動建立服務關聯角色(如果使用阿里雲調研功能,需要先確保您的配置審計已啟用:配置審計控制台,如果您已啟用請忽略)。
刪除服務關聯角色
您可以在RAM控制台刪除服務關聯角色。具體操作,請參見刪除RAM角色。