本文介紹事件匯流排EventBridge服務關聯角色的背景資訊、策略內容、注意事項和常見問題。
背景資訊
事件匯流排EventBridge在某些情況下,為了完成自身的某個功能,需要擷取其他雲端服務的存取權限。此時,事件匯流排EventBridge可以建立與某個雲端服務關聯的角色,即服務關聯角色。更多資訊,請參見服務關聯角色。
事件匯流排EventBridge支援自動建立以下服務關聯角色:
AliyunServiceRoleForEventBridgeSendToFC
服務關聯角色AliyunServiceRoleForEventBridgeSendToFC可以擷取訪問Function Compute的許可權,以實現調用函數相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToFC被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToFC的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"fc:InvokeFunction",
"fc:ListServices",
"fc:ListFunctions"
"fc:ListServiceVersions",
"fc:ListAliases",
"fc:RegisterEventSource",
"fc:DeregisterEventSource",
"fc:ListEventSources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToMNS
服務關聯角色AliyunServiceRoleForEventBridgeSendToMNS可以擷取訪問Simple Message Queue (formerly MNS)的許可權,以實現發送訊息、發布訊息相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToMNS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToMNS的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"mns:SendMessage",
"mns:GetQueueAttributes",
"mns:PublishMessage",
"mns:ListQueue",
"mns:ListTopic",
"mns:ReceiveMessage",
"mns:BatchReceiveMessage",
"mns:PeekMessage",
"mns:BatchPeekMessage",
"mns:ChangeMessageVisibility",
"mns:DeleteMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSMS
服務關聯角色AliyunServiceRoleForEventBridgeSendToSMS可以擷取訪問簡訊服務的許可權,以實現傳送簡訊相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToSMS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToSMS的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"dysms:SendSms",
"dysms:SendBatchSms",
"dysms:QuerySendDetails",
"dysms:QuerySmsSign",
"dysms:QuerySmsTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToDirectMail
服務關聯角色AliyunServiceRoleForEventBridgeSendToDirectMail可以擷取訪問Direct Mail服務的許可權,以實現發送郵件相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToDirectMail被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToDirectMail的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"dm:SingleSendMail",
"dm:BatchSendMail",
"dm:QueryMailAddressByParam"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRocketMQ
服務關聯角色AliyunServiceRoleForEventBridgeSourceRocketMQ可以擷取訪問雲訊息佇列 RocketMQ 版的許可權,以實現訪問資源的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSourceRocketMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceRocketMQ的策略內容如下:
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:QueryInstanceBaseInfo",
"mq:QueryConsumerStatus",
"mq:SUB"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRocketMQ
服務關聯角色AliyunServiceRoleForEventBridgeSendToRocketMQ可以擷取訪問雲訊息佇列 RocketMQ 版的許可權,以實現發布訊息相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToRocketMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRocketMQ的策略內容如下:
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:PUB",
"mq:QueryInstanceBaseInfo",
"mq:QueryTopicStatus",
"mq:QueryConsumerAccumulate",
"mq:QueryConsumerStatus"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeConnectVPC
服務關聯角色AliyunServiceRoleForEventBridgeConnectVPC可以擷取訪問Virtual Private Cloud的許可權,以實現訪問資源的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeConnectVPC被授與權限策略AliyunServiceRolePolicyForEventBridgeConnectVPC的策略內容如下:
{
"Version":"1",
"Statement":[
{
"Action":[
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":[
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceActionTrail
服務關聯角色AliyunServiceRoleForEventBridgeSourceActionTrail可以擷取訪問Action Trail的許可權,以實現查詢和投遞操作記錄的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSourceActionTrail被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceActionTrail的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"actiontrail:CreateServiceTrail",
"actiontrail:DeleteServiceTrail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRabbitMQ
服務關聯角色AliyunServiceRoleForEventBridgeSourceRabbitMQ可以擷取訪問雲訊息佇列 RabbitMQ 版的許可權,以實現訪問資源的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSourceRabbitMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:GetExchange",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicCancel",
"amqp:BasicConsume",
"amqp:BasicAck",
"amqp:BasicNack",
"amqp:BasicReject",
"amqp:QueuePurge",
"amqp:BasicGet"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRabbitMQ
服務關聯角色AliyunServiceRoleForEventBridgeSendToRabbitMQ可以擷取訪問雲訊息佇列 RabbitMQ 版的許可權,以實現發布訊息相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToRabbitMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ的策略內容如下:
{
"Version":"1",
"Statement":[
{
"Action":[
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:CreateExchange",
"amqp:GetExchange",
"amqp:CreateQueue",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicPublish",
"amqp:BasicAck",
"amqp:BasicNack"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceKafka
服務關聯角色AliyunServiceRoleForEventBridgeSourceKafka可以擷取訪問雲訊息佇列 Kafka 版的許可權,以實現訪問資源的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSourceKafka被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceKafka的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToKafka
服務關聯角色AliyunServiceRoleForEventBridgeSendToKafka可以擷取訪問雲訊息佇列 Kafka 版的許可權,以實現發布訊息相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToKafka被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToKafka的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRDS
服務關聯角色AliyunServiceRoleForEventBridgeSendToRDS可以擷取訪問雲資料庫RDS的許可權,以實現資料投遞至RDS相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToRDS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRDS的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDatabases",
"rds:DescribeAccounts"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceCMS
服務關聯角色AliyunServiceRoleForEventBridgeSourceCMS可以擷取訪問CloudMonitor源CMS的許可權,以實現訪問資源的相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSourceCMS被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceCMS的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:DescribeSystemEventAttribute",
"cms:DescribeSystemEventCount",
"cms:DescribeSystemEventHistogram"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSAE
服務關聯角色AliyunServiceRoleForEventBridgeSendToSAE可以擷取訪問Serverless引用引擎的許可權,以實現將資料投遞至SAE相關功能。
服務關聯角色AliyunServiceRoleForEventBridgeSendToSAE被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToSAE的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"sae:ExecJob"
],
"Resource": "*"
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceMqtt
服務關聯角色AliyunServiceRoleForEventBridgeSourceMqtt可以擷取訪問微Message QueueTT的許可權,以實現訪問資源的相關功能。
關聯角色AliyunServiceRoleForEventBridgeSourceMqtt被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceMqtt的策略內容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"mq:SUB"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
}
}
}
]
}
注意事項
服務關聯角色刪除後,事件匯流排EventBridge將無法發布事件到對應的阿里雲服務,請謹慎操作。如需再次使用相關功能,則需重新建立該角色。具體操作,請參見建立服務關聯角色。
關於刪除服務關聯角色的具體操作,請參見刪除服務關聯角色。
常見問題
Q:為什麼我的RAM使用者無法自動建立事件匯流排EventBridge服務關聯角色?
A:如果阿里雲帳號已經建立了服務關聯角色,RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入RAM 控制台為RAM使用者添加自訂權限原則,權限原則內容如下:
{
"Version":"1",
"Statement":[
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"acs:ram:*:阿里雲帳號ID:role/*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":[
"sendevent-fc.eventbridge.aliyuncs.com",
"sendevent-mns.eventbridge.aliyuncs.com",
"sendevent-sms.eventbridge.aliyuncs.com",
"sendevent-directmail.eventbridge.aliyuncs.com",
"source-rocketmq.eventbridge.aliyuncs.com",
"source-mns.eventbridge.aliyuncs.com",
"source-cms.eventbridge.aliyuncs.com",
"source-mqtt.eventbridge.aliyuncs.com",
"source-sls.eventbridge.aliyuncs.com",
"sendevent-sae.eventbridge.aliyuncs.com",
"sendevent-rocketmq.eventbridge.aliyuncs.com",
"connect-vpc.eventbridge.aliyuncs.com",
"source-actiontrail.eventbridge.aliyuncs.com",
"source-rabbitmq.eventbridge.aliyuncs.com",
"sendevent-rabbitmq.eventbridge.aliyuncs.com",
"source-kafka.eventbridge.aliyuncs.com",
"sendevent-kafka.eventbridge.aliyuncs.com",
"sendevent-rds.eventbridge.aliyuncs.com",
"sendevent-arms.eventbridge.aliyuncs.com"
]
}
}
}
]
}
請將阿里雲帳號ID替換為您實際的阿里雲帳號ID。
如果您的RAM使用者被授予該權限原則後,仍然無法自動建立服務關聯角色,請為該RAM使用者授予權限原則AliyunEventBridgeFullAccess。更多權限原則的詳細說明,請參見權限原則和樣本。