全部產品
Search
文件中心

EventBridge:服務關聯角色

更新時間:Dec 11, 2024

本文介紹事件匯流排EventBridge服務關聯角色的背景資訊、策略內容、注意事項和常見問題。

背景資訊

事件匯流排EventBridge在某些情況下,為了完成自身的某個功能,需要擷取其他雲端服務的存取權限。此時,事件匯流排EventBridge可以建立與某個雲端服務關聯的角色,即服務關聯角色。更多資訊,請參見服務關聯角色

事件匯流排EventBridge支援自動建立以下服務關聯角色:

AliyunServiceRoleForEventBridgeSendToFC

服務關聯角色AliyunServiceRoleForEventBridgeSendToFC可以擷取訪問Function Compute的許可權,以實現調用函數相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToFC被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToFC的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions"
                "fc:ListServiceVersions",
                "fc:ListAliases",
                "fc:RegisterEventSource",
                "fc:DeregisterEventSource",
                "fc:ListEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

服務關聯角色AliyunServiceRoleForEventBridgeSendToMNS可以擷取訪問Simple Message Queue (formerly MNS)的許可權,以實現發送訊息、發布訊息相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToMNS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToMNS的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:GetQueueAttributes",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility",
                "mns:DeleteMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

服務關聯角色AliyunServiceRoleForEventBridgeSendToSMS可以擷取訪問簡訊服務的許可權,以實現傳送簡訊相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToSMS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToSMS的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

服務關聯角色AliyunServiceRoleForEventBridgeSendToDirectMail可以擷取訪問Direct Mail服務的許可權,以實現發送郵件相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToDirectMail被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToDirectMail的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

服務關聯角色AliyunServiceRoleForEventBridgeSourceRocketMQ可以擷取訪問雲訊息佇列 RocketMQ 版的許可權,以實現訪問資源的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSourceRocketMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceRocketMQ的策略內容如下:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:QueryConsumerStatus",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRocketMQ

服務關聯角色AliyunServiceRoleForEventBridgeSendToRocketMQ可以擷取訪問雲訊息佇列 RocketMQ 版的許可權,以實現發布訊息相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToRocketMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRocketMQ的策略內容如下:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:PUB",
                "mq:QueryInstanceBaseInfo",
                "mq:QueryTopicStatus",
                "mq:QueryConsumerAccumulate",
                "mq:QueryConsumerStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

服務關聯角色AliyunServiceRoleForEventBridgeConnectVPC可以擷取訪問Virtual Private Cloud的許可權,以實現訪問資源的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeConnectVPC被授與權限策略AliyunServiceRolePolicyForEventBridgeConnectVPC的策略內容如下:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

服務關聯角色AliyunServiceRoleForEventBridgeSourceActionTrail可以擷取訪問Action Trail的許可權,以實現查詢和投遞操作記錄的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSourceActionTrail被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceActionTrail的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

服務關聯角色AliyunServiceRoleForEventBridgeSourceRabbitMQ可以擷取訪問雲訊息佇列 RabbitMQ 版的許可權,以實現訪問資源的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSourceRabbitMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRabbitMQ

服務關聯角色AliyunServiceRoleForEventBridgeSendToRabbitMQ可以擷取訪問雲訊息佇列 RabbitMQ 版的許可權,以實現發布訊息相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToRabbitMQ被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ的策略內容如下:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceKafka

服務關聯角色AliyunServiceRoleForEventBridgeSourceKafka可以擷取訪問雲訊息佇列 Kafka 版的許可權,以實現訪問資源的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSourceKafka被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceKafka的策略內容如下:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToKafka

服務關聯角色AliyunServiceRoleForEventBridgeSendToKafka可以擷取訪問雲訊息佇列 Kafka 版的許可權,以實現發布訊息相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToKafka被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToKafka的策略內容如下:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToRDS

服務關聯角色AliyunServiceRoleForEventBridgeSendToRDS可以擷取訪問雲資料庫RDS的許可權,以實現資料投遞至RDS相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToRDS被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToRDS的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDatabases",
                "rds:DescribeAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceCMS

服務關聯角色AliyunServiceRoleForEventBridgeSourceCMS可以擷取訪問CloudMonitor源CMS的許可權,以實現訪問資源的相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSourceCMS被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceCMS的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:DescribeSystemEventAttribute",
                "cms:DescribeSystemEventCount",
                "cms:DescribeSystemEventHistogram"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSAE

服務關聯角色AliyunServiceRoleForEventBridgeSendToSAE可以擷取訪問Serverless引用引擎的許可權,以實現將資料投遞至SAE相關功能。

服務關聯角色AliyunServiceRoleForEventBridgeSendToSAE被授與權限策略AliyunServiceRolePolicyForEventBridgeSendToSAE的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "sae:ExecJob"
            ],
            "Resource": "*"
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMqtt

服務關聯角色AliyunServiceRoleForEventBridgeSourceMqtt可以擷取訪問微Message QueueTT的許可權,以實現訪問資源的相關功能。

關聯角色AliyunServiceRoleForEventBridgeSourceMqtt被授與權限策略AliyunServiceRolePolicyForEventBridgeSourceMqtt的策略內容如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mq:SUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

注意事項

服務關聯角色刪除後,事件匯流排EventBridge將無法發布事件到對應的阿里雲服務,請謹慎操作。如需再次使用相關功能,則需重新建立該角色。具體操作,請參見建立服務關聯角色

關於刪除服務關聯角色的具體操作,請參見刪除服務關聯角色

常見問題

Q:為什麼我的RAM使用者無法自動建立事件匯流排EventBridge服務關聯角色?

A:如果阿里雲帳號已經建立了服務關聯角色,RAM使用者就會繼承該阿里雲帳號的服務關聯角色。如果沒有繼承,請登入RAM 控制台為RAM使用者添加自訂權限原則,權限原則內容如下:

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:阿里雲帳號ID:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "source-mns.eventbridge.aliyuncs.com",
                        "source-cms.eventbridge.aliyuncs.com",
                        "source-mqtt.eventbridge.aliyuncs.com",
                        "source-sls.eventbridge.aliyuncs.com",
                        "sendevent-sae.eventbridge.aliyuncs.com",
                        "sendevent-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com",                      
                        "sendevent-rabbitmq.eventbridge.aliyuncs.com",
                        "source-kafka.eventbridge.aliyuncs.com",
                        "sendevent-kafka.eventbridge.aliyuncs.com",
                        "sendevent-rds.eventbridge.aliyuncs.com",
                        "sendevent-arms.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
說明

請將阿里雲帳號ID替換為您實際的阿里雲帳號ID。

如果您的RAM使用者被授予該權限原則後,仍然無法自動建立服務關聯角色,請為該RAM使用者授予權限原則AliyunEventBridgeFullAccess。更多權限原則的詳細說明,請參見權限原則和樣本