通過MSE服務關聯角色訪問其他雲端服務許可權 - Microservices Engine

MSE服務關聯角色是一系列為實現特定功能而設計的預定義RAM角色。通過建立並授權給MSE這些服務關聯角色，可以自動擷取和管理相關許可權，避免手動逐個分配複雜且容易出錯的權限原則，簡化了許可權管理流程，並增強了安全性。本文介紹MSE相關服務關聯角色以及如何刪除角色。

AliyunServiceRoleForMSE

應用情境

MSE需要訪問Elastic Compute Service、Virtual Private Cloud、應用即時監控服務ARMS、負載平衡服務SLB、Container ServiceACK、Enterprise Distributed Application Service、服務網格ASM等雲端服務的資源時，可通過自動建立的MSE服務關聯角色AliyunServiceRoleForMSE擷取存取權限。

許可權說明

AliyunServiceRoleForMSE具備以下雲端服務的存取權限：

Elastic Compute Service的存取權限

{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Virtual Private Cloud的存取權限

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch",
  ],
  "Resource": "*",
  "Effect": "Allow"
},

應用即時監控服務ARMS的存取權限

   {
            "Action": [
                "arms:OpenArmsService",
                "arms:OpenArmsServiceSecondVersion",
                "arms:CheckServiceStatus",
                "arms:OpenVCluster",
                "arms:GetPrometheusApiToken",
                "arms:ListDashboards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

負載平衡服務SLB的存取權限

  {
            "Action": [
                "slb:CreateLoadBalancer",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:RemoveBackendServers",
                "slb:CreateLoadBalancerTCPListener",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DeleteLoadBalancerListener",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeHealthStatus",
                "slb:CreateLoadBalancerForCloudService",
                "slb:DeleteLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveTags",
                "slb:AddTags",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:CreateLoadBalancerUDPListener",
                "slb:CreateVServerGroup",
                "slb:DeleteVServerGroup",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveVServerGroupBackendServers",
                "slb:SetLoadBalancerModificationProtection",
                "slb:SetLoadBalancerDeleteProtection",
                "slb:DescribeLoadBalancerUDPListenerAttribute  ",
                "slb:DescribeTags",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeLoadBalancerListeners"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

Container ServiceACK的存取權限

   {
            "Action": [
                "cs:DescribeClusterInnerServiceKubeconfig",
                "cs:RevokeClusterInnerServiceKubeconfig",
                "cs:GetUserConfig",
                "cs:DescribeClusterUserKubeconfig",
                "cs:GetClusterById",
                "cs:GetClustersByUid",
                "cs:GetClusters",
                "cs:ListClusters",
                "cs:DescribeClusterNodes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

Enterprise Distributed Application Service的存取權限

 {
            "Action": [
                "edas:ReadApplication",
                "edas:ReadCluster",
                "edas:ReadNamespace",
                "edas:ReadService",
                "edas:ListUserDefineRegion",
                "edas:GetSecureToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

服務網格ASM的存取權限

   {
            "Action": [
                "servicemesh:CreateServiceMesh",
                "servicemesh:DeleteServiceMesh",
                "servicemesh:DescribeServiceMeshDetail",
                "servicemesh:DescribeServiceMeshKubeconfig",
                "servicemesh:AddClusterIntoServiceMesh",
                "servicemesh:RemoveClusterFromServiceMesh",
                "servicemesh:InitializeASMRole",
                "servicemesh:InvokeApiServer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

AliyunServiceRolePolicyForMSEEngineService

應用情境

當Nacos引擎側需要整合安全護欄等其他雲產品時，使用者可以通過AliyunServiceRolePolicyForMSEEngineService角色便捷地完成接入操作。

許可權說明

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "yundun-greenweb:MultiModalGuard",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "engine-service.mse.aliyuncs.com"
        }
      }
    }
  ]
}

刪除許可權

重要

如果正在使用MSE功能，刪除MSE服務關聯角色將無法使用對應角色所提供的能力，可能造成業務影響，需要謹慎評估與操作。

使用阿里雲帳號登入RAM控制台，在左側導覽列中單擊身份管理 > 角色。
在角色頁面的搜尋方塊中輸入許可權名，如AliyunServiceRoleForMSE並進行搜尋。
在搜尋結果對應角色操作列下單擊刪除角色。
在刪除角色對話方塊中輸入角色名稱進行確認，然後單擊刪除角色。

常見問題

為什麼我的RAM使用者無法自動建立MSE服務關聯角色AliyunServiceRoleForMSE？

需要擁有指定的許可權，才能自動建立或刪除AliyunServiceRoleForMSE。因此，在RAM使用者無法自動建立AliyunServiceRoleForMSE時，需要為其添加以下權限原則。

說明

將主帳號ID替換為實際的阿里雲帳號ID。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主帳號ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}