通過MSE服務關聯角色訪問其他雲端服務許可權 - Microservices Engine

MSE服務關聯角色AliyunServiceRoleForMSE是為了實現特定功能而設計的一個預定義RAM角色。在使用MSE時，某些功能需要訪問或系統管理使用者賬戶下的其他阿里雲服務資源，例如VPC、SLB、ACK等，以確保微服務架構下的各項能力正常運作。通過建立並授權給MSE這個服務關聯角色，可以自動擷取和管理這些服務的許可權，避免手動逐個分配複雜且容易出錯的權限原則，簡化了許可權管理流程，並增強了安全性。本文介紹MSE服務關聯角色AliyunServiceRoleForMSE以及如何刪除該角色。

AliyunServiceRoleForMSE應用情境

MSE需要訪問Elastic Compute Service、Virtual Private Cloud、應用即時監控服務ARMS、負載平衡服務SLB、Container ServiceACK、Enterprise Distributed Application Service、服務網格ASM等雲端服務的資源時，可通過自動建立的MSE服務關聯角色AliyunServiceRoleForMSE擷取存取權限。

AliyunServiceRoleForMSE許可權說明

AliyunServiceRoleForMSE具備以下雲端服務的存取權限：

Elastic Compute Service的存取權限

{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Virtual Private Cloud的存取權限

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch",
  ],
  "Resource": "*",
  "Effect": "Allow"
},

應用即時監控服務ARMS的存取權限

   {
            "Action": [
                "arms:OpenArmsService",
                "arms:OpenArmsServiceSecondVersion",
                "arms:CheckServiceStatus",
                "arms:OpenVCluster",
                "arms:GetPrometheusApiToken",
                "arms:ListDashboards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

負載平衡服務SLB的存取權限

  {
            "Action": [
                "slb:CreateLoadBalancer",
                "slb:AddBackendServers",
                "slb:SetBackendServers",
                "slb:RemoveBackendServers",
                "slb:CreateLoadBalancerTCPListener",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DeleteLoadBalancerListener",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:DescribeHealthStatus",
                "slb:CreateLoadBalancerForCloudService",
                "slb:DeleteLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveTags",
                "slb:AddTags",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:CreateLoadBalancerUDPListener",
                "slb:CreateVServerGroup",
                "slb:DeleteVServerGroup",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:RemoveVServerGroupBackendServers",
                "slb:SetLoadBalancerModificationProtection",
                "slb:SetLoadBalancerDeleteProtection",
                "slb:DescribeLoadBalancerUDPListenerAttribute  ",
                "slb:DescribeTags",
                "slb:DescribeVServerGroups",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeLoadBalancerListeners"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

Container ServiceACK的存取權限

   {
            "Action": [
                "cs:DescribeClusterInnerServiceKubeconfig",
                "cs:RevokeClusterInnerServiceKubeconfig",
                "cs:GetUserConfig",
                "cs:DescribeClusterUserKubeconfig",
                "cs:GetClusterById",
                "cs:GetClustersByUid",
                "cs:GetClusters",
                "cs:ListClusters",
                "cs:DescribeClusterNodes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

Enterprise Distributed Application Service的存取權限

 {
            "Action": [
                "edas:ReadApplication",
                "edas:ReadCluster",
                "edas:ReadNamespace",
                "edas:ReadService",
                "edas:ListUserDefineRegion",
                "edas:GetSecureToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

服務網格ASM的存取權限

   {
            "Action": [
                "servicemesh:CreateServiceMesh",
                "servicemesh:DeleteServiceMesh",
                "servicemesh:DescribeServiceMeshDetail",
                "servicemesh:DescribeServiceMeshKubeconfig",
                "servicemesh:AddClusterIntoServiceMesh",
                "servicemesh:RemoveClusterFromServiceMesh",
                "servicemesh:InitializeASMRole",
                "servicemesh:InvokeApiServer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

刪除AliyunServiceRoleForMSE

說明

如果您使用了MSE功能，然後刪除MSE服務關聯角色AliyunServiceRoleForMSE，您將無法使用服務測試和壓測功能。

使用阿里雲帳號登入RAM控制台，在左側導覽列中單擊身份管理 > 角色。
在角色頁面的搜尋方塊中輸入AliyunServiceRoleForMSE進行搜尋。
在AliyunServiceRoleForMSE的操作列下單擊刪除角色。
在刪除角色對話方塊中輸入角色名稱進行確認，然後單擊刪除角色。

常見問題

為什麼我的RAM使用者無法自動建立MSE服務關聯角色AliyunServiceRoleForMSE？

您需要擁有指定的許可權，才能自動建立或刪除AliyunServiceRoleForMSE。因此，在RAM使用者無法自動建立AliyunServiceRoleForMSE時，您需要為其添加以下權限原則。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主帳號ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

說明

請將主帳號ID替換為您實際的阿里雲帳號ID。