鏈路追蹤服務關聯角色及如何刪除該角色 - Managed Service for OpenTelemetry

本文介紹Managed Service for OpenTelemetry服務關聯角色AliyunServiceRoleForXtrace以及如何刪除該角色。

背景資訊

Managed Service for OpenTelemetry服務關聯角色AliyunServiceRoleForXtrace是Managed Service for OpenTelemetry在某些情況下，為了完成自身的某個功能，需要擷取其他雲端服務的存取權限而提供的RAM角色。更多關於服務關聯角色的資訊，請參見服務關聯角色。

AliyunServiceRoleForXtrace應用情境

Managed Service for OpenTelemetry監控功能需要訪問Container ServiceACK、Log ServiceSLS、Elastic Compute Service和Virtual Private Cloud雲端服務的資源時，可通過自動建立的Managed Service for OpenTelemetry服務關聯角色AliyunServiceRoleForXtrace擷取存取權限。

AliyunServiceRoleForXtrace許可權說明

AliyunServiceRoleForXtrace具備以下雲端服務的存取權限。

Container ServiceACK的存取權限

{
            "Action": [
                "cs:ScaleCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:CheckKritisInstall",
                "cs:GetKritisAttestationAuthority",
                "cs:GetKritisGenericAttestationPolicy",
                "cs:AttachInstances",
                "cs:InstallKritis",
                "cs:InstallKritisAttestationAuthority",
                "cs:InstallKritisGenericAttestationPolicy",
                "cs:UpdateClusterTags",
                "cs:UninstallKritis",
                "cs:DeleteKritisAttestationAuthority",
                "cs:DeleteKritisGenericAttestationPolicy",
                "cs:UpdateKritisAttestationAuthority",
                "cs:UpdateKritisGenericAttestationPolicy",
                "cs:UpgradeCluster",
                "cs:GetClusterLogs"
            ],
            "Resource": [
              "acs:cs:*:*:cluster/*"
            ],
            "Effect": "Allow"
        }

Log ServiceSLS的存取權限

{
       "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:EnableService",
        "log:DescribeService",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
       }
]

Elastic Compute Service的存取權限

{
       "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
         ],
      "Resource": "*",
      "Effect": "Allow"
    }

Virtual Private Cloud的存取權限

{
       "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeNatGateways"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

SLB的訪問和配置許可權

{
       "Action": [
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadbalancerListenerAttributeEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:SetAccessLogsDownloadAttribute",
        "slb:DeleteAccessLogsDownloadAttribute",
        "slb:DescribeAccessLogsDownloadAttribute"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

刪除AliyunServiceRoleForXtrace

如果您使用了Managed Service for OpenTelemetry的監控功能，然後需要刪除Managed Service for OpenTelemetry服務關聯角色AliyunServiceRoleForXtrace，例如您出於安全考慮，需要刪除該角色，則需要先明確刪除後的影響：刪除AliyunServiceRoleForXtrace後，無法將當前帳號下的資料進行儲存和展示。

刪除AliyunServiceRoleForXtrace的操作步驟如下：

說明

如果當前帳號下還有應用資料，則需先刪除所有應用後才能刪除AliyunServiceRoleForXtrace。

登入RAM控制台，在左側導覽列中選擇身份管理 > 角色。
在角色頁面的搜尋方塊中，輸入AliyunServiceRoleForXtrace，自動搜尋到名稱為AliyunServiceRoleForXtrace的RAM角色。
在右側操作列，單擊刪除角色。
在刪除角色對話方塊，確認資訊並單擊刪除角色。
- 如果當前帳號下還有Managed Service for OpenTelemetry的應用，則需先刪除所有應用才能刪除AliyunServiceRoleForXtrace，否則提示刪除失敗。
- 如果當前帳號下所有應用已經刪除，則可直接刪除AliyunServiceRoleForXtrace。

常見問題

為什麼我的XTRACE使用者無法自動建立ARMS服務關聯角色AliyunServiceRoleForXtrace？

您需要擁有指定的許可權，才能自動建立或刪除AliyunServiceRoleForXtrace。因此，在RAM使用者無法自動建立AliyunServiceRoleForXtrace時，您需為其添加以下權限原則。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主帳號ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "xtrace.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}