本文介绍云消息队列 RabbitMQ 版服务关联角色的背景信息,权限策略、注意事项和常见问题。
背景信息
服务关联角色是某个云服务在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。您在该云服务的控制台首次使用该功能时,系统会提示您完成服务关联角色的自动创建。更多服务关联角色相关信息,请参见服务关联角色。
云消息队列 RabbitMQ 版提供以下服务关联角色:
服务关联角色 | ServiceName | 内容 |
AliyunServiceRoleForAmqpMonitoring | monitoring.amqp.aliyuncs.com | 云消息队列 RabbitMQ 版通过扮演该RAM角色,获取云监控和阿里云应用实时监控服务ARMS的权限,以实现自身的监控报警和Dashboard功能。您在云消息队列 RabbitMQ 版控制台首次使用监控报警和Dashboard时,系统会提示您完成AliyunServiceRoleForAmqpMonitoring的自动创建。更多信息,请参见监控指标和Dashboard。 |
AliyunServiceRoleForAmqpLogDelivery | logdelivery.amqp.aliyuncs.com | 云消息队列 RabbitMQ 版通过扮演该RAM角色,获取日志服务的访问权限,以实现自身的消息日志功能。您在云消息队列 RabbitMQ 版控制台首次使用消息日志时,系统会提示您完成AliyunServiceRoleForAmqpLogDelivery的自动创建。更多信息,请参见配置消息日志。 |
AliyunServiceRoleForAmqpNetwork | network.amqp.aliyuncs.com | 允许云消息队列 RabbitMQ 版使用此角色访问您的私网连接(PrivateLink)服务完成专有网络VPC相关功能。您在云消息队列 RabbitMQ 版控制台首次使用私网连接接入点时,系统会提示您完成创建。 |
AliyunServiceRoleForAmqpEncrypt | encrypt.amqp.aliyuncs.com | 允许云消息队列 RabbitMQ 版使用此角色访问您的KMS服务完成存储加密相关功能。您在云消息队列 RabbitMQ 版控制台购买独享加密实例时,系统会提示您完成创建。如果您为RAM用户,也可以在OpenAPI使用CreateServiceLinkedRole接口创建。 |
权限策略
AliyunServiceRoleForAmqpMonitoring的权限策略如下:
{ "Version": "1", "Statement": [ { "Action": [ "cms:DescribeMetricRuleList", "cms:DescribeMetricList", "cms:DescribeMetricData" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "arms:OpenVCluster", "arms:ListDashboards", "arms:CheckServiceStatus" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "monitoring.amqp.aliyuncs.com" } } } ] }
AliyunServiceRoleForAmqpLogDelivery的权限策略如下:
{ "Version": "1", "Statement": [ { "Action": [ "log:ListProject", "log:ListLogStores", "log:PostLogStoreLogs" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "logdelivery.amqp.aliyuncs.com" } } } ] }
AliyunServiceRoleForAmqpNetwork的权限策略如下:
{ "Version": "1", "Statement": [ { "Action": [ "privatelink:GetVpcEndpointServiceAttribute", "privatelink:ListVpcEndpointServices", "privatelink:DeleteVpcEndpoint", "privatelink:CreateVpcEndpoint", "privatelink:UpdateVpcEndpointAttribute", "privatelink:ListVpcEndpoints", "privatelink:GetVpcEndpointAttribute", "privatelink:ListVpcEndpointServicesByEndUser", "privatelink:AddZoneToVpcEndpoint", "privatelink:ListVpcEndpointZones", "privatelink:RemoveZoneFromVpcEndpoint", "privatelink:AttachSecurityGroupToVpcEndpoint", "privatelink:ListVpcEndpointSecurityGroups", "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "vpc:DescribeVpcAttribute", "vpc:DescribeVpcs", "vpc:ListVSwitchCidrReservations", "vpc:GetVSwitchCidrReservationUsage", "vpc:DescribeVSwitches", "vpc:DescribeVSwitchAttributes", "Ecs:CreateSecurityGroup", "Ecs:DeleteSecurityGroup", "Ecs:DescribeSecurityGroupAttribute", "Ecs:DescribeSecurityGroups" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "network.amqp.aliyuncs.com" } } }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "privatelink.aliyuncs.com" } } } ] }
AliyunServiceRoleForAmqpEncrypt的权限策略如下:
{ "Version": "1", "Statement": [ { "Action": [ "kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource" ], "Resource": [ "acs:kms:*:*:*" ], "Effect": "Allow" }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "acs:kms:*:*:*" ], "Effect": "Allow", "Condition": { "StringEqualsIgnoreCase": { "kms:tag/acs:rabbitmq:instance-encryption": "true" } } }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "encrypt.amqp.aliyuncs.com" } } } ] }
注意事项
如果您删除了自动创建的服务关联角色,该服务关联角色相关的功能由于权限不足将无法再被使用,请谨慎操作。如需重新创建该服务关联角色并为其授权,请参见创建可信实体为阿里云服务的RAM角色和为RAM角色授权。
常见问题
为什么我的RAM用户无法自动创建云消息队列 RabbitMQ 版服务关联角色?
如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:${accountid}:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"logdelivery.amqp.aliyuncs.com",
"monitoring.amqp.aliyuncs.com",
"network.amqp.aliyuncs.com",
"encrypt.amqp.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
请将${accountid}替换为您的阿里云账号ID。
如果您的RAM用户被授予该权限策略后,仍然无法自动创建服务关联角色,请为该RAM用户授予权限策略AliyunAMQPFullAccess。具体操作,请参见为RAM用户授权。