This topic describes the use cases of the OOS service-linked roles AliyunServiceRoleForOOSInstanceScheduler, AliyunServiceRoleForOOSBandwidthScheduler, AliyunServiceRoleForOOSExecutionScheduler, AliyunServiceRoleForOOSPatchManager, AliyunServiceRoleForOOSExecutionDelivery, AliyunServiceRoleForOOSApplicationManager and AliyunServiceRoleForOOSSystemEventOperator, lists the policy attached to each, and explains how to delete a service-linked role.
Background
An OOS service-linked role is a RAM role (not a RAM user) that OOS assumes to obtain the permissions it needs on other cloud services while it completes an execution task.
AliyunServiceRoleForOOSExecutionDelivery is the RAM role that OOS assumes to access other cloud services when it delivers execution records.
AliyunServiceRoleForOOSApplicationManager is the RAM role that OOS Application Management assumes to access other cloud services when it automatically creates or deletes resources. For more information about service-linked roles, see Service-linked roles.
Use cases
When OOS needs to access ECS resources to complete the O&M tasks described below (scheduled start/stop, temporary bandwidth upgrade), it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForOOSInstanceScheduler or AliyunServiceRoleForOOSBandwidthScheduler.
When the OOS execution delivery feature needs to access Log Service (SLS) and Object Storage Service (OSS) resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForOOSExecutionDelivery.
When OOS Application Management automatically creates or deletes CloudMonitor application groups and needs to access CloudMonitor (CMS) resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForOOSApplicationManager.
AliyunServiceRoleForOOSInstanceScheduler
When a scheduled start/stop task runs and the role does not yet exist, OOS automatically creates a service-linked role named AliyunServiceRoleForOOSInstanceScheduler and attaches the policy AliyunServiceRoleForOOSInstanceSchedulerPolicy to it. OOS assumes this role to call the OpenAPI operations that start and stop the instances. Note that the grant is on Resource "*": the role can start, stop and describe any ECS instance in the account, not only the instances named in the scheduled task.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunServiceRoleForOOSBandwidthScheduler
When a temporary bandwidth upgrade runs and the role does not yet exist, OOS automatically creates a service-linked role named AliyunServiceRoleForOOSBandwidthScheduler and attaches the policy AliyunServiceRoleForOOSBandwidthSchedulerPolicy to it. OOS assumes this role to call the OpenAPI operations that perform the temporary bandwidth upgrade.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunServiceRoleForOOSExecutionScheduler
When a scheduled task runs and the role does not yet exist, OOS automatically creates a service-linked role named AliyunServiceRoleForOOSExecutionScheduler and attaches the policy AliyunServiceRolePolicyForOOSExecutionScheduler to it. OOS assumes this role to call the OpenAPI operations the scheduled task needs. This policy is considerably broader than the two above: besides ECS start/stop/reboot and snapshot creation it covers Elastic Desktop Service (ecd) and ApsaraDB RDS (rds) instances. The ram:DeleteServiceLinkedRole grant is conditioned on ram:ServiceName being executionscheduler.oos.aliyuncs.com, so the role can remove only itself, not other service-linked roles.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateSnapshot",
"ecs:DescribeCloudAssistantStatus",
"ecs:DescribeDisks",
"ecs:DescribeInstances",
"ecs:DescribeInvocationResults",
"ecs:DescribeInvocations",
"ecs:DescribeManagedInstances",
"ecs:DescribeSnapshots",
"ecs:RebootInstance",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceNetworkSpec",
"ecs:AcceptInquiredSystemEvent"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:CreateSnapshot",
"ecd:DescribeCloudAssistantStatus",
"ecd:DescribeDesktops",
"ecd:DescribeInvocations",
"ecd:DescribeSnapshots",
"ecd:RebootDesktops"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"rds:StartDBInstance",
"rds:StopDBInstance",
"rds:DescribeDBInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "oos:ListInstancePatchStates",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "executionscheduler.oos.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForOOSPatchManager
When OOS Patch Manager scans, or scans and installs, patches and the role does not yet exist, OOS automatically creates a service-linked role named AliyunServiceRoleForOOSPatchManager and attaches the policy AliyunServiceRolePolicyForOOSPatchManager to it. OOS assumes this role to scan for and install patches. Because patching is done through Cloud Assistant, this policy includes ecs:RunCommand and ecd:RunCommand, which means the role can execute arbitrary commands on every ECS instance and desktop in the account; the snapshot permissions are there so a pre-patch snapshot can be taken.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateSnapshot",
"ecs:DescribeCloudAssistantStatus",
"ecs:DescribeDisks",
"ecs:DescribeInstances",
"ecs:DescribeInvocationResults",
"ecs:DescribeInvocations",
"ecs:DescribeManagedInstances",
"ecs:DescribeSnapshots",
"ecs:RebootInstance",
"ecs:RunCommand"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:CreateSnapshot",
"ecd:DescribeCloudAssistantStatus",
"ecd:DescribeDesktops",
"ecd:DescribeInvocations",
"ecd:DescribeSnapshots",
"ecd:RebootDesktops",
"ecd:RunCommand"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oos:ListInstancePatchStates"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "patchmanager.oos.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForOOSExecutionDelivery
When the OOS execution delivery feature needs to access Log Service (SLS) and Object Storage Service (OSS) resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForOOSExecutionDelivery. The policy allows writing objects to any bucket and creating Logstores and writing logs in any project; it grants no read access to delivered data.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetBucketInfo",
"log:GetProject",
"log:GetLogStore",
"log:CreateLogStore",
"log:PostLogStoreLogs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "executiondelivery.oos.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForOOSApplicationManager
When OOS automatically creates or deletes CloudMonitor application groups and needs to access CloudMonitor (CMS) resources, it obtains the permissions through the automatically created service-linked role AliyunServiceRoleForOOSApplicationManager.
Policy document:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:CreateDynamicTagGroup",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DeleteDynamicTagGroup"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "applicationmanager.oos.aliyuncs.com"
}
}
}
],
"Version": "1"
}
AliyunServiceRoleForOOSSystemEventOperator
When a system event is accepted and authorized for execution and the role does not yet exist, OOS automatically creates a service-linked role named AliyunServiceRoleForOOSSystemEventOperator and attaches the policy AliyunServiceRolePolicyForOOSSystemEventOperator to it. OOS assumes this role to call the OpenAPI operations that accept the system event and carry out the authorized action.
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AcceptInquiredSystemEvent",
"ecs:StopInstance",
"ecs:DescribeInstances",
"ecs:StartInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
}
}
}
]
}
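Each policy quoted above is the baseline its role is expected to carry. A practitioner who finds one of these roles in an account should confirm that the attached policy version still matches that baseline, since an extra action or a widened ram:ServiceName condition silently enlarges what OOS can do. The following is an added example and is not part of the OOS documentation or of any Alibaba Cloud SDK: it takes the AliyunServiceRolePolicyForOOSExecutionDelivery document from this page as the baseline, and a constructed policy standing in for the output of ram:GetPolicyVersion (deliberately drifted with two extra OSS actions and a widened deletion condition), and reports the differences.

```python
"""Audit the policy attached to an OOS service-linked role against the baseline.

Added example, not from the OOS documentation or any Alibaba Cloud SDK.
BASELINE is the AliyunServiceRolePolicyForOOSExecutionDelivery document
quoted on the page; FETCHED is a constructed, deliberately drifted stand-in
for what ram:GetPolicyVersion would return.
"""
from typing import Any, Dict, List, Set

SERVICE = "executiondelivery.oos.aliyuncs.com"

BASELINE: Dict[str, Any] = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "oss:PutObject", "oss:GetBucketInfo", "log:GetProject",
        "log:GetLogStore", "log:CreateLogStore", "log:PostLogStoreLogs"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}},
]}

# Constructed drifted policy (not a real finding): oss:GetObject is extra but
# read-only, oss:DeleteObject is extra and mutating, and the deletion grant
# has been widened to a second OOS service.
FETCHED: Dict[str, Any] = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "oss:PutObject", "oss:GetBucketInfo", "oss:GetObject", "oss:DeleteObject",
        "log:GetProject", "log:GetLogStore", "log:CreateLogStore", "log:PostLogStoreLogs"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": [
         SERVICE, "patchmanager.oos.aliyuncs.com"]}}},
]}

# API verbs that Alibaba Cloud products use for read-only calls; anything else
# is treated as mutating. This is a naming heuristic, not a RAM feature.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: Dict[str, Any]) -> Set[str]:
    """Every action named in an Allow statement, ignoring conditions."""
    actions: Set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt["Action"]))
    return actions


def mutating_actions(actions: Set[str]) -> Set[str]:
    """Subset of actions whose verb is not a read-only verb (e.g. oss:DeleteObject)."""
    return {a for a in actions if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)}


def slr_delete_findings(policy: Dict[str, Any], expected_service: str) -> List[str]:
    """Flag ram:DeleteServiceLinkedRole grants not pinned to this role's own service."""
    findings: List[str] = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "ram:DeleteServiceLinkedRole" not in _as_list(stmt["Action"]):
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            findings.append(f"statement {i}: DeleteServiceLinkedRole has no ram:ServiceName condition")
        elif set(_as_list(names)) != {expected_service}:
            findings.append(f"statement {i}: ram:ServiceName allows {sorted(_as_list(names))}, "
                            f"expected only {expected_service}")
    return findings


def audit(fetched: Dict[str, Any], baseline: Dict[str, Any], expected_service: str) -> Dict[str, Any]:
    """Compare a fetched policy with the documented baseline and summarise the drift."""
    extra = allowed_actions(fetched) - allowed_actions(baseline)
    findings = slr_delete_findings(fetched, expected_service)
    return {
        "extra_actions": sorted(extra),
        "extra_mutating_actions": sorted(mutating_actions(extra)),
        "slr_delete_findings": findings,
        "drifted": bool(extra or findings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(FETCHED, BASELINE, SERVICE), indent=2))
```

The check deliberately counts a wildcard such as oss:* as an extra action rather than expanding it, because any wildcard in a service-linked role policy is itself a finding. Replace FETCHED with the real policy document fetched through RAM before relying on the result.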
Delete a service-linked role
To delete AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler, you must first cancel the OOS executions that depend on the role. AliyunServiceRoleForOOSExecutionDelivery and AliyunServiceRoleForOOSApplicationManager can be deleted directly.
The following example deletes the AliyunServiceRoleForOOSExecutionDelivery role:
If you use execution delivery and, for security reasons, need to delete the OOS service-linked role AliyunServiceRoleForOOSExecutionDelivery, first understand the impact: once the role is deleted, OOS execution records in the current account can no longer be delivered to OSS or SLS. The role is created again automatically the next time the feature is used by an identity that is allowed to create it (see the FAQ below), so deleting it is a pause, not a permanent revocation.
1. Log on to the RAM console and click Roles in the left-side navigation pane.
2. On the Roles page, enter AliyunServiceRoleForOOSExecutionDelivery in the search box; the RAM role named AliyunServiceRoleForOOSExecutionDelivery is found automatically.
3. In the Actions column on the right, click Delete.
4. In the Delete RAM Role dialog box, click OK.
For the detailed procedure, see Delete a service-linked role.
FAQ
Why can't a RAM user automatically create the OOS service-linked role AliyunServiceRoleForOOSExecutionDelivery?
Creating or deleting AliyunServiceRoleForOOSExecutionDelivery requires specific permissions. If a RAM user cannot automatically create AliyunServiceRoleForOOSExecutionDelivery, attach the following policy to that RAM user. The ram:ServiceName condition limits the grant to the executiondelivery.oos.aliyuncs.com service, so the user can trigger creation of this one service-linked role and no other; replace the account ID placeholder with your Alibaba Cloud account ID.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"executiondelivery.oos.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
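The policy above is scoped in two places: the Resource pins it to roles in one account, and the ram:ServiceName condition pins it to one OOS service. The following is an added example, not part of the OOS documentation or of any Alibaba Cloud SDK. It implements the small subset of RAM policy semantics this page uses (Allow/Deny, Action and Resource as string or list with "*" wildcards, StringEquals and StringNotEquals conditions, explicit Deny wins, no matching Allow means denied) and uses it to show which CreateServiceLinkedRole requests the FAQ policy permits. It also generalises the FAQ policy to a list of OOS service names, using the five service names that appear in the deletion conditions on this page. ACCOUNT_ID is a constructed value.

```python
"""Offline evaluator for the RAM policy subset used on this page.

Added example, not from the OOS documentation or any Alibaba Cloud SDK.
ACCOUNT_ID and the request contexts below are constructed.
"""
import fnmatch
from typing import Any, Dict, List, Optional

ACCOUNT_ID = "123456789012345678"  # constructed; use the real Alibaba Cloud account ID

# Service names that appear in the ram:ServiceName conditions on this page.
OOS_SERVICE_NAMES = [
    "executiondelivery.oos.aliyuncs.com",
    "executionscheduler.oos.aliyuncs.com",
    "patchmanager.oos.aliyuncs.com",
    "applicationmanager.oos.aliyuncs.com",
    "systemeventoperator.oos.aliyuncs.com",
]


def build_create_slr_policy(account_id: str, service_names: List[str]) -> Dict[str, Any]:
    """Same shape as the FAQ policy, pinned to the given OOS service names."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{account_id}:role/*",
        "Condition": {"StringEquals": {"ram:ServiceName": list(service_names)}},
    }]}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _match_any(patterns: Any, value: str) -> bool:
    # RAM treats "*" in Action and Resource as a wildcard; fnmatch does the same.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, wanted in pairs.items():
            actual = ctx.get(key)  # a key absent from the request never satisfies StringEquals
            if op == "StringEquals" and actual not in _as_list(wanted):
                return False
            if op == "StringNotEquals" and actual in _as_list(wanted):
                return False
    return True


def is_allowed(policy: Dict[str, Any], action: str, resource: str,
               ctx: Optional[Dict[str, str]] = None) -> bool:
    """Evaluate one request: explicit Deny wins, otherwise any matching Allow."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_match_any(stmt["Action"], action)
                and _match_any(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def can_create_slr(policy: Dict[str, Any], service_name: str, account_id: str = ACCOUNT_ID,
                   role_name: str = "AliyunServiceRoleForOOSExecutionDelivery") -> bool:
    """Can a principal holding `policy` let OOS create the service-linked role for `service_name`?"""
    return is_allowed(policy, "ram:CreateServiceLinkedRole",
                      f"acs:ram:*:{account_id}:role/{role_name}",
                      {"ram:ServiceName": service_name})


if __name__ == "__main__":
    faq = build_create_slr_policy(ACCOUNT_ID, ["executiondelivery.oos.aliyuncs.com"])
    for svc in OOS_SERVICE_NAMES:
        print(f"{svc:45s} create allowed: {can_create_slr(faq, svc)}")
    print("other account:", can_create_slr(faq, OOS_SERVICE_NAMES[0], account_id="000000000000000000"))
```

Use build_create_slr_policy with the full OOS_SERVICE_NAMES list only for RAM users who genuinely operate all of those OOS features; the FAQ's single-service form is the least-privilege default.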