全部产品
Search
文档中心

办公安全平台:授权SASE访问云资源

更新时间:Sep 26, 2024

首次使用办公安全平台前,您需要先授予办公安全平台访问云资源的权限。本文介绍如何授权。

前提条件

  • 您已开通办公安全平台

  • 您使用的是阿里云主账号或拥有创建和删除服务关联角色权限的RAM账号。

背景信息

首次使用办公安全平台时,阿里云会自动创建办公安全平台的关联角色AliyunServiceRoleForCsas,授权办公安全平台访问其他关联的阿里云服务。服务关联角色无需您手动创建或做任何修改。相关内容请参见服务关联角色

操作步骤

  1. 登录办公安全平台控制台

  2. 欢迎使用SASE对话框,单击确认创建

    您开通办公安全平台后,首次登录控制台时,办公安全平台会提示您创建服务关联角色的流程。

    当您单击确认创建后,阿里云将自动为您创建SASE的服务关联角色AliyunServiceRoleForCsas。您可以在RAM控制台角色页面查看阿里云为SASE自动创建的服务关联角色。只有创建服务关联角色完成后,您的SASE实例才能访问IDaaS、SAG等云服务的资源。

办公安全平台关联角色介绍

以下是办公安全平台关联角色的介绍:

  • 角色名称:AliyunServiceRoleForCsas

  • 权限策略名称:AliyunServiceRolePolicyForCsas

    说明

    该权限策略为系统默认提供的策略,其策略名称和策略内容都不支持修改。

  • 权限策略示例:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:DescribeInstances",
            "ecs:CreateSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupRule",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:CreateNetworkInterfacePermission",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:DeleteNetworkInterfacePermission",
            "ecs:AttachNetworkInterface",
            "ecs:DetachNetworkInterface",
            "ecs:RevokeSecurityGroup"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:DescribeDBInstances",
            "rds:DescribeSecurityGroupConfiguration",
            "rds:ModifySecurityGroupConfiguration",
            "rds:DescribeDBInstanceIPArrayList",
            "rds:ModifySecurityIps"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "kvstore:DescribeInstances",
            "kvstore:DescribeGlobalDistributeCache",
            "kvstore:DescribeSecurityIps",
            "kvstore:ModifySecurityIps",
            "kvstore:DescribeSecurityGroupConfiguration",
            "kvstore:ModifySecurityGroupConfiguration"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dds:DescribeDBInstances",
            "dds:DescribeSecurityIps",
            "dds:ModifySecurityIps",
            "dds:DescribeSecurityGroupConfiguration",
            "dds:ModifySecurityGroupConfiguration"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "polardb:DescribeDBClusters",
            "polardb:DescribeDBClusterAccessWhitelist",
            "polardb:ModifyDBClusterAccessWhitelist"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "vpc:CreateVpc",
            "vpc:DeleteVpc",
            "vpc:CreateVSwitch",
            "vpc:DeleteVSwitch",
            "vpc:DescribeZones",
            "vpc:DescribePhysicalConnections",
            "vpc:DescribeVirtualBorderRouters",
            "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
            "vpc:DescribeVpnGateways",
            "vpc:DescribeVpnGateway",
            "vpc:DescribeCustomerGateways",
            "vpc:DescribeVpnConnections",
            "vpc:DescribeVpcAttribute",
            "vpc:DescribeRouteTables",
            "vpc:DescribeRouteTableList",
            "vpc:DescribeRouteEntryList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cen:DescribeCens",
            "cen:DescribeCenAttachedChildInstances",
            "cen:DescribeCenAttachedChildInstanceAttribute",
            "cen:AttachCenChildInstance",
            "cen:DetachCenChildInstance",
            "cen:GrantInstanceToCen",
            "cen:RevokeInstanceFromCen"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "smartag:CreateSmartAGTrafficService",
            "smartag:UpdateSmartAGTrafficService",
            "smartag:DeleteSmartAGTrafficSerivce",
            "smartag:ListSmartAGTrafficService",
            "smartag:DescribeSmartAccessGateways",
            "smartag:DescribeCloudConnectNetworks",
            "smartag:CreateCloudConnectNetwork",
            "smartag:ModifyCloudConnectNetwork",
            "smartag:DeleteCloudConnectNetwork",
            "smartag:CreateSmartAccessGatewaySoftware",
            "smartag:UpgradeSmartAccessGatewaySoftware",
            "smartag:DowngradeSmartAccessGatewaySoftware",
            "smartag:BindSmartAccessGateway",
            "smartag:UnbindSmartAccessGateway"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:PostLogStoreLogs",
            "log:GetProject",
            "log:ListProject",
            "log:GetLogStore",
            "log:ListLogStores",
            "log:CreateLogStore",
            "log:CreateProject",
            "log:GetIndex",
            "log:CreateIndex",
            "log:UpdateIndex",
            "log:CreateDashboard",
            "log:ClearLogStoreStorage",
            "log:UpdateLogStore",
            "log:UpdateDashboard",
            "log:CreateSavedSearch",
            "log:UpdateSavedSearch",
            "log:DeleteLogStore",
            "log:DeleteSavedSearch",
            "log:GetSavedSearch",
            "log:ListSavedSearch",
            "log:DeleteDashboard",
            "log:GetDashboard",
            "log:ListDashboard"
          ],
          "Resource": "acs:log:*:*:project/csas-project-*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "pvtz:DescribeZones",
            "pvtz:DescribeZoneInfo",
            "pvtz:DescribeZoneRecords"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "csas.aliyuncs.com"
            }
          }
        }
      ]
    }

删除服务关联角色

如果不再需要使用SASE服务,您可以删除SASE服务关联角色AliyunServiceRoleForCsas。在删除服务关联角色前您需要先释放已有的SASE实例。释放实例后,您可以参考以下步骤在RAM控制台删除SASE服务关联角色。

  1. 登录RAM控制台

  2. 在左侧导航栏,选择身份管理 > 角色

  3. 使用搜索功能定位到SASE服务关联角色AliyunServiceRoleForCsas,单击其操作列删除角色

  4. 删除角色对话框中,单击确定

相关问题

为什么我使用RAM用户无法自动创建SASE服务关联角色?

RAM用户需要拥有指定的权限,才能自动创建或删除服务关联角色。您需为RAM用户添加以下权限策略:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "csas.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
说明

详细操作步骤指导,请参见为RAM角色授权