本文介绍云数据库 SelectDB 版服务关联角色AliyunServiceRoleForSelectDB的应用场景以及如何删除该角色。
背景信息
AliyunServiceRoleForSelectDB是云数据库 SelectDB 版的服务关联角色。在某些情况下,云数据库 SelectDB 版为了完成自身的某个功能,需要获取其他云服务的访问权限,该RAM角色即用于提供这些权限。更多关于服务关联角色的信息,请参见服务关联角色。
应用场景
服务关联角色AliyunServiceRoleForSelectDB的应用场景,包括但不限于:
获取ECS云服务的访问权限:创建云数据库 SelectDB 版实例需要从ECS云服务获取所需的计算资源并进行管理。
获取VPC云服务的访问权限:部署和运行云数据库 SelectDB 版实例需要VPC云服务提供网络环境并进行管理。
获取SLB云服务的访问权限:云数据库 SelectDB 版实例需要SLB云服务提供负载均衡服务。
获取ARMS云服务的访问权限:云数据库 SelectDB 版实例需要ARMS云服务提供监控信息和告警服务。
AliyunServiceRoleForSelectDB介绍
角色名称:AliyunServiceRoleForSelectDB
角色权限策略:AliyunServiceRolePolicyForSelectDB
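权限说明:该策略中所有语句的Resource均为"*"。除应用场景中列出的ECS、VPC、SLB、ARMS外,策略还包含日志服务(log)、KMS、RDS、PrivateZone(pvtz)以及bss/bssapi的操作。其中仅以下操作带有Condition限制:kms:Encrypt、kms:Decrypt、kms:GenerateDataKey只对标签kms:tag/acs:selectdb:instance-encryption为true的密钥生效;ram:DeleteServiceLinkedRole限定服务名为selectdb.aliyuncs.com;ram:CreateServiceLinkedRole限定服务名为eipaccess.slb.aliyuncs.com;bssapi:CreateInstance限定ProductCode为pvtz、ProductType为pvtzpost。完整策略如下: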
{ "Statement": [ { "Action": [ "log:GetProject", "log:ListProject", "log:GetCursor", "log:GetCursorTime", "log:GetLogs", "log:GetHistograms", "log:GetContextLogs", "log:PullLogs", "log:GetLogStoreLogs", "log:GetLogStoreHistogram", "log:GetLogStore", "log:ListLogStores", "log:GetCursorOrData", "log:ListShards", "log:GetConfig", "log:ListConfig", "log:GetShipperStatus", "log:GetCheckPoint", "log:HeartBeat", "log:UpdateCheckPoint", "log:PostLogStoreLogs", "log:CreateConsumerGroup", "log:UpdateConsumerGroup", "log:DeleteConsumerGroup", "log:ListConsumerGroup", "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat", "log:GetConsumerGroupCheckPoint", "log:CreateExport", "log:GetExport", "log:ListExport", "log:UpdateExport", "log:DeleteExport", "log:CreateJob", "log:GetJob", "log:ListJobs", "log:UpdateJob", "log:DeleteJob", "ecs:AttachNetworkInterface", "ecs:AuthorizeSecurityGroup", "ecs:CreateNetworkInterface", "ecs:CreateNetworkInterfacePermission", "ecs:CreateRouteEntry", "ecs:CreateSecurityGroup", "ecs:DeleteNetworkInterface", "ecs:DeleteNetworkInterfacePermission", "ecs:DeleteRouteEntry", "ecs:DeleteSecurityGroup", "ecs:DescribeInstanceAttribute", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes", "ecs:DescribeInstances", "ecs:DescribeInstancesFullStatus", "ecs:DescribeNetworkInterfaceAttribute", "ecs:DescribeNetworkInterfaces", "ecs:DescribeRegions", "ecs:DescribeSecurityGroupAttribute", "ecs:DescribeSecurityGroups", "ecs:DescribeZones", "ecs:DetachNetworkInterface", "ecs:ListTagResources", "ecs:ModifyNetworkInterfaceAttribute", "ecs:RevokeSecurityGroup", "ecs:TagResources", "ecs:UntagResources", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:DescribeRegions", "vpc:DescribeVSwitchAttributes", "vpc:DescribeVSwitches", "vpc:DescribeVpcAttribute", "vpc:DescribeVpcs", "vpc:DescribeZones", "vpc:ListTagResources", "vpc:ModifyBypassToaAttribute", "vpc:TagResources", "vpc:UntagResources", 
"selectdb:DescribeSecurityIPList", "selectdb:ModifySecurityIPList" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "selectdb.aliyuncs.com" } } }, { "Action": [ "kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags", "kms:DescribeKey", "kms:UntagResource", "kms:TagResource", "kms:DescribeAccountKmsStatus" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEqualsIgnoreCase": { "kms:tag/acs:selectdb:instance-encryption": "true" } } }, { "Action": [ "rds:ModifySecurityIps", "rds:DescribeDBInstanceNetInfo", "rds:DescribeDBInstanceIPArrayList" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "arms:CheckServiceStatus", "arms:OpenArmsService", "arms:GetPrometheusApiToken", "arms:OpenVCluster", "arms:ListDashboards" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "slb:AddBackendServers", "slb:AddTags", "slb:AddVServerGroupBackendServers", "slb:CreateLoadBalancer", "slb:CreateLoadBalancerForCloudService", "slb:CreateLoadBalancerHTTPListener", "slb:CreateLoadBalancerHTTPSListener", "slb:CreateLoadBalancerTCPListener", "slb:CreateLoadBalancerUDPListener", "slb:CreateVServerGroup", "slb:DeleteLoadBalancer", "slb:DeleteLoadBalancerListener", "slb:DeleteVServerGroup", "slb:DescribeTags", "slb:DescribeVServerGroups", "slb:DescribeLoadBalancers", "slb:DescribeVServerGroupAttribute", "slb:DescribeLoadBalancerAttribute", "slb:DescribeLoadBalancerHTTPSListenerAttribute", "slb:DescribeLoadBalancerHTTPListenerAttribute", "slb:DescribeLoadBalancerListeners", "slb:DescribeLoadBalancerTCPListenerAttribute", "slb:DescribeLoadBalancerUDPListenerAttribute", "slb:ModifyLoadBalancerInstanceSpec", "slb:ModifyLoadBalancerInternetSpec", "slb:ModifyVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:RemoveTags", 
"slb:DescribeAccessControlLists", "slb:RemoveVServerGroupBackendServers", "slb:SetLoadBalancerHTTPListenerAttribute", "slb:SetLoadBalancerHTTPSListenerAttribute", "slb:SetLoadBalancerTCPListenerAttribute", "slb:SetLoadBalancerUDPListenerAttribute", "slb:SetLoadBalancerModificationProtection", "slb:SetLoadBalancerDeleteProtection", "slb:SetVServerGroupAttribute", "slb:ServiceManagedControl", "slb:StartLoadBalancerListener", "slb:StopLoadBalancerListener", "slb:DeleteAccessControlList", "slb:CreateAccessControlList", "slb:DescribeAccessControlListAttribute", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "pvtz:DescribeUserServiceStatus", "pvtz:DescribeZones" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "bssapi:QueryAvailableInstances" ], "Resource": "*" }, { "Action": "bss:DescribeAcccount", "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "bssapi:CreateInstance" ], "Resource": "*", "Condition": { "StringEquals": { "bssapi:ProductCode": "pvtz", "bssapi:ProductType": [ "pvtzpost" ] } } }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "eipaccess.slb.aliyuncs.com" } } } ], "Version": "1" }
创建服务关联角色
如果您尚未创建云数据库 SelectDB 版服务关联角色AliyunServiceRoleForSelectDB,每次打开云数据库 SelectDB 版产品控制台时,都会弹出开通云数据库SelectDB产品服务的提示框。单击确认开通后,系统将自动为您创建该角色。
未创建服务关联角色AliyunServiceRoleForSelectDB将导致无法正常使用云数据库 SelectDB 版。
删除服务关联角色
您可前往RAM控制台,删除服务关联角色AliyunServiceRoleForSelectDB,具体操作,请参见删除RAM角色。
删除服务关联角色AliyunServiceRoleForSelectDB后,将无法正常使用云数据库 SelectDB 版,请慎重操作。