Before you activate the fully managed Flink service, your account must be assigned the system default role AliyunStreamAsiDefaultRole. This topic describes two methods that can be used to assign the system default role AliyunStreamAsiDefaultRole to an account.

Background information

Note Fully managed Flink can call services, such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Server Load Balancer (SLB), and Application Real-Time Monitoring Service (ARMS), to start the related components of fully managed Flink only after your account is assigned the AliyunStreamAsiDefaultRole role.

Automated authorization

In most cases, you are required to perform automated authorization when you purchase fully managed Flink for the first time.

  1. Log on to the Realtime Compute for Apache Flink console.
  2. Click Purchase under Fully Managed Flink.
  3. On the Authorization Request page, click Authorize in RAM.
  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy in the lower part of the page.
    Note By default, the AliyunStreamAsiDefaultRole role is selected.

Manual authorization (method 1)

If you delete the AliyunStreamAsiDefaultRole role or modify its authorization policies, the fully managed Flink service becomes unavailable. In this case, you can perform the following steps to authorize the role again:

  1. Create a role.
    1. Log on to the Resource Access Management (RAM) console.
    2. In the left-side navigation pane, click RAM Roles.
    3. Click Create RAM Role and enter role information.
      Note The role name must be exactly AliyunStreamAsiDefaultRole. If the role already exists, skip this step. A RAM role is only usable by a service that is allowed to assume it, so the trusted entity you select when you enter the role information must be the fully managed Flink service; a role with the correct policies but a different trust relationship cannot be assumed by the service.
  2. Add an authorization policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. In the RAM Role Name column, find the AliyunStreamAsiDefaultRole role.
    4. Click Input and Attach.
    5. Select Custom Policy as the policy type.
    6. In the Policy Name field, enter the name of the policy to attach.
      Input and Attach attaches an existing policy by name. Create each of the following three custom policies under Permissions > Policies with the name and policy document shown, and then repeat steps 4 to 6 for each of them. All three must be attached to the AliyunStreamAsiDefaultRole role:
      • Policy 1: custom policy (AliyunStreamAsiDefaultRolePolicy0)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "oss:ListBuckets",
                    "Resource": "acs:oss:*:*:*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "ecs:AssociateEipAddress",
                        "ecs:AttachNetworkInterface",
                        "ecs:AuthorizeSecurityGroup",
                        "ecs:AuthorizeSecurityGroupEgress",
                        "ecs:CreateNetworkInterface",
                        "ecs:CreateNetworkInterfacePermission",
                        "ecs:CreateSecurityGroup",
                        "ecs:DeleteNetworkInterface",
                        "ecs:DeleteNetworkInterfacePermission",
                        "ecs:DeleteSecurityGroup",
                        "ecs:DescribeNetworkInterfacePermissions",
                        "ecs:DescribeNetworkInterfaces",
                        "ecs:DescribeSecurityGroupAttribute",
                        "ecs:DescribeSecurityGroupReferences",
                        "ecs:DescribeSecurityGroups",
                        "ecs:DetachNetworkInterface",
                        "ecs:JoinSecurityGroup",
                        "ecs:LeaveSecurityGroup",
                        "ecs:ModifyNetworkInterfaceAttribute",
                        "ecs:ModifySecurityGroupAttribute",
                        "ecs:ModifySecurityGroupPolicy",
                        "ecs:ModifySecurityGroupRule",
                        "ecs:RevokeSecurityGroup",
                        "ecs:RevokeSecurityGroupEgress",
                        "ecs:UnassociateEipAddress"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "arms:ListDashboards"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "vpc:DescribeVpcAttribute",
                        "vpc:DescribeVpcs",
                        "vpc:DescribeVSwitchAttributes",
                        "vpc:DescribeVSwitches",
                        "vpc:DescribeRouteTableList",
                        "vpc:DescribeRouteTables",
                        "vpc:DescribeRouteEntryList",
                        "vpc:DescribeRouterInterfaceAttribute",
                        "vpc:DescribeRouterInterfaces",
                        "vpc:DescribeVRouters"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Policy 2: custom policy (AliyunStreamAsiDefaultRolePolicy1)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "slb:AddBackendServers",
                        "slb:AddListenerWhiteListItem",
                        "slb:AddTags",
                        "slb:AddVServerGroupBackendServers",
                        "slb:CreateLoadBalancer",
                        "slb:CreateLoadBalancerHTTPListener",
                        "slb:CreateLoadBalancerHTTPSListener",
                        "slb:CreateLoadBalancerTCPListener",
                        "slb:CreateLoadBalancerUDPListener",
                        "slb:CreateRules",
                        "slb:CreateVServerGroup",
                        "slb:DeleteLoadBalancer",
                        "slb:DeleteLoadBalancerListener",
                        "slb:DeleteRules",
                        "slb:DeleteServerCertificate",
                        "slb:DeleteVServerGroup",
                        "slb:DescribeHealthStatus",
                        "slb:DescribeListenerAccessControlAttribute",
                        "slb:DescribeLoadBalancerAttribute",
                        "slb:DescribeLoadBalancerHTTPListenerAttribute",
                        "slb:DescribeLoadBalancerHTTPListenerAttributes",
                        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                        "slb:DescribeLoadBalancerTCPListenerAttribute",
                        "slb:DescribeLoadBalancerUDPListenerAttribute",
                        "slb:DescribeLoadBalancers",
                        "slb:DescribeRegions",
                        "slb:DescribeRules",
                        "slb:DescribeServerCertificates",
                        "slb:DescribeTags",
                        "slb:DescribeVServerGroupAttribute",
                        "slb:DescribeVServerGroups",
                        "slb:ModifyLoadBalancerInstanceSpec",
                        "slb:ModifyLoadBalancerInternetSpec",
                        "slb:ModifyLoadBalancerPayType",
                        "slb:RemoveBackendServers",
                        "slb:RemoveListenerWhiteListItem",
                        "slb:RemoveVServerGroupBackendServers",
                        "slb:SetBackendServers",
                        "slb:SetListenerAccessControlStatus",
                        "slb:SetLoadBalancerHTTPListenerAttribute",
                        "slb:SetLoadBalancerHTTPSListenerAttribute",
                        "slb:SetLoadBalancerName",
                        "slb:SetLoadBalancerStatus",
                        "slb:SetLoadBalancerTCPListenerAttribute",
                        "slb:SetLoadBalancerUDPListenerAttribute",
                        "slb:SetRule",
                        "slb:SetServerCertificateName",
                        "slb:SetVServerGroupAttribute",
                        "slb:StartLoadBalancerListener",
                        "slb:StopLoadBalancerListener",
                        "slb:UploadServerCertificate"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
      • Policy 3: custom policy (FlinkServerlessPolicy)
        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "ram:*"
                    ],
                    "Resource": [
                        "acs:ram:*:*:domain/*",
                        "acs:ram:*:*:application/*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }
Note After the preceding role and policies are created, you can activate and use the fully managed Flink service.
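The following script is an editor's example added to this page; it is not Alibaba Cloud code. It audits a set of policy documents against the three policies listed above and reports the two conditions that either break the service (a required action that is no longer allowed) or over-privilege it (the ram:* wildcard widened from its domain/application resource scope to every resource, which would make the service role a RAM administrator). The "attached" documents it checks are constructed inline from the action lists above so that the script runs offline; the healthy set mirrors the three policies exactly, and tampered_copy() builds a deliberately broken variant.

```python
"""Audit the policies attached to AliyunStreamAsiDefaultRole against the
three policy documents on this page.

Added example, not Alibaba Cloud code. The "attached" documents below are
constructed inline from the page's own policies so the script runs offline.
"""
import fnmatch
import json


def _prefixed(prefix, names):
    """Turn a whitespace-separated list of API names into 'service:Action' strings."""
    return [prefix + n for n in names.split()]


# Action lists copied from AliyunStreamAsiDefaultRolePolicy0 and AliyunStreamAsiDefaultRolePolicy1.
ECS_ACTIONS = _prefixed("ecs:", """
    AssociateEipAddress AttachNetworkInterface AuthorizeSecurityGroup AuthorizeSecurityGroupEgress
    CreateNetworkInterface CreateNetworkInterfacePermission CreateSecurityGroup DeleteNetworkInterface
    DeleteNetworkInterfacePermission DeleteSecurityGroup DescribeNetworkInterfacePermissions
    DescribeNetworkInterfaces DescribeSecurityGroupAttribute DescribeSecurityGroupReferences
    DescribeSecurityGroups DetachNetworkInterface JoinSecurityGroup LeaveSecurityGroup
    ModifyNetworkInterfaceAttribute ModifySecurityGroupAttribute ModifySecurityGroupPolicy
    ModifySecurityGroupRule RevokeSecurityGroup RevokeSecurityGroupEgress UnassociateEipAddress""")
VPC_ACTIONS = _prefixed("vpc:", """
    DescribeVpcAttribute DescribeVpcs DescribeVSwitchAttributes DescribeVSwitches DescribeRouteTableList
    DescribeRouteTables DescribeRouteEntryList DescribeRouterInterfaceAttribute DescribeRouterInterfaces
    DescribeVRouters""")
SLB_ACTIONS = _prefixed("slb:", """
    AddBackendServers AddListenerWhiteListItem AddTags AddVServerGroupBackendServers CreateLoadBalancer
    CreateLoadBalancerHTTPListener CreateLoadBalancerHTTPSListener CreateLoadBalancerTCPListener
    CreateLoadBalancerUDPListener CreateRules CreateVServerGroup DeleteLoadBalancer
    DeleteLoadBalancerListener DeleteRules DeleteServerCertificate DeleteVServerGroup DescribeHealthStatus
    DescribeListenerAccessControlAttribute DescribeLoadBalancerAttribute
    DescribeLoadBalancerHTTPListenerAttribute DescribeLoadBalancerHTTPListenerAttributes
    DescribeLoadBalancerHTTPSListenerAttribute DescribeLoadBalancerTCPListenerAttribute
    DescribeLoadBalancerUDPListenerAttribute DescribeLoadBalancers DescribeRegions DescribeRules
    DescribeServerCertificates DescribeTags DescribeVServerGroupAttribute DescribeVServerGroups
    ModifyLoadBalancerInstanceSpec ModifyLoadBalancerInternetSpec ModifyLoadBalancerPayType
    RemoveBackendServers RemoveListenerWhiteListItem RemoveVServerGroupBackendServers SetBackendServers
    SetListenerAccessControlStatus SetLoadBalancerHTTPListenerAttribute
    SetLoadBalancerHTTPSListenerAttribute SetLoadBalancerName SetLoadBalancerStatus
    SetLoadBalancerTCPListenerAttribute SetLoadBalancerUDPListenerAttribute SetRule
    SetServerCertificateName SetVServerGroupAttribute StartLoadBalancerListener StopLoadBalancerListener
    UploadServerCertificate""")
# Everything the role must be able to do. "ram:*" stays a pattern because the page grants
# the wildcard (scoped by Resource) instead of naming individual RAM actions.
REQUIRED_ACTIONS = (["oss:ListBuckets", "arms:ListDashboards"] + ECS_ACTIONS + VPC_ACTIONS
                    + SLB_ACTIONS + ["ram:*"])


def allow_statement(actions, resource="*"):
    return {"Action": actions, "Resource": resource, "Effect": "Allow"}


# Constructed stand-in for the PolicyDocument of each attached policy (mirrors the page).
HEALTHY = {
    "AliyunStreamAsiDefaultRolePolicy0": {"Version": "1", "Statement": [
        allow_statement("oss:ListBuckets", "acs:oss:*:*:*"),
        allow_statement(ECS_ACTIONS + ["arms:ListDashboards"] + VPC_ACTIONS)]},
    "AliyunStreamAsiDefaultRolePolicy1": {"Version": "1", "Statement": [allow_statement(SLB_ACTIONS)]},
    "FlinkServerlessPolicy": {"Version": "1", "Statement": [
        allow_statement(["ram:*"], ["acs:ram:*:*:domain/*", "acs:ram:*:*:application/*"])]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def allow_grants(docs):
    """Yield (action, resource) for every Allow statement in every policy document."""
    for doc in docs.values():
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt.get("Resource", "*")):
                    yield action, resource


def missing_actions(docs, required=REQUIRED_ACTIONS):
    """Required actions that no Allow grant covers. RAM matches actions case-insensitively
    and honours '*' in the Action element, so a grant of 'ecs:*' satisfies every ecs action."""
    patterns = [action.lower() for action, _ in allow_grants(docs)]
    return sorted(a for a in required if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))


def unscoped_wildcards(docs):
    """Wildcard actions granted on every resource. The page's ram:* is scoped to domain/* and
    application/*; widening that Resource to '*' would make the service role a RAM administrator."""
    return sorted((a, r) for a, r in allow_grants(docs)
                  if "*" in a and (r == "*" or r.endswith(":*:*:*")))


def audit(docs):
    return {"missing": missing_actions(docs), "unscoped_wildcards": unscoped_wildcards(docs)}


def tampered_copy(docs):
    """Constructed failure case: one ECS action removed and ram:* widened to all resources."""
    bad = json.loads(json.dumps(docs))
    bad["AliyunStreamAsiDefaultRolePolicy0"]["Statement"][1]["Action"].remove("ecs:CreateNetworkInterface")
    bad["FlinkServerlessPolicy"]["Statement"][0]["Resource"] = "*"
    return bad


if __name__ == "__main__":
    for label, docs in (("healthy", HEALTHY), ("tampered", tampered_copy(HEALTHY))):
        print(label, json.dumps(audit(docs)))
```

To audit a live account, replace HEALTHY with real documents: the RAM API operation ListPoliciesForRole returns the names and types of the policies attached to AliyunStreamAsiDefaultRole, and GetPolicyVersion returns each policy's current PolicyDocument as a JSON string that json.loads() turns into the shape the functions above expect. An empty "missing" list and an empty "unscoped_wildcards" list means the role still matches this page; anything else is the condition under which the two manual authorization methods apply.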

Manual authorization (method 2)

If you delete the AliyunStreamAsiDefaultRole role or modify its authorization policies, the fully managed Flink service becomes unavailable. In this case, you can perform the following steps to delete the Resource Orchestration Service (ROS) stacks, the RAM role, and the RAM policies that the automated authorization created. Then, log on to the Realtime Compute for Apache Flink console and perform authorization again.

  1. Delete the ROS stacks.
    1. Log on to the ROS console.
    2. In the left-side navigation pane, click Stacks.
    3. In the top navigation bar, change the region to China (Hangzhou).
    4. In the search box next to Stack Name, enter FlinkServerlessStack and FlinkOnAckStack separately. Then, click the Search icon.
      Note
      • FlinkServerlessStack: the name of the ROS stack of fully managed Flink
      • FlinkOnAckStack: the name of the ROS stack of Container Service for Kubernetes (ACK)
    5. Find the stack that you want to delete, and click Delete in the Actions column. In the dialog box that appears, click OK.
  2. Delete the RAM role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. In the search box, enter AliyunStreamAsiDefaultRole.
    4. In the Actions column, click Delete. In the dialog box that appears, click OK.
      Note RAM does not delete a role that still has policies attached. Before you delete the role, click the AliyunStreamAsiDefaultRole name to go to the role details page and remove all attached permissions.
  3. Delete the RAM policy.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Permissions > Policies.
    3. In the search box, enter AliyunStreamAsiDefaultRolePolicy0, AliyunStreamAsiDefaultRolePolicy1, and FlinkServerlessPolicy separately.
    4. In the Actions column, click Delete. In the dialog box that appears, click OK.
  4. In the Realtime Compute for Apache Flink console, perform authorization again.
    1. Log on to the Realtime Compute for Apache Flink console.
    2. Click Purchase below Fully Managed Flink.
    3. On the Authorization Request page, click Authorize in RAM.
    4. In the lower part of the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

Permission description

  • Permissions on ECS resources
    Before you can access the console over the Internet, you must activate Elastic IP Address (EIP) by using your account. Before you can connect resources in a VPC, you must create elastic network interfaces (ENIs) in the VPC. These ENIs are added to the dedicated security group of fully managed Flink. Therefore, the fully managed Flink service must have the operation permissions on the EIP, the security group, and the ENIs.
    Notice You are charged a data transfer fee for an EIP that is used for access over the Internet.
    Permission (Action) Description
    ecs:AssociateEipAddress Associates an EIP with the ENI so that fully managed Flink can be accessed over the Internet.
    ecs:AttachNetworkInterface Allows fully managed Flink to bind your ENI to the resource pool of fully managed Flink.
    ecs:AuthorizeSecurityGroup Fully managed Flink creates a security group. This permission is required to add an inbound rule to the security group.
    ecs:AuthorizeSecurityGroupEgress Fully managed Flink creates a security group. This permission is required to add an outbound rule to the security group.
    ecs:CreateNetworkInterface Allows fully managed Flink to create an ENI in your VPC and allows fully managed Flink to connect to your VPC.
    ecs:CreateNetworkInterfacePermission Allows fully managed Flink to bind your ENI.
    ecs:CreateSecurityGroup Fully managed Flink creates a security group. This permission is required to create the security group.
    ecs:DeleteNetworkInterface Deletes the ENIs of the related resources after a task of Fully managed Flink is complete.
    ecs:DeleteNetworkInterfacePermission Allows fully managed Flink to unbind your ENI.
    ecs:DeleteSecurityGroup Fully managed Flink creates a security group. This permission is required to delete the security group.
    ecs:DescribeNetworkInterfacePermissions Allows fully managed Flink to query the ENI attachment permissions that were granted with ecs:CreateNetworkInterfacePermission.
    ecs:DescribeNetworkInterfaces Allows fully managed Flink to query ENIs.
    ecs:DescribeSecurityGroupAttribute Allows fully managed Flink to query the security group rules of a security group.
    ecs:DescribeSecurityGroupReferences Allows fully managed Flink to query security groups and security group-level authorization.
    ecs:DescribeSecurityGroups Allows fully managed Flink to query basic information about the created security groups.
    ecs:DetachNetworkInterface Allows fully managed Flink to unbind your ENI from the resource pool of fully managed Flink.
    ecs:JoinSecurityGroup Allows fully managed Flink to add ENIs to the specified security group.
    ecs:LeaveSecurityGroup Allows fully managed Flink to remove ENIs from the specified security group.
    ecs:ModifyNetworkInterfaceAttribute Allows fully managed Flink to modify information about an ENI, such as the name, the description, and the security group to which the ENI belongs.
    ecs:ModifySecurityGroupAttribute Allows fully managed Flink to change the name or description of a security group.
    ecs:ModifySecurityGroupPolicy Allows fully managed Flink to modify the access control policy within the security group.
    ecs:ModifySecurityGroupRule Allows fully managed Flink to modify the descriptions of security group inbound rules.
    ecs:RevokeSecurityGroup Allows fully managed Flink to delete a security group inbound rule.
    ecs:RevokeSecurityGroupEgress Allows fully managed Flink to delete a security group outbound rule.
    ecs:UnassociateEipAddress Allows fully managed Flink to disassociate EIPs from the ENIs.
  • Permissions on SLB resources
    Before you can access the console of fully managed Flink over the Internet, you must activate pay-as-you-go SLB by using your account. The role must therefore be granted the permissions to manage the SLB instances that fully managed Flink creates.
    Notice You are charged additional fees for pay-as-you-go SLB.
    Permission (Action) Description
    slb:AddBackendServers Allows fully managed Flink to change the backend of SLB.
    slb:AddListenerWhiteListItem Allows fully managed Flink to add an IP address to the access whitelist of a listener.
    slb:AddTags Allows fully managed Flink to add tags to the specified SLB instance.
    slb:AddVServerGroupBackendServers Allows fully managed Flink to add backend servers to the specified backend server group.
    slb:CreateLoadBalancer Allows fully managed Flink to create an SLB instance.
    slb:CreateLoadBalancerHTTPListener Allows fully managed Flink to create an HTTP listener.
    slb:CreateLoadBalancerHTTPSListener Allows fully managed Flink to create an HTTPS listener.
    slb:CreateLoadBalancerTCPListener Allows fully managed Flink to create a TCP listener.
    slb:CreateLoadBalancerUDPListener Allows fully managed Flink to create a UDP listener.
    slb:CreateRules Allows fully managed Flink to create routing methods for the specified HTTP or HTTPS listener.
    slb:CreateVServerGroup Allows fully managed Flink to add backend server groups and add backend servers to the specified backend server group.
    slb:DeleteLoadBalancer Allows fully managed Flink to delete an SLB instance.
    slb:DeleteLoadBalancerListener Allows fully managed Flink to delete a backend listener.
    slb:DeleteRules Allows fully managed Flink to delete the routing methods of the specified HTTP or HTTPS listener.
    slb:DeleteVServerGroup Allows fully managed Flink to delete a server group.
    slb:DescribeHealthStatus Allows fully managed Flink to query the health status of backend servers.
    slb:DescribeListenerAccessControlAttribute Allows fully managed Flink to query the whitelist configurations of the specified SLB listener.
    slb:DescribeLoadBalancerAttribute Allows fully managed Flink to query the details about the specified SLB instance.
    slb:DescribeLoadBalancerHTTPListenerAttribute Allows fully managed Flink to query the configurations of an HTTP listener.
    slb:DescribeLoadBalancerHTTPSListenerAttribute Allows fully managed Flink to query the configurations of an HTTPS listener.
    slb:DescribeLoadBalancerTCPListenerAttribute Allows fully managed Flink to query the configurations of a TCP listener.
    slb:DescribeLoadBalancerUDPListenerAttribute Allows fully managed Flink to query the configurations of a UDP listener.
    slb:DescribeLoadBalancers Allows fully managed Flink to query the created SLB instances.
    slb:DescribeRegions Allows fully managed Flink to query the regions of available SLB instances.
    slb:DescribeRules Allows fully managed Flink to query the routing methods that are configured for the specified listener.
    slb:DescribeTags Allows fully managed Flink to query the list of tags.
    slb:DescribeVServerGroupAttribute Allows fully managed Flink to query the details about a server group.
    slb:DescribeVServerGroups Allows fully managed Flink to query the list of server groups.
    slb:ModifyLoadBalancerInstanceSpec Allows fully managed Flink to change the instance specification of an SLB instance.
    slb:ModifyLoadBalancerInternetSpec Allows fully managed Flink to change the metering method of an Internet-facing SLB instance. The metering method can be pay-by-data-transfer or pay-by-bandwidth.
    slb:ModifyLoadBalancerPayType Allows fully managed Flink to change the billing method of an Internet-facing SLB instance. The billing method can be pay-as-you-go or subscription.
    slb:RemoveBackendServers Allows fully managed Flink to remove backend servers.
    slb:RemoveListenerWhiteListItem Allows fully managed Flink to delete an IP address from the whitelist of a listener.
    slb:RemoveVServerGroupBackendServers Allows fully managed Flink to remove backend servers from the specified backend server group.
    slb:SetBackendServers Allows fully managed Flink to specify the backend server weight.
    slb:SetListenerAccessControlStatus Allows fully managed Flink to specify whether to enable the whitelist of the specified listener for access control.
    slb:SetLoadBalancerHTTPListenerAttribute Allows fully managed Flink to modify the configurations of an HTTP listener.
    slb:SetLoadBalancerHTTPSListenerAttribute Allows fully managed Flink to modify the configurations of an HTTPS listener.
    slb:SetLoadBalancerName Allows fully managed Flink to specify the name of an SLB instance.
    slb:SetLoadBalancerStatus Allows fully managed Flink to specify the status of an SLB instance.
    slb:SetLoadBalancerTCPListenerAttribute Allows fully managed Flink to modify the configurations of a TCP listener.
    slb:SetLoadBalancerUDPListenerAttribute Allows fully managed Flink to modify the configurations of a UDP listener.
    slb:SetRule Allows fully managed Flink to modify the routing methods of a vServer.
    slb:SetServerCertificateName Allows fully managed Flink to specify the name of a server certificate.
    slb:SetVServerGroupAttribute Allows fully managed Flink to modify the configurations of a vServer group.
    slb:StartLoadBalancerListener Allows fully managed Flink to start the specified listener.
    slb:StopLoadBalancerListener Allows fully managed Flink to stop the specified listener.
  • Permissions on OSS resources
    Fully managed Flink needs to list the OSS buckets in the selected region so that you can choose one when you configure the service.
    Permission (Action) Description
    oss:ListBuckets Allows fully managed Flink to view the list of OSS buckets.
  • Permissions on ARMS resources
    ARMS is activated for you. The metrics of fully managed Flink are stored in ARMS.
    Notice You can store fully managed Flink-related metrics in ARMS free of charge.
    Permission (Action) Description
    arms:ListDashboards Allows fully managed Flink to view the ARMS dashboard.
  • Permissions on VPC resources
    When you activate fully managed Flink, read-only Describe permissions on resources in the VPC are required. None of these actions changes the VPC.
    Permission (Action) Description
    vpc:DescribeVpcAttribute Allows fully managed Flink to query the configuration information about the specified VPC.
    vpc:DescribeVpcs Allows fully managed Flink to query the created VPCs.
    vpc:DescribeVSwitchAttributes Allows fully managed Flink to query information about the specified vSwitch.
    vpc:DescribeVSwitches Allows fully managed Flink to query the created vSwitches.
    vpc:DescribeRouteTableList Allows fully managed Flink to query the list of route tables.
    vpc:DescribeRouteTables Allows fully managed Flink to query the specified route table.
    vpc:DescribeRouteEntryList Allows fully managed Flink to query the list of route entries in a route table.
    vpc:DescribeRouterInterfaceAttribute Allows fully managed Flink to query the configurations of the router interface.
    vpc:DescribeRouterInterfaces Allows fully managed Flink to query router interfaces.
    vpc:DescribeVRouters Allows fully managed Flink to query the list of vRouters in the specified region.
  • Permissions on RAM resources
    When you activate fully managed Flink, permissions on RAM resources are required to configure resources.
    Permission (Action) Description
    ram:* Allows fully managed Flink to create, delete, modify, and query RAM domains and applications. The action is a wildcard, but the Resource element of FlinkServerlessPolicy limits it to acs:ram:*:*:domain/* and acs:ram:*:*:application/*. Do not widen that Resource to *, because that would give the service role full control over every RAM user, role, and policy in the account.