Bastionhost:Authorize Bastionhost to access cloud resources

Last Updated: Mar 31, 2026

Before you can manage servers with Bastionhost, you must authorize it to access other Alibaba Cloud services. The authorization creates the AliyunServiceRoleForBastionhost service-linked role, which grants Bastionhost the permissions it needs to work with Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Relational Database Service (RDS).

Prerequisites

Before you begin, make sure you have:

  • A bastion host. See Purchase a bastion host.

  • An Alibaba Cloud account, or a RAM user with permissions to create and delete service-linked roles (ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole).

Authorize Bastionhost

  1. Log on to the Bastionhost console.

  2. In the Welcome to Bastionhost dialog box, click Create. This dialog box appears only the first time you log on after purchasing a bastion host. When you click Create, Alibaba Cloud automatically creates the AliyunServiceRoleForBastionhost role. After the role is created, your bastion host can access ECS, VPC, and other cloud services for server O&M and audit. To confirm that the role was created, log on to the RAM console, choose Identities > Roles, and search for AliyunServiceRoleForBastionhost.

Service-linked role for Bastionhost

The AliyunServiceRoleForBastionhost role grants Bastionhost the permissions it needs to access other cloud services for O&M tasks.

Note: A service-linked role differs from a regular RAM role. Alibaba Cloud creates and manages it automatically on behalf of Bastionhost, and you cannot modify its name or its permission policy.

Role details:

  • Role name: AliyunServiceRoleForBastionhost

  • Permission policy: AliyunServiceRolePolicyForBastionhost (system policy — name and content are fixed)

The permission policy grants the following access:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceNetInfo",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeImages",
                "ecs:DescribeZones",
                "ecs:DescribeRegions",
                "ecs:DescribeTags",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:CreateSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:ModifySecurityGroupPolicy",
                "ecs:ModifySecurityGroupRule",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DetachNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "bastionhost.aliyuncs.com"
                }
            }
        }
    ]
}
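The following Python script is added here as an example; it is not part of the Bastionhost documentation or of the Bastionhost service. It loads the policy document shown above and summarizes what the role can actually do: it separates read-only Describe calls from mutating ones per service, lists the mutating actions that apply to every resource ("*") with no Condition attached, reports actions that appear more than once, and confirms that ram:DeleteServiceLinkedRole is restricted to bastionhost.aliyuncs.com. Treating the Describe, Get and List prefixes as read-only is a heuristic assumed for this example, not a RAM feature.

```python
"""Audit the AliyunServiceRolePolicyForBastionhost document (example, not Alibaba Cloud code)."""
import json
from collections import defaultdict

# Policy document copied from the page above (system policy; it cannot be edited).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "rds:DescribeDBInstanceNetInfo", "rds:DescribeDBInstances",
            "rds:DescribeDBInstanceAttribute", "ecs:DescribeInstances",
            "ecs:DescribeImages", "ecs:DescribeZones", "ecs:DescribeRegions",
            "ecs:DescribeTags", "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupAttribute", "ecs:AuthorizeSecurityGroup",
            "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupReferences",
            "ecs:CreateSecurityGroup", "ecs:RevokeSecurityGroup",
            "ecs:DeleteSecurityGroup", "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupPolicy", "ecs:ModifySecurityGroupRule",
            "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:DeleteNetworkInterfacePermission", "ecs:DetachNetworkInterface",
            "ecs:AttachNetworkInterface", "ecs:ModifyNetworkInterfaceAttribute"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["vpc:DescribeVpcAttribute", "vpc:DescribeVSwitchAttributes"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": "bastionhost.aliyuncs.com"}}},
    ],
}

# Heuristic assumed for this example: actions with these verb prefixes are read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Summarise what an Allow policy lets a role do.

    Returns per-service sorted lists of read-only and mutating actions, the
    mutating actions allowed on every resource ("*") with no Condition, and
    any action that is listed more than once."""
    read_only = defaultdict(set)
    mutating = defaultdict(set)
    wide_writes = set()
    seen = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unconditional_wide = "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt
        for action in as_list(stmt["Action"]):
            seen.append(action)
            service = action.split(":", 1)[0]
            if is_read_only(action):
                read_only[service].add(action)
            else:
                mutating[service].add(action)
                if unconditional_wide:
                    wide_writes.add(action)
    return {
        "read_only": {s: sorted(a) for s, a in read_only.items()},
        "mutating": {s: sorted(a) for s, a in mutating.items()},
        "unconditional_wide_writes": sorted(wide_writes),
        "duplicates": sorted({a for a in seen if seen.count(a) > 1}),
    }


def slr_deletion_is_scoped(policy, service_name):
    """True if every Allow of ram:DeleteServiceLinkedRole requires ram:ServiceName == service_name."""
    found = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "ram:DeleteServiceLinkedRole" not in as_list(stmt["Action"]):
            continue
        found = True
        allowed = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", []))
        if allowed != [service_name]:
            return False
    return found


if __name__ == "__main__":
    print(json.dumps(audit_policy(POLICY), indent=2))
    print("DeleteServiceLinkedRole scoped to Bastionhost:",
          slr_deletion_is_scoped(POLICY, "bastionhost.aliyuncs.com"))
```

The summary makes the blast radius concrete: the role has only Describe access to RDS and VPC, but it can create, modify, and delete security groups and elastic network interfaces on any ECS resource in the account, with no Condition limiting those 14 write actions. It also shows that ecs:DescribeSecurityGroups is listed twice in the published policy, which is harmless, and that the only RAM permission the role holds is to delete itself on behalf of bastionhost.aliyuncs.com.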

Delete the AliyunServiceRoleForBastionhost role

Before you delete the AliyunServiceRoleForBastionhost role, you must release your bastion host. Then, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find AliyunServiceRoleForBastionhost and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the role name and click Delete Role.

FAQ

The system did not create the AliyunServiceRoleForBastionhost role for my RAM user. What do I do?

Your RAM user lacks the ram:CreateServiceLinkedRole permission for the bastionhost.aliyuncs.com service. Attach the following custom policy to the RAM user, replacing Alibaba Cloud account ID with the ID of your Alibaba Cloud account:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "bastionhost.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

For steps on attaching a policy to a RAM user, see Grant permissions to a RAM user.
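As an added example that is not part of the original page, the Python below renders the policy above with a real account ID and runs a simplified RAM evaluation against it, so you can check before granting it that a RAM user would be allowed to create exactly the Bastionhost service-linked role, and see why a policy scoped to another service or another account does not help. The evaluator implements only Allow/Deny, wildcard matching on Action and Resource, and the StringEquals condition operator; the resource string acs:ram::<account ID>:role/AliyunServiceRoleForBastionhost, the request context key, and the sample account IDs are assumptions made for this example.

```python
"""Check whether a RAM user's policies allow creating the Bastionhost service-linked role
(example, not Alibaba Cloud code; the evaluator is a simplification of RAM's logic)."""
from fnmatch import fnmatchcase

BASTIONHOST_SERVICE = "bastionhost.aliyuncs.com"


def create_slr_policy(account_id, service_name=BASTIONHOST_SERVICE):
    """Render the FAQ policy from the page with the account ID placeholder filled in."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Condition": {"StringEquals": {"ram:ServiceName": [service_name]}},
        }],
    }


def as_list(value):
    """RAM allows Action/Resource/condition values to be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def condition_matches(condition, context):
    """Only StringEquals is implemented; any other operator is treated as not matched."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed in pairs.items():
            if context.get(key) not in as_list(allowed):
                return False
    return True


def is_allowed(policies, action, resource, context):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    granted = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in as_list(stmt.get("Resource", "*"))):
                continue
            if not condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            granted = True
    return granted


def can_create_bastionhost_slr(policies, account_id):
    """Would these policies let a RAM user in account_id create AliyunServiceRoleForBastionhost?

    The resource ARN format and the request context key are assumptions for this example."""
    resource = f"acs:ram::{account_id}:role/AliyunServiceRoleForBastionhost"
    return is_allowed(policies, "ram:CreateServiceLinkedRole", resource,
                      {"ram:ServiceName": BASTIONHOST_SERVICE})


if __name__ == "__main__":
    account = "123456789012345"  # constructed sample account ID
    print("correct policy:", can_create_bastionhost_slr([create_slr_policy(account)], account))
    print("wrong service:", can_create_bastionhost_slr(
        [create_slr_policy(account, "ecs.aliyuncs.com")], account))
    print("no policy:", can_create_bastionhost_slr([], account))
```

The StringEquals condition on ram:ServiceName is what keeps this grant narrow: the user can create service-linked roles only for Bastionhost, not for arbitrary services. Because the evaluator also honours Deny, you can feed it the user's full set of attached policies to find out whether some other policy is the reason the role was not created.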