Serverless App Engine (SAE) menggunakan peran terkait layanan (SLR) untuk mengakses sumber daya Alibaba Cloud lainnya. Topik ini menjelaskan kasus penggunaan SLR serta cara membuat dan menghapusnya.
Apa itu SLR?
Dalam beberapa skenario, SAE perlu mengakses layanan cloud lain agar berfungsi secara penuh. Misalnya, saat Anda membuat aplikasi, SAE mungkin perlu mengambil informasi tentang sumber daya Anda, seperti Virtual Private Cloud (VPC). SLR memberikan izin yang diperlukan kepada SAE untuk mengakses layanan seperti VPC. Metode ini secara aman mendelegasikan hanya izin yang diperlukan, sehingga mengurangi risiko kesalahan operasional. Kebijakan izin untuk SLR telah ditentukan sebelumnya dan dikelola oleh layanan terkait. Anda tidak dapat memodifikasi atau menghapus kebijakan tersebut, menyambungkan kebijakan tambahan ke peran, maupun melepaskannya. Untuk informasi selengkapnya, lihat Service-linked roles.
Izin SLR
Nama peran: AliyunServiceRoleForSAE
Kebijakan izin: AliyunServiceRolePolicyForSAE
Dokumen kebijakan:
json{
"Version": "1",
"Statement": [
{
"Action": [
"alb:TagResources",
"alb:UnTagResources",
"alb:ListServerGroups",
"alb:ListServerGroupServers",
"alb:AddServersToServerGroup",
"alb:RemoveServersFromServerGroup",
"alb:ReplaceServersInServerGroup",
"alb:CreateLoadBalancer",
"alb:DeleteLoadBalancer",
"alb:UpdateLoadBalancerAttribute",
"alb:UpdateLoadBalancerEdition",
"alb:EnableLoadBalancerAccessLog",
"alb:DisableLoadBalancerAccessLog",
"alb:EnableDeletionProtection",
"alb:DisableDeletionProtection",
"alb:ListLoadBalancers",
"alb:GetLoadBalancerAttribute",
"alb:ListListeners",
"alb:CreateListener",
"alb:GetListenerAttribute",
"alb:UpdateListenerAttribute",
"alb:ListListenerCertificates",
"alb:AssociateAdditionalCertificatesWithListener",
"alb:DissociateAdditionalCertificatesFromListener",
"alb:DeleteListener",
"alb:CreateRule",
"alb:DeleteRule",
"alb:UpdateRuleAttribute",
"alb:CreateRules",
"alb:UpdateRulesAttribute",
"alb:DeleteRules",
"alb:ListRules",
"alb:CreateServerGroup",
"alb:DeleteServerGroup",
"alb:UpdateServerGroupAttribute",
"alb:DescribeZones"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:ListTagResources",
"ecs:TagResources",
"ecs:UnTagResources",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:RevokeSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:ModifySecurityGroupAttribute",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroupEgress",
"ecs:ModifySecurityGroupRule",
"ecs:DescribeSecurityGroupReferences",
"ecs:ModifySecurityGroupPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:AddTags",
"slb:RemoveTags",
"slb:CreateLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:DeleteLoadBalancer",
"slb:SetLoadBalancerStatus",
"slb:SetLoadBalancerName",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:ModifyLoadBalancerPayType",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerTCPListener",
"slb:CreateLoadBalancerUDPListener",
"slb:DeleteLoadBalancerListener",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DescribeLoadBalancerListeners",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:SetListenerAccessControlStatus",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttributes",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeListenerAccessControlAttribute",
"slb:AddListenerWhiteListItem",
"slb:RemoveListenerWhiteListItem",
"slb:AddBackendServers",
"slb:RemoveBackendServers",
"slb:SetBackendServers",
"slb:DescribeHealthStatus",
"slb:UploadServerCertificate",
"slb:DeleteServerCertificate",
"slb:DescribeServerCertificates",
"slb:SetServerCertificateName",
"slb:DescribeRegions",
"slb:CreateVServerGroup",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeVServerGroups",
"slb:AddVServerGroupBackendServers",
"slb:SetVServerGroupAttribute",
"slb:ModifyVServerGroupBackendServers",
"slb:RemoveVServerGroupBackendServers",
"slb:DescribeRules",
"slb:SetRule",
"slb:CreateRules",
"slb:DeleteRules",
"slb:DescribeTags",
"slb:DeleteVServerGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeRegions",
"nas:CreateFileSystem",
"nas:DeleteFileSystem",
"nas:DescribeFileSystems",
"nas:ModifyFileSystem",
"nas:CreateMountTarget",
"nas:DeleteMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:CreateAccessGroup",
"nas:DeleteAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:CreateAccessRule",
"nas:DeleteAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:SetUserVolumeCountLimit"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs",
"vpc:CreateVpc",
"vpc:DescribeZones",
"vpc:CreateVSwitch",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:AllocateEipAddress",
"vpc:ReleaseEipAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cr:GetUserInfo",
"cr:GetRegionList",
"cr:GetNamespaceList",
"cr:GetRepoListByNamespace",
"cr:GetRepoTags",
"cr:GetRepoList",
"cr:GetRepo",
"cr:GetInstanceVpcEndpoint",
"cr:ListNamespace",
"cr:ListInstanceEndpoint",
"cr:CreateNamespace",
"cr:DeleteNamespace",
"cr:UpdateNamespace",
"cr:GetNamespace",
"cr:CreateRepository",
"cr:DeleteRepository",
"cr:UpdateRepository",
"cr:GetRepository",
"cr:ListRepository",
"cr:ListRepositoryTag",
"cr:DeleteRepositoryTag",
"cr:GetRepositoryManifest",
"cr:GetRepositoryLayers",
"cr:PullRepository",
"cr:PushRepository",
"cr:GetAuthorizationToken"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:GetRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "oos.aliyuncs.com"
}
}
},
{
"Action": [
"log:GetLogStore",
"log:ListLogStores",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:UpdateLogStore",
"log:GetCursorOrData",
"log:ListShards",
"log:PostLogStoreLogs",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:GetConfig",
"log:ListConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:GetMachineGroup",
"log:ListMachineGroup",
"log:ListMachines",
"log:ApplyConfigToGroup",
"log:RemoveConfigFromGroup",
"log:GetAppliedMachineGroups",
"log:GetAppliedConfigs",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:CreateProject",
"log:GetProject",
"log:GetIndex",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:GetMachineGroups",
"log:RemoveConfigFromMachineGroup",
"log:DeleteProject"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeUserCertificateList",
"yundun-cert:DescribeUserCertificateDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"bss:DescribePrice",
"bss:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:QueryMetric",
"arms:ListDashboards",
"arms:OpenArmsService",
"arms:ListServerlessTopNApps",
"arms:CreateAlertContact",
"arms:SearchAlertContact",
"arms:UpdateAlertContact",
"arms:DeleteAlertContact",
"arms:CreateAlertContactGroup",
"arms:SearchAlertContactGroup",
"arms:UpdateAlertContactGroup",
"arms:DeleteAlertContactGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oos:ListExecutions",
"oos:StartExecution",
"oos:DeleteExecutions",
"oos:CancelExecution",
"oos:GetTemplate",
"oos:CreateTemplate",
"oos:UpdateTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"mse:CreateApplication",
"mse:RemoveApplication",
"mse:FetchRoutePolicyList",
"mse:AddRoutePolicy",
"mse:UpdateRoutePolicy",
"mse:RemoveRoutePolicy",
"mse:GetServiceDetail",
"mse:GetServiceListPage",
"mse:GetServiceList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"eventbridge:CreateEventBus",
"eventbridge:GetEventBus",
"eventbridge:DeleteEventBus",
"eventbridge:ListEventBuses",
"eventbridge:CreateRule",
"eventbridge:GetRule",
"eventbridge:UpdateRule",
"eventbridge:EnableRule",
"eventbridge:DisableRule",
"eventbridge:DeleteRule",
"eventbridge:ListRules",
"eventbridge:UpdateTargets",
"eventbridge:DeleteTargets",
"eventbridge:ListTargets",
"eventbridge:PutEvents",
"eventbridge:CreateEventSource",
"eventbridge:UpdateEventSource",
"eventbridge:DeleteEventSource",
"eventbridge:ListAliyunOfficialEventSources",
"eventbridge:ListUserDefinedEventSources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"alikafka:ListInstance",
"alikafka:ListTopic"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sae.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "eipaccess.slb.aliyuncs.com"
}
}
}
]
}
Membuat SLR
SAE dapat membuat SLR-nya secara otomatis. Jika SLR belum dibuat, kotak dialog Welcome to Serverless App Engine (SAE) akan muncul saat Anda login ke SAE console. Klik Confirm untuk membuat SLR.
Kotak dialog tersebut menyatakan bahwa peran baru bernama AliyunServiceRoleForSAE dan menggunakan kebijakan AliyunServiceRolePolicyForSAE. Peran ini memungkinkan SAE mengakses sumber daya cloud seperti VPC, RDS, ECS, SLB, Container Registry (ACR), Log Service (SLS), Apsara File Storage (NAS), dan Application Real-Time Monitoring Service (ARMS). Akses ini diperlukan untuk operasi seperti menarik image, mengumpulkan data pemantauan, mengekspor log, dan menyimpan data secara persisten.
Kotak dialog Welcome to Serverless App Engine (SAE) akan terus muncul setiap kali Anda login ke SAE console hingga Anda membuat SLR.
Menghapus SLR
Jika Anda perlu menghapus SLR, Anda harus terlebih dahulu menghapus semua aplikasi yang dideploy oleh Akun Alibaba Cloud di SAE.
-
Setelah Anda menghapus SLR, Anda tidak dapat lagi menggunakan SAE. Lakukan dengan hati-hati.
-
Untuk menggunakan kembali SAE setelah menghapus SLR, login ke SAE console untuk membuatnya ulang. Untuk informasi selengkapnya, lihat Create an SLR.
-
Menghapus aplikasi: Untuk petunjuknya, lihat Delete an application.
-
Menghapus SLR: Untuk petunjuknya, lihat Delete a RAM role.