AI網關服務關聯角色是為實現特定功能而設計的預定義RAM角色。本文將介紹AI網關服務關聯角色的應用情境以及如何管理服務關聯角色。
服務關聯角色的應用情境
AliyunServiceRoleForNativeApiGw:當AI網關需要訪問Virtual Private Cloud、Container Service Kubernetes 版、Function Compute FC、Enterprise Distributed Application Service、微服務引擎MSE、Server Load Balancer、負載平衡NLB、Elastic Compute Service、應用即時監控服務ARMS等雲端服務的資源時,可通過自動建立的AI網關服務關聯角色AliyunServiceRoleForNativeApiGw擷取存取權限。
AliyunServiceRoleForNativeApiGwInvokeFC:當AI網關需要調用FC服務時,可通過自動建立的AI網關服務關聯角色AliyunServiceRoleForNativeApiGwInvokeFC完成網關功能。
AliyunServiceRoleForNativeApiGwInvokeKMS:當雲原生API Gateway需要調用密鑰管理KMS服務時,可通過自動建立的雲原生API Gateway服務關聯角色AliyunServiceRoleForNativeApiGwInvokeKMS擷取存取權限。
RAM使用者使用服務關聯角色需要的許可權
如果使用RAM使用者建立或刪除服務關聯角色,必須聯絡管理員為該RAM使用者授予管理員權限(AliyunNativeApiGwFullAccess)或在自訂權限原則的Action語句中為RAM使用者添加以下許可權:
建立服務關聯角色:
ram:CreateServiceLinkedRole
刪除服務關聯角色:
ram:DeleteServiceLinkedRole
關於授權的詳細操作,請參見建立和刪除服務關聯角色所需的許可權。
許可權說明
AliyunServiceRoleForNativeApiGw
AI網關服務關聯角色(AliyunServiceRoleForNativeApiGw)具備的存取權限說明如下:
Virtual Private Cloud
{
"Effect": "Allow",
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:ModifyEipAddressAttribute",
"vpc:ModifyBypassToaAttribute",
"vpc:AddCommonBandwidthPackageIp",
"vpc:RemoveCommonBandwidthPackageIp",
"vpc:TagResources",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcs",
"vpc:CreateVSwitch",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVRouters",
"vpc:DescribeRouteTables",
"vpc:DescribeRouteEntryList"
],
"Resource": "*"
}
Container Service ACK
{
"Effect": "Allow",
"Action": [
"cs:DescribeClusterDetail",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:GetUserConfig",
"cs:DescribeClusterUserKubeconfig",
"cs:GetClusterById",
"cs:GetClustersByUid",
"cs:DescribeClustersV1",
"cs:ListClusters",
"cs:GetClusters",
"cs:DescribeClusterNodePools"
],
"Resource": "*"
}
Function Compute FC
{
"Effect": "Allow",
"Action": [
"fc:ListAliases",
"fc:ListServices",
"fc:ListServiceVersions",
"fc:ListFunctions",
"fc:ListFunctionVersions",
"fc:ListTriggers"
],
"Resource": "*"
}
Enterprise Distributed Application Service
{
"Effect": "Allow",
"Action": [
"edas:ReadNamespace",
"edas:ReadService",
"edas:ListUserDefineRegion"
],
"Resource": "*"
}
微服務引擎MSE
{
"Effect": "Allow",
"Action": [
"mse:ListAnsServices",
"mse:ListEngineNamespaces",
"mse:ListClusters",
"mse:QueryConfig"
],
"Resource": "*"
}
Server Load Balancer
{
"Effect": "Allow",
"Action": [
"slb:SetLoadBalancerName",
"slb:CreateLoadBalancer",
"slb:AddBackendServers",
"slb:SetBackendServers",
"slb:RemoveBackendServers",
"slb:CreateLoadBalancerTCPListener",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateLoadBalancerHTTPListener",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:CreateLoadBalancerHTTPSListener",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DeleteLoadBalancerListener",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeHealthStatus",
"slb:CreateLoadBalancerForCloudService",
"slb:DeleteLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveTags",
"slb:AddTags",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:CreateLoadBalancerUDPListener",
"slb:CreateVServerGroup",
"slb:DeleteVServerGroup",
"slb:SetVServerGroupAttribute",
"slb:ModifyVServerGroupBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveVServerGroupBackendServers",
"slb:SetLoadBalancerModificationProtection",
"slb:SetLoadBalancerDeleteProtection",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeTags",
"slb:DescribeVServerGroups",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeLoadBalancerListeners",
"slb:ListTagResources",
"slb:TagResources",
"slb:UntagResources"
],
"Resource": "*"
}
負載平衡NLB
{
"Effect": "Allow",
"Action": [
"nlb:TagResources",
"nlb:UnTagResources",
"nlb:ListTagResources",
"nlb:CreateLoadBalancer",
"nlb:DeleteLoadBalancer",
"nlb:GetLoadBalancerAttribute",
"nlb:ListLoadBalancers",
"nlb:UpdateLoadBalancerAttribute",
"nlb:UpdateLoadBalancerAddressTypeConfig",
"nlb:UpdateLoadBalancerZones",
"nlb:CreateListener",
"nlb:DeleteListener",
"nlb:ListListeners",
"nlb:UpdateListenerAttribute",
"nlb:StopListener",
"nlb:StartListener",
"nlb:GetListenerAttribute",
"nlb:GetListenerHealthStatus",
"nlb:CreateServerGroup",
"nlb:DeleteServerGroup",
"nlb:UpdateServerGroupAttribute",
"nlb:AddServersToServerGroup",
"nlb:RemoveServersFromServerGroup",
"nlb:UpdateServerGroupServersAttribute",
"nlb:ListServerGroups",
"nlb:ListServerGroupServers",
"nlb:LoadBalancerLeaveSecurityGroup",
"nlb:LoadBalancerJoinSecurityGroup",
"nlb:GetJobStatus",
"nlb:UpdateLoadBalancerProtection"
],
"Resource": "*"
}
Elastic Compute Service
{
"Effect": "Allow",
"Action": [
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:DeleteSecurityGroup",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:DescribeInstances",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AddTags",
"ecs:DescribeEipAddresses",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AssignPrivateIpAddresses",
"ecs:UnassignPrivateIpAddresses",
"ecs:AssignIpv6Addresses",
"ecs:UnassignIpv6Addresses",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ListTagResources"
],
"Resource": "*"
}
應用即時監控服務ARMS
{
"Effect": "Allow",
"Action": [
"arms:OpenArmsService",
"arms:GetAlertRules",
"arms:ReportCustomIncidents",
"arms:AddPrometheusInstance",
"arms:GetAuthToken",
"arms:GetClusterAllUrl",
"arms:OpenArmsServiceSecondVersion",
"arms:CheckServiceStatus",
"arms:OpenVCluster",
"arms:GetPrometheusApiToken",
"arms:ListDashboards",
"arms:GetExploreUrl",
"arms:CreateDefaultCloudProductPrometheusAlertRule",
"arms:ListNotificationPolicies",
"arms:ListDispatchRule",
"arms:CreateDispatchRule",
"arms:CreateOrUpdateNotificationPolicy",
"arms:DescribeContactGroups",
"arms:SearchContactGroup",
"arms:CreatePrometheusAlertRule"
],
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeFC
AI網關服務關聯角色(AliyunServiceRoleForNativeApiGwInvokeFC)具備的存取權限說明如下:
{
"Effect": "Allow",
"Action": "fc:InvokeFunction",
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeKMS
AI網關服務關聯角色(AliyunServiceRoleForNativeApiGwInvokeKMS)具備的存取權限說明如下:
{
"Effect": "Allow",
"Action": [
"kms:ListKmsInstances",
"kms:ListKeys",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:CreateSecret",
"kms:DeleteSecret",
"kms:UpdateSecret",
"kms:DescribeSecret",
"kms:GetSecretValue",
"kms:PutSecretValue",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": "*"
}
查看服務關聯角色
當服務關聯角色建立成功後,您可以在RAM控制台的角色頁面,通過搜尋服務關聯角色名稱(AliyunServiceRoleForNativeApiGw、AliyunServiceRoleForNativeApiGwInvokeFC)查看該服務關聯角色的以下資訊:
基本資料
在AliyunServiceRoleForNativeApiGw或AliyunServiceRoleForNativeApiGwInvokeFC角色詳情頁面的基本資料地區,查看角色基本資料,包括角色名稱、建立時間、角色ARN和備忘等。
權限原則
在AliyunServiceRoleForNativeApiGw或AliyunServiceRoleForNativeApiGwInvokeFC角色詳情頁面的許可權管理頁簽,單擊權限原則名稱,查看權限原則內容以及該角色可授權訪問哪些雲資源。
信任策略
在AliyunServiceRoleForNativeApiGw或AliyunServiceRoleForNativeApiGwInvokeFC角色詳情頁的信任策略管理頁簽,查看信任策略內容。信任策略是描述RAM角色可信實體的策略,可信實體是指可以扮演RAM角色的實體使用者身份。服務關聯角色的可信實體為雲端服務,您可以通過信任策略中的Service欄位查看。
關於如何查看服務關聯角色的詳細操作,請參見查看RAM角色。
刪除服務關聯角色
當長時間不使用AI網關時,可前往RAM控制台手動刪除服務關聯角色。
使用阿里雲帳號登入RAM控制台,在左側導覽列中單擊。
在角色頁面的搜尋方塊輸入您希望刪除的角色名稱(例如AliyunServiceRoleForNativeApiGw)。在搜尋結果中找到目標角色,單擊其操作列下的刪除角色。
在彈出的確認對話方塊中,輸入角色名稱進行二次確認,然後單擊刪除角色。
刪除雲原生API Gateway服務關聯角色後,依賴該角色的功能將無法正常使用,請謹慎刪除。
常見問題
為什麼我的RAM使用者無法自動建立AI網關服務關聯角色(AliyunServiceRoleForNativeApiGw)?
您需要擁有指定的許可權,才能自動建立或刪除AliyunServiceRoleForNativeApiGw。因此,在RAM使用者無法自動建立AliyunServiceRoleForNativeApiGw時,您需要為其添加以下權限原則。
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:主帳號ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
請將主帳號ID替換為您實際的阿里雲帳號ID。
為什麼我的RAM使用者無法自動建立AI網關服務關聯角色(AliyunServiceRoleForNativeApiGwInvokeFC)?
您需要擁有指定的許可權,才能自動建立或刪除AliyunServiceRoleForNativeApiGwInvokeFC。因此,在RAM使用者無法自動建立AliyunServiceRoleForNativeApiGwInvokeFC時,您需要為其添加以下權限原則。
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:主帳號ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"invokefc.nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
請將主帳號ID替換為您實際的阿里雲帳號ID。
相關文檔
更多關於服務關聯角色的資訊,請參見服務關聯角色。