This topic describes the scenarios in which the service-linked roles of Application Load Balancer (ALB) are used and how to delete these service-linked roles.

Background information

A service-linked role is a RAM role that is associated with a specific cloud service. In some scenarios, a cloud service needs access to other cloud services to complete one of its features. A service-linked role lets you grant exactly the permissions the cloud service needs for normal operation, which reduces the risk introduced by incorrect manual authorization. For more information, see Service-linked roles.

AliyunServiceRoleForAlb

Item: Description
Role name: AliyunServiceRoleForAlb
Role policy: AliyunServiceRolePolicyForAlb
Permissions: Allows ALB to access your elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), Internet Shared Bandwidth instances (common bandwidth packages), and other related services.

ALB relies on cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) to create, delete, and change the configuration of ALB instances.

Authorization policy
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec",
                "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:ModifyEipAddressAttribute",
                "vpc:DeleteIpv6InternetBandwidth",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:MoveResourceGroup",
                "vpc:TagResources",
                "cas:DescribeCACertificate",
                "yundun-waf:DescribeInstanceCompatible",
                "yundun-waf:CreateInstance",
                "eipanycast:AllocateAnycastEipAddress",
                "eipanycast:ModifyAnycastEipAddressAttribute",
                "eipanycast:ReleaseAnycastEipAddress",
                "eipanycast:AssociateAnycastEipAddress",
                "eipanycast:UnassociateAnycastEipAddress",
                "eipanycast:DescribeAnycastEipAddress",
                "eipanycast:ListAnycastEipAddresses"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "alb.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:PutBucket",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetObjectVersion",
                "oss:PutBucketCors"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:oss:*:*:alb-res-backup-*",
                "acs:oss:*:*:alb-res-backup-*/*"
            ]
        }
    ]
}
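The two properties of this policy that matter most for least privilege are that ram:DeleteServiceLinkedRole is pinned to ram:ServiceName alb.aliyuncs.com and that the OSS actions are confined to alb-res-backup-* buckets. The following added Python script (not part of the Alibaba Cloud documentation) audits a policy document of this shape for both properties and lists what is granted on Resource "*"; it assumes a constructed excerpt of the policy embedded inline.

```python
import json
from fnmatch import fnmatchcase

# Constructed excerpt of the AliyunServiceRolePolicyForAlb document quoted above,
# embedded so the audit runs offline; the full policy on this page has the same shape.
POLICY_JSON = """{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:CreateNetworkInterface", "vpc:AllocateEipAddress"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "alb.aliyuncs.com"}}},
    {"Action": ["oss:PutObject", "oss:GetObject"], "Effect": "Allow",
     "Resource": ["acs:oss:*:*:alb-res-backup-*", "acs:oss:*:*:alb-res-backup-*/*"]}
  ]
}"""

def _as_list(value):
    # RAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def load_policy(text=POLICY_JSON):
    return json.loads(text)

def unconditioned_grants(policy, action):
    # Allow statements that grant `action` with no Condition block at all. For
    # ram:DeleteServiceLinkedRole a hit means the role is not pinned to one service.
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and any(fnmatchcase(action, p) for p in _as_list(s.get("Action", [])))]

def actions_on_all_resources(policy):
    # Every action granted with Resource "*" (the ECS/VPC/EIP block on this page).
    actions = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])):
            actions.update(_as_list(s.get("Action", [])))
    return sorted(actions)

def unscoped_actions(policy, action_prefix, resource_prefix):
    # Actions with `action_prefix` whose Resource is not confined to `resource_prefix`.
    bad = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        acts = [a for a in _as_list(s.get("Action", [])) if a.startswith(action_prefix)]
        if acts and not all(r.startswith(resource_prefix) for r in _as_list(s.get("Resource", []))):
            bad.update(acts)
    return sorted(bad)
```

Running the same functions over a copy of the policy with the Condition removed or the OSS Resource widened to "*" flags the weakened statement, which is the check to repeat whenever the policy version changes.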
Conditions for deleting the service-linked role

Before you delete the ALB service-linked role AliyunServiceRoleForAlb, make sure that no ALB instances exist in the region. For more information, see Release an instance.

AliyunServiceRoleForAlbLogDelivery

Item: Description
Role name: AliyunServiceRoleForAlbLogDelivery
Role policy: AliyunServiceRolePolicyForAlbLogDelivery
Permissions: Allows ALB to access your Log Service (SLS) resources.

After you enable access logging for an instance, ALB delivers the logs collected at the underlying layer to the Logstore that you specify.

Authorization policy
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.alb.aliyuncs.com"
        }
      }
    }
  ]
}
Conditions for deleting the service-linked role

Before you delete the ALB service-linked role AliyunServiceRoleForAlbLogDelivery, disable access logging for the instance. For more information, see DisableLoadBalancerAccessLog.