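This topic describes AliyunServiceRoleForVpn, the service-linked role for VPN Gateway.
Background information
A service-linked role is a RAM role that is associated with a specific cloud service. In some scenarios, a cloud service needs access permissions on other cloud services to deliver one of its features. Service-linked roles let you better manage the permissions that a cloud service needs for normal operation and avoid the risks caused by misoperation. For more information, see Service-linked roles.
Create the service-linked role AliyunServiceRoleForVpn
When you create a VPN gateway, the system automatically creates the service-linked role AliyunServiceRoleForVpn. The role contains a permission policy named AliyunServiceRolePolicyForVpn, which allows the VPN gateway to access other cloud resources. The policy content is as follows.
Note: If the service-linked role already exists in your account, the system does not create it again.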
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ]
}
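Delete the service-linked role AliyunServiceRoleForVpn
FAQ
Why can't my RAM user (sub-account) create the service-linked role AliyunServiceRoleForVpn?
An Alibaba Cloud account (primary account) has permission to create the service-linked role AliyunServiceRoleForVpn by default. A RAM user (sub-account) must be granted the corresponding permission before it can create the service-linked role AliyunServiceRoleForVpn.
Create the following custom policy to grant the RAM user (sub-account) permission to create the service-linked role AliyunServiceRoleForVpn. For details, see Create a custom policy and Grant permissions to a RAM role.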
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
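The custom policy above is safe to hand to a RAM user only because its Condition pins ram:ServiceName to vpn.aliyuncs.com. The following check is an added example, not Alibaba Cloud code: it flags Allow statements that grant ram:CreateServiceLinkedRole without that exact scoping. The function name, the constructed counter-example policy, and the case-insensitive wildcard matching are assumptions made for illustration.

```python
import fnmatch
import json

TARGET_ACTION = "ram:CreateServiceLinkedRole"
EXPECTED_SERVICE = "vpn.aliyuncs.com"

# The custom policy shown on this page, compacted.
PAGE_POLICY = """{"Statement": [{"Action": "ram:CreateServiceLinkedRole",
  "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "vpn.aliyuncs.com"}}}],
  "Version": "1"}"""

# Constructed counter-example: one harmless statement, one grant with no
# Condition, and one wildcard grant that also admits a placeholder service.
CONSTRUCTED_BROAD = """{"Version": "1", "Statement": [
  {"Action": ["vpc:DescribeVSwitchAttributes"], "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
  {"Action": ["ram:*"], "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName":
     ["vpn.aliyuncs.com", "other-service.example"]}}}]}"""


def _as_list(value):
    """Action and condition values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unscoped_slr_statements(policy_text, service=EXPECTED_SERVICE):
    """Return indexes of Allow statements that grant ram:CreateServiceLinkedRole
    without a StringEquals condition limiting ram:ServiceName to `service` only."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: match wildcards ("ram:*", "*") case-insensitively so the
        # check errs on the side of flagging.
        grants = any(fnmatch.fnmatchcase(TARGET_ACTION.lower(), pattern.lower())
                     for pattern in _as_list(stmt.get("Action")))
        allowed = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if grants and allowed != [service]:
            findings.append(index)
    return findings


if __name__ == "__main__":
    print("page policy:", unscoped_slr_statements(PAGE_POLICY))
    print("constructed policy:", unscoped_slr_statements(CONSTRUCTED_BROAD))
```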