Service-linked roles

  • Permission management
  • Published 2025-04-17

Serverless App Engine (SAE) obtains access to other cloud resources through a service-linked role (SLR). This topic describes what the SLR is used for, exactly which permissions it carries, and how to create and delete it.

What is an SLR

In some scenarios SAE needs access to other cloud services in order to carry out one of its own functions. For example, when you create an application, SAE must read information about your Virtual Private Cloud (VPC); it obtains that access to VPC and the other products through the SLR. An SLR makes it easier to grant exactly the permissions a cloud service needs to operate and avoids the risk of a mistaken manual grant. The SLR's permission policy is defined and used by the linked cloud service: you cannot modify or delete the policy, and you cannot attach permissions to or detach them from the SLR. Two points matter when you review the policy below: every statement grants its actions on Resource "*", so within the listed services the role is account-wide, and what bounds it is the trust policy, which allows only the SAE service (sae.aliyuncs.com) to assume the role. Anything running inside SAE that can make the service act on its behalf therefore inherits this reach, which is why the ram:PassRole statement is restricted by condition to the OOS service. For more information, see Service-linked roles.

SLR permissions

Role name: AliyunServiceRoleForSAE

Role permission policy: AliyunServiceRolePolicyForSAE

Permission policy document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "alb:TagResources",
                "alb:UnTagResources",
                "alb:ListServerGroups",
                "alb:ListServerGroupServers",
                "alb:AddServersToServerGroup",
                "alb:RemoveServersFromServerGroup",
                "alb:ReplaceServersInServerGroup",
                "alb:CreateLoadBalancer",
                "alb:DeleteLoadBalancer",
                "alb:UpdateLoadBalancerAttribute",
                "alb:UpdateLoadBalancerEdition",
                "alb:EnableLoadBalancerAccessLog",
                "alb:DisableLoadBalancerAccessLog",
                "alb:EnableDeletionProtection",
                "alb:DisableDeletionProtection",
                "alb:ListLoadBalancers",
                "alb:GetLoadBalancerAttribute",
                "alb:ListListeners",
                "alb:CreateListener",
                "alb:GetListenerAttribute",
                "alb:UpdateListenerAttribute",
                "alb:ListListenerCertificates",
                "alb:AssociateAdditionalCertificatesWithListener",
                "alb:DissociateAdditionalCertificatesFromListener",
                "alb:DeleteListener",
                "alb:CreateRule",
                "alb:DeleteRule",
                "alb:UpdateRuleAttribute",
                "alb:CreateRules",
                "alb:UpdateRulesAttribute",
                "alb:DeleteRules",
                "alb:ListRules",
                "alb:CreateServerGroup",
                "alb:DeleteServerGroup",
                "alb:UpdateServerGroupAttribute",
                "alb:DescribeZones"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:ListTagResources",
                "ecs:TagResources",
                "ecs:UnTagResources",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:ModifySecurityGroupRule",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:AddTags",
                "slb:RemoveTags",
                "slb:CreateLoadBalancer",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:DeleteLoadBalancer",
                "slb:SetLoadBalancerStatus",
                "slb:SetLoadBalancerName",
                "slb:DescribeLoadBalancers",
                "slb:DescribeLoadBalancerAttribute",
                "slb:ModifyLoadBalancerPayType",
                "slb:ModifyLoadBalancerInstanceSpec",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:CreateLoadBalancerTCPListener",
                "slb:CreateLoadBalancerUDPListener",
                "slb:DeleteLoadBalancerListener",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:DescribeLoadBalancerListeners",
                "slb:SetLoadBalancerHTTPListenerAttribute",
                "slb:SetLoadBalancerHTTPSListenerAttribute",
                "slb:SetLoadBalancerTCPListenerAttribute",
                "slb:SetLoadBalancerUDPListenerAttribute",
                "slb:SetListenerAccessControlStatus",
                "slb:DescribeLoadBalancerHTTPListenerAttribute",
                "slb:DescribeLoadBalancerHTTPListenerAttributes",
                "slb:DescribeLoadBalancerHTTPSListenerAttribute",
                "slb:DescribeLoadBalancerTCPListenerAttribute",
                "slb:DescribeLoadBalancerUDPListenerAttribute",
                "slb:DescribeListenerAccessControlAttribute",
                "slb:AddListenerWhiteListItem",
                "slb:RemoveListenerWhiteListItem",
                "slb:AddBackendServers",
                "slb:RemoveBackendServers",
                "slb:SetBackendServers",
                "slb:DescribeHealthStatus",
                "slb:UploadServerCertificate",
                "slb:DeleteServerCertificate",
                "slb:DescribeServerCertificates",
                "slb:SetServerCertificateName",
                "slb:DescribeRegions",
                "slb:CreateVServerGroup",
                "slb:DescribeVServerGroupAttribute",
                "slb:DescribeVServerGroups",
                "slb:AddVServerGroupBackendServers",
                "slb:SetVServerGroupAttribute",
                "slb:ModifyVServerGroupBackendServers",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DescribeRules",
                "slb:SetRule",
                "slb:CreateRules",
                "slb:DeleteRules",
                "slb:DescribeTags",
                "slb:DeleteVServerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "nas:DescribeRegions",
                "nas:CreateFileSystem",
                "nas:DeleteFileSystem",
                "nas:DescribeFileSystems",
                "nas:ModifyFileSystem",
                "nas:CreateMountTarget",
                "nas:DeleteMountTarget",
                "nas:DescribeMountTargets",
                "nas:ModifyMountTarget",
                "nas:CreateAccessGroup",
                "nas:DeleteAccessGroup",
                "nas:DescribeAccessGroups",
                "nas:ModifyAccessGroup",
                "nas:CreateAccessRule",
                "nas:DeleteAccessRule",
                "nas:DescribeAccessRules",
                "nas:ModifyAccessRule",
                "nas:SetUserVolumeCountLimit"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:CreateVpc",
                "vpc:DescribeZones",
                "vpc:CreateVSwitch",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeEipAddresses",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:ReleaseEipAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cr:GetUserInfo",
                "cr:GetRegionList",
                "cr:GetNamespaceList",
                "cr:GetRepoListByNamespace",
                "cr:GetRepoTags",
                "cr:GetRepoList",
                "cr:GetRepo",
                "cr:GetInstanceVpcEndpoint",
                "cr:ListNamespace",
                "cr:ListInstanceEndpoint",
                "cr:CreateNamespace",
                "cr:DeleteNamespace",
                "cr:UpdateNamespace",
                "cr:GetNamespace",
                "cr:CreateRepository",
                "cr:DeleteRepository",
                "cr:UpdateRepository",
                "cr:GetRepository",
                "cr:ListRepository",
                "cr:ListRepositoryTag",
                "cr:DeleteRepositoryTag",
                "cr:GetRepositoryManifest",
                "cr:GetRepositoryLayers",
                "cr:PullRepository",
                "cr:PushRepository",
                "cr:GetAuthorizationToken"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "oos.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:DeleteLogStore",
                "log:UpdateLogStore",
                "log:GetCursorOrData",
                "log:ListShards",
                "log:PostLogStoreLogs",
                "log:CreateConfig",
                "log:UpdateConfig",
                "log:DeleteConfig",
                "log:GetConfig",
                "log:ListConfig",
                "log:CreateMachineGroup",
                "log:UpdateMachineGroup",
                "log:DeleteMachineGroup",
                "log:GetMachineGroup",
                "log:ListMachineGroup",
                "log:ListMachines",
                "log:ApplyConfigToGroup",
                "log:RemoveConfigFromGroup",
                "log:GetAppliedMachineGroups",
                "log:GetAppliedConfigs",
                "log:GetLogStoreLogs",
                "log:GetLogStoreHistogram",
                "log:CreateProject",
                "log:GetProject",
                "log:GetIndex",
                "log:CreateIndex",
                "log:DeleteIndex",
                "log:UpdateIndex",
                "log:GetMachineGroups",
                "log:RemoveConfigFromMachineGroup",
                "log:DeleteProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "yundun-cert:DescribeUserCertificateList",
                "yundun-cert:DescribeUserCertificateDetail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "bss:DescribePrice",
                "bss:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:QueryMetric",
                "arms:ListDashboards",
                "arms:OpenArmsService",
                "arms:ListServerlessTopNApps",
                "arms:CreateAlertContact",
                "arms:SearchAlertContact",
                "arms:UpdateAlertContact",
                "arms:DeleteAlertContact",
                "arms:CreateAlertContactGroup",
                "arms:SearchAlertContactGroup",
                "arms:UpdateAlertContactGroup",
                "arms:DeleteAlertContactGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oos:ListExecutions",
                "oos:StartExecution",
                "oos:DeleteExecutions",
                "oos:CancelExecution",
                "oos:GetTemplate",
                "oos:CreateTemplate",
                "oos:UpdateTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "mse:CreateApplication",
                "mse:RemoveApplication",
                "mse:FetchRoutePolicyList",
                "mse:AddRoutePolicy",
                "mse:UpdateRoutePolicy",
                "mse:RemoveRoutePolicy",
                "mse:GetServiceDetail",
                "mse:GetServiceListPage",
                "mse:GetServiceList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses",
                "eventbridge:CreateRule",
                "eventbridge:GetRule",
                "eventbridge:UpdateRule",
                "eventbridge:EnableRule",
                "eventbridge:DisableRule",
                "eventbridge:DeleteRule",
                "eventbridge:ListRules",
                "eventbridge:UpdateTargets",
                "eventbridge:DeleteTargets",
                "eventbridge:ListTargets",
                "eventbridge:PutEvents",
                "eventbridge:CreateEventSource",
                "eventbridge:UpdateEventSource",
                "eventbridge:DeleteEventSource",
                "eventbridge:ListAliyunOfficialEventSources",
                "eventbridge:ListUserDefinedEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alikafka:ListInstance",
                "alikafka:ListTopic"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sae.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "eipaccess.slb.aliyuncs.com"
                }
            }
        }
    ]
}
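A policy this long is easier to review when it is summarised rather than read action by action. The script below is an added example for this page, not code from SAE or from the original document. It groups the Allow actions by service, splits them into read and write by verb prefix (a heuristic assumed for the example), counts statements that grant Resource "*" with no Condition, and extracts which service principals ram:PassRole may hand a role to. The embedded SAMPLE_POLICY is an abbreviated excerpt of the policy above, constructed for the example; pass the full document as a file path to audit it instead.

```python
"""Audit a RAM permission policy (e.g. AliyunServiceRolePolicyForSAE) for
least-privilege review: which services, which mutating actions, which
unconditioned wildcard grants, and where ram:PassRole may pass a role to."""
import json
import sys
from collections import defaultdict

# Verb prefixes treated as read-only; anything else counts as a write.
# Assumption for this example: action names are Verb+Noun and these verbs
# do not change state.
READ_PREFIXES = ("Describe", "Get", "List", "Search", "Query", "Fetch")

# Actions that deserve a reviewer's eye regardless of verb.
SENSITIVE = {"ram:PassRole", "ram:CreateServiceLinkedRole",
             "ram:DeleteServiceLinkedRole"}

# Abbreviated excerpt of the SAE SLR policy on this page, constructed for
# the example; the real document has many more actions per service.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["alb:ListLoadBalancers", "alb:CreateLoadBalancer",
                    "alb:DeleteLoadBalancer"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
                    "ecs:AuthorizeSecurityGroupEgress"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ram:GetRole"], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "sae.aliyuncs.com"}}},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals":
                       {"ram:ServiceName": "eipaccess.slb.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    """RAM accepts a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def load_policy(path):
    """Read a policy document from a JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_policy(doc):
    """Summarise Allow statements: actions per service split read/write,
    sensitive actions with their conditions, and wildcard grants that carry
    no Condition at all. Deny statements are ignored."""
    services = defaultdict(lambda: {"read": set(), "write": set()})
    sensitive = []
    wildcard_unconditioned = 0
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition")
        if "*" in _as_list(stmt.get("Resource", [])) and not condition:
            wildcard_unconditioned += 1
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            kind = "read" if name.startswith(READ_PREFIXES) else "write"
            services[service][kind].add(action)
            if action in SENSITIVE:
                sensitive.append({"action": action, "condition": condition})
    return {
        "services": {s: {k: sorted(v) for k, v in kinds.items()}
                     for s, kinds in services.items()},
        "sensitive": sensitive,
        "wildcard_unconditioned_statements": wildcard_unconditioned,
    }


def passrole_services(doc):
    """Service principals the role may pass roles to. An unconditioned
    ram:PassRole is reported as '*' (any role to any service)."""
    allowed = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "ram:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "acs:Service" in equals:
            allowed.update(_as_list(equals["acs:Service"]))
        else:
            allowed.add("*")
    return allowed


def write_services(report):
    """Services on which the role holds at least one mutating action."""
    return sorted(s for s, k in report["services"].items() if k["write"])


if __name__ == "__main__":
    policy = load_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_POLICY
    report = audit_policy(policy)
    for service, kinds in sorted(report["services"].items()):
        print(f"{service}: {len(kinds['read'])} read, {len(kinds['write'])} write")
    print("write-capable services:", ", ".join(write_services(report)))
    print("Resource '*' statements with no Condition:",
          report["wildcard_unconditioned_statements"])
    print("ram:PassRole allowed to:", ", ".join(sorted(passrole_services(policy))))
    for entry in report["sensitive"]:
        print("sensitive:", entry["action"], "condition:", entry["condition"])
```

Run against the full policy, the write list is the honest statement of blast radius: every service that appears there can be created in, reconfigured or deleted from by anything able to act as this role, with no resource scoping. The PassRole output is the question to ask first after any policy update, since a wildcard there would let the role hand arbitrary roles to arbitrary services.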

Create the SLR

SAE can create the SLR automatically. If the SLR does not exist, the Welcome to Serverless App Engine (SAE) dialog box appears when you log on to the SAE console; click Confirm to create it. The identity that clicks Confirm must itself be allowed to call ram:CreateServiceLinkedRole for the service name sae.aliyuncs.com; a RAM user without that permission cannot complete this step.

Note

If the SLR has not been created, the Welcome to Serverless App Engine (SAE) dialog box is shown every time you log on to the SAE console until the SLR has been created.
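For a RAM user who should be able to bootstrap SAE but nothing more, the following policy statement is an added example (not from the original page) that grants only the creation of this one SLR. It follows the same pattern as the ram:CreateServiceLinkedRole statement in the policy above, with the service name sae.aliyuncs.com from the role's own deletion condition:

```json
{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sae.aliyuncs.com"
                }
            }
        }
    ]
}
```

Without the Condition the same statement would let the user create the service-linked role of any Alibaba Cloud service, which is a much wider grant than the dialog box requires.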

Delete the SLR

Before you can delete the SLR, you must delete every application that this Alibaba Cloud account has deployed on SAE. Deletion of a service-linked role through RAM is asynchronous: the DeleteServiceLinkedRole operation returns a deletion task, and GetServiceLinkedRoleDeletionStatus reports whether it succeeded. If the task fails because SAE resources still depend on the role, delete them and retry.

Important
  • After the SLR is deleted you can no longer use SAE. Proceed with caution.

  • If you need SAE again after deleting the SLR, log on to the SAE console and create the role again. For details, see Create the SLR.

  • Delete the applications first. For details, see Delete an application.

  • Then delete the SLR role. For details, see Delete a RAM role.
