文档

云备份服务关联角色

更新时间:

本文介绍云备份包含的服务关联角色,以及如何删除已创建的角色。

背景信息

云备份服务关联角色是指云备份在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息请参见服务关联角色

云备份需要访问云服务器ECS、专有网络VPC、对象存储OSS、文件存储NAS和云存储网关CSG等云服务的资源时,可通过自动创建的云备份服务关联角色获取对应的访问权限。

  • AliyunServiceRoleForHbrEcsBackup

    ECS备份功能需要访问云服务器ECS和专有网络VPC云服务的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrEcsBackup获取访问权限。

  • AliyunServiceRoleForHbrOssBackup

    OSS备份功能需要访问对象存储OSS云服务的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrOssBackup获取访问权限。

  • AliyunServiceRoleForHbrNasBackup

    NAS备份功能需要访问文件存储NAS云服务的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrNasBackup获取访问权限。

  • AliyunServiceRoleForHbrCsgBackup

    云存储网关备份功能需要访问云存储网关CSG云服务的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrCsgBackup获取访问权限。

  • AliyunServiceRoleForHbrVaultEncryption

    使用KMS密钥加密备份库功能需要访问密钥管理服务KMS云服务的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrVaultEncryption获取访问KMS权限。

  • AliyunServiceRoleForHbrOtsBackup

    表格存储备份功能需要访问表格存储的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrOtsBackup获取访问权限。

  • AliyunServiceRoleForHbrCrossAccountBackup

    跨账号备份功能需要访问跨账号的资源时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrCrossAccountBackup获取访问权限。

  • AliyunServiceRoleForHbrEcsEncryption

    ECS整机备份功能开启异地复制需要指定异地加密的KMS密钥时,可通过自动创建的云备份服务关联角色AliyunServiceRoleForHbrEcsEncryption获取访问KMS权限。

权限说明

云备份服务关联角色的权限内容如下:

  • 通过AliyunServiceRoleForHbrEcsBackup获取访问ECS的权限

     {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
    

  • 通过AliyunServiceRoleForHbrEcsBackup获取访问VPC的权限

    {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }

  • 通过AliyunServiceRoleForHbrOssBackup获取访问OSS的权限

    {
          "Action": [
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }

  • 通过AliyunServiceRoleForHbrNasBackup获取访问NAS的权限

    {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }

  • 通过AliyunServiceRoleForHbrCsgBackup获取访问CSG的权限

    {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
  • 通过AliyunServiceRoleForHbrVaultEncryption获取访问KMS的权限(加密备份库)

    {
     "Statement": [
     {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
       "StringEquals": {
        "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
       }
      }
     },
     {
      "Action": [
      "kms:Decrypt"
      ],
      "Resource": "*",
      "Effect": "Allow"
     }
     ],
     "Version": "1"
    
    }

  • 通过AliyunServiceRoleForHbrOtsBackup获取访问表格存储的权限

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }
  • 通过AliyunServiceRoleForHbrCrossAccountBackup获取跨账号备份权限

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }
  • 通过AliyunServiceRoleForHbrEcsEncryption获取访问KMS权限(开启异地复制)

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

删除服务关联角色

假设您已不再使用ECS备份功能,出于安全考虑,建议您删除该功能所使用的服务关联角色。

重要

  • 删除AliyunServiceRoleForHbrEcsBackup、AliyunServiceRoleForHbrOssBackup、AliyunServiceRoleForHbrNasBackup和AliyunServiceRoleForHbrCsgBackup等角色前,请确保当前账号下没有备份仓库,否则删除失败。

  • 删除AliyunServiceRoleForHbrVaultEncryption前,请确保当前账号下没有使用KMS加密的备份仓库,否则删除失败。

例如,删除AliyunServiceRoleForHbrEcsBackup的操作步骤如下:

  1. 登录RAM控制台

  2. 在左侧导航栏中选择身份管理>角色。

  3. 角色管理页面的搜索框中,输入AliyunServiceRoleForHbrEcsBackup,自动搜索到名称为AliyunServiceRoleForHbrEcsBackup的RAM角色。

  4. 在右侧操作列,单击删除

  5. 删除RAM角色对话框,单击确定

删除AliyunServiceRoleForHbrOssBackup、AliyunServiceRoleForHbrNasBackup和AliyunServiceRoleForHbrCsgBackup、AliyunServiceRoleForHbrVaultEncryption、AliyunServiceRoleForHbrEcsEncryption等服务关联角色与删除AliyunServiceRoleForHbrEcsBackup服务关联角色步骤类似,仅需替换为对应的RAM角色即可。

  • 本页导读 (1)
文档反馈