This topic describes the service-linked role of Privileged Access Management (PAM), AliyunServiceRoleForBastionhostPam, and how this role is used to authorize PAM to access cloud resources such as ECS and VPC.
Prerequisites
You are using an Alibaba Cloud account (the root account), or a RAM user (sub-account) that has the permissions to create and delete service-linked roles.
For a RAM user, the following policy grants the permissions required to create and delete the service-linked role:
{
  "Action": [
    "ram:CreateServiceLinkedRole",
    "ram:DeleteServiceLinkedRole"
  ],
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "pam.aliyuncs.com"
    }
  }
}
Background information
A service-linked role is a RAM role that is associated with a specific cloud service. In some scenarios, a cloud service needs access permissions on other cloud services in order to complete one of its functions. For more information, see Service-linked roles.
Create the service-linked role
PAM creates the service-linked role automatically when you log on to the PAM console for the first time and complete asset authorization; you do not need to create it manually or modify it in any way. For more information, see Step 2: Activate the service.
After the service-linked role has been created, you can go to the RAM console and view the automatically created role AliyunServiceRoleForBastionhostPam on the RAM Roles page. The policy attached to AliyunServiceRoleForBastionhostPam is as follows:
{
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "cs:DescribeClustersV1",
        "cs:GetClusters",
        "cs:DescribeClusterDetail",
        "vpc:DescribeVpcs",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "yundun-idaas:DescribeInstances",
        "yundun-idaas:DescribeApplicationDefaults",
        "yundun-idaas:CreateApplication",
        "yundun-idaas:UpdateApplicationAPIStatus",
        "yundun-idaas:DescribeApplicationDetail",
        "yundun-idaas:DescribeAppApiDetail",
        "yundun-idaas:ListApplicationAuthAccount",
        "yundun-idaas:DeleteSelectedApplication",
        "yundun-idaas:VerifyUserPassword",
        "yundun-idaas:VerifyUserOTP",
        "yundun-idaas:VerifySmsCode",
        "yundun-idaas:ObtainSmsCode",
        "yundun-idaas:DescribeUser2FactorStatus",
        "yundun-idaas:DescribeIndexUserDetails",
        "yundun-idaas:DescribeUsersInOU",
        "yundun-sas:DescribeVersionConfig",
        "yundun-sas:DescribeExposedInstanceList",
        "privatelink:CheckProductOpen",
        "privatelink:OpenPrivateLinkService",
        "privatelink:ListVpcEndpoints",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "pam.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:*:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      },
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Only after this role has been created can your PAM instance access cloud resources and perform O&M operations on ECS instances.
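The two RAM statements in the policy above are the ones worth auditing: each ram:*ServiceLinkedRole grant is scoped by a ram:ServiceName condition (pam.aliyuncs.com for deletion, privatelink.aliyuncs.com for creation), so the role cannot create or delete service-linked roles for arbitrary services. The following script is an added example, not code from the page or from Alibaba Cloud; it loads a trimmed copy of the policy, groups the Allow actions by service prefix, and reports any service-linked-role action that is granted without such a condition.

```python
import json
from collections import defaultdict

# Trimmed copy of the AliyunServiceRoleForBastionhostPam policy shown above: a few of
# its ECS/VPC/PrivateLink actions plus both RAM statements. Only the structure matters.
PAM_ROLE_POLICY = json.loads("""{
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                "vpc:DescribeVpcs", "privatelink:CreateVpcEndpoint"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "pam.aliyuncs.com"}}},
    {"Action": ["ram:CreateServiceLinkedRole"], "Resource": "acs:ram:*:*:role/*",
     "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}},
     "Effect": "Allow"}
  ],
  "Version": "1"
}""")

def _as_list(value):
    # RAM policy fields such as Action and ram:ServiceName may be a string or a list.
    return value if isinstance(value, list) else [value]

def allowed_actions_by_service(policy):
    """Group every Allow action by its service prefix ('ecs', 'vpc', 'ram', ...)."""
    grouped = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt["Action"]):
                grouped[action.split(":", 1)[0]].add(action)
    return {svc: sorted(acts) for svc, acts in grouped.items()}

def service_linked_role_scope(policy):
    """For each ram:*ServiceLinkedRole action, collect the ram:ServiceName values it is
    limited to. A grant with no such condition is recorded as '*' (any service)."""
    scope = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = _as_list(cond.get("ram:ServiceName", "*"))
        for action in _as_list(stmt["Action"]):
            if action.endswith("ServiceLinkedRole"):
                scope[action].update(names)
    return dict(scope)

def unscoped_slr_actions(policy):
    """Service-linked-role actions the policy grants for any service: review these."""
    return sorted(a for a, names in service_linked_role_scope(policy).items() if "*" in names)
```

For the policy on this page the unscoped list is empty; the same functions can be run on any RAM policy document that has a Statement array to spot a missing ram:ServiceName condition.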
Delete the service-linked role
After the service-linked role has been created automatically, if you no longer need the PAM service, you can delete the PAM service-linked role AliyunServiceRoleForBastionhostPam. For details, see Delete a RAM role.
Note: If a PAM instance still uses this service-linked role, you must delete that instance first; only then can the PAM service-linked role be deleted.