本文介绍消息队列Kafka版服务关联角色的背景信息、策略内容、注意事项和常见问题。

背景信息

服务关联角色是某个云服务在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。您在该云服务的控制台首次使用该功能时,系统会提示您完成服务关联角色的自动创建。更多服务关联角色相关信息,请参见服务关联角色

消息队列Kafka版提供以下服务关联角色:

  • AliyunServiceRoleForAlikafka:消息队列Kafka版访问您所拥有的其他阿里云资源的角色。如果您是在消息队列Kafka版控制台首次开通消息队列Kafka版服务,系统会提示您完成AliyunServiceRoleForAlikafka的自动创建。
  • AliyunServiceRoleForAlikafkaConnector:消息队列Kafka版通过扮演该RAM角色,获取各类与Connector相关的产品的访问权限,以实现Connector的功能。如果您是在消息队列Kafka版控制台首次创建Connector,系统会提示您完成AliyunServiceRoleForAlikafkaConnector的自动创建。更多信息,请参见创建FC Sink Connector

  • AliyunServiceRoleForAlikafkaInstanceEncryption:消息队列Kafka版通过扮演该RAM角色,获取KMS的访问与加密权限,以实现您实例的加密功能。目前实例加密功能暂时只通过OpenAPI开放,控制台功能后续才会放出。如果您通过消息队列Kafka版OpenAPI StartInstance首次部署加密实例,系统会为您完成AliyunServiceRoleForAlikafkaInstanceEncryption的自动创建。
  • AliyunServiceRoleForAlikafkaETL:消息队列Kafka版通过扮演该RAM角色,创建数据加工ETL(Extract Transform Load)任务,通过ETL进行数据分析。如果您是在消息队列Kafka版控制台首次开通ETL服务,系统会提示您完成AliyunServiceRoleForAlikafkaETL的自动创建。

策略内容

  • AliyunServiceRoleForAlikafka的权限策略如下:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:CreateSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAlikafkaConnector的权限策略如下:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "fc:InvokeFunction",
                    "fc:GetFunction",
                    "fc:ListServices",
                    "fc:ListFunctions",
                    "fc:ListServiceVersions",
                    "fc:ListAliases",
                    "fc:CreateService",
                    "fc:DeleteService",
                    "fc:CreateFunction",
                    "fc:DeleteFunction"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "rds:DescribeDatabases"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketAcl"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "elasticsearch:DescribeInstance",
                    "elasticsearch:ListInstance"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "dataworks:CreateRealTimeProcess",
                    "dataworks:QueryRealTimeProcessStatus"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "connector.alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAlikafkaInstanceEncryption的权限策略如下:
    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "kms:Listkeys",
                    "kms:Listaliases",
                    "kms:ListResourceTags",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEqualsIgnoreCase":{
                        "kms:tag/acs:alikafka:instance-encryption":"true"
                    }
                }
            },
            {
                "Action":"ram:DeleteServiceLinkedRole",
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • AliyunServiceRoleForAlikafkaETL的权限策略如下:
    [
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "fc:InvokeFunction",
                    "fc:GetFunction",
                    "fc:ListServices",
                    "fc:ListFunctions",
                    "fc:ListServiceVersions",
                    "fc:ListAliases",
                    "fc:CreateService",
                    "fc:DeleteService",
                    "fc:CreateFunction",
                    "fc:DeleteFunction"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "etl.alikafka.aliyuncs.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "fc.aliyuncs.com"
                    }
                }
            }
        ]
    }

注意事项

如果您删除了自动创建的服务关联角色,该服务关联角色相关的功能由于权限不足将无法再被使用,请谨慎操作。如需重新创建该服务关联角色并为其授权,请参见创建可信实体为阿里云服务的RAM角色为RAM角色授权

常见问题

  • 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafka?

    如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                  "StringEquals": {
                    "ram:ServiceName": "alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaConnector?

    如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                  "StringEquals": {
                    "ram:ServiceName": "connector.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version": "1"
    }
  • 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaInstanceEncryption?

    如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }
  • 为什么我的RAM用户无法自动创建消息队列Kafka版服务关联角色AliyunServiceRoleForAlikafkaETL?

    如果您的阿里云账号已经创建了服务关联角色,您的RAM用户就会继承该阿里云账号的服务关联角色。如果没有继承,请登录访问控制控制台为RAM用户添加自定义权限策略,权限策略内容如下:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"etl.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }

如果您的RAM用户被授予该权限策略后,仍然无法自动创建服务关联角色,请为该RAM用户授予权限策略AliyunKafkaFullAccess。具体操作,请参见为RAM用户授权