This topic describes the service-linked role of Privileged Access Management (PAM), AliyunServiceRoleForBastionhostPam, and how this role is used to authorize PAM to access cloud resources such as ECS and VPC.

Prerequisites

You are using an Alibaba Cloud account (the primary account), or a RAM user (a sub-account) that has permissions to create and delete service-linked roles.

For a RAM user, the following policy grants the permissions required to create and delete the service-linked role (the ram:ServiceName condition limits the grant to the service-linked role of PAM only):
{
    "Action": [
        "ram:CreateServiceLinkedRole",
        "ram:DeleteServiceLinkedRole"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "pam.aliyuncs.com"
        }
    }
}
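As an added example (not from this page or from Alibaba Cloud), a small Python check that reads a RAM policy and reports whether every grant of ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole is limited by the ram:ServiceName condition shown above; it accepts either a full policy document or a bare statement like the one on this page. The sample statements are constructed.

```python
import json

SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}

# Constructed sample: the statement this page gives for RAM users, as a string
# the way it would be pasted into the RAM console.
PAM_USER_STATEMENT = json.loads("""
{
    "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": "pam.aliyuncs.com"}}
}
""")

# Constructed sample: the same grant with the Condition dropped, which lets the
# user create the service-linked role of any service, not just PAM's.
UNSCOPED_STATEMENT = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"
}

def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def slr_grants(policy):
    """For every Allow statement that can create or delete a service-linked role,
    return (granted SLR actions, set of ram:ServiceName values it is limited to).
    An empty set means the grant is not scoped to any service. Accepts a full
    policy document ({"Statement": [...]}) or a single bare statement."""
    statements = policy["Statement"] if "Statement" in policy else [policy]
    grants = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        slr = {a for a in actions if a in SLR_ACTIONS or a in ("ram:*", "*")}
        if not slr:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = set(_as_list(cond.get("ram:ServiceName", [])))
        grants.append((sorted(slr), services))
    return grants

def scoped_to_service(policy, service):
    """True only when every SLR grant in the policy is limited to exactly `service`."""
    grants = slr_grants(policy)
    return bool(grants) and all(services == {service} for _, services in grants)
```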

Background information

A service-linked role is a RAM role that is associated with a specific cloud service. In some scenarios, a cloud service needs access to other cloud services in order to perform one of its functions. For more information, see Service-linked roles.

Create the service-linked role

PAM creates the service-linked role automatically when you log on to the PAM console for the first time and complete asset authorization; you do not need to create it manually or make any changes to it. For more information, see Step 2: Activate the service.

After the service-linked role is created, you can go to the RAM console and view the automatically created role AliyunServiceRoleForBastionhostPam on the RAM Roles page. The policy attached to AliyunServiceRoleForBastionhostPam is as follows:
{
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "cs:DescribeClustersV1",
                "cs:GetClusters",
                "cs:DescribeClusterDetail",
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "yundun-idaas:DescribeInstances",
                "yundun-idaas:DescribeApplicationDefaults",
                "yundun-idaas:CreateApplication",
                "yundun-idaas:UpdateApplicationAPIStatus",
                "yundun-idaas:DescribeApplicationDetail",
                "yundun-idaas:DescribeAppApiDetail",
                "yundun-idaas:ListApplicationAuthAccount",
                "yundun-idaas:DeleteSelectedApplication",
                "yundun-idaas:VerifyUserPassword",
                "yundun-idaas:VerifyUserOTP",
                "yundun-idaas:VerifySmsCode",
                "yundun-idaas:ObtainSmsCode",
                "yundun-idaas:DescribeUser2FactorStatus",
                "yundun-idaas:DescribeIndexUserDetails",
                "yundun-idaas:DescribeUsersInOU",
                "yundun-sas:DescribeVersionConfig",
                "yundun-sas:DescribeExposedInstanceList",
                "privatelink:CheckProductOpen",
                "privatelink:OpenPrivateLinkService",
                "privatelink:ListVpcEndpoints",
                "privatelink:CreateVpcEndpoint",
                "privatelink:ListVpcEndpointZones",
                "privatelink:RemoveZoneFromVpcEndpoint",
                "privatelink:DeleteVpcEndpoint",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeSecurityGroupAttribute",
                "privatelink:GetVpcEndpointAttribute",
                "privatelink:AddZoneToVpcEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pam.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:*:role/*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "privatelink.aliyuncs.com"
                }
            },
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

Only after this role has been created can your PAM instance access cloud resources and perform operations such as O&M on ECS instances.

Delete the service-linked role

If you no longer need PAM after the service-linked role has been created automatically, you can delete the PAM service-linked role AliyunServiceRoleForBastionhostPam. For more information, see Delete a RAM role.
Note: If a PAM instance still uses this service-linked role, you must delete the instance before you can delete the PAM service-linked role.

References

Permissions required to create and delete service-linked roles