Alibaba Cloud Prerequisites
This document describes the Alibaba Cloud operations involved in creating a BYOC warehouse: creating and authorizing a RAM user, creating a VPC and vSwitch, and understanding Resource Orchestration Service (ROS) and resource stacks.
Prepare a RAM user and grant permissions
Before creating a BYOC warehouse, prepare an Alibaba Cloud RAM user that has the required permissions.
Send this document to your Alibaba Cloud administrator and ask them to create and authorize a RAM user for you by following it.
The administrator opens the Alibaba Cloud RAM (Resource Access Management) console and performs the following steps:
Create a RAM user
Tip: if a RAM user already exists, skip this step.
In the left navigation pane, choose Identities > Users to open the user management page, click Create User, enter the required information, and complete the creation.
Create a RAM user group (optional)
Tip: if a RAM user group already exists, skip this step.
If several people in your organization use SelectDB Cloud, you can create a RAM user group, add those people to it, and grant permissions to the group as a whole.
In the left navigation pane, choose Identities > Groups to open the group management page, click Create Group, enter the required information, and complete the creation.
Create a permission policy and grant it
When a SelectDB Cloud BYOC warehouse is created, a resource stack template is executed through Resource Orchestration Service (ROS). The template creates ECS, VPC, OSS and other cloud resources or operates on them, so a set of RAM permissions is required.
Follow the steps below to grant these permissions to the RAM user or user group.
1. Create a permission policy: in the left navigation pane, choose Permissions > Policies to open the policy management page, click Create Policy, and switch to the script (JSON) editing mode. Clear the text box and paste the following script. For a detailed description of each permission, see the section "Permissions required by the resource stack template" below.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:TagResources",
        "ecs:UnTagResources",
        "ecs:DescribeInstances",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:RebootInstance",
        "ecs:RenewInstance",
        "ecs:DeleteInstance",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifyInstanceChargeType",
        "ecs:ModifyInstanceAutoRenewAttribute",
        "ecs:ModifyInstanceSpec",
        "ecs:ModifyPrepayInstanceSpec",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole",
        "ecs:ResizeDisk",
        "ecs:DescribeTags",
        "ecs:AddTags",
        "ecs:RemoveTags",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DeleteLoadBalancer",
        "slb:DescribeLoadBalancerListeners",
        "slb:StartLoadBalancerListener",
        "slb:DeleteLoadBalancerListener",
        "slb:DescribeVServerGroups",
        "slb:DescribeVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:RemoveVServerGroupBackendServers",
        "slb:RemoveBackendServers",
        "slb:DeleteVServerGroup",
        "slb:DescribeAccessControlLists",
        "slb:DescribeRules",
        "slb:CreateRules",
        "slb:DeleteRules",
        "slb:DescribeTags",
        "slb:AddTags",
        "slb:RemoveTags"
      ],
      "Resource": [
        "acs:ecs:*:*:*",
        "acs:vpc:*:*:*",
        "acs:slb:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/resource-created-by": [
            "selectdb"
          ]
        }
      }
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeDisks",
        "ecs:DescribeImages",
        "ecs:CreateInstance",
        "ecs:RunInstances",
        "ecs:CreateSecurityGroup",
        "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateVServerGroup",
        "slb:AddVServerGroupBackendServers",
        "slb:CreateAccessControlList",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry",
        "slb:DeleteAccessControlList"
      ],
      "Resource": [
        "acs:ecs:*:*:*",
        "acs:vpc:*:*:*",
        "acs:slb:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:selectdb-bucket-*",
        "acs:oss:*:*:selectdb-bucket-*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:TagResources",
        "privatelink:UnTagResources",
        "privatelink:ListTagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetUser",
        "ram:AttachPolicyToUser",
        "ram:CreateUser",
        "ram:DeleteUser",
        "ram:DetachPolicyFromUser",
        "ram:CreateAccessKey",
        "ram:DeleteAccessKey",
        "ram:ListAccessKeys",
        "ram:AttachPolicyToRole",
        "ram:AttachPolicyToUser",
        "ram:CreatePolicy",
        "ram:DeletePolicy",
        "ram:DetachPolicyFromRole",
        "ram:DetachPolicyFromUser",
        "ram:ListPoliciesForRole",
        "ram:ListPoliciesForUser",
        "ram:ListGroupsForUser",
        "ram:ListEntitiesForPolicy",
        "ram:GetPolicy",
        "ram:CreateRole",
        "ram:DeleteRole",
        "ram:PassRole",
        "ram:GetRole",
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:OpenOssService",
        "privatelink:OpenPrivateLinkService",
        "tag:TagResources",
        "ros:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Click OK, enter a name for the policy, and click OK again to finish creating it.
2. Grant the policy to the RAM user or user group: in the left navigation pane, choose Permissions > Grants to open the grants page. Select the RAM user or user group as the principal, select the policy created in the previous step, and click Confirm to complete the grant.
At this point the RAM user or user group has been created and granted the required permissions.
Prepare a VPC and vSwitch
Tips:
- If you already have a VPC and vSwitch that meet the region and zone requirements and want to deploy the BYOC warehouse in that VPC, skip the VPC and vSwitch creation steps below.
- The currently supported regions and vSwitch zones are:

| Cloud platform | Region name | Region ID | Zone IDs |
|---|---|---|---|
| Alibaba Cloud | China North 2 (Beijing) | cn-beijing | H, K |
| Alibaba Cloud | China East 2 (Shanghai) | cn-shanghai | B, E |
| Alibaba Cloud | China South 1 (Shenzhen) | cn-shenzhen | D, F |
| Alibaba Cloud | China South 3 (Guangzhou) | cn-guangzhou | B |
| Alibaba Cloud | Germany (Frankfurt) | eu-central-1 | A |

Before creating a BYOC warehouse, use the RAM user prepared above to create the VPC and vSwitch in advance, as follows.
Open the Alibaba Cloud VPC console and choose VPCs > Create VPC to open the VPC creation page.
Select the region in which you want to create the BYOC warehouse, enter a name, select an IPv4 CIDR block, enter the vSwitch name and zone, and click OK to complete the creation.
Understanding Resource Orchestration and resource stacks
When a user creates a BYOC warehouse, the cloud provider's resource orchestration service is first used to deploy the Agent automatically and to establish a private connection between the Agent and the SelectDB Cloud platform; the Agent then takes over deployment and management of the BYOC warehouse.
About the ROS template
The ROS template provided by SelectDB runs under your own cloud account. Its code is visible and auditable, and it does not operate on your data or on other environments inside your VPC. You can obtain the template from the following link:
https://selectdb-cloud-online-bj.oss-cn-beijing.aliyuncs.com/public/aliyun-byoc.yaml
When you execute this template through Alibaba Cloud ROS, it creates and deploys the Agent automatically. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization.
After the template has finished executing, you can open the corresponding warehouse from the SelectDB Cloud platform and start creating compute clusters for data analysis, just as with an ordinary warehouse.
How to view resource stack information
In the Alibaba Cloud ROS console you can view all resources created by the SelectDB resource stack template and look up a specific resource by name.
Note: all resources created by the resource stack template belong to your cloud account and are used only inside your VPC; they are not exposed externally.
- Virtual machine
  - Name: SelectDBAgent (ECS)
  - Purpose: hosts the Agent, Prometheus, FluentBit and related programs
- Endpoint
  - Name: SelectDBEndpoint (VPC Endpoint)
  - Purpose: establishes a private connection to the SelectDB Cloud platform so that control commands can be pulled and monitoring data and logs can be pushed
- Bucket
  - Name: SelectDBBucket (OSS Bucket)
  - Purpose: stores the warehouse data
- Security group
  - Name: SelectDBSecurityGroup (VPC SecurityGroup)
  - Purpose: attached to the endpoint and the ECS instance; its rules allow only traffic on specific ports from specific subnets (all traffic from the same security group is allowed on all ports, traffic from the same subnet is allowed on port 8666, and all outbound traffic is allowed)
- Sub-user / roles
  - Names (RAM User / RAM Role):
    - SelectDBUser (sub-user), SelectDBUserAccessKey (AccessKey pair), SelectDBUserPolicy (sub-user permissions)
    - SelectDBControlPanelRole (control-plane role), SelectDBControlPanelRolePolicy (control-plane role permissions), SelectDBDataAccessRole (kernel-side role), SelectDBDataAccessRolePolicy (kernel-side role permissions)
  - Purpose:
    - The sub-user has the minimum permissions the Agent needs; all subsequent control operations are performed under this sub-user's identity, and its credentials are used only inside your VPC and never leave it
    - The roles are bound to ECS instances so that temporary AccessKey credentials can be obtained for authentication later, which is more secure than the current approach of permanent AccessKey pairs; one role serves the control plane (bound to the Agent) and one serves the kernel side (bound to MS/FE/BE)
Permissions required by the resource stack template
When the resource stack template is executed under your cloud account through ROS, it creates ECS, VPC, OSS and other cloud resources or operates on them, so a set of RAM permissions is required. Before executing the template, make sure the user running it has these permissions; otherwise the execution may fail.
Note: the template executes entirely under your cloud account, and the resources it creates belong to your account. SelectDB does not obtain your cloud account information and cannot use that account's RAM permissions.
The permissions required by the resources and operations defined in the template are as follows:
Permission summary:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:TagResources",
        "ecs:UnTagResources",
        "ecs:DescribeInstances",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:RebootInstance",
        "ecs:RenewInstance",
        "ecs:DeleteInstance",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifyInstanceChargeType",
        "ecs:ModifyInstanceAutoRenewAttribute",
        "ecs:ModifyInstanceSpec",
        "ecs:ModifyPrepayInstanceSpec",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole",
        "ecs:ResizeDisk",
        "ecs:DescribeTags",
        "ecs:AddTags",
        "ecs:RemoveTags",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DeleteSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DeleteLoadBalancer",
        "slb:DescribeLoadBalancerListeners",
        "slb:StartLoadBalancerListener",
        "slb:DeleteLoadBalancerListener",
        "slb:DescribeVServerGroups",
        "slb:DescribeVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:RemoveVServerGroupBackendServers",
        "slb:RemoveBackendServers",
        "slb:DeleteVServerGroup",
        "slb:DescribeAccessControlLists",
        "slb:DescribeRules",
        "slb:CreateRules",
        "slb:DeleteRules",
        "slb:DescribeTags",
        "slb:AddTags",
        "slb:RemoveTags"
      ],
      "Resource": [
        "acs:ecs:*:*:*",
        "acs:vpc:*:*:*",
        "acs:slb:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/resource-created-by": [
            "selectdb"
          ]
        }
      }
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeDisks",
        "ecs:DescribeImages",
        "ecs:CreateInstance",
        "ecs:RunInstances",
        "ecs:CreateSecurityGroup",
        "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateVServerGroup",
        "slb:AddVServerGroupBackendServers",
        "slb:CreateAccessControlList",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry",
        "slb:DeleteAccessControlList"
      ],
      "Resource": [
        "acs:ecs:*:*:*",
        "acs:vpc:*:*:*",
        "acs:slb:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:selectdb-bucket-*",
        "acs:oss:*:*:selectdb-bucket-*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:ListVpcEndpointConnections",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:TagResources",
        "privatelink:UnTagResources",
        "privatelink:ListTagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetUser",
        "ram:AttachPolicyToUser",
        "ram:CreateUser",
        "ram:DeleteUser",
        "ram:DetachPolicyFromUser",
        "ram:CreateAccessKey",
        "ram:DeleteAccessKey",
        "ram:ListAccessKeys",
        "ram:AttachPolicyToRole",
        "ram:AttachPolicyToUser",
        "ram:CreatePolicy",
        "ram:DeletePolicy",
        "ram:DetachPolicyFromRole",
        "ram:DetachPolicyFromUser",
        "ram:ListPoliciesForRole",
        "ram:ListPoliciesForUser",
        "ram:ListGroupsForUser",
        "ram:ListEntitiesForPolicy",
        "ram:GetPolicy",
        "ram:CreateRole",
        "ram:DeleteRole",
        "ram:PassRole",
        "ram:GetRole",
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:OpenOssService",
        "privatelink:OpenPrivateLinkService",
        "tag:TagResources",
        "ros:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
- ECS permissions:
  - Manage ECS instances:
    "ecs:TagResources", "ecs:UnTagResources", "ecs:DescribeInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:ModifyInstanceSpec", "ecs:ModifyPrepayInstanceSpec", "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags", "ecs:DescribeDisks", "ecs:DescribeImages", "ecs:CreateInstance", "ecs:RunInstances"
  - Manage ECS security groups:
    "ecs:CreateSecurityGroup", "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupReferences", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:DeleteSecurityGroup", "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute"
- VPC, PrivateLink and SLB permissions:
  - Read VPC resource information:
    "vpc:DescribeVpcs", "vpc:DescribeVSwitches"
  - Manage PrivateLink endpoints:
    "privatelink:CreateVpcEndpoint", "privatelink:DeleteVpcEndpoint", "privatelink:GetVpcEndpointAttribute", "privatelink:ListVpcEndpoints", "privatelink:ListVpcEndpointServicesByEndUser", "privatelink:ListVpcEndpointSecurityGroups", "privatelink:ListVpcEndpointConnections", "privatelink:AddZoneToVpcEndpoint", "privatelink:AttachSecurityGroupToVpcEndpoint", "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:RemoveZoneFromVpcEndpoint", "privatelink:TagResources", "privatelink:UnTagResources", "privatelink:ListTagResources"
  - Manage Server Load Balancer (SLB) resources:
    "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags", "slb:CreateLoadBalancer", "slb:CreateLoadBalancerTCPListener", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList"
- OSS permissions:
  - Manage OSS buckets and read and write the buckets and their contents (restricted to specific buckets):
    { "Action": "oss:*", "Resource": [ "acs:oss:*:*:selectdb-bucket-*", "acs:oss:*:*:selectdb-bucket-*/*" ], "Effect": "Allow" }
- RAM permissions:
  - Manage RAM users, roles and policies:
    "ram:GetUser", "ram:AttachPolicyToUser", "ram:CreateUser", "ram:DeleteUser", "ram:DetachPolicyFromUser", "ram:AttachPolicyToRole", "ram:AttachPolicyToUser", "ram:CreatePolicy", "ram:DeletePolicy", "ram:DetachPolicyFromRole", "ram:DetachPolicyFromUser", "ram:ListPoliciesForRole", "ram:ListPoliciesForUser", "ram:ListGroupsForUser", "ram:ListEntitiesForPolicy", "ram:GetPolicy", "ram:CreateRole", "ram:DeleteRole", "ram:PassRole", "ram:GetRole", "sts:AssumeRole"
  - Manage RAM AccessKeys:
    "ram:CreateAccessKey", "ram:DeleteAccessKey", "ram:ListAccessKeys"
- ROS permissions:
  - Manage resource stacks:
    "ros:*"
- Other permissions:
  - Activate the OSS service, activate the PrivateLink service, and tag resources:
    "oss:OpenOssService", "privatelink:OpenPrivateLinkService", "tag:TagResources"
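Before attaching the policy above, a reviewer usually wants to know which statements are bounded by the `resource-created-by` tag condition or by a region in the ARN, and which grant actions on any resource without a condition (on this page, the PrivateLink, RAM, STS and ROS statements). The following Python script is an added example and not SelectDB's code: it parses a RAM policy in the format shown on this page and labels each Allow statement; the embedded policy is a constructed excerpt of the page's policy, so its output reflects that excerpt rather than the full document.

```python
import json

# Constructed excerpt of the page's policy; the real one lists many more actions.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:DeleteInstance", "ecs:StopInstance"],
         "Resource": ["acs:ecs:*:*:*", "acs:vpc:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEquals": {
             "acs:ResourceTag/resource-created-by": ["selectdb"]}}},
        {"Action": ["ecs:RunInstances", "ecs:CreateSecurityGroup"],
         "Resource": ["acs:ecs:cn-beijing:*:*"], "Effect": "Allow"},
        {"Action": "oss:*", "Effect": "Allow",
         "Resource": ["acs:oss:*:*:selectdb-bucket-*",
                      "acs:oss:*:*:selectdb-bucket-*/*"]},
        {"Action": ["ram:CreateUser", "ram:PassRole", "sts:AssumeRole"],
         "Resource": "*", "Effect": "Allow"},
    ],
})

def as_list(v):
    return v if isinstance(v, list) else [v]

def arn_region(arn):
    # RAM ARN layout: acs:<service>:<region>:<account>:<resource>
    parts = arn.split(":", 4)
    return parts[2] if len(parts) == 5 else ""

def classify(stmt):
    """Label how tightly one Allow statement is bounded."""
    cond = stmt.get("Condition", {})
    tag_keys = [k for op in cond.values() for k in op
                if k.startswith(("acs:ResourceTag/", "oss:BucketTag/"))]
    resources = as_list(stmt.get("Resource", "*"))
    if tag_keys:
        return "tag-scoped"        # only resources carrying the tag
    if all(r != "*" and arn_region(r) not in ("", "*") for r in resources):
        return "region-scoped"     # every ARN names a concrete region
    if all(r != "*" and not r.endswith(":*:*:*") for r in resources):
        return "resource-scoped"   # every ARN names a resource pattern
    return "unscoped"              # any resource, no condition

def review(policy_text):
    """One record per Allow statement: index, scope label and actions."""
    policy = json.loads(policy_text)
    return [{"index": i, "scope": classify(s),
             "actions": sorted(set(as_list(s["Action"])))}
            for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow"]

def unscoped_actions(policy_text):
    """Actions allowed on any resource with no condition: justify these first."""
    return sorted({a for r in review(policy_text)
                   if r["scope"] == "unscoped" for a in r["actions"]})
```

An `unscoped` label is a prompt to review, not a defect in itself; the page's RAM and STS statements, for example, carry no tag condition because they operate on identities rather than on tagged resources.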
Permissions of the sub-user created by the resource stack template
The first execution of the resource stack template creates a sub-user that is used afterwards to manage the data warehouse components inside your VPC. An example of this sub-user's permissions follows:
Note: the sub-user belongs to your cloud account and is used only inside your VPC; it is not exposed externally.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:TagResources",
        "ecs:UnTagResources",
        "ecs:DescribeInstances",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:RebootInstance",
        "ecs:RenewInstance",
        "ecs:DeleteInstance",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifyInstanceChargeType",
        "ecs:ModifyInstanceAutoRenewAttribute",
        "ecs:ModifyInstanceSpec",
        "ecs:ModifyPrepayInstanceSpec",
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole",
        "ecs:ResizeDisk",
        "ecs:DescribeTags",
        "ecs:AddTags",
        "ecs:RemoveTags",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DeleteLoadBalancer",
        "slb:DescribeLoadBalancerListeners",
        "slb:StartLoadBalancerListener",
        "slb:DeleteLoadBalancerListener",
        "slb:DescribeVServerGroups",
        "slb:DescribeVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:RemoveVServerGroupBackendServers",
        "slb:RemoveBackendServers",
        "slb:DeleteVServerGroup",
        "slb:DescribeAccessControlLists",
        "slb:DescribeRules",
        "slb:CreateRules",
        "slb:DeleteRules",
        "slb:DescribeTags",
        "slb:AddTags",
        "slb:RemoveTags"
      ],
      "Resource": [
        "acs:ecs:cn-beijing:*:*",
        "acs:vpc:cn-beijing:*:*",
        "acs:slb:cn-beijing:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/resource-created-by": [
            "selectdb"
          ]
        }
      }
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeDisks",
        "ecs:CreateInstance",
        "ecs:RunInstances",
        "ecs:CreateSecurityGroup",
        "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateVServerGroup",
        "slb:AddVServerGroupBackendServers",
        "slb:CreateAccessControlList",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry",
        "slb:DeleteAccessControlList"
      ],
      "Resource": [
        "acs:ecs:cn-beijing:*:*",
        "acs:vpc:cn-beijing:*:*",
        "acs:slb:cn-beijing:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:selectdb-bucket-bbkxkwwlcnmqcjyh",
        "acs:oss:*:*:selectdb-bucket-bbkxkwwlcnmqcjyh/*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/resource-created-by": [
            "selectdb"
          ]
        }
      }
    }
  ]
}
```
The permissions break down as follows:
- ECS permissions:
  - Manage ECS instances:
    "ecs:TagResources", "ecs:UnTagResources", "ecs:DescribeDisks", "ecs:RunInstances", "ecs:DescribeInstances", "ecs:StopInstance", "ecs:StartInstance", "ecs:RebootInstance", "ecs:RenewInstance", "ecs:DeleteInstance", "ecs:ModifyInstanceAttribute", "ecs:ModifyInstanceChargeType", "ecs:ModifyInstanceAutoRenewAttribute", "ecs:ModifyInstanceSpec", "ecs:ModifyPrepayInstanceSpec", "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole", "ecs:ResizeDisk", "ecs:DescribeTags", "ecs:AddTags", "ecs:RemoveTags"
  - Manage ECS security groups:
    "ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:DescribeSecurityGroupAttribute", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup"
- VPC and SLB permissions:
  - Read VPC resource information:
    "vpc:DescribeVpcs", "vpc:DescribeVSwitches"
  - Manage Server Load Balancer (SLB) resources:
    "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:DeleteLoadBalancer", "slb:DescribeLoadBalancerListeners", "slb:StartLoadBalancerListener", "slb:DeleteLoadBalancerListener", "slb:DescribeVServerGroups", "slb:DescribeVServerGroupAttribute", "slb:ModifyVServerGroupBackendServers", "slb:RemoveVServerGroupBackendServers", "slb:RemoveBackendServers", "slb:DeleteVServerGroup", "slb:DescribeAccessControlLists", "slb:DescribeRules", "slb:CreateRules", "slb:DeleteRules", "slb:DescribeTags", "slb:AddTags", "slb:RemoveTags", "slb:CreateLoadBalancer", "slb:CreateLoadBalancerTCPListener", "slb:CreateVServerGroup", "slb:AddVServerGroupBackendServers", "slb:CreateAccessControlList", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry", "slb:DeleteAccessControlList"
- OSS permissions:
  - Manage OSS buckets and read and write the buckets and their contents (restricted to specific buckets):
    { "Action": "oss:*", "Resource": [ "acs:oss:*:*:selectdb-bucket-*", "acs:oss:*:*:selectdb-bucket-*/*" ], "Effect": "Allow", "Condition": { "StringEquals": { "oss:BucketTag/resource-created-by": [ "selectdb" ] } } }