The service-linked role AliyunServiceRoleForActionTrail is a Resource Access Management (RAM) role that ActionTrail assumes to access other Alibaba Cloud services. This topic describes the scenarios of the service-linked role, the permissions of the role, and how to create and delete the role.
Scenarios
The AliyunServiceRoleForActionTrail role is applicable to the following scenarios:
Access Simple Log Service
If you create a trail and specify a Simple Log Service project to store events, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to create a Logstore in the specified project and write events to the Logstore.
Access Object Storage Service (OSS)
If you create a trail and specify an OSS bucket to store events, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to write events to the specified OSS bucket.
Access Simple Message Queue (formerly MNS)
If you create a trail and specify an OSS bucket to store events and also specify a Simple Message Queue topic to receive messages for event delivery, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to send messages to the Simple Message Queue topic.
Access Resource Directory
If you create a multi-account trail to deliver the events of all members in a resource directory to the specified storage object, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to access the resource directory and retrieve the members in the resource directory.
For more information, see Service-linked roles.
Permissions
Role: AliyunServiceRoleForActionTrail
Policy: AliyunServiceRolePolicyForActionTrail
After the service-linked role is assigned to ActionTrail, ActionTrail is granted the permissions to access resources of other Alibaba Cloud services such as OSS, Simple Log Service, Simple Message Queue (formerly MNS), and Resource Directory.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:PutObject",
        "oss:GetBucketInfo",
        "oss:GetBucketLifecycle",
        "oss:GetBucketLocation",
        "kms:ListKeys",
        "kms:Listalias",
        "kms:ListAliasesByKeyId",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetProject",
        "log:ListJobs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:CreateLogstore",
        "log:GetLogstore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex",
        "log:GetLogStoreLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/actiontrail_*",
        "acs:log:*:*:project/*/logstore/innertrail_*",
        "acs:log:*:*:project/*/logstore/insights_*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateDashboard",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/*/dashboard/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch"
      ],
      "Resource": [
        "acs:log:*:*:project/*/savedsearch/actiontrail_*",
        "acs:log:*:*:project/*/savedsearch/innertrail_*",
        "acs:log:*:*:project/*/savedsearch/insights_*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:PublishMessage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "resourcemanager:GetResourceDirectory",
        "resourcemanager:ListAccounts",
        "resourcemanager:GetResourceDirectoryAccount"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:DescribeMetricList",
        "cms:QueryMetricList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "actiontrail.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "odps:updateUsersToAdmin",
      "Resource": "acs:odps:*:*:projects/actiontrail_*"
    }
  ]
}
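When reviewing a service-linked role, the useful question is which actions the policy scopes by resource name (for example, only Logstores whose names start with actiontrail_, innertrail_ or insights_) and which it grants on "*". The following is an added example, not code from the Alibaba Cloud documentation: a simplified evaluator that applies three of the statements above to sample (action, resource, context) requests. It assumes only Allow statements and StringEquals conditions, which is all this policy uses; the POLICY_EXCERPT, is_allowed and the sample resource identifiers are constructed for illustration.

```python
import json
import re

# Added example (not from the Alibaba Cloud documentation): a simplified
# evaluator for RAM-style policy statements. It assumes only Allow statements
# and StringEquals conditions, which is all AliyunServiceRolePolicyForActionTrail
# uses; real RAM evaluation also handles Deny and other condition operators.

# Excerpt of the page's policy: the Logstore statement scoped by name prefix,
# the wildcard MNS statement and the conditional role-deletion statement.
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore"],
     "Resource": ["acs:log:*:*:project/*/logstore/actiontrail_*",
                  "acs:log:*:*:project/*/logstore/innertrail_*"],
     "Effect": "Allow"},
    {"Action": ["mns:PublishMessage"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "actiontrail.aliyuncs.com"}}}
  ]
}
""")

def _glob_match(pattern, value):
    """Match a policy pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, resource and context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        # StringEquals: every key in the condition must be present and equal.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in equals.items()):
            return True
    return False
```

Running is_allowed against a Logstore outside the actiontrail_/innertrail_ prefixes, or against ram:DeleteServiceLinkedRole without ram:ServiceName set to actiontrail.aliyuncs.com, returns False, which is the scoping the policy is designed to enforce.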
Create the AliyunServiceRoleForActionTrail role
When you perform one of the following operations for the first time, ActionTrail automatically creates the AliyunServiceRoleForActionTrail role if it does not already exist:
Call the CreateTrail operation to create a trail.
Create a trail in the ActionTrail console.
Delete the AliyunServiceRoleForActionTrail role
Before you delete the AliyunServiceRoleForActionTrail role, you must delete all trails in the ActionTrail console. For more information, see Delete a single-account trail and Delete a multi-account trail.
You can delete the AliyunServiceRoleForActionTrail role in the RAM console. For more information, see Delete a RAM role.