This topic describes the background information, policy documents, precautions, and frequently asked questions (FAQ) for the service-linked roles of EventBridge.
Background information
EventBridge sometimes needs to access other Alibaba Cloud services to perform specific functions. To enable this access, EventBridge creates a service-linked role. A service-linked role is a role that is associated with an Alibaba Cloud service. For more information, see Service-linked roles.
EventBridge supports the automatic creation of the following service-linked roles:
AliyunServiceRoleForEventBridgeSendToFC
The AliyunServiceRoleForEventBridgeSendToFC service-linked role grants EventBridge the permission to invoke functions in Function Compute.
The AliyunServiceRoleForEventBridgeSendToFC service-linked role has the AliyunServiceRolePolicyForEventBridgeSendToFC access policy attached. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"fc:InvokeFunction",
"fc:ListServices",
"fc:ListFunctions",
"fc:ListServiceVersions",
"fc:ListAliases",
"fc:RegisterEventSource",
"fc:DeregisterEventSource",
"fc:ListEventSources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToMNS
The AliyunServiceRoleForEventBridgeSendToMNS service-linked role grants EventBridge the permission to send and publish messages to Simple Message Queue (formerly MNS).
The AliyunServiceRoleForEventBridgeSendToMNS service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToMNS access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"mns:SendMessage",
"mns:GetQueueAttributes",
"mns:PublishMessage",
"mns:ListQueue",
"mns:ListTopic",
"mns:ReceiveMessage",
"mns:BatchReceiveMessage",
"mns:PeekMessage",
"mns:BatchPeekMessage",
"mns:ChangeMessageVisibility",
"mns:DeleteMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSMS
The AliyunServiceRoleForEventBridgeSendToSMS service-linked role grants EventBridge the permission to send text messages using Short Message Service.
The AliyunServiceRoleForEventBridgeSendToSMS service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToSMS access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"dysms:SendSms",
"dysms:SendBatchSms",
"dysms:QuerySendDetails",
"dysms:QuerySmsSign",
"dysms:QuerySmsTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToDirectMail
The AliyunServiceRoleForEventBridgeSendToDirectMail service-linked role grants EventBridge the permission to send emails using Direct Mail.
The AliyunServiceRoleForEventBridgeSendToDirectMail service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToDirectMail access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"dm:SingleSendMail",
"dm:BatchSendMail",
"dm:QueryMailAddressByParam"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRocketMQ
The AliyunServiceRoleForEventBridgeSourceRocketMQ service-linked role grants EventBridge the permissions to access resources and use features in ApsaraMQ for RocketMQ.
The AliyunServiceRoleForEventBridgeSourceRocketMQ service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceRocketMQ access policy. The policy document is as follows:
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:QueryInstanceBaseInfo",
"mq:QueryConsumerStatus",
"mq:SUB"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRocketMQ
The AliyunServiceRoleForEventBridgeSendToRocketMQ service-linked role grants EventBridge the permission to publish messages to ApsaraMQ for RocketMQ.
The AliyunServiceRoleForEventBridgeSendToRocketMQ service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToRocketMQ access policy. The policy document is as follows:
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:PUB",
"mq:QueryInstanceBaseInfo",
"mq:QueryTopicStatus",
"mq:QueryConsumerAccumulate",
"mq:QueryConsumerStatus"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeConnectVPC
The AliyunServiceRoleForEventBridgeConnectVPC service-linked role grants EventBridge permissions to access resources in a virtual private cloud (VPC).
The AliyunServiceRoleForEventBridgeConnectVPC service-linked role is granted the AliyunServiceRolePolicyForEventBridgeConnectVPC access policy. The policy document is as follows:
{
"Version":"1",
"Statement":[
{
"Action":[
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":[
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
}
}
}
]
}
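As an added example (not part of the Alibaba Cloud documentation), the following Python sketch reviews a policy document in the format used on this page: it reports the actions granted on Resource "*" that are not read-only and the ram:ServiceName that ram:DeleteServiceLinkedRole is bound to. The read-only verb list and the function names are assumptions made for this illustration; the sample input is the ConnectVPC policy above.

```python
import json

# Assumption for this example: actions whose name starts with one of these
# verbs are treated as read-only; everything else is reported for review.
READ_PREFIXES = ("Describe", "List", "Get", "Query")

# The AliyunServiceRolePolicyForEventBridgeConnectVPC document from this page.
CONNECT_VPC_POLICY = """{"Version": "1", "Statement": [
 {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches",
    "vpc:DescribeVSwitchAttributes"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup",
    "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DeleteNetworkInterfacePermission"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals":
    {"ram:ServiceName": "connect-vpc.eventbridge.aliyuncs.com"}}}
]}"""


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(document):
    """Return the write-capable wildcard grants and the role-deletion binding."""
    findings = {"non_read_on_wildcard": [], "slr_delete_bound_to": None}
    for stmt in json.loads(document)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt["Action"]):
            if action == "ram:DeleteServiceLinkedRole":
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                findings["slr_delete_bound_to"] = cond.get("ram:ServiceName")
            elif wildcard and not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                findings["non_read_on_wildcard"].append(action)
    return findings


if __name__ == "__main__":
    print(json.dumps(review_policy(CONNECT_VPC_POLICY), indent=2))
```

A `slr_delete_bound_to` value of `None` means the deletion permission is not limited to one service principal and should be examined.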
AliyunServiceRoleForEventBridgeSourceActionTrail
The AliyunServiceRoleForEventBridgeSourceActionTrail service-linked role grants EventBridge permissions to query and deliver operation records from ActionTrail.
The AliyunServiceRoleForEventBridgeSourceActionTrail service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceActionTrail access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"actiontrail:CreateServiceTrail",
"actiontrail:DeleteServiceTrail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRabbitMQ
The AliyunServiceRoleForEventBridgeSourceRabbitMQ service-linked role grants EventBridge permissions to access resources in ApsaraMQ for RabbitMQ.
The AliyunServiceRoleForEventBridgeSourceRabbitMQ service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:GetExchange",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicCancel",
"amqp:BasicConsume",
"amqp:BasicAck",
"amqp:BasicNack",
"amqp:BasicReject",
"amqp:QueuePurge",
"amqp:BasicGet"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRabbitMQ
The AliyunServiceRoleForEventBridgeSendToRabbitMQ service-linked role grants EventBridge the permission to publish messages to ApsaraMQ for RabbitMQ.
The AliyunServiceRoleForEventBridgeSendToRabbitMQ service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ access policy. The policy document is as follows:
{
"Version":"1",
"Statement":[
{
"Action":[
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:CreateExchange",
"amqp:GetExchange",
"amqp:CreateQueue",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicPublish",
"amqp:BasicAck",
"amqp:BasicNack"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceKafka
The AliyunServiceRoleForEventBridgeSourceKafka service-linked role grants EventBridge permissions to access resources in ApsaraMQ for Kafka.
The AliyunServiceRoleForEventBridgeSourceKafka service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceKafka access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToKafka
The AliyunServiceRoleForEventBridgeSendToKafka service-linked role grants EventBridge the permission to publish messages to ApsaraMQ for Kafka.
The AliyunServiceRoleForEventBridgeSendToKafka service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToKafka access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRDS
The AliyunServiceRoleForEventBridgeSendToRDS service-linked role grants EventBridge the permission to deliver data to ApsaraDB RDS.
The AliyunServiceRoleForEventBridgeSendToRDS service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToRDS access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDatabases",
"rds:DescribeAccounts"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceCMS
The AliyunServiceRoleForEventBridgeSourceCMS service-linked role grants EventBridge permissions to access resources in Cloud Monitor.
The AliyunServiceRoleForEventBridgeSourceCMS service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceCMS access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:DescribeSystemEventAttribute",
"cms:DescribeSystemEventCount",
"cms:DescribeSystemEventHistogram"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSAE
The AliyunServiceRoleForEventBridgeSendToSAE service-linked role grants EventBridge the permission to deliver data to Serverless App Engine (SAE).
The AliyunServiceRoleForEventBridgeSendToSAE service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToSAE access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"sae:ExecJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceMqtt
The AliyunServiceRoleForEventBridgeSourceMqtt service-linked role grants EventBridge permissions to access resources in Message Queue for MQTT.
The AliyunServiceRoleForEventBridgeSourceMqtt service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSourceMqtt access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Action": [
"mq:SUB"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToMqtt
The AliyunServiceRoleForEventBridgeSendToMqtt service-linked role grants EventBridge the permission to publish messages to ApsaraMQ for MQTT.
The AliyunServiceRoleForEventBridgeSendToMqtt service-linked role is granted the AliyunServiceRolePolicyForEventBridgeSendToMqtt access policy. The policy document is as follows:
{
"Version": "1",
"Statement": [
{
"Effect":"Allow",
"Action":[
"mq:MqttInstanceAccess"
],
"Resource": "*"
},
{
"Action": [
"mq:PUB"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-mqtt.eventbridge.aliyuncs.com"
}
}
}
]
}
Precautions
If a service-linked role is deleted, EventBridge can no longer publish events to the corresponding Alibaba Cloud service. Exercise caution when you delete service-linked roles. To use the feature again, you must recreate the role. For more information, see Create a service-linked role.
For more information about how to delete a service-linked role, see Delete a service-linked role.
FAQ
Q: Why can't my Resource Access Management (RAM) user automatically create a service-linked role for EventBridge?
A: RAM users inherit the service-linked role from their Alibaba Cloud account. If a RAM user does not inherit the role, you can log on to the RAM console to add a custom policy to the RAM user. The policy document is as follows:
{
"Version":"1",
"Statement":[
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"acs:ram:*:Alibaba Cloud account ID:role/*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":[
"sendevent-fc.eventbridge.aliyuncs.com",
"sendevent-mns.eventbridge.aliyuncs.com",
"sendevent-sms.eventbridge.aliyuncs.com",
"sendevent-directmail.eventbridge.aliyuncs.com",
"source-rocketmq.eventbridge.aliyuncs.com",
"source-mns.eventbridge.aliyuncs.com",
"source-cms.eventbridge.aliyuncs.com",
"source-mqtt.eventbridge.aliyuncs.com",
"source-sls.eventbridge.aliyuncs.com",
"sendevent-sae.eventbridge.aliyuncs.com",
"sendevent-rocketmq.eventbridge.aliyuncs.com",
"connect-vpc.eventbridge.aliyuncs.com",
"source-actiontrail.eventbridge.aliyuncs.com",
"source-rabbitmq.eventbridge.aliyuncs.com",
"sendevent-rabbitmq.eventbridge.aliyuncs.com",
"source-kafka.eventbridge.aliyuncs.com",
"sendevent-kafka.eventbridge.aliyuncs.com",
"sendevent-rds.eventbridge.aliyuncs.com",
"sendevent-arms.eventbridge.aliyuncs.com",
"sendevent-mqtt.eventbridge.aliyuncs.com"
]
}
}
}
]
}
Replace Alibaba Cloud account ID with your actual Alibaba Cloud account ID.
If your RAM user still cannot automatically create the service-linked role after you grant this access policy, you can grant the AliyunEventBridgeFullAccess policy to the RAM user. For more information about access policies, see Access policies and examples.
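The custom policy in the FAQ allows role creation for every listed integration. As an added example (not from the Alibaba Cloud documentation), this Python sketch emits the same statement restricted to the integrations a RAM user actually needs. The function name, the digits-only account ID check and the sample account ID are assumptions made for this illustration.

```python
import json
import re

SUFFIX = ".eventbridge.aliyuncs.com"

# ram:ServiceName values copied from the FAQ policy on this page.
KNOWN_SERVICE_NAMES = {prefix + SUFFIX for prefix in """
    sendevent-fc sendevent-mns sendevent-sms sendevent-directmail
    source-rocketmq source-mns source-cms source-mqtt source-sls
    sendevent-sae sendevent-rocketmq connect-vpc source-actiontrail
    source-rabbitmq sendevent-rabbitmq source-kafka sendevent-kafka
    sendevent-rds sendevent-arms sendevent-mqtt
""".split()}


def build_create_slr_policy(account_id, service_names):
    """Build the FAQ's CreateServiceLinkedRole policy for a subset of services."""
    # Assumption: an Alibaba Cloud account ID consists of digits only.
    if not re.fullmatch(r"[0-9]+", account_id):
        raise ValueError("account ID must contain digits only")
    requested = set(service_names)
    if not requested:
        raise ValueError("at least one ram:ServiceName is required")
    unknown = requested - KNOWN_SERVICE_NAMES
    if unknown:
        # Catches typos before they end up in an attached policy.
        raise ValueError(f"not in the FAQ policy: {sorted(unknown)}")
    return {
        "Version": "1",
        "Statement": [{
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": sorted(requested)}},
        }],
    }


if __name__ == "__main__":
    # Constructed sample: a user who only routes events to Function Compute
    # and needs VPC connectivity. The account ID is a placeholder.
    needed = ["sendevent-fc" + SUFFIX, "connect-vpc" + SUFFIX]
    print(json.dumps(build_create_slr_policy("1234567890123456", needed), indent=2))
```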