ApsaraMQ for RabbitMQ:Service-linked roles

Last Updated:Jun 19, 2024

This topic describes the background information, policies, usage notes, and FAQ about the service-linked roles of ApsaraMQ for RabbitMQ.

Background information

An Alibaba Cloud service may require access to other Alibaba Cloud services to enable a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. The first time you use the feature in the console of the Alibaba Cloud service, the system creates the service-linked role and notifies you that the service-linked role is created. For more information, see Service-linked roles.

The following list describes the service-linked roles provided by ApsaraMQ for RabbitMQ.

  • AliyunServiceRoleForAmqpMonitoring: ApsaraMQ for RabbitMQ can assume this RAM role to obtain the permissions to access CloudMonitor and Application Real-Time Monitoring Service (ARMS) to implement the monitoring and alerting feature and the dashboard feature. The first time you use the monitoring and alerting feature or the dashboard feature in the ApsaraMQ for RabbitMQ console, the system creates this role and notifies you that the role is created. For more information, see Monitoring and alerting and Dashboard.

  • AliyunServiceRoleForAmqpLogDelivery: ApsaraMQ for RabbitMQ can assume this RAM role to obtain the permissions to access Simple Log Service to implement the message log management feature. The first time you use the message log management feature in the ApsaraMQ for RabbitMQ console, the system creates this role and notifies you that the role is created. For more information, see Configure message logs.

  • AliyunServiceRoleForAmqpNetwork: ApsaraMQ for RabbitMQ can assume this RAM role to obtain the permissions to access PrivateLink to implement the virtual private cloud (VPC) feature. The first time you use the VPC feature in the ApsaraMQ for RabbitMQ console, the system creates this role and notifies you that the role is created.

Policies

  • Policies attached to the AliyunServiceRoleForAmqpMonitoring role

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "cms:DescribeMetricRuleList",
                    "cms:DescribeMetricList",
                    "cms:DescribeMetricData"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:OpenVCluster",
                    "arms:ListDashboards",
                    "arms:CheckServiceStatus"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }

  • Policies attached to the AliyunServiceRoleForAmqpLogDelivery role

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:ListProject",
                    "log:ListLogStores",
                    "log:PostLogStoreLogs"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }

  • Policies attached to the AliyunServiceRoleForAmqpNetwork role

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:GetVpcEndpointServiceAttribute",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:DeleteVpcEndpoint",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:ListVpcEndpointServicesByEndUser",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:AttachSecurityGroupToVpcEndpoint",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVpcAttribute",
                    "vpc:DescribeVpcs",
                    "vpc:ListVSwitchCidrReservations",
                    "vpc:GetVSwitchCidrReservationUsage",
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVSwitchAttributes",
                    "Ecs:CreateSecurityGroup",
                    "Ecs:DeleteSecurityGroup",
                    "Ecs:DescribeSecurityGroupAttribute",
                    "Ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "network.amqp.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                }
            }
        ]
    }

Usage notes

If you delete a service-linked role that the system created, the related feature stops working because ApsaraMQ for RabbitMQ no longer has the permissions it needs. Proceed with caution when you delete a service-linked role. For information about how to recreate a service-linked role and grant the required permissions to the role, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

FAQ

Why is the system unable to create the AliyunServiceRoleForAmqpMonitoring or AliyunServiceRoleForAmqpLogDelivery role of ApsaraMQ for RabbitMQ for my RAM user?

If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role from your Alibaba Cloud account. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:${accountid}:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.amqp.aliyuncs.com",
                        "monitoring.amqp.aliyuncs.com",
                        "network.amqp.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

Note: Replace ${accountid} with the ID of your Alibaba Cloud account.

If the system still cannot create the service-linked role for your RAM user after you attach the required policy to the RAM user, attach the AliyunAMQPFullAccess policy to the RAM user. For more information, see Grant permissions to a RAM user.
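The point that the role policies in the Policies section and the custom policy in this FAQ answer share is that every statement granting ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole is pinned to specific service names through a StringEquals condition on ram:ServiceName, so the grant cannot be used against other service-linked roles in the account. The following Python script is an added example, not code from Alibaba Cloud or from this page: it parses RAM policy documents, flags wildcard actions, flags service-linked-role actions that lack the ram:ServiceName condition or name an unexpected service, and refuses a custom policy in which the ${accountid} placeholder was never replaced. The embedded AliyunServiceRoleForAmqpLogDelivery policy and the custom policy template are copied from this page; the loosened variant and the sample account ID are constructed for the demonstration, and the function names are the example's own.

```python
"""Audit RAM policy documents for service-linked-role hygiene (added example)."""
import json

# Actions that create or delete service-linked roles. A statement granting these
# should always be scoped to named services via the ram:ServiceName condition.
SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}

# The ram:ServiceName values used by the three ApsaraMQ for RabbitMQ roles.
AMQP_SERVICES = {
    "logdelivery.amqp.aliyuncs.com",
    "monitoring.amqp.aliyuncs.com",
    "network.amqp.aliyuncs.com",
}

# Sample 1: the AliyunServiceRoleForAmqpLogDelivery policy as documented.
LOG_DELIVERY_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Action": ["log:ListProject", "log:ListLogStores", "log:PostLogStoreLogs"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.amqp.aliyuncs.com"}}}
  ]
}"""

# Sample 2 (constructed): the same document with the ram:ServiceName condition
# dropped, which would let the role delete any service-linked role in the account.
_loosened = json.loads(LOG_DELIVERY_POLICY)
del _loosened["Statement"][1]["Condition"]
LOOSENED_POLICY = json.dumps(_loosened)

# Sample 3: the custom policy from the FAQ, still carrying its ${accountid} placeholder.
CUSTOM_POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {"Action": ["ram:CreateServiceLinkedRole"],
     "Resource": "acs:ram:*:${accountid}:role/*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": [
       "logdelivery.amqp.aliyuncs.com", "monitoring.amqp.aliyuncs.com",
       "network.amqp.aliyuncs.com"]}}}
  ]
}"""


def _as_list(value):
    """Policy fields such as Action may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_names(statement):
    """Return the services named by a statement's StringEquals ram:ServiceName condition."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return set(_as_list(cond.get("ram:ServiceName")))


def audit_policy(policy_json, expected_services):
    """Return a list of findings for one policy document; an empty list means it passes.

    expected_services: the ram:ServiceName values this role is meant to manage.
    """
    findings = []
    if "${accountid}" in policy_json:
        findings.append("unreplaced ${accountid} placeholder")
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        findings.append("unexpected Version %r" % (policy.get("Version"),))
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action")))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("statement %d grants a wildcard action" % idx)
        slr = sorted(actions & SLR_ACTIONS)
        if not slr:
            continue
        names = service_names(st)
        if not names:
            findings.append("statement %d: %s without ram:ServiceName condition"
                            % (idx, ", ".join(slr)))
        else:
            extra = sorted(names - set(expected_services))
            if extra:
                findings.append("statement %d: unexpected ram:ServiceName %s" % (idx, extra))
    return findings


def action_prefixes(policy_json):
    """Return the sorted service prefixes (e.g. 'log', 'ram') a policy touches."""
    policy = json.loads(policy_json)
    return sorted({a.split(":", 1)[0].lower()
                   for st in policy.get("Statement", [])
                   for a in _as_list(st.get("Action"))})


def render_custom_policy(template, account_id):
    """Fill in ${accountid}; refuse anything that is not a numeric account ID."""
    if not account_id.isdigit():
        raise ValueError("account ID must be numeric, got %r" % account_id)
    return template.replace("${accountid}", account_id)


if __name__ == "__main__":
    for label, doc in [("log delivery", LOG_DELIVERY_POLICY),
                       ("loosened", LOOSENED_POLICY),
                       ("custom template", CUSTOM_POLICY_TEMPLATE)]:
        print(label, action_prefixes(doc), audit_policy(doc, AMQP_SERVICES) or "OK")
```

For the AliyunServiceRoleForAmqpNetwork policy, pass an expected set that also contains privatelink.aliyuncs.com, since that role legitimately creates the PrivateLink service-linked role; auditing it against AMQP_SERVICES alone would report that statement as unexpected, which is the check doing its job rather than a defect in the policy.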