ApsaraMQ for RabbitMQ uses service-linked roles to access other Alibaba Cloud services on your behalf. Each role is a Resource Access Management (RAM) role that the system creates automatically when you first use the corresponding feature. For general information, see Service-linked roles.
Roles and permissions
ApsaraMQ for RabbitMQ provides four service-linked roles. Each role grants the minimum permissions required for a specific feature.
| Role | Service name | Feature | Accessed services |
|---|---|---|---|
| AliyunServiceRoleForAmqpMonitoring | monitoring.amqp.aliyuncs.com | Monitoring and alerting, Dashboard | CloudMonitor, Application Real-Time Monitoring Service (ARMS) |
| AliyunServiceRoleForAmqpLogDelivery | logdelivery.amqp.aliyuncs.com | Message log management | Simple Log Service |
| AliyunServiceRoleForAmqpNetwork | network.amqp.aliyuncs.com | VPC access | PrivateLink, VPC, ECS |
| AliyunServiceRoleForAmqpEncrypt | encrypt.amqp.aliyuncs.com | Encryption at rest | Key Management Service (KMS) |
When roles are created
The system creates most service-linked roles automatically when you first use the corresponding feature in the ApsaraMQ for RabbitMQ console. The system notifies you when a role is created.
The encryption role (AliyunServiceRoleForAmqpEncrypt) is an exception: the system creates it when you purchase an exclusive instance that supports encryption at rest, and notifies you that the role is created. RAM users can also create this role by calling the CreateServiceLinkedRole API operation.
Policy details
Each service-linked role has an attached policy that defines the actions it may perform. The following sections summarize the allowed actions for each role and then give the full policy JSON. Note that every statement in these policies applies to all resources (Resource "*", or acs:kms:*:*:* for the encryption role); the only narrowing is through the conditions shown, so read the conditions carefully when you audit what each role can reach.
AliyunServiceRoleForAmqpMonitoring
Reads CloudMonitor metrics and manages ARMS dashboards.
Allowed actions:

- cms:DescribeMetricRuleList, cms:DescribeMetricList, cms:DescribeMetricData on all resources
- arms:OpenVCluster, arms:ListDashboards, arms:CheckServiceStatus on all resources
- ram:DeleteServiceLinkedRole, restricted to the service name monitoring.amqp.aliyuncs.com

Full policy JSON

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:OpenVCluster",
        "arms:ListDashboards",
        "arms:CheckServiceStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
```

AliyunServiceRoleForAmqpLogDelivery
Lists Simple Log Service projects and logstores, and writes log data.
Allowed actions:

- log:ListProject, log:ListLogStores, log:PostLogStoreLogs on all resources
- ram:DeleteServiceLinkedRole, restricted to the service name logdelivery.amqp.aliyuncs.com

Full policy JSON

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListProject",
        "log:ListLogStores",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
```

AliyunServiceRoleForAmqpNetwork
Manages PrivateLink endpoints, queries VPC and vSwitch attributes, and manages ECS security groups. Note that the ECS statement is not scoped: the role can create and delete security groups on any resource in the account, not only in the VPC that the instance is attached to. The role can also create the PrivateLink service-linked role (ram:CreateServiceLinkedRole for privatelink.aliyuncs.com), which PrivateLink needs before an endpoint can be created.

Allowed actions:

- 15 PrivateLink actions on all resources, including CreateVpcEndpoint, DeleteVpcEndpoint, ListVpcEndpoints, and zone and security group management for endpoints
- vpc:DescribeVpcAttribute, vpc:DescribeVpcs, vpc:ListVSwitchCidrReservations, vpc:GetVSwitchCidrReservationUsage, vpc:DescribeVSwitches, vpc:DescribeVSwitchAttributes on all resources
- Ecs:CreateSecurityGroup, Ecs:DeleteSecurityGroup, Ecs:DescribeSecurityGroupAttribute, Ecs:DescribeSecurityGroups on all resources
- ram:DeleteServiceLinkedRole, restricted to the service name network.amqp.aliyuncs.com
- ram:CreateServiceLinkedRole, restricted to the service name privatelink.aliyuncs.com

Full policy JSON

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:GetVpcEndpointServiceAttribute",
        "privatelink:ListVpcEndpointServices",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:CreateVpcEndpoint",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVpcs",
        "vpc:ListVSwitchCidrReservations",
        "vpc:GetVSwitchCidrReservationUsage",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "Ecs:CreateSecurityGroup",
        "Ecs:DeleteSecurityGroup",
        "Ecs:DescribeSecurityGroupAttribute",
        "Ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "network.amqp.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
```

AliyunServiceRoleForAmqpEncrypt
Lists and describes KMS keys, manages key tags, and performs encrypt, decrypt and data-key generation on keys that carry the tag acs:rabbitmq:instance-encryption = true (compared case-insensitively). The tag condition is what keeps the service away from your other KMS keys, so keep that tag reserved for keys you intend ApsaraMQ for RabbitMQ to use. Note that kms:TagResource and kms:UntagResource are granted on all keys without a condition: the tag controls which keys the service uses, but this role could in principle tag a key itself, so the condition should not be read as a hard boundary enforced by something outside the role.

Allowed actions:

- kms:List*, kms:DescribeKey, kms:TagResource, kms:UntagResource on all KMS resources (acs:kms:*:*:*)
- kms:Encrypt, kms:Decrypt, kms:GenerateDataKey on all KMS resources, restricted by the condition kms:tag/acs:rabbitmq:instance-encryption = true
- ram:DeleteServiceLinkedRole, restricted to the service name encrypt.amqp.aliyuncs.com
Full policy JSON

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:rabbitmq:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encrypt.amqp.aliyuncs.com"
        }
      }
    }
  ]
}
```

Delete a service-linked role
Deleting a service-linked role revokes all permissions it grants. The corresponding feature stops working with an insufficient-permissions error until the role exists again, so check that no instance still depends on the feature (for example, encryption at rest on an exclusive instance) before you delete the role.
To recreate a deleted service-linked role:
Create a RAM role for a trusted Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Attach the required permissions to the role. For more information, see Grant permissions to a RAM role.
FAQ
Why can't my RAM user create the service-linked role?
Once a service-linked role exists under your Alibaba Cloud account, RAM users of that account can use it without creating it themselves. If the role does not exist yet and the RAM user lacks permission to create it, grant that permission explicitly:
Log on to the RAM console.
Create a custom policy with the following content:

```json
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:${accountid}:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "logdelivery.amqp.aliyuncs.com",
            "monitoring.amqp.aliyuncs.com",
            "network.amqp.aliyuncs.com",
            "encrypt.amqp.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
```

Replace ${accountid} with the ID of your Alibaba Cloud account. The ram:ServiceName condition limits the grant to the four ApsaraMQ for RabbitMQ service names, so the RAM user cannot use this policy to create service-linked roles for other services.
Attach the custom policy to the RAM user.
If the issue persists after you attach this policy, attach the AliyunAMQPFullAccess system policy to the RAM user instead. That system policy grants full management access to ApsaraMQ, far more than the single action above, so treat it as a last resort and prefer the scoped custom policy where it works. For more information, see Grant permissions to a RAM user.
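The following script is an added example, not Alibaba Cloud's code or an official RAM evaluator. It embeds the AliyunServiceRoleForAmqpEncrypt policy from the Policy details section and builds the FAQ custom policy with ${accountid} substituted, then evaluates sample requests against both, so you can see which conditions bite: the case-insensitive tag check on kms:Decrypt, the unconditional kms:TagResource grant, and the four-service-name restriction on ram:CreateServiceLinkedRole. The account ID and key ARN are made up, and the evaluator models only what these policies use (Allow/Deny, `*` wildcards in Action and Resource, StringEquals and StringEqualsIgnoreCase); treating action names as case-insensitive is an assumption suggested by the mixed-case `Ecs:` entries on this page.

```python
"""Offline evaluator for the RAM policies on this page (added example, not Alibaba Cloud code).

Models only what these policies use: Allow/Deny, '*' wildcards in Action and
Resource, and the StringEquals / StringEqualsIgnoreCase condition operators.
The real RAM engine has more operators; the account ID and key ARN are made up.
"""
import re
from typing import Optional

# Policy of AliyunServiceRoleForAmqpEncrypt, copied from the Policy details section.
ENCRYPT_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rabbitmq:instance-encryption": "true"}}},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "encrypt.amqp.aliyuncs.com"}}},
    ],
}

AMQP_SERVICE_NAMES = [
    "logdelivery.amqp.aliyuncs.com", "monitoring.amqp.aliyuncs.com",
    "network.amqp.aliyuncs.com", "encrypt.amqp.aliyuncs.com",
]


def faq_policy(account_id: str) -> dict:
    """The FAQ custom policy with ${accountid} filled in."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": AMQP_SERVICE_NAMES}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match a RAM-style pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition: dict, context: dict) -> bool:
    """Condition keys are ANDed; the listed values for one key are ORed; a missing key fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            candidates = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in candidates
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [c.lower() for c in candidates]
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Assumption: action names compare case-insensitively (the page writes "Ecs:");
        # resource ARNs are compared case-sensitively.
        if not any(_glob(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource, False) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


KEY = "acs:kms:cn-hangzhou:1234567890123456:key/0000-made-up-key"  # constructed ARN
TAGGED = {"kms:tag/acs:rabbitmq:instance-encryption": "True"}        # matches via IgnoreCase

if __name__ == "__main__":
    print(is_allowed(ENCRYPT_POLICY, "kms:Decrypt", KEY, TAGGED))   # True
    print(is_allowed(ENCRYPT_POLICY, "kms:Decrypt", KEY))           # False: key not tagged
    print(is_allowed(ENCRYPT_POLICY, "kms:TagResource", KEY))       # True: no condition
    policy = faq_policy("1234567890123456")
    print(is_allowed(policy, "ram:CreateServiceLinkedRole",
                     "acs:ram::1234567890123456:role/AliyunServiceRoleForAmqpEncrypt",
                     {"ram:ServiceName": "encrypt.amqp.aliyuncs.com"}))   # True
    print(is_allowed(policy, "ram:CreateServiceLinkedRole",
                     "acs:ram::1234567890123456:role/AliyunServiceRoleForPrivatelink",
                     {"ram:ServiceName": "privatelink.aliyuncs.com"}))    # False
```

Run it with python3; the last two checks show that the FAQ policy lets the RAM user create only the four ApsaraMQ for RabbitMQ roles and, because the account ID sits inside the Resource ARN, only in the account you substituted. Drop a policy under audit into the same structure to see which of its grants carry no condition at all.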