ApsaraMQ for RocketMQ: Service-linked roles

Last Updated: Apr 08, 2024

An Alibaba Cloud service may require access to other Alibaba Cloud services to enable a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. In most cases, a service-linked role is automatically created when you perform an operation. If a service-linked role fails to be created or cannot be automatically created by ApsaraMQ for RocketMQ, you must manually create the role.

Background information

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.

Supported service-linked roles

ApsaraMQ for RocketMQ provides the AliyunServiceRoleForOns service-linked role. The first time you use a related feature, the system automatically creates the role.

For example, the first time you use the dashboard feature of ApsaraMQ for RocketMQ, the system automatically creates the AliyunServiceRoleForOns service-linked role.

Role name: AliyunServiceRoleForOns

Attached policy: AliyunServiceRolePolicyForOns

Permission: ApsaraMQ for RocketMQ can assume this role to obtain the permissions that are defined in the attached policy. The policy document is shown in the next section.

Policy document

AliyunServiceRoleForOns

The following code shows the AliyunServiceRolePolicyForOns policy that is attached to the AliyunServiceRoleForOns service-linked role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:DescribeMetricRuleList",
                "cms:DescribeMetricList",
                "cms:DescribeMetricData"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:OpenVCluster",
                "arms:ListDashboards",
                "arms:CheckServiceStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ons.aliyuncs.com"
                }
            }
        }
    ]
}

View the details of a service-linked role

After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the policy attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

For more information about how to view a service-linked role, see View the information about a RAM role.

Delete a service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

FAQ

Why is my RAM user unable to automatically create the AliyunServiceRoleForOns service-linked role for ApsaraMQ for RocketMQ?

If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and add the following policy:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ons.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

Note

Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.
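The two policy documents on this page (the AliyunServiceRolePolicyForOns system policy above and the RAM user policy in this FAQ) both rely on the ram:ServiceName condition to pin a ram:* permission to ons.aliyuncs.com. The following added example, which is not Alibaba Cloud's code and not the RAM evaluation engine, is a minimal evaluator for this style of policy document: it substitutes a constructed account ID into the FAQ policy and then checks which action, resource and service-name combinations each policy grants, plus an audit helper that flags ram:* statements that lack the ram:ServiceName condition. It assumes Alibaba Cloud account IDs are 16-digit numbers and supports only the constructs these two policies use (Action as string or list, wildcard matching, Allow/Deny with Deny winning, and StringEquals).

```python
"""
Minimal evaluator for RAM-style policy documents. Added example, not Alibaba
Cloud's own evaluation engine (which also honours policy versions, resource
groups and many other condition operators). It supports only what the two
policies on this page use: Action as string or list, wildcard matching on
Action and Resource, Effect Allow/Deny with Deny winning, and StringEquals.
"""
import copy
import fnmatch
import json
import re

# Policy attached to the AliyunServiceRoleForOns service-linked role (from the page).
SERVICE_LINKED_ROLE_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList",
                    "cms:DescribeMetricData"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["arms:OpenVCluster", "arms:ListDashboards",
                    "arms:CheckServiceStatus"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}}
    ]
}
""")

# Template of the policy the FAQ tells you to attach to a RAM user (from the
# page); the placeholder is replaced by build_user_policy().
USER_POLICY_TEMPLATE = {
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}},
    }],
    "Version": "1",
}


def build_user_policy(account_id: str) -> dict:
    """Substitute the account ID into the FAQ policy. Assumption: account IDs
    are 16-digit numbers; rejecting anything else stops a typo from silently
    producing a resource ARN that never matches."""
    if not re.fullmatch(r"\d{16}", account_id):
        raise ValueError("Alibaba Cloud account IDs are expected to be 16-digit numbers")
    policy = copy.deepcopy(USER_POLICY_TEMPLATE)
    for stmt in policy["Statement"]:
        stmt["Resource"] = stmt["Resource"].replace("Alibaba Cloud account ID", account_id)
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Only StringEquals is implemented; an unknown operator never matches,
    which is the safe failure direction for an audit tool."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context=None) -> bool:
    """True if the policy grants `action` on `resource` under `context`
    (e.g. {"ram:ServiceName": "ons.aliyuncs.com"}). An explicit Deny overrides
    any Allow; no matching statement means the request is denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unconditioned_ram_statements(policy: dict) -> list:
    """Audit helper: Allow statements granting any ram:* action without
    pinning it to a service via the ram:ServiceName condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        ram_actions = [a for a in _as_list(stmt["Action"]) if a.startswith("ram:")]
        pinned = "ram:ServiceName" in stmt.get("Condition", {}).get("StringEquals", {})
        if ram_actions and not pinned:
            findings.append(ram_actions)
    return findings


if __name__ == "__main__":
    user_policy = build_user_policy("1234567890123456")  # constructed sample account ID
    arn = "acs:ram::1234567890123456:role/AliyunServiceRoleForOns"  # constructed
    print(is_allowed(user_policy, "ram:CreateServiceLinkedRole", arn,
                     {"ram:ServiceName": "ons.aliyuncs.com"}))  # True
    print(is_allowed(user_policy, "ram:CreateServiceLinkedRole", arn,
                     {"ram:ServiceName": "ecs.aliyuncs.com"}))  # False: other service
    print(is_allowed(SERVICE_LINKED_ROLE_POLICY, "ram:DeleteServiceLinkedRole", "*"))  # False: no service name
    print(unconditioned_ram_statements(SERVICE_LINKED_ROLE_POLICY))  # []
```

The evaluator makes the scoping visible: the user policy lets a RAM user create service-linked roles only in its own account and only for ons.aliyuncs.com, and the system policy lets the role delete itself only under the same condition, while monitoring actions outside the listed cms:/arms: set stay denied. Run the audit helper against a policy of your own to spot ram:* grants that are missing that pin.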

If your RAM user cannot automatically create the service-linked role after the policy is attached to the RAM user, attach one of the following policies to the RAM user:

  • AliyunMQFullAccess

  • AliyunMQPubOnlyAccess

  • AliyunMQSubOnlyAccess

For more information about the preceding policies, see System policies.