ApsaraMQ for RocketMQ:Service-linked roles for ApsaraMQ for RocketMQ

Last Updated: Mar 11, 2026

ApsaraMQ for RocketMQ uses a service-linked role to access other Alibaba Cloud services on your behalf. This is a Resource Access Management (RAM) role that grants only the permissions the service requires. Only ApsaraMQ for RocketMQ can assume this role, and you do not need to configure the permissions manually.

How it works

When you first use a feature that requires cross-service access, such as the dashboard, ApsaraMQ for RocketMQ automatically creates the AliyunServiceRoleForOns service-linked role. All subsequent features that require cross-service access reuse this role. No additional roles are created.

If automatic creation fails, create the role manually. See FAQ for troubleshooting.

Permissions

The AliyunServiceRoleForOns role uses the AliyunServiceRolePolicyForOns policy, which grants the following permissions:

Permission | Service | Purpose
cms:DescribeMetricRuleList, cms:DescribeMetricList, cms:DescribeMetricData | CloudMonitor | Monitoring and alerting
arms:OpenVCluster, arms:ListDashboards, arms:CheckServiceStatus | Managed Service for Prometheus | Dashboard
ram:DeleteServiceLinkedRole | RAM | Self-deletion of the service-linked role (scoped to ons.aliyuncs.com)

RAM provides a system policy for each service-linked role. You cannot modify system policies. For more information, see System policy reference.

Policy document

The following JSON shows the AliyunServiceRolePolicyForOns policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:DescribeMetricRuleList",
                "cms:DescribeMetricList",
                "cms:DescribeMetricData"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:OpenVCluster",
                "arms:ListDashboards",
                "arms:CheckServiceStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ons.aliyuncs.com"
                }
            }
        }
    ]
}

View role details

After the role is created, you can view its details in the RAM console:

  • Basic Information: Role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permissions tab: Click the policy name to view the policy document.

  • Trust Policy tab: The Service field identifies the cloud service that can assume the role.

Note

The policy attached to a service-linked role does not appear on the Policies page in the RAM console. View it from the role details page instead.

For more information, see View the information about a RAM role.

Delete a service-linked role

Important

Deleting the service-linked role disables all features that depend on it, including monitoring, alerting, and the dashboard. Proceed with caution.

If you no longer use ApsaraMQ for RocketMQ or want to delete your Alibaba Cloud account, delete the service-linked role in the RAM console.

For step-by-step instructions, see Delete a RAM role.

FAQ

Why is my RAM user unable to create the AliyunServiceRoleForOns role automatically?

If the Alibaba Cloud account already has the role, RAM users under that account inherit it. If a RAM user does not inherit the role, add the following custom policy to the RAM user in the RAM console:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<Alibaba-Cloud-account-ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ons.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

Note

Replace <Alibaba-Cloud-account-ID> with the ID of your Alibaba Cloud account.
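The two policy documents on this page (the AliyunServiceRolePolicyForOns policy in the Policy document section and the ram:CreateServiceLinkedRole policy above) are the kind of artifact a reviewer wants to check before trusting or attaching them: which services the role can call, and whether the ram:* actions stay tied to ons.aliyuncs.com by the ram:ServiceName condition. The following script is an added example, not Alibaba Cloud's documentation or SDK code. It embeds both policies as copied from the page, parses them with the standard library, groups the allowed actions by service, and flags a missing ram:ServiceName condition, a wildcard action, or an unreplaced <Alibaba-Cloud-account-ID> placeholder. The 16-digit check on the account ID and the sample account ID 1234567890123456 are assumptions of this example.

```python
"""Offline checks for the two RAM policy documents on this page (added example)."""
import json
import re

# Copied from the page: the policy attached to AliyunServiceRoleForOns.
SERVICE_ROLE_POLICY = """{"Version": "1", "Statement": [
  {"Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList", "cms:DescribeMetricData"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["arms:OpenVCluster", "arms:ListDashboards", "arms:CheckServiceStatus"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}}]}"""

# Copied from the page's FAQ: the custom policy that lets a RAM user create the role.
CREATE_ROLE_POLICY_TEMPLATE = """{"Statement": [
  {"Action": ["ram:CreateServiceLinkedRole"],
   "Resource": "acs:ram:*:<Alibaba-Cloud-account-ID>:role/*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}}], "Version": "1"}"""

# ram:* actions that must stay tied to the ApsaraMQ for RocketMQ service principal.
SENSITIVE_RAM_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}
EXPECTED_SERVICE = "ons.aliyuncs.com"
PLACEHOLDER = "<Alibaba-Cloud-account-ID>"


def load_policy(text: str) -> dict:
    """Parse a RAM policy document (RAM policies use "Version": "1")."""
    doc = json.loads(text)
    if doc.get("Version") != "1" or not isinstance(doc.get("Statement"), list):
        raise ValueError("not a RAM policy document")
    return doc


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def actions_by_service(policy: dict) -> dict:
    """Group Allow actions by service prefix, e.g. {'cms': {...}, 'arms': {...}, 'ram': {...}}."""
    grouped = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            grouped.setdefault(service, set()).add(action)
    return grouped


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        sensitive = sorted(SENSITIVE_RAM_ACTIONS & set(actions))
        if sensitive:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("ram:ServiceName") != EXPECTED_SERVICE:
                findings.append(
                    f"statement {i}: {sensitive} not restricted to ram:ServiceName={EXPECTED_SERVICE}"
                )
        if any(PLACEHOLDER in r for r in resources):
            findings.append(f"statement {i}: placeholder {PLACEHOLDER} not replaced in Resource")
    return findings


def render_create_role_policy(account_id: str) -> dict:
    """Fill in the FAQ policy's account ID and refuse to return a policy that fails lint."""
    # Assumption of this example: Alibaba Cloud account IDs are 16-digit numeric strings.
    if not re.fullmatch(r"[0-9]{16}", account_id):
        raise ValueError("account_id must be a 16-digit Alibaba Cloud account ID")
    policy = load_policy(CREATE_ROLE_POLICY_TEMPLATE.replace(PLACEHOLDER, account_id))
    findings = lint_policy(policy)
    if findings:
        raise ValueError("; ".join(findings))
    return policy


if __name__ == "__main__":
    role_policy = load_policy(SERVICE_ROLE_POLICY)
    for service, acts in sorted(actions_by_service(role_policy).items()):
        print(f"{service}: {', '.join(sorted(acts))}")
    print("service role findings:", lint_policy(role_policy) or "none")
    print("template findings:", lint_policy(load_policy(CREATE_ROLE_POLICY_TEMPLATE)))
    # Constructed sample account ID, not a real account.
    print(render_create_role_policy("1234567890123456")["Statement"][0]["Resource"])
```

Run as-is, the script lists the cms, arms and ram actions the role holds, reports no findings for the service-linked role policy, reports the unreplaced placeholder for the FAQ template, and prints the Resource ARN with the sample account ID filled in. The same lint_policy check, run on the rendered JSON before it is attached to a RAM user, catches the two mistakes that widen the grant: forgetting to replace the placeholder and dropping the ram:ServiceName condition.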

If the RAM user still cannot create the role after you attach this policy, attach one of the following system policies:

  • AliyunMQFullAccess

  • AliyunMQPubOnlyAccess

  • AliyunMQSubOnlyAccess

For details, see System policies.