
ApsaraMQ for RocketMQ: Service-linked roles

Last Updated: Nov 11, 2024

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. In most cases, the system automatically creates a service-linked role when you perform an operation. If the system fails to create a service-linked role or ApsaraMQ for RocketMQ does not support the automatic creation of a service-linked role, you must manually create the role.

Background information

RAM provides a system policy for each service-linked role. You cannot modify the policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.

Supported service-linked roles

ApsaraMQ for RocketMQ provides the service-linked roles that are included in the following table. The first time you use a feature, the system automatically creates the corresponding role.

For example, the first time you use the dashboard feature of ApsaraMQ for RocketMQ, the system automatically creates the service-linked role AliyunServiceRoleForOns.

The table lists each role with its attached policy and the permission it grants.

  • Role name: AliyunServiceRoleForOns

    Attached policy: AliyunServiceRolePolicyForOns

    Permission: ApsaraMQ for RocketMQ can assume this role to obtain the following permissions:

  • Role name: AliyunServiceRoleForRMQMigration

    Attached policy: AliyunServiceRolePolicyForRMQMigration

    Permission: ApsaraMQ for RocketMQ can assume this RAM role to obtain the permissions to access virtual private clouds (VPCs) to migrate self-managed Apache RocketMQ clusters to ApsaraMQ for RocketMQ instances.

  • Role name: AliyunServiceRoleForRMQDisasterRecovery

    Attached policy: AliyunServiceRolePolicyForRMQDisasterRecovery

    Permission: ApsaraMQ for RocketMQ can assume this role to access EventBridge to implement the global message backup feature.

  • Role name: AliyunServiceRoleForRMQ

    Attached policy: AliyunServiceRolePolicyForRMQ

    Permission: The default policy attached to ApsaraMQ for RocketMQ 5.x instances. When you create an ApsaraMQ for RocketMQ 5.x instance, the system automatically attaches the AliyunServiceRolePolicyForRMQ policy to the instance.

Policy document

  • AliyunServiceRoleForOns

    The following code provides the document of the AliyunServiceRolePolicyForOns policy that is attached to the service-linked role AliyunServiceRoleForOns:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "cms:DescribeMetricRuleList",
            "cms:DescribeMetricList",
            "cms:DescribeMetricData"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "arms:OpenVCluster",
            "arms:ListDashboards",
            "arms:CheckServiceStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ons.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForRMQMigration

    The following code provides the document of the AliyunServiceRolePolicyForRMQMigration policy that is attached to the service-linked role AliyunServiceRoleForRMQMigration:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:DeleteVpcEndpoint",
            "privatelink:AttachSecurityGroupToVpcEndpoint",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:DetachSecurityGroupFromVpcEndpoint"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "migration.rmq.aliyuncs.com"
            }
          }
        },
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "privatelink.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForRMQDisasterRecovery

    The following code provides the document of the AliyunServiceRolePolicyForRMQDisasterRecovery policy that is attached to the service-linked role AliyunServiceRoleForRMQDisasterRecovery:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eventbridge:ListEventStreamings",
            "eventbridge:DeleteEventStreaming",
            "eventbridge:CreateEventStreaming",
            "eventbridge:StartEventStreaming",
            "eventbridge:UpdateEventStreaming",
            "eventbridge:PauseEventStreaming",
            "eventbridge:GetEventStreaming",
            "Ecs:DescribeSecurityGroups"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "disaster-recovery.rmq.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForRMQ

    The following code provides the document of the AliyunServiceRolePolicyForRMQ policy that is attached to the service-linked role AliyunServiceRoleForRMQ:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:DeleteVpcEndpoint",
            "privatelink:AttachSecurityGroupToVpcEndpoint",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:DetachSecurityGroupFromVpcEndpoint",
            "privatelink:UpdateVpcEndpointZoneConnectionResourceAttribute",
            "Ecs:CreateSecurityGroup",
            "Ecs:DeleteSecurityGroup",
            "Ecs:DescribeSecurityGroupAttribute",
            "Ecs:DescribeSecurityGroups",
            "kms:DescribeRegions",
            "kms:GetKmsInstance",
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:ListResourceTags",
            "kms:DescribeKey",
            "kms:TagResource",
            "kms:UntagResource"
          ],
          "Resource": "*"
        },
        {
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "kms:tag/acs:rocketmq:instance-encryption": "true"
            }
          }
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "rmq.aliyuncs.com"
            }
          }
        },
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "privatelink.aliyuncs.com"
            }
          }
        }
      ]
    }

View the details of a service-linked role

After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:

  • Basic information

    In the Basic Information section, you can view the basic information about the role. The basic information includes the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the policy attached to a service-linked role on the Policies page in the RAM console. You can view the policy only on the role details page.

  • Trust policy

    On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entity of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

For more information about how to view information about a service-linked role, see View the information about a RAM role.

Delete a service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Security Center for an extended period of time or you want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

FAQ

Why is the service-linked role AliyunServiceRoleForOns for ApsaraMQ for RocketMQ not automatically created for my RAM user?

If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and add the following permission policy:

{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

Note

Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.
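Whether the role gets created for a RAM user comes down to whether the user's request matches an Allow statement whose ram:ServiceName condition names the right service, and the same condition pattern is what keeps the policies in the Policy document section narrow (ram:DeleteServiceLinkedRole scoped to one service, kms:Decrypt scoped to keys carrying the acs:rocketmq:instance-encryption tag). The following is an added example, not Alibaba Cloud's code: a minimal evaluator for the policy grammar this page uses (Effect, Action and Resource with * wildcards, StringEquals and StringEqualsIgnoreCase conditions), applied to a constructed copy of the FAQ policy with a placeholder account ID and to a constructed subset of AliyunServiceRolePolicyForRMQ, plus a lint that flags service-linked-role statements lacking a ram:ServiceName condition. The account ID, the key ARN, the region-less role ARN format, case-insensitive action matching, and the implicit-deny / explicit-deny-wins decision rule are assumptions modelled after RAM's documented behaviour, not copied from it; real RAM supports more operators.

```python
"""Minimal evaluator for the RAM policy documents shown on this page.

Added example, not Alibaba Cloud code. It models only what the page uses:
Effect, Action (string or list, '*' wildcards), Resource ('*' wildcards) and
Condition with StringEquals / StringEqualsIgnoreCase. Decision rule modelled
after RAM: implicit deny, some Allow statement must match, an explicit Deny
wins. Real RAM has more operators; this is a documentation aid only.
"""
import fnmatch

ACCOUNT_ID = "123456789012345"  # placeholder account ID, not a real one

# Constructed copy of the FAQ policy with the placeholder filled in.
FAQ_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}},
    }],
}

# Constructed subset of AliyunServiceRolePolicyForRMQ: the KMS key-use
# statement is gated on a tag, the role-deletion statement on the service name.
RMQ_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:ListKeys", "kms:DescribeKey"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase": {
             "kms:tag/acs:rocketmq:instance-encryption": "true"}}},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "rmq.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """Wildcard match of a request value against one or more policy patterns."""
    patterns = _as_list(patterns)
    if fold_case:  # action names treated as case-insensitive (assumption)
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Every condition key must be present in the request context and match."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in _as_list(expected)]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"  # nothing matched yet: implicit deny
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow
        decision = "Allow"
    return decision


def unscoped_slr_statements(policy):
    """Lint: indexes of Allow statements granting ram:*ServiceLinkedRole without
    a ram:ServiceName condition. Every such statement on this page has one; it
    is what stops the role from creating or deleting roles for other services."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower().endswith("servicelinkedrole") for a in _as_list(stmt["Action"])):
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if "ram:ServiceName" not in keys:
            findings.append(i)
    return findings


if __name__ == "__main__":
    role = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForOns"  # region-less role ARN (assumption)
    for svc in ("ons.aliyuncs.com", "rmq.aliyuncs.com"):
        print(svc, evaluate(FAQ_POLICY, "ram:CreateServiceLinkedRole", role,
                            {"ram:ServiceName": svc}))
    key = f"acs:kms:cn-hangzhou:{ACCOUNT_ID}:key/placeholder"  # constructed key ARN
    for tag in ("True", "false"):
        print("kms:Decrypt with tag", tag,
              evaluate(RMQ_POLICY, "kms:Decrypt", key,
                       {"kms:tag/acs:rocketmq:instance-encryption": tag}))
    print("unscoped SLR statements:", unscoped_slr_statements(RMQ_POLICY))
```

Running it shows the FAQ policy allowing ram:CreateServiceLinkedRole only when the request carries ram:ServiceName equal to ons.aliyuncs.com, and denying it for any other service, a different account ID, or a request with no service name at all; the same evaluator shows kms:Decrypt under AliyunServiceRolePolicyForRMQ succeeding only for keys tagged acs:rocketmq:instance-encryption (compared case-insensitively, as the policy's StringEqualsIgnoreCase operator requires). The lint returns an empty list for every policy on this page, which is the property to re-check if a policy is ever edited.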

If the service-linked role is not automatically created for your RAM user after the policy is attached to the user, attach one of the following system policies to the RAM user:

  • AliyunMQFullAccess

  • AliyunMQReadOnlyAccess

For more information about the preceding policies, see System policies.