An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. In most cases, the system automatically creates a service-linked role when you perform an operation. If the system fails to create a service-linked role or ApsaraMQ for RocketMQ does not support the automatic creation of a service-linked role, you must manually create the role.
Background information
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.
Supported service-linked roles
ApsaraMQ for RocketMQ provides the service-linked roles that are listed in the following table. The first time you use a feature, the system automatically creates the corresponding role.
For example, the first time you use the dashboard feature of ApsaraMQ for RocketMQ, the system automatically creates the AliyunServiceRoleForOns service-linked role.
| Role name | Attached policy | Permission |
| --- | --- | --- |
| AliyunServiceRoleForOns | AliyunServiceRolePolicyForOns | ApsaraMQ for RocketMQ can assume this role to obtain the CloudMonitor (cms) metric query permissions and the Application Real-Time Monitoring Service (ARMS) dashboard permissions that the dashboard feature requires. The exact actions are listed in the policy document below. |
| AliyunServiceRoleForRMQMigration | AliyunServiceRolePolicyForRMQMigration | ApsaraMQ for RocketMQ can assume this role to create and manage PrivateLink VPC endpoints in your virtual private cloud (VPC), which is required to migrate self-managed Apache RocketMQ clusters to ApsaraMQ for RocketMQ instances. |
| AliyunServiceRoleForRMQDisasterRecovery | AliyunServiceRolePolicyForRMQDisasterRecovery | ApsaraMQ for RocketMQ can assume this role to manage EventBridge event streams (and to describe ECS security groups), which is required to implement the global message backup feature. |
Policy document
AliyunServiceRoleForOns
The following code provides the document of the AliyunServiceRolePolicyForOns policy that is attached to the AliyunServiceRoleForOns service-linked role. Note that the ram:DeleteServiceLinkedRole permission is restricted by the ram:ServiceName condition to ons.aliyuncs.com, so the service can delete only its own service-linked role, not service-linked roles of other services:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:OpenVCluster",
        "arms:ListDashboards",
        "arms:CheckServiceStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForRMQMigration
The following code provides the document of the AliyunServiceRolePolicyForRMQMigration policy that is attached to the AliyunServiceRoleForRMQMigration service-linked role. Both ram actions are scoped by a ram:ServiceName condition: the role can delete only its own service-linked role (migration.rmq.aliyuncs.com) and can create a service-linked role only for privatelink.aliyuncs.com:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DetachSecurityGroupFromVpcEndpoint"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "migration.rmq.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
AliyunServiceRoleForRMQDisasterRecovery
The following code provides the document of the AliyunServiceRolePolicyForRMQDisasterRecovery policy that is attached to the AliyunServiceRoleForRMQDisasterRecovery service-linked role:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:ListEventStreamings",
        "eventbridge:DeleteEventStreaming",
        "eventbridge:CreateEventStreaming",
        "eventbridge:StartEventStreaming",
        "eventbridge:UpdateEventStreaming",
        "eventbridge:PauseEventStreaming",
        "eventbridge:GetEventStreaming",
        "Ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "disaster-recovery.rmq.aliyuncs.com"
        }
      }
    }
  ]
}
View the details of a service-linked role
After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy specifies the trusted entity of a RAM role, that is, the entity that is allowed to assume the role. For a service-linked role, the trusted entity is a cloud service. Read the value of the Service field in the trust policy to identify that service; for the roles on this page, it is the service name that also appears in the ram:ServiceName condition of the attached policy (for example, ons.aliyuncs.com).
For more information about how to view a service-linked role, see View the information about a RAM role.
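The following Python script is an added example, not code from the ApsaraMQ for RocketMQ or RAM documentation. It reviews, offline, the two documents that the role details page shows: it extracts the trusted entity from the Service field of the trust policy, groups the actions granted by the permission policy by service namespace, and checks that every ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole statement is scoped by a ram:ServiceName condition, which is the check a reviewer would apply to the three policy documents above. The permission policy embedded in it is the AliyunServiceRolePolicyForOns document from this page; the trust policy is a constructed sample whose shape (an sts:AssumeRole statement with a Principal.Service list) is an assumption, not the actual trust policy of AliyunServiceRoleForOns.

```python
"""Offline review of the two documents RAM shows for a service-linked role.

Added example; not code from the ApsaraMQ for RocketMQ or RAM documentation.
PERMISSION_POLICY is the AliyunServiceRolePolicyForOns document quoted on the
page. TRUST_POLICY is a constructed sample whose shape is an assumption.
"""
import json
from collections import defaultdict

# Constructed sample trust policy (assumed shape, not the real document).
TRUST_POLICY = """
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {"Service": ["ons.aliyuncs.com"]}
    }
  ],
  "Version": "1"
}
"""

# AliyunServiceRolePolicyForOns, copied from the page.
PERMISSION_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList",
                "cms:DescribeMetricData"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["arms:OpenVCluster", "arms:ListDashboards",
                "arms:CheckServiceStatus"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}}
  ]
}
"""

# Actions that let a principal manage service-linked roles. In a service-linked
# role's own policy they should be limited by a ram:ServiceName condition.
SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def _as_list(value):
    """RAM accepts either a string or a list in Action, Service and Condition values."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    return [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]


def trusted_services(trust_policy_json):
    """Cloud services allowed to assume the role: the Service field of the trust policy."""
    services = set()
    for st in _allow_statements(trust_policy_json):
        if "sts:AssumeRole" in _as_list(st.get("Action", [])):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return sorted(services)


def actions_by_namespace(policy_json):
    """Group granted actions by service prefix, e.g. {"cms": [...], "arms": [...]}."""
    grouped = defaultdict(set)
    for st in _allow_statements(policy_json):
        for action in _as_list(st.get("Action", [])):
            grouped[action.split(":", 1)[0].lower()].add(action)
    return {ns: sorted(acts) for ns, acts in grouped.items()}


def slr_scope(policy_json):
    """Map each granted SLR-management action to the ram:ServiceName values it is limited to.

    An empty list means the statement has no ram:ServiceName condition, so the role
    could create or delete service-linked roles of any service."""
    scope = {}
    for st in _allow_statements(policy_json):
        hits = set(_as_list(st.get("Action", []))) & SLR_ACTIONS
        if not hits:
            continue
        names = _as_list(st.get("Condition", {}).get("StringEquals", {})
                         .get("ram:ServiceName", []))
        for action in sorted(hits):
            scope.setdefault(action, []).extend(names)
    return scope


def unscoped_slr_actions(policy_json):
    """SLR-management actions granted without a ram:ServiceName condition."""
    return sorted(a for a, names in slr_scope(policy_json).items() if not names)


def strip_conditions(policy_json):
    """Constructed weak variant for comparison: the same policy with every Condition removed."""
    doc = json.loads(policy_json)
    for st in doc["Statement"]:
        st.pop("Condition", None)
    return json.dumps(doc)


if __name__ == "__main__":
    print("trusted entity:", trusted_services(TRUST_POLICY))
    print("actions by namespace:", actions_by_namespace(PERMISSION_POLICY))
    print("SLR scope:", slr_scope(PERMISSION_POLICY))
    print("unscoped as published:", unscoped_slr_actions(PERMISSION_POLICY))
    print("unscoped with conditions removed:",
          unscoped_slr_actions(strip_conditions(PERMISSION_POLICY)))
```

Paste the trust policy and permission policy copied from the role details page into the two constants to review another role; for the RMQMigration policy on this page the scope check reports ram:CreateServiceLinkedRole limited to privatelink.aliyuncs.com and ram:DeleteServiceLinkedRole limited to migration.rmq.aliyuncs.com.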
Delete a service-linked role
After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.
If you do not use ApsaraMQ for RocketMQ for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete the service-linked roles in the RAM console. For more information, see Delete a RAM role.
FAQ
Why can the AliyunServiceRoleForOns service-linked role not be automatically created for my RAM user?
A service-linked role belongs to the Alibaba Cloud account, not to an individual RAM user. If the role has already been created in your Alibaba Cloud account, RAM users in that account can use it without further configuration. If the role does not exist yet, the RAM user that triggers its creation must be allowed to call ram:CreateServiceLinkedRole for ons.aliyuncs.com. In that case, log on to the RAM console and attach the following permission policy to the RAM user:
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.
If the service-linked role cannot be automatically created for your RAM user after the policy is attached to the user, attach one of the following system policies to the RAM user:
AliyunMQFullAccess
AliyunMQReadOnlyAccess
For more information about the preceding policies, see System policies.