
ApsaraMQ for RocketMQ: Service-linked roles

Last Updated: Sep 23, 2024

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. In most cases, the system automatically creates a service-linked role when you perform an operation. If the system fails to create a service-linked role or ApsaraMQ for RocketMQ does not support the automatic creation of a service-linked role, you must manually create the role.

Background information

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.

Supported service-linked roles

ApsaraMQ for RocketMQ provides the service-linked roles that are listed below. The first time you use a feature, the system automatically creates the corresponding role.

For example, the first time you use the dashboard feature of ApsaraMQ for RocketMQ, the system automatically creates the AliyunServiceRoleForOns service-linked role.

  • Role name: AliyunServiceRoleForOns

    Attached policy: AliyunServiceRolePolicyForOns

    Permission: ApsaraMQ for RocketMQ can assume this role to obtain the following permissions:

  • Role name: AliyunServiceRoleForRMQMigration

    Attached policy: AliyunServiceRolePolicyForRMQMigration

    Permission: ApsaraMQ for RocketMQ can assume this RAM role to obtain the permissions to access virtual private clouds (VPCs) to migrate self-managed Apache RocketMQ clusters to ApsaraMQ for RocketMQ instances.

  • Role name: AliyunServiceRoleForRMQDisasterRecovery

    Attached policy: AliyunServiceRolePolicyForRMQDisasterRecovery

    Permission: ApsaraMQ for RocketMQ can assume this role to access EventBridge to implement the global message backup feature.

Policy document

  • AliyunServiceRoleForOns

    The following code provides the document of the AliyunServiceRolePolicyForOns policy that is attached to the AliyunServiceRoleForOns service-linked role:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "cms:DescribeMetricRuleList",
            "cms:DescribeMetricList",
            "cms:DescribeMetricData"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "arms:OpenVCluster",
            "arms:ListDashboards",
            "arms:CheckServiceStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ons.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForRMQMigration

    The following code provides the document of the AliyunServiceRolePolicyForRMQMigration policy that is attached to the AliyunServiceRoleForRMQMigration role:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:DeleteVpcEndpoint",
            "privatelink:AttachSecurityGroupToVpcEndpoint",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:DetachSecurityGroupFromVpcEndpoint"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "migration.rmq.aliyuncs.com"
            }
          }
        },
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "privatelink.aliyuncs.com"
            }
          }
        }
      ]
    }
  • AliyunServiceRoleForRMQDisasterRecovery

    The following code provides the document of the AliyunServiceRolePolicyForRMQDisasterRecovery policy that is attached to the AliyunServiceRoleForRMQDisasterRecovery service-linked role:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eventbridge:ListEventStreamings",
            "eventbridge:DeleteEventStreaming",
            "eventbridge:CreateEventStreaming",
            "eventbridge:StartEventStreaming",
            "eventbridge:UpdateEventStreaming",
            "eventbridge:PauseEventStreaming",
            "eventbridge:GetEventStreaming",
            "Ecs:DescribeSecurityGroups"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "disaster-recovery.rmq.aliyuncs.com"
            }
          }
        }
      ]
    }

View the details of a service-linked role

After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the permission policy attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entity of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

For more information about how to view a service-linked role, see View the information about a RAM role.
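The checks described in this section (which policy is attached, which service the trust policy names in its Service field) can be scripted. The following Python program is an added example and not Alibaba Cloud's own code: it takes the AliyunServiceRolePolicyForOns document shown above together with a constructed trust policy written in the usual RAM trust-policy shape (an assumption; compare it with the document on the role's Trust Policy tab), lists which role-management actions are gated by a ram:ServiceName condition, extracts the trusted service, and applies a consistency heuristic drawn from the three policies on this page (the service trusted to assume the role should be the only service whose service-linked role the role may delete). It also shows what the audit reports when the conditions are stripped.

```python
# Added example, not Alibaba Cloud's own code. Audits a service-linked role's
# permission policy and trust policy together.
import json

# AliyunServiceRolePolicyForOns, as shown on this page.
PERMISSION_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList",
                    "cms:DescribeMetricData"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["arms:OpenVCluster", "arms:ListDashboards",
                    "arms:CheckServiceStatus"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}},
    ],
}

# CONSTRUCTED trust policy in the usual RAM shape (assumption: compare with the
# real document on the role's Trust Policy tab).
TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["ons.aliyuncs.com"]}},
    ],
}

ROLE_MGMT_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def as_list(value):
    """RAM documents write Action, Resource and Service as a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def grants(policy):
    """Yield (action, resource, condition) for every Allow statement."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        for action in as_list(stmt.get("Action")):
            for resource in as_list(stmt.get("Resource")):
                yield action, resource, cond


def service_names_for(policy, action):
    """ram:ServiceName values that gate `action`; empty set if it is ungated."""
    names = set()
    for act, _res, cond in grants(policy):
        if act == action:
            names.update(as_list(cond.get("StringEquals", {}).get("ram:ServiceName")))
    return names


def unscoped_role_management(policy):
    """Role-management actions allowed on '*' without a ram:ServiceName condition."""
    return sorted({
        act for act, res, cond in grants(policy)
        if act in ROLE_MGMT_ACTIONS and res == "*"
        and not as_list(cond.get("StringEquals", {}).get("ram:ServiceName"))
    })


def trusted_services(trust_policy):
    """Cloud services that the trust policy lets assume the role (Service field)."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(stmt.get("Action")):
            services.update(as_list(stmt.get("Principal", {}).get("Service")))
    return services


def role_is_consistent(trust_policy, permission_policy):
    """Heuristic taken from the policies on this page: the service trusted to
    assume the role is the only service whose service-linked role it may delete."""
    deletable = service_names_for(permission_policy, "ram:DeleteServiceLinkedRole")
    return bool(deletable) and deletable == trusted_services(trust_policy)


def strip_conditions(policy):
    """Weakened copy with every Condition removed, to show what the audit catches."""
    weak = json.loads(json.dumps(policy))
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    print("trusted by:", trusted_services(TRUST_POLICY))
    print("may delete the SLR of:", service_names_for(PERMISSION_POLICY, "ram:DeleteServiceLinkedRole"))
    print("ungated role management:", unscoped_role_management(PERMISSION_POLICY))
    print("consistent:", role_is_consistent(TRUST_POLICY, PERMISSION_POLICY))
    print("ungated after stripping conditions:",
          unscoped_role_management(strip_conditions(PERMISSION_POLICY)))
```

The same functions work unchanged on the other two policy documents above, since they handle both the string and the list forms of Action and Resource that those documents mix.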

Delete a service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

FAQ

Why can't the AliyunServiceRoleForOns service-linked role for ApsaraMQ for RocketMQ be automatically created for my RAM user?

If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and add the following permission policy:

{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

Note

Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.

If the service-linked role cannot be automatically created for your RAM user after the policy is attached to the user, attach one of the following system policies to the RAM user:

  • AliyunMQFullAccess

  • AliyunMQReadOnlyAccess

For more information about the preceding policies, see System policies.
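A common reason the policy in this FAQ still does not work is that the placeholder in the Resource ARN was never replaced, or the ram:ServiceName value does not match the service. The following Python program is an added example, not Alibaba Cloud's own code: it fills the FAQ policy in for a given account ID and reports the problems a reviewer would look for before attaching it. It assumes that Alibaba Cloud account IDs are 16-digit numbers and that the placeholder text is exactly the one shown in the FAQ.

```python
# Added example, not Alibaba Cloud's own code: fill in and sanity-check the
# RAM-user policy from the FAQ before attaching it.
import re

PLACEHOLDER = "Alibaba Cloud account ID"
# Assumption: Alibaba Cloud account IDs are 16-digit numbers.
ACCOUNT_ID_RE = re.compile(r"\d{16}")
SLR_ACTION = "ram:CreateServiceLinkedRole"

# The FAQ policy exactly as shown above, with the placeholder still in place.
FAQ_TEMPLATE = {
    "Statement": [{
        "Action": [SLR_ACTION],
        "Resource": f"acs:ram:*:{PLACEHOLDER}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}},
    }],
    "Version": "1",
}


def is_valid_account_id(account_id):
    """True for a 16-digit account ID (assumption, see above)."""
    return bool(ACCOUNT_ID_RE.fullmatch(account_id))


def slr_creation_policy(account_id, service_name="ons.aliyuncs.com"):
    """Return the FAQ policy with the account ID substituted into the ARN."""
    if not is_valid_account_id(account_id):
        raise ValueError("expected a 16-digit Alibaba Cloud account ID")
    return {
        "Statement": [{
            "Action": [SLR_ACTION],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": service_name}},
        }],
        "Version": "1",
    }


def policy_problems(policy, expected_service="ons.aliyuncs.com"):
    """Reasons the policy would not let a RAM user create the service-linked
    role for `expected_service`; an empty list means it looks right."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or SLR_ACTION not in actions:
            continue
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for arn in resources:
            if PLACEHOLDER in arn:
                problems.append("placeholder account ID was not replaced")
            elif arn == "*":
                problems.append("Resource is '*' rather than the account-scoped ARN from the FAQ")
            else:
                parts = arn.split(":")  # acs:ram:<region>:<account-id>:role/*
                if len(parts) != 5 or not is_valid_account_id(parts[3]):
                    problems.append(f"ARN account segment is not a 16-digit ID: {arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if cond != expected_service:
            problems.append(f"ram:ServiceName is {cond!r}, expected {expected_service!r}")
        return problems
    return [f"no Allow statement grants {SLR_ACTION}"]


if __name__ == "__main__":
    print("template as shown in the FAQ:", policy_problems(FAQ_TEMPLATE))
    # Constructed sample account ID.
    filled = slr_creation_policy("1234567890123456")
    print("filled-in policy:", policy_problems(filled) or "no problems found")
```

Run the checker against the document you are about to paste into the RAM console; an empty result means the ARN is scoped to a real account ID and the condition names ons.aliyuncs.com, which is what this FAQ's policy requires.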