All Products
Search

This Product

    ApsaraMQ for RocketMQ:Service-linked roles

    Document Center

    ApsaraMQ for RocketMQ:Service-linked roles

    Last Updated:Sep 23, 2024

    An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. In most cases, the system automatically creates a service-linked role when you perform an operation. If the system fails to create a service-linked role or ApsaraMQ for RocketMQ does not support the automatic creation of a service-linked role, you must manually create the role.

    Background information

    RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.

    Supported service-linked roles

    ApsaraMQ for RocketMQ provides the service-linked roles that are listed in the following table. The first time you use a feature, the system automatically creates the corresponding role.

    For example, the first time you use the dashboard feature of ApsaraMQ for RocketMQ, the system automatically creates the AliyunServiceRoleForOns service-linked role.

    Role name

    Attached policy

    Permission

    AliyunServiceRoleForOns

    AliyunServiceRolePolicyForOns

    ApsaraMQ for RocketMQ can assume this role to obtain the following permissions:

    AliyunServiceRoleForRMQMigration

    AliyunServiceRolePolicyForRMQMigration

    ApsaraMQ for RocketMQ can assume this RAM role to obtain the permissions to access virtual private clouds (VPCs) to migrate self-managed Apache RocketMQ clusters to ApsaraMQ for RocketMQ instances.

    AliyunServiceRoleForRMQDisasterRecovery

    AliyunServiceRolePolicyForRMQDisasterRecovery

    ApsaraMQ for RocketMQ can assume this role to access EventBridge to implement the global message backup feature.

    Policy document

    • AliyunServiceRoleForOns

      The following code provides the document of the AliyunServiceRolePolicyForOns policy that is attached to the AliyunServiceRoleForOns service-linked role:

      {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:OpenVCluster",
        "arms:ListDashboards",
        "arms:CheckServiceStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ]
}

    • AliyunServiceRoleForRMQMigration

      The following code provides the document of the AliyunServiceRolePolicyForRMQMigration policy that is attached to the AliyunServiceRoleForRMQMigration role:

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DetachSecurityGroupFromVpcEndpoint"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "migration.rmq.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}

    • AliyunServiceRoleForRMQDisasterRecovery

      The following code provides the document of the AliyunServiceRolePolicyForRMQDisasterRecovery policy that is attached to the AliyunServiceRoleForRMQDisasterRecovery service-linked role:

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:ListEventStreamings",
        "eventbridge:DeleteEventStreaming",
        "eventbridge:CreateEventStreaming",
        "eventbridge:StartEventStreaming",
        "eventbridge:UpdateEventStreaming",
        "eventbridge:PauseEventStreaming",
        "eventbridge:GetEventStreaming",
        "Ecs:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "disaster-recovery.rmq.aliyuncs.com"
        }
      }
    }
  ]
}

    View the details of a service-linked role

    After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:

    • Basic information

      In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

    • Policy

      On the Permissions tab, you can click the policy name to view the policy document.

      Note

      You cannot view the permission policy attached to a service-linked role on the Policies page of the RAM console. You can view the permission policy only on the role details page.

    • Trust policy

      On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entity of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

    For more information about how to view a service-linked role, see View the information about a RAM role.

    Delete a service-linked role

    Important

    After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

    If you do not use Security Center for a long period of time or want to delete your Alibaba Cloud account, you may need to manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

    FAQ

    Why is the AliyunServiceRoleForOns service-linked role for ApsaraMQ for RocketMQ unable to be automatically created for my RAM user?

    If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and add the following permission policy: 

    {
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName":  "ons.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
    Note

    Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.

    If the service-linked role cannot be automatically created for your RAM user after the policy is attached to the user, attach one of the following system policies to the RAM user:

    • AliyunMQFullAccess

    • AliyunMQReadOnlyAccess

    For more information about the preceding policies, see System policies.