Cloud Backup:Service-linked roles

Last Updated:Oct 31, 2024

To access an Alibaba Cloud service such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), and File Storage NAS (NAS), Cloud Backup must assume the corresponding service-linked role. Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.

Background information

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Cloud Backup assumes service-linked roles to obtain the permissions to access other cloud services or cloud resources.

In most cases, the system automatically creates a service-linked role when you perform an operation. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System policies for Cloud Backup.

Scenarios

Cloud Backup automatically creates a service-linked role for you in the following scenarios:

Important

Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source.

  • AliyunServiceRoleForHbrEcsBackup

    When you use the ECS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsBackup to obtain the permissions to access ECS and VPC resources.

  • AliyunServiceRoleForHbrOssBackup

    When you use the OSS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOssBackup to obtain the permissions to access OSS resources.

  • AliyunServiceRoleForHbrNasBackup

    When you use the NAS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrNasBackup to obtain the permissions to access NAS resources.

  • AliyunServiceRoleForHbrCsgBackup

    When you use the Cloud Storage Gateway (CSG) backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCsgBackup to obtain the permissions to access CSG resources.

  • AliyunServiceRoleForHbrVaultEncryption

    When you use a Key Management Service (KMS) key to encrypt a backup vault, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrVaultEncryption to obtain the permissions to access KMS resources.

  • AliyunServiceRoleForHbrOtsBackup

    When you use the Tablestore backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOtsBackup to obtain the permissions to access Tablestore resources.

  • AliyunServiceRoleForHbrCrossAccountBackup

    When you use the cross-account backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCrossAccountBackup to obtain the permissions to access your resources in other cloud services.

  • AliyunServiceRoleForHbrEcsEncryption

    If you enable the cross-region replication feature when you back up ECS instances, you must specify a KMS key. In this case, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsEncryption to obtain the permissions to access your resources in KMS.

  • AliyunServiceRoleForHbrMagpieBridge

    When you use the ECS file backup or on-premises file backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrMagpieBridge based on the communication mode of the backup client. The service-linked role allows the backup client to access your Cloud Backup resources.

Permissions

This section describes the permissions that are granted to each service-linked role of Cloud Backup.

  • AliyunServiceRoleForHbrEcsBackup: the permissions to access ECS and VPC

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOssBackup: the permissions to access OSS

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrNasBackup: the permissions to access NAS

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrCsgBackup: the permissions to access CSG

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrVaultEncryption: the permissions to enable KMS-based encryption for a backup vault

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOtsBackup: the permissions to access Tablestore

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }

  • AliyunServiceRoleForHbrCrossAccountBackup: the permissions to perform cross-account backup

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrEcsEncryption: the permissions to enable KMS-based encryption for cross-region replication

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrMagpieBridge: the permissions to access Cloud Backup by using a client

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hbr:ClientSendMessage",
            "hbr:ClientReceiveMessage"
          ],
          "Resource": "acs:hbr:*:*:messageClient/*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "magpiebridge.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }
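When reviewing what a service-linked role can actually do, it helps to evaluate the policy document mechanically rather than by eye: several of the statements above are only usable when a condition key matches (for example, ram:DeleteServiceLinkedRole is scoped to one ram:ServiceName value), while others grant actions on every resource. The following is an added example, not Alibaba Cloud's code or API; it models only the StringEquals condition operator used on this page, treats any other operator as not satisfied, and uses the AliyunServiceRoleForHbrVaultEncryption policy listed above as its sample input.

```python
import fnmatch
import json

# Sample input: the AliyunServiceRoleForHbrVaultEncryption policy as listed on this page,
# reproduced inline in compact form so that the example runs offline.
VAULT_ENCRYPTION_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"}}},
  {"Action": ["kms:Decrypt"], "Resource": "*", "Effect": "Allow"}
]}""")


def _as_list(value):
    """Action/Resource may be a string or a list in a policy document; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Only StringEquals is modelled (the sole operator in the policies on this page).
    A missing context key or an unmodelled operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if an Allow statement matches action, resource and condition and no Deny does.
    '*' in a pattern is a wildcard; comparison is case-sensitive (an assumption of this example)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def unscoped_actions(policy):
    """Audit helper: actions granted on Resource "*" with no Condition at all."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt:
            found.update(_as_list(stmt["Action"]))
    return found
```

Running unscoped_actions over the ECS backup policy above is a quick way to list the instance, disk, image and snapshot actions that role holds on every resource, which is what you weigh when deciding whether the role should stay (see the deletion section below).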

Required permissions for a RAM user to use a service-linked role

If you create or delete a service-linked role as a RAM user, you must contact the administrator to grant the AliyunHBRFullAccess permission to the RAM user or add the following permissions to the Action statement of the custom policy:

  • Permission required to create a service-linked role: ram:CreateServiceLinkedRole

  • Permission required to delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to create and delete a service-linked role.

View a service-linked role

After a service-linked role is created, you can view the following information about the service-linked role on the Roles page of the RAM console.

  • Basic information

    In the Basic Information section of the details page for the service-linked role, view the basic information of the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab of the details page for the service-linked role, click the policy name to view the policy content and the cloud resources that the role can access.

  • Trust policy

    On the Trust Policy tab of the details page for the service-linked role, view the content of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, you can view the value of the Service parameter in the trust policy.

For more information about how to view the information about a service-linked role, see View the information about a RAM role.

Delete a service-linked role

You may need to delete service-linked roles to ensure security. For example, if you no longer need to use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.

Important

  • After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

  • Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, make sure that no backup vault exists within the current account. Otherwise, the role fails to be deleted.

  • Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the role fails to be deleted.

  • Before you delete the AliyunServiceRoleForHbrMagpieBridge role, make sure that the Cloud Backup client for ECS file backup or on-premises file backup is uninstalled within the current account. Otherwise, the role fails to be deleted.

To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.

  4. Click Delete Role in the Actions column.

  5. In the Delete Role dialog box, enter the role name and click Delete Role.

For more information, see Delete a RAM role.

If you want to delete other service-linked roles, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, AliyunServiceRoleForHbrVaultEncryption, AliyunServiceRoleForHbrEcsEncryption, and AliyunServiceRoleForHbrMagpieBridge, enter the corresponding role name in the search box.