To access Alibaba Cloud services such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), and File Storage NAS (NAS), Cloud Backup must assume the corresponding service-linked role. Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. If a service-linked role fails to be automatically created, or Cloud Backup does not support automatic creation for it, you must create the service-linked role manually.
Background information
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Cloud Backup assumes service-linked roles to obtain the permissions to access other cloud services or cloud resources.
In most cases, the system automatically creates a service-linked role when you perform an operation. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System policies for Cloud Backup.
Scenarios
Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. The following roles are created in these scenarios:
AliyunServiceRoleForHbrEcsBackup
When you use the ECS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsBackup to obtain the permissions to access ECS and VPC resources.
AliyunServiceRoleForHbrOssBackup
When you use the OSS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOssBackup to obtain the permissions to access OSS resources.
AliyunServiceRoleForHbrNasBackup
When you use the NAS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrNasBackup to obtain the permissions to access NAS resources.
AliyunServiceRoleForHbrCsgBackup
When you use the Cloud Storage Gateway (CSG) backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCsgBackup to obtain the permissions to access CSG resources.
AliyunServiceRoleForHbrVaultEncryption
When you use a Key Management Service (KMS) key to encrypt a backup vault, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrVaultEncryption to obtain the permissions to access KMS resources.
AliyunServiceRoleForHbrOtsBackup
When you use the Tablestore backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOtsBackup to obtain the permissions to access Tablestore resources.
AliyunServiceRoleForHbrCrossAccountBackup
When you use the cross-account backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCrossAccountBackup to obtain the permissions to access your resources in other cloud services.
AliyunServiceRoleForHbrEcsEncryption
If you enable the cross-region replication feature when you back up ECS instances, you must specify a KMS key. In this case, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsEncryption to obtain the permissions to access your resources in KMS.
AliyunServiceRoleForHbrMagpieBridge
When you use the ECS file backup or on-premises file backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrMagpieBridge based on the communication mode of the backup client. The service-linked role allows the backup client to access your Cloud Backup resources.
Permissions
This section describes the permissions that are granted to each service-linked role of Cloud Backup.
Required permissions for a RAM user to use a service-linked role
If you create or delete a service-linked role as a RAM user, you must ask the administrator to attach the AliyunHBRFullAccess system policy to the RAM user, or to add the following actions to the Action element of a custom policy:
Permission required to create a service-linked role:
ram:CreateServiceLinkedRole
Permission required to delete a service-linked role:
ram:DeleteServiceLinkedRole
For more information, see Permissions required to create and delete a service-linked role.
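The following script is an added example, not code from the Cloud Backup documentation or from Alibaba Cloud. It writes the minimal custom policy in RAM's policy format that grants the two actions above, and evaluates a set of policy documents (constructed here; in practice the documents attached to the RAM user) to report which of the two actions the user still lacks, with the same Deny-overrides-Allow rule RAM applies. The scoped variant, which uses the ram:ServiceName condition key to limit creation to a single service, and the service name ecsbackup.hbr.aliyuncs.com used in it are assumptions; take the real name from the Service value of the role's trust policy.

```python
"""Added example: check whether a RAM user's policies grant the two RAM
actions Cloud Backup needs for its service-linked roles.  All policy
documents here are constructed; the service name is an assumption."""
import fnmatch

# The two actions the page lists as required for a RAM user.
REQUIRED_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

# Minimal custom policy (RAM policy format, "Version": "1") granting exactly
# those two actions.
MINIMAL_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}
    ],
}

# Assumed service principal name, used only to show a scoped grant.
ASSUMED_SERVICE = "ecsbackup.hbr.aliyuncs.com"

# Tighter variant (assumption: RAM evaluates ram:ServiceName as a condition
# key on CreateServiceLinkedRole) allowing creation for one service only.
SCOPED_CREATE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"ram:ServiceName": ASSUMED_SERVICE}},
        }
    ],
}

# Constructed policies a user might already have attached.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["hbr:Describe*", "ram:ListRoles"], "Resource": "*"}
    ],
}
DENY_DELETE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action/resource patterns may contain '*'; compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals and StringLike are modelled.  Any other operator or a
    # missing context key makes the statement not apply, so the check fails
    # closed instead of over-reporting what the user can do.
    for operator, clauses in (condition or {}).items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                    return False
            else:
                return False
    return True


def is_allowed(policies, action, resource="*", context=None):
    """True if the combined policies allow `action` on `resource`.
    RAM semantics modelled: an explicit Deny overrides any Allow, and with
    no matching statement the action is denied."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_slr_permissions(policies, context=None):
    """Return the required actions that the given policies do not grant."""
    return [a for a in REQUIRED_ACTIONS if not is_allowed(policies, a, context=context)]


if __name__ == "__main__":
    print("read-only user lacks:", missing_slr_permissions([READ_ONLY_POLICY]))
    print("after adding the custom policy:", missing_slr_permissions([READ_ONLY_POLICY, MINIMAL_POLICY]))
    print("with an explicit Deny attached:", missing_slr_permissions([MINIMAL_POLICY, DENY_DELETE_POLICY]))
    print("scoped create, matching service:", is_allowed(
        [SCOPED_CREATE_POLICY], "ram:CreateServiceLinkedRole", context={"ram:ServiceName": ASSUMED_SERVICE}))
```

Note that the scoped policy yields no permission at all when the evaluation context carries no ram:ServiceName, which is the behaviour you want from a conditional grant: it should never be counted as an unconditional one.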
View a service-linked role
After a service-linked role is created, you can view the following information about the service-linked role on the Roles page of the RAM console.
Basic information
In the Basic Information section of the details page for the service-linked role, view the basic information of the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policy
On the Permissions tab of the details page for the service-linked role, click the policy name to view the policy content and the cloud resources that the role can access.
Trust policy
On the Trust Policy tab of the details page for the service-linked role, view the content of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, view the value of the Service parameter in the trust policy.
For more information about how to view the information about a service-linked role, see View the information about a RAM role.
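The following script is an added example and is not part of the Cloud Backup documentation. It performs the same check as the Trust Policy tab, but over role records of the kind RAM's GetRole and ListRoles return, whose AssumeRolePolicyDocument is a JSON string: for every role whose name begins with AliyunServiceRoleForHbr it reports the services the role trusts and flags any trusted entity that is not a cloud service, plus any name that is not one of the roles listed on this page. The role records, the account ID and the service principal name ecsbackup.hbr.aliyuncs.com are constructed placeholders, not values from the page.

```python
"""Added example: audit trust policies of Cloud Backup service-linked roles.
Role records below are constructed; service names and account ID are
placeholders, not values documented on the page."""
import json

HBR_SLR_PREFIX = "AliyunServiceRoleForHbr"

# The service-linked roles this page documents.
KNOWN_HBR_ROLES = {
    "AliyunServiceRoleForHbrEcsBackup",
    "AliyunServiceRoleForHbrOssBackup",
    "AliyunServiceRoleForHbrNasBackup",
    "AliyunServiceRoleForHbrCsgBackup",
    "AliyunServiceRoleForHbrVaultEncryption",
    "AliyunServiceRoleForHbrOtsBackup",
    "AliyunServiceRoleForHbrCrossAccountBackup",
    "AliyunServiceRoleForHbrEcsEncryption",
    "AliyunServiceRoleForHbrMagpieBridge",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_entities(assume_role_policy_document):
    """Map principal type ("Service", "RAM", "Federated") to the set of
    entities allowed to call sts:AssumeRole.  Accepts the JSON string RAM
    returns in AssumeRolePolicyDocument, or an already-parsed dict."""
    doc = assume_role_policy_document
    if isinstance(doc, str):
        doc = json.loads(doc)
    entities = {}
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            entities.setdefault(ptype, set()).update(_as_list(values))
    return entities


def audit_role(role):
    """Findings for one role record; an empty list means the role looks like
    the service-linked roles on this page: trusted only by a cloud service."""
    findings = []
    if role["RoleName"] not in KNOWN_HBR_ROLES:
        findings.append("not one of the Cloud Backup service-linked roles documented here")
    entities = trusted_entities(role["AssumeRolePolicyDocument"])
    if "Service" not in entities:
        findings.append("no Service principal: not assumable by a cloud service")
    for ptype, values in entities.items():
        if ptype != "Service":
            findings.append(f"non-service principal {ptype}: {sorted(values)}")
    return findings


def audit_hbr_roles(roles):
    """Audit every role named like a Cloud Backup service-linked role.
    Returns {role_name: findings}."""
    return {r["RoleName"]: audit_role(r)
            for r in roles if r["RoleName"].startswith(HBR_SLR_PREFIX)}


def _record(name, principal):
    # Build a constructed ListRoles-style record with a one-statement trust policy.
    return {
        "RoleName": name,
        "AssumeRolePolicyDocument": json.dumps({
            "Version": "1",
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": principal}],
        }),
    }


# Constructed inputs.  The first matches what the page describes; the second is
# a role with an undocumented name that also trusts a RAM account (placeholder ID);
# the third is an ordinary role outside the prefix and is skipped.
GENUINE_SLR = _record("AliyunServiceRoleForHbrEcsBackup",
                      {"Service": ["ecsbackup.hbr.aliyuncs.com"]})
SUSPECT_ROLE = _record("AliyunServiceRoleForHbrLegacyBackup",
                       {"Service": ["ecsbackup.hbr.aliyuncs.com"],
                        "RAM": ["acs:ram::1234567890123456:root"]})
CUSTOM_ROLE = _record("BackupOperatorRole", {"RAM": ["acs:ram::1234567890123456:root"]})

if __name__ == "__main__":
    for name, findings in audit_hbr_roles([GENUINE_SLR, SUSPECT_ROLE, CUSTOM_ROLE]).items():
        print(name, "->", findings or "OK")
```

Run it against the output of the RAM ListRoles API (or the console's exported role list) and reconcile the trusted services it prints with the roles described in the Scenarios section above; anything trusted other than a cloud service is worth a second look, because that is not how the service-linked roles on this page are defined.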
Delete a service-linked role
You may want to delete service-linked roles that are no longer needed, so that the account does not keep permissions it does not use. For example, if you no longer use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.
After you delete a service-linked role, the features that depend on the role can no longer be used until the role is created again. Proceed with caution.
Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, make sure that no backup vault exists within the current account. Otherwise, the role fails to be deleted.
Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the role fails to be deleted.
Before you delete the AliyunServiceRoleForHbrMagpieBridge role, make sure that the Cloud Backup client for ECS file backup or on-premises file backup is uninstalled within the current account. Otherwise, the role fails to be deleted.
To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.
Click Delete Role in the Actions column.
In the Delete Role dialog box, enter the role name and click Delete Role.
For more information, see Delete a RAM role.
If you want to delete other service-linked roles, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, AliyunServiceRoleForHbrVaultEncryption, AliyunServiceRoleForHbrEcsEncryption, and AliyunServiceRoleForHbrMagpieBridge, enter the corresponding role name in the search box.