All Products
Search

This Product

    Backup and Disaster Recovery Center:Service-linked role of BDRC

    Document Center

    Backup and Disaster Recovery Center:Service-linked role of BDRC

    Last Updated:Oct 31, 2024

    This topic describes the service-linked role of Backup and Disaster Recovery Center (BDRC) and how to delete the role.

    Background information

    The service-linked role of BDRC refers to the Resource Access Management (RAM) role that is provided by BDRC to obtain the access permissions on other cloud services. To implement specific features, BDRC may need to assume the service-linked role to access other cloud services. For more information about service-linked roles, see Service-linked roles.

    If BDRC needs to access the resources of the Elastic Compute Service (ECS), Object Storage Service (OSS), File Storage NAS (NAS), Tablestore, or Cloud Backup service, BDRC can automatically create a service-linked role to obtain the access permissions on the related cloud service.

    • AliyunServiceRoleForBDRC

      If BDRC needs to access the ECS, OSS, NAS, Tablestore, or Cloud Backup service, BDRC can automatically create the service-linked role AliyunServiceRoleForBDRC to obtain the access permissions on the related cloud service.

    Permissions

    The following code shows the permissions of the service-linked role AliyunServiceRoleForBDRC.

    • BDRC obtains the permissions to access cloud services such as ECS, OSS, NAS, Tablestore, and Cloud Backup by using the service-linked role AliyunServiceRoleForBDRC.

      {
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "bdrc.aliyuncs.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeDisks",
                "ecs:DescribeAutoSnapshotPolicyEx",
                "oss:ListBuckets",
                "oss:GetBucketStat",
                "oss:GetBucketVersioning",
                "oss:getBucketReplication",
                "nas:DescribeRegions",
                "nas:DescribeFileSystems",
                "nas:GetRecycleBinAttribute",
                "ots:DescribeRegions",
                "ots:ListInstance",
                "hbr:DescribeRegions",
                "hbr:DescribeUserBusinessStatus",
                "hbr:DescribeBackupPlans",
                "hbr:DescribeUniBackupInstances",
                "hbr:DescribeUniBackupPlans",
                "hbr:DescribeVaults"
            ],
            "Resource": "*"
        }
    ]
}

    Delete the AliyunServiceRoleForBDRC role

    If you no longer use BDRC, we recommend that you delete the service-linked role of BDRC for security reasons.

    Important

    Before you delete the AliyunServiceRoleForBDRC role, make sure that no BDRC resources exist within your account.

    To delete the AliyunServiceRoleForBDRC role, perform the following steps:

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, enter AliyunServiceRoleForBDRC in the search box to search for the RAM role AliyunServiceRoleForBDRC.

    4. Click Delete Role in the Actions column.

    5. In the Delete Role dialog box, enter AliyunServiceRoleForBDRC and click Delete Role.