All Products
Search

This Product

    Cloud Parallel File Storage:Service-linked roles

    Document Center

    Cloud Parallel File Storage:Service-linked roles

    Last Updated:Dec 16, 2024

    This topic describes the service-linked roles for Cloud Parallel File Storage (CPFS) and how to delete a service-linked role.

    Background

    The service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. You can use the service-linked role to access other Alibaba Cloud services or resources.

    In most cases, CPFS automatically creates a service-linked role. If an error occurred while automatically creating a service-linked role or CPFS does not support the automatic creation of a service-linked role, you must manually create the role.

    RAM provides a system policy for each service-linked role. You cannot modify the policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role.

    Note

    For more information about service-linked role, see Service-linked roles.

    Role list

    This section describes the service-linked roles for CPFS and the scenarios to which the service-linked roles apply.

    • AliyunServiceRoleForNasCpfsNetwork

      To create or delete an elastic network interface (ENI) or a security group, CPFS assumes the AliyunServiceRoleForNasCpfsNetwork role to access your Virtual Private Cloud (VPC) and Elastic Compute Service (ECS) services.

    • AliyunServiceRoleForNasCpfsClient

      To create or delete an ECS instance, a Cloud Assistant instance, any authorization information, or a security group, CPFS assumes the AliyunServiceRoleForNasCpfsClient role to access your VPC and ECS services.

    • AliyunServiceRoleForNasOssDataFlow

      To use the dataflow feature of a CPFS file system, CPFS assumes the AliyunServiceRoleForNasOssDataFlow role to query, read, and write data in the specified bucket in Object Storage Service (OSS).

    • AliyunServiceRoleForNasEventNotification

      To use the dataflow feature of a CPFS file system, CPFS assumes the AliyunServiceRoleForNasEventNotification role to create and modify the EventBridge parameters.

    For more information, see Service-linked roles.

    Permissions

    This section describes the permission policies attached to service-linked roles for CPFS.

    AliyunServiceRoleForNasCpfsNetwork

    {
    "Version": "1",
    "Statement": [{
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "acs:ecs:*:*:*/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ecs:tag/nas:cpfs": "true"
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cpfs-network.nas.aliyuncs.com"
                }
            }
        }
    ]
}

    AliyunServiceRoleForNasCpfsClient

    {
 "Version": "1",
 "Statement": [
 {
 "Action": [
 "vpc:DescribeVSwitchAttributes",
 "vpc:DescribeVpcs",
 "vpc:DescribeVSwitches"
 ],
 "Resource": "*",
 "Effect": "Allow"
 },
 {
 "Action": [
 "ecs:RunInstances",
 "ecs:CreateInstance",
 "ecs:DescribeInstances",
 "ecs:CreateSecurityGroup",
 "ecs:DescribeSecurityGroups",
 "ecs:InstallCloudAssistant",
 "ecs:DescribeInvocations"
 ],
 "Resource": "*",
 "Effect": "Allow"
 },
 {
 "Effect": "Allow",
 "Action": [
 "ecs:StartInstances",
 "ecs:DeleteInstances",
 "ecs:RunCommand",
 "ecs:DescribeSecurityGroupAttribute",
 "ecs:DeleteSecurityGroup",
 "ecs:AuthorizeSecurityGroup",
 "ecs:AuthorizeSecurityGroupEgress",
 "ecs:RevokeSecurityGroup",
 "ecs:RevokeSecurityGroupEgress"
 ],
 "Resource": "acs:ecs:*:*:*/*",
 "Condition": {
 "StringEqualsIgnoreCase": {
 "ecs:tag/nas:cpfs": "true"
 }
 }
 },
 {
 "Action": "ram:DeleteServiceLinkedRole",
 "Resource": "*",
 "Effect": "Allow",
 "Condition": {
 "StringEquals": {
 "ram:ServiceName": "cpfs-client.nas.aliyuncs.com"
 }
 }
 } 
 ]
 }

    AliyunServiceRoleForNasOssDataFlow

    {
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "oss:ListBuckets",
 "oss:GetBucketTagging"
 ],
 "Resource": [
 "acs:oss:*:*:*"
 ]
 },
 {
 "Effect": "Allow",
 "Action": [
 "oss:HeadBucket",
 "oss:GetBucketLocation",
 "oss:GetBucketInventory",
 "oss:GetBucketInfo",
 "oss:GetBucketVersion",
 "oss:GetBucketAcl",
 "oss:GetBucketStat",
 "oss:GetBucket",
 "oss:ListObjects",
 "oss:GetObject",
 "oss:PutObject",
 "oss:CopyObject",
 "oss:AppendObject",
 "oss:DeleteObject",
 "oss:GetObjectMeta",
 "oss:PutObjectACL",
 "oss:GetObjectACL",
 "oss:PutObjectTagging",
 "oss:GetObjectTagging",
 "oss:InitiateMultipartUpload",
 "oss:CompleteMultipartUpload",
 "oss:AbortMultipartUpload",
 "oss:ListMultipartUploads",
 "oss:UploadPart",
 "oss:UploadPartCopy",
 "oss:ListParts"
 ],
 "Resource": [
 "acs:oss:*:*:*",
 "acs:oss:*:*:*/*"
 ],
 "Condition": {
 "StringEqualsIgnoreCase": {
 "oss:tag/cpfs-dataflow": "true"
 }
 }
 },
 {
 "Action": "ram:DeleteServiceLinkedRole",
 "Resource": "*",
 "Effect": "Allow",
 "Condition": {
 "StringEquals": {
 "ram:ServiceName": "oss-dataflow.nas.aliyuncs.com"
 }
 }
 }
 ],
 "Version": "1"
}

    AliyunServiceRoleForNasEventNotification

    {
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "eventbridge:GetEventBus",
 "eventbridge:CreateRule"
 ],
 "Resource": [
 "acs:eventbridge:*:*:*"
 ]
 },
 {
 "Effect": "Allow",
 "Action": [
 "eventbridge:GetRule",
 "eventbridge:ListRules",
 "eventbridge:UpdateRule",
 "eventbridge:EnableRule",
 "eventbridge:DisableRule",
 "eventbridge:DeleteRule",
 "eventbridge:CreateTargets",
 "eventbridge:UpdateTargets",
 "eventbridge:DeleteTargets"
 ],
 "Resource": [
 "acs:eventbridge:*:*:*"
 ]
 },
 {
 "Action": "ram:DeleteServiceLinkedRole",
 "Resource": "*",
 "Effect": "Allow",
 "Condition": {
 "StringEquals": {
 "ram:ServiceName": "event-notification.nas.aliyuncs.com"
 }
 }
 }
 ],
 "Version": "1"
}

    Required permissions for a RAM user to use a service-linked role

    If you use a RAM user to create or delete a service-linked role, you must contact the administrator to grant the AliyunNASFullAccess permission to the RAM user or add the following permissions to the Action statement of the custom policy:

    • Create a service-linked role: ram:CreateServiceLinkedRole

    • Delete a service-linked role: ram:DeleteServiceLinkedRole

    For more information, see Permissions required to create and delete a service-linked role.

    View a service-linked role

    After a service-linked role is created, you can go to the details page of the role in the RAM console to view the details of the role. The details of a service-linked role include the following information:

    • Basic Information

      In the Basic Information section of the details page for the AliyunServiceRoleForNasStandard role, view the basic information of the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

    • Policy

      On the Permissions tab of the details page for the AliyunServiceRoleForNasStandard role, click the policy name to view the policy content and the cloud resources that the role can access.

    • Trust Policy

      On the Trust Policy tab of the details page for the AliyunServiceRoleForNasStandard role, view the content of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, you can view the value of theService parameter in the trust policy.

    For more information about how to view the information about a service-linked role, see View the information about a RAM role.

    Delete a service-linked role for CPFS

    You can delete a service-linked role that is no longer needed. For example, if you no longer need to use the dataflow feature of a CPFS file system, you can delete the corresponding service-linked roles. Before you delete a service-linked role, you must delete the CPFS file system instance that assumes the service-linked role. For more information, see Delete a CPFS for Lingjun file system and Delete a service-linked role.

    Important

    After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

    FAQ

    Why are service-linked roles for CPFS not automatically created when I log on as a RAM user?

    If you want the system to automatically create or delete service-linked roles for CPFS when you log on as a RAM user, you must grant the required permissions to the RAM user. You can attach the following system policies and custom policy to the RAM user. For more information, see Grant permissions to a RAM role.

    • System policies

      • AliyunVPCFullAccess: grants full permissions on VPC.

      • AliyunBSSFullAccess: grants full permissions on Billing Management.

      • AliyunNASFullAccess: grants full permissions on NAS.

      • AliyunECSNetworkInterfaceManagementAccess: grants the permissions to manage ECS ENIs.

    • Custom policy

      • The permissions on cpfs-network.nas.aliyuncs.com and cpfs-client.nas.aliyuncs.com are required to manage mount targets.

      • The permissions on oss-dataflow.nas.aliyuncs.com and event-notification.nas.aliyuncs.com are required to manage dataflows.

      Sample custom policy:

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { 
         "ram:ServiceName": [
            "cpfs-network.nas.aliyuncs.com",
            "cpfs-client.nas.aliyuncs.com",
            "oss-dataflow.nas.aliyuncs.com",
            "event-notification.nas.aliyuncs.com" 
         ]
        }
      }
    }
  ]
}