AliyunServiceRoleForOpenAnalytics is a role that is associated with Data Lake Analytics (DLA). This topic describes the scenarios in which this role can be used and how to delete this role.
Background information
AliyunServiceRoleForOpenAnalytics is a Resource Access Management (RAM) role that is used to obtain access permissions on other cloud services to implement a feature of DLA. For more information, see Service-linked roles.
Scenarios
DLA is a data lake analytics service developed by Alibaba Cloud. It provides both the serverless Presto engine and the serverless Spark engine. To implement the features of data lakes, DLA needs to obtain data from various Alibaba Cloud data sources, such as Object Storage Service (OSS), Tablestore, ApsaraDB RDS, AnalyticDB for MySQL, MaxCompute (formerly referred to as ODPS), ECS, VPC, RAM, and Message Queue (MQ). When you activate DLA, the AliyunServiceRoleForOpenAnalytics role is automatically created in DLA to deliver a better user experience.
View the information of AliyunServiceRoleForOpenAnalytics
- Log on to the DLA console.
- In the upper-right corner of the Overview page, click Options.
- In the Cross-cloud service authorization section of the Options Management page, view the information about the role that is associated with DLA.
  - Role name: AliyunServiceRoleForOpenAnalytics
  - Role policy: AliyunServiceRolePolicyForOpenAnalytics
  - Policy details:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "openanalytics.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "ram:ListUsers",
        "ram:GenerateCredentialReport"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:GetBucketLogging",
        "oss:GetBucketWebsite",
        "oss:GetBucketReferer",
        "oss:GetBucketLifecycle",
        "oss:GetBucketEncryption",
        "oss:GetBucketStat",
        "oss:GetBucketMetadata",
        "oss:GetBucketTagging",
        "oss:GetBucketVersioning",
        "oss:GetSimplifiedObjectMeta",
        "oss:GetObjectMetadata",
        "oss:GetBucketStorageCapacity",
        "oss:GetBucketEncryption",
        "oss:GetObject",
        "oss:GetObjectMeta",
        "oss:GetObjectAcl",
        "oss:GetSymlink",
        "oss:GetObjectTagging",
        "oss:GetService",
        "oss:ListObjects",
        "oss:ListMultipartUploads",
        "oss:ListParts",
        "oss:ListBuckets",
        "oss:ListVpcip",
        "oss:ListVersions",
        "oss:GetBucketCname",
        "oss:GetBucketRequestPayment",
        "oss:GetBucketVpcip",
        "oss:DoesBucketExist",
        "oss:DoesObjectExist",
        "oss:ListObjectsV2",
        "oss:SelectObject",
        "oss:HeadObject",
        "oss:PutBucket",
        "oss:PutObject",
        "oss:PutObjectTagging",
        "oss:CopyObject",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:RestoreObject",
        "oss:PostObject",
        "oss:UploadFile",
        "oss:DownloadFile",
        "oss:AppendObject",
        "oss:DeleteObject",
        "oss:DeleteObjects"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alikafka:PUB"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityIps",
        "dds:DescribeDBInstances",
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps",
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:GetQueueAttributes",
        "mns:GetTopicAttributes",
        "mns:GetSubscriptionAttributes",
        "mns:ListQueue",
        "mns:ListTopic",
        "mns:ListSubscriptionByTopic",
        "mns:SendMessage",
        "mns:PublishMessage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mq:PUB"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dbs:DescribeBackupPlanList",
        "dbs:DescribeFullBackupList",
        "dbs:DescribeIncrementBackupList",
        "dbs:DescribeRestoreTaskList",
        "dbs:DescribeBackupGatewayList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ots:GetRow",
        "ots:BatchGetRow",
        "ots:GetRange",
        "ots:GetShardIterator",
        "ots:GetStreamRecord",
        "ots:ListStream",
        "ots:ListTable",
        "ots:ListSearchIndex",
        "ots:DescribeStream",
        "ots:DescribeTable",
        "ots:DescribeSearchIndex",
        "ots:ComputeSplitPointsBySize",
        "ots:CreateTable",
        "ots:UpdateTable",
        "ots:DeleteTable",
        "ots:PutRow",
        "ots:UpdateRow",
        "ots:DeleteRow",
        "ots:BatchWriteRow",
        "ots:CreateIndex",
        "ots:DropIndex",
        "ots:CreateSearchIndex",
        "ots:DeleteSearchIndex",
        "ots:Search"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListProject",
        "log:ListLogStores",
        "log:ListShipper",
        "log:GetCursorOrData",
        "log:BatchGetLog",
        "log:GetShipper",
        "log:GetShipperConfig",
        "log:BatchGetLog",
        "log:DeleteShipper",
        "log:CreateShipper"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Delete AliyunServiceRoleForOpenAnalytics
- Deactivate the DLA service for the current region and all other regions within your account. This is because DLA determines resources associated with the service-linked role based on user accounts.
- Delete AliyunServiceRoleForOpenAnalytics. For more information, see Service-linked roles.
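To review what the policy listed under "Policy details" lets the role change, the following added example (not part of the original topic and not Alibaba Cloud code) parses a RAM policy document and lists the non-read actions that are allowed on `"Resource": "*"` without a `Condition`. The read/write split by verb prefix and the names `READ_PREFIXES`, `as_list`, `is_read_only` and `unscoped_writes` are assumptions of this example; the embedded policy is a shortened excerpt of the one above.

```python
import json

# Verb prefixes treated as read-only. This split is an assumption of the example,
# not a RAM feature; adjust it to your own review criteria.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Does", "Select",
                 "BatchGet", "Download", "Search", "ComputeSplit")

# Excerpt of AliyunServiceRolePolicyForOpenAnalytics (a few actions per service).
POLICY_EXCERPT = """
{"Version": "1", "Statement": [
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
  {"Action": ["oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityIps"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ots:GetRow", "ots:DeleteTable"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs"], "Resource": "*", "Effect": "Allow"}
]}
"""

def as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def is_read_only(action):
    """True when the verb after 'service:' starts with a read-only prefix."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_PREFIXES)

def unscoped_writes(policy_text):
    """Map service -> non-read actions allowed on Resource "*" with no Condition."""
    findings = {}
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # skip Deny statements and statements narrowed by a Condition
        if "*" not in as_list(stmt.get("Resource", [])):
            continue  # statement is scoped to named resources
        for action in as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.setdefault(action.split(":", 1)[0], set()).add(action)
    return {svc: sorted(acts) for svc, acts in findings.items()}

if __name__ == "__main__":
    for service, actions in unscoped_writes(POLICY_EXCERPT).items():
        print(f"{service}: {', '.join(actions)}")
```

Running the same function over the full policy text shows every service in which the role can write, modify or delete resources, which is the list to compare against the audit logging and alerting configured for this account.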