AliyunServiceRoleForECSArchiving is the service-linked role for Cloud Assistant. This topic describes how to use the service-linked role to authorize Cloud Assistant to access cloud resources.
Background information
AliyunServiceRoleForECSArchiving is a service-linked role that is provided by Resource Access Management (RAM). The service-linked role is used to authorize Cloud Assistant to access resources in other Alibaba Cloud services. Cloud Assistant can assume the AliyunServiceRoleForECSArchiving role to deliver O&M task execution records and session records to a specific Object Storage Service (OSS) bucket or Simple Log Service project for persistent storage. For more information about service-linked roles, see Service-linked roles.
Policy attached to AliyunServiceRoleForECSArchiving
Role: AliyunServiceRoleForECSArchiving
Policy: AliyunServiceRolePolicyForECSArchiving
The following code shows the content of the AliyunServiceRolePolicyForECSArchiving policy:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutObject",
                "oss:GetBucketInfo",
                "log:GetProject",
                "log:GetLogStore",
                "log:CreateLogStore",
                "log:PostLogStoreLogs",
                "log:GetIndex",
                "log:CreateIndex",
                "oss:GetObject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "archiving.ecs.aliyuncs.com"
                }
            }
        }
    ]
}
Create the AliyunServiceRoleForECSArchiving role
When you use the Operation Content and Result Delivery feature and the Session Record Delivery feature, the system checks whether the AliyunServiceRoleForECSArchiving role exists in your account. If the role does not exist, the system creates the role.
The AliyunServiceRolePolicyForECSArchiving policy is attached to the AliyunServiceRoleForECSArchiving role. System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.
Delete the AliyunServiceRoleForECSArchiving role
If you no longer need the AliyunServiceRoleForECSArchiving role, you can delete it. For example, if you no longer need to deliver O&M task execution records or session records for persistent storage, disable the delivery features as described in the following steps and then delete the AliyunServiceRoleForECSArchiving role. For more information, see Delete a RAM role.
To allow you to use the Operation Content and Result Delivery feature and the Session Record Delivery feature, Cloud Assistant must assume the AliyunServiceRoleForECSArchiving role. If you perform an operation to delete the role when the features are enabled in a region, an error message is returned and the delete operation fails. This prevents the role from being accidentally deleted. In the message, you can find the regions where the features are enabled. Before you can delete the role, you must disable the features in the regions.
Disable the Operation Content and Result Delivery feature
In the upper-right corner of the ECS Cloud Assistant page, click Operation Content and Result Delivery. In the Operation Content and Result Delivery dialog box, clear Deliver to Log Service and Deliver to OSS and then click Determine to disable the Operation Content and Result Delivery feature.
Disable the Session Record Delivery feature
In the Connect dialog box for an instance, click Deliver Session Records in the Session Manager section. In the Deliver Session Records dialog box, clear Deliver to Log Service and Deliver to OSS, and then click Determine to disable the Session Record Delivery feature.
FAQ
Why is the AliyunServiceRoleForECSArchiving role not automatically created when I use a RAM user?
If you want to log on to the ECS console as a RAM user, you must first use an Alibaba Cloud account to create and attach a policy to grant the RAM user the required permissions. Then, the AliyunServiceRoleForECSArchiving role can be automatically created. For more information, see Grant permissions to a RAM role. The following code shows the content of the policy that you must create and attach to the RAM user:
Replace <account ID> with the UID of your Alibaba Cloud account.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
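The following added example (not Alibaba Cloud code) is a simplified offline evaluator for the two policies on this page: the AliyunServiceRolePolicyForECSArchiving policy above and the RAM user policy from this FAQ. It shows why the ram:ServiceName condition matters: without it, the ram:DeleteServiceLinkedRole and ram:CreateServiceLinkedRole grants would apply to any service-linked role, and it assumes a constructed account ID and a simplified evaluation model (explicit Deny wins, otherwise any matching Allow grants; only the StringEquals operator is modelled).

```python
import fnmatch
import json

# Copy of the AliyunServiceRolePolicyForECSArchiving policy as shown on this page.
SERVICE_ROLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:PutObject", "oss:GetBucketInfo", "log:GetProject", "log:GetLogStore",
                "log:CreateLogStore", "log:PostLogStoreLogs", "log:GetIndex", "log:CreateIndex",
                "oss:GetObject"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "archiving.ecs.aliyuncs.com"}}}
  ]
}""")


def ram_user_policy(account_id):
    """The FAQ policy for a RAM user, with <account ID> replaced by the given (constructed) UID."""
    return {"Version": "1", "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:%s:role/*" % account_id,
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": ["archiving.ecs.aliyuncs.com"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only StringEquals is modelled; an unknown operator never matches, so the statement is skipped.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified RAM-style evaluation: explicit Deny wins, otherwise any matching Allow grants."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```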