
Alibaba Cloud Model Studio: Service-linked roles for Alibaba Cloud Model Studio

Last Updated: Nov 27, 2024

This topic describes the service-linked roles for Alibaba Cloud Model Studio and how to delete the service-linked roles.

Background information

In specific scenarios, Alibaba Cloud Model Studio needs to access other Alibaba Cloud services, including AnalyticDB (ADB), Object Storage Service (OSS), Function Compute (FC) and others. In this case, a service-linked role is required. A service-linked role is a Resource Access Management (RAM) role that an Alibaba Cloud service assumes to access other Alibaba Cloud services. For more information, see Service-linked roles.

Service-linked roles

The table below lists the service-linked roles for Alibaba Cloud Model Studio:

| Role name | Description |
| --- | --- |
| AliyunServiceRoleForSFMAccessFC | The service-linked role that Model Studio-FC calling (SFM-AccessFC) assumes to access your services or resources in Function Compute (FC). |
| AliyunServiceRoleForSFMDataHubOSSImport | The service-linked role that Model Studio-OSS services (SFM-DataHubOSSImport) assumes to access your resources in OSS. |
| AliyunServiceRoleForSFMAccessingMNS | The service-linked role used for automatic synchronization of OSS changes. Data Center of Model Studio assumes this role to obtain OSS change messages in MNS queues. |

AliyunServiceRoleForSFMAccessFC

Scenarios

When managing a workflow application in Model Studio that uses a Function Compute node, the node requires access to FC resources. This role is automatically created to obtain the access permissions.

Role name and policy

Role name: AliyunServiceRoleForSFMAccessFC

Policy: AliyunServiceRolePolicyForSFMAccessFC

Policy content:

{
    "Action": [
        "fc:ListFunctions",
        "fc:InvokeFunction"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Delete the role

Before you delete AliyunServiceRoleForSFMAccessFC, find all published workflow applications with Function Compute nodes. Delete the Function Compute nodes and republish the workflows.

  • For more information about how to delete the role, see Service-linked roles.

  • If you fail to delete the role, you can refer to the error message returned and check the workflows that are mentioned.

AliyunServiceRoleForSFMDataHubOSSImport

Scenarios

This role is assumed by the Data Center of Model Studio to import files from OSS.

Role name and policy

Role name: AliyunServiceRoleForSFMDataHubOSSImport

Policy: AliyunServiceRolePolicyForSFMDataHubOSSImport

Policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketLocation",
        "oss:GetBucketTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:DoMetaQuery",
        "oss:GetBucketInfo",
        "oss:GetBucketStat",
        "oss:GetBucketTransferAcceleration",
        "oss:GetCnameToken",
        "oss:GetMetaQueryStatus",
        "oss:GetObject",
        "oss:GetObjectTagging",
        "oss:DescribeRegions",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/bailian-datahub-access": [
            "read"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "datahub.sfm.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the role

Before you delete AliyunServiceRoleForSFMDataHubOSSImport, make sure that no import task is in progress in the Data Center, or wait until all import tasks are completed.

For more information about how to delete the role, see Service-linked roles.

AliyunServiceRoleForSFMAccessingMNS

Scenarios

Model Studio assumes this role to automatically synchronize document changes from OSS. After authorization, Model Studio uses the automatically created role AliyunServiceRoleForSFMAccessingMNS and its policy AliyunServiceRolePolicyForSFMAccessingMNS to access your MNS queues.

Role name and policy

Role name: AliyunServiceRoleForSFMAccessingMNS

Policy: AliyunServiceRolePolicyForSFMAccessingMNS

Policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:GetQueueAttributes",
        "mns:GetSubscriptionAttributes",
        "mns:GetTopicAttributes",
        "mns:ListEventNotifications",
        "mns:GetAccountAttributes",
        "mns:ListEvents",
        "mns:ListProducts",
        "mns:ListQueue",
        "mns:ListSubscriptionByTopic",
        "mns:ListTagResources",
        "mns:ListTopic",
        "mns:ReceiveMessage",
        "mns:DeleteMessage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateQueue",
        "mns:DeleteQueue",
        "mns:SetQueueAttributes"
      ],
      "Resource": "acs:mns:*:*:/queues/bailian-oss-event*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "mns-access.sfm.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the role

Before you delete AliyunServiceRoleForSFMAccessingMNS, make sure all automatic synchronization rules are deleted in the Data Center.

For more information about how to delete the role, see Service-linked roles.