
ApsaraDB for MongoDB:Service-linked role

Last Updated:Nov 21, 2023

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. ApsaraDB for MongoDB uses a service-linked role to access other Alibaba Cloud services or resources.

In most cases, a service-linked role is automatically created when you perform an operation. If a service-linked role fails to be created or ApsaraDB for MongoDB does not automatically create a service-linked role, you must manually create the role.

RAM provides a system policy for each service-linked role. You cannot modify the policy. To view information about the system policy of a specified service-linked role, go to the details page of the specified service-linked role.

Scenarios

When you use the audit log feature of ApsaraDB for MongoDB, ApsaraDB for MongoDB automatically creates the AliyunServiceRoleForMongoDB service-linked role. This way, ApsaraDB for MongoDB can access the resources of Simple Log Service.

Required permissions for a RAM user to use a service-linked role

If you create or delete a service-linked role as a RAM user, you must contact the administrator to grant the AliyunMongoDBFullAccess permission to the RAM user or add the following permissions to the Action statement of a custom policy:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information about how to grant required permissions, see the "Permissions required to create and delete a service-linked role" section of the Service-linked roles topic.

Create a service-linked role

If the audit log feature of ApsaraDB for MongoDB is enabled, the system automatically creates a service-linked role. For more information, see Enable the audit log feature.

You can manually create a service-linked role in the RAM console or by calling API operations. For more information, see the "Create a service-linked role" section of the Create a RAM role for a trusted Alibaba Cloud service topic and CreateServiceLinkedRole.

Important

After the service-linked role is created, the trusted Alibaba Cloud service can assume the role to access the cloud resources on which permissions are granted to that role. In this case, you may be charged for Simple Log Service.

View the service-linked role

After the system creates the service-linked role, you can view the following details of the role by searching for AliyunServiceRoleForMongoDB on the Roles page in the RAM console:

  • Basic information

    In the Basic Information section of the details page of the AliyunServiceRoleForMongoDB role, you can view basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab of the details page of the AliyunServiceRoleForMongoDB role, click the name of a policy to view the content of the policy and the Alibaba Cloud resources that can be accessed by the role.

  • Trust policy

    On the Trust Policy Management tab of the details page of the AliyunServiceRoleForMongoDB role, you can view the content of a trust policy. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is an Alibaba Cloud service. You can view the trusted entity of a service-linked role in the Service field of a trust policy.

For more information about how to view service-linked roles, see View the information about a RAM role.
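Two checks from this page, written as an added Python example that is not part of the Alibaba Cloud documentation: building the least-privilege custom policy for the two ram: actions listed under "Required permissions", and reading the Service field of a trust policy to confirm that the role's only trusted entity is the owning service. The service principal name mongodb.aliyuncs.com and the ram:ServiceName condition key are assumptions, and the trust policy document is a constructed sample in the shape RAM uses.

```python
import json

# Assumed values, not stated on this page: the service principal that
# ApsaraDB for MongoDB presents as the trusted entity of its role.
MONGODB_SERVICE = "mongodb.aliyuncs.com"

def build_custom_policy(service=MONGODB_SERVICE):
    """Custom policy granting a RAM user only the two actions this page lists.
    The ram:ServiceName condition (assumed key) pins the create grant to one service."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole",
             "Resource": "*",
             "Condition": {"StringEquals": {"ram:ServiceName": service}}},
            {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole",
             "Resource": "*"},
        ],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def trusted_services(trust_policy):
    """Service principals allowed to assume the role: the Service field of
    each Allow statement for sts:AssumeRole."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            found.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return found

def check_trust_policy(trust_policy, expected=MONGODB_SERVICE):
    """Findings when the trusted entity is not exactly `expected`: a
    service-linked role should be assumable only by its owning service."""
    services = trusted_services(trust_policy)
    problems = [] if expected in services else [f"missing trusted service: {expected}"]
    problems += [f"unexpected trusted service: {s}" for s in sorted(services - {expected})]
    for stmt in trust_policy.get("Statement", []):
        for kind in ("RAM", "Federated"):  # non-service principal types
            if kind in stmt.get("Principal", {}):
                problems.append(f"non-service principal present: {kind}")
    return problems

# Constructed sample in the shape of the trust policy shown on the role's
# Trust Policy Management tab (not copied from a real account).
SAMPLE_TRUST_POLICY = json.loads("""{"Version": "1", "Statement": [{
  "Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["mongodb.aliyuncs.com"]}}]}""")
```

Run check_trust_policy over the trust policy returned for AliyunServiceRoleForMongoDB; an empty list means the role is assumable only by the expected service.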

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use ApsaraDB for MongoDB for a long period of time, you can delete the AliyunServiceRoleForMongoDB service-linked role in the RAM console.

Before you delete the role, the following requirements must be met:

  • Release or unsubscribe from all ApsaraDB for MongoDB instances that depend on the AliyunServiceRoleForMongoDB role. For more information, see Release an instance or .

For more information, see Delete a RAM role.