
File Storage NAS:Service-linked roles of NAS

Last Updated:Oct 31, 2024

To implement the features of a file system, File Storage NAS (NAS) automatically creates service-linked roles for the file system. This way, the file system can access other cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).

Background information

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. NAS uses service-linked roles to access other cloud services or resources.

In most cases, the system automatically creates a service-linked role when you perform an operation. If the service-linked role fails to be automatically created or NAS does not support automatic creation, you must manually create the service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role.

Note

For more information about service-linked roles, see Service linked roles.

Scenarios

The service-linked roles of NAS are used in the following scenarios:

  • AliyunServiceRoleForNasStandard

    When you create a mount target in the classic network for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasStandard role to access ECS. This way, you can query the resource list and apply authentication logic.

  • AliyunServiceRoleForNasExtreme

    When you create a mount target for an Extreme NAS file system, you can use the AliyunServiceRoleForNasExtreme role to access VPC and ECS.

  • AliyunServiceRoleForNasEncryption

    When you create a file system encrypted by Key Management Service (KMS), you can use the AliyunServiceRoleForNasEncryption role to access KMS. This way, you can obtain the key that is managed by KMS and add tags to the key. This can prevent you from accidentally deleting the key that is used to access the file system.

  • AliyunServiceRoleForNasLogDelivery

    When you enable the log analysis feature for a NAS file system, you can use the AliyunServiceRoleForNasLogDelivery role to access Simple Log Service. You can also create a project and a Logstore in Simple Log Service, and dump log data from the NAS file system to the Logstore.

  • AliyunServiceRoleForNasBackup

    When you enable the file backup feature for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasBackup role to activate Cloud Backup and create a backup plan.

  • AliyunServiceRoleForNasEcsHandler

    When you mount a file system in the NAS console, you can use the AliyunServiceRoleForNasEcsHandler role to access Cloud Assistant. You can then use Cloud Assistant to run a Cloud Assistant command for one or more ECS instances. This way, you can mount or unmount the file system, and query the mount status of the ECS instances.

For more information, see Service-linked roles.

Permissions

The service-linked roles of NAS are granted the following permissions:

AliyunServiceRoleForNasStandard

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForNasExtreme

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForNasEncryption

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Listkeys",
                "kms:Listaliases",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": "acs:kms:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "acs:kms:*:*:*/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:nas:instance-encryption": "true"
                }
            }
        }
    ],
    "Version": "1"
}

AliyunServiceRoleForNasLogDelivery

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:PostLogStoreLogs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForNasBackup

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "hbr:OpenHbrService",
                "hbr:CreateTrialBackupPlan"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "backup.nas.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "nasbackup.hbr.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForNasEcsHandler

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ecs-handler.nas.aliyuncs.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:InvokeCommand"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/cmd-ACS-NAS-ClickMount-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
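The policies above can be reviewed mechanically for least privilege. The Python script below is an added example, not part of this page and not Alibaba Cloud tooling: it loads three of the policies printed above (copied verbatim into Python dicts), treats any action whose operation name begins with Describe, List or Get as read-only (a heuristic assumed by this example, not a RAM rule), and reports every remaining mutating action together with whether its statement is unscoped, meaning Resource is "*" and no Condition narrows it. Run against the page's own policies it shows, for instance, that the Extreme role's security-group and ENI actions apply to every resource unconditionally, while the Encryption role's kms:Decrypt is limited by a tag condition and the EcsHandler role's ecs:InvokeCommand is limited to the ClickMount command ARN pattern.

```python
import json

# Policies copied verbatim from this page (three of the six roles; the others
# contain only read-only actions or the same kinds of statement).
POLICIES = {
    "AliyunServiceRoleForNasExtreme": {
        "Version": "1",
        "Statement": [
            {"Action": ["vpc:DescribeVSwitchAttributes", "vpc:DescribeVpcs",
                        "vpc:DescribeVSwitches"],
             "Resource": "*", "Effect": "Allow"},
            {"Action": ["ecs:CreateSecurityGroup", "ecs:DescribeSecurityGroups",
                        "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup",
                        "ecs:AuthorizeSecurityGroup", "ecs:CreateNetworkInterface",
                        "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces",
                        "ecs:CreateNetworkInterfacePermission",
                        "ecs:DescribeNetworkInterfacePermissions",
                        "ecs:DeleteNetworkInterfacePermission"],
             "Resource": "*", "Effect": "Allow"},
        ],
    },
    "AliyunServiceRoleForNasEncryption": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags",
                        "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
             "Resource": "acs:kms:*:*:*"},
            {"Effect": "Allow",
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": "acs:kms:*:*:*/*",
             "Condition": {"StringEqualsIgnoreCase": {
                 "kms:tag/acs:nas:instance-encryption": "true"}}},
        ],
    },
    "AliyunServiceRoleForNasEcsHandler": {
        "Version": "1",
        "Statement": [
            {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"ram:ServiceName": "ecs-handler.nas.aliyuncs.com"}}},
            {"Effect": "Allow", "Action": ["ecs:InvokeCommand"],
             "Resource": ["acs:ecs:*:*:instance/*",
                          "acs:ecs:*:*:command/cmd-ACS-NAS-ClickMount-*"]},
            {"Effect": "Allow",
             "Action": ["ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus"],
             "Resource": ["acs:ecs:*:*:instance/*"]},
            {"Effect": "Allow",
             "Action": ["ecs:DescribeInvocations", "ecs:DescribeInvocationResults"],
             "Resource": ["*"]},
        ],
    },
}

# Heuristic assumed by this example (not a RAM rule): an operation name that
# starts with one of these verbs only reads state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """'kms:Listkeys' -> operation 'Listkeys', classified read-only by its prefix."""
    operation = action.split(":", 1)[1]
    return operation.startswith(READ_ONLY_PREFIXES)


def audit(policy: dict) -> list:
    """One finding per mutating action in an Allow statement: its resource
    scope and whether nothing narrows it (Resource '*' and no Condition)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        for action in as_list(stmt["Action"]):
            if is_read_only(action):
                continue
            findings.append({
                "action": action,
                "resources": resources,
                "condition": stmt.get("Condition"),
                "unscoped": "*" in resources and "Condition" not in stmt,
            })
    return findings


def unscoped_mutating_actions(policy: dict) -> list:
    """Sorted mutating actions that apply to every resource with no condition."""
    return sorted(f["action"] for f in audit(policy) if f["unscoped"])


if __name__ == "__main__":
    for role, policy in POLICIES.items():
        print(f"== {role}")
        for f in audit(policy):
            scope = "UNSCOPED" if f["unscoped"] else "scoped"
            extra = f" condition={json.dumps(f['condition'])}" if f["condition"] else ""
            print(f"  {scope:8} {f['action']:40} resources={f['resources']}{extra}")
```

The classification is deliberately coarse: the point of the script is to surface which statements a reviewer must read by hand (those flagged UNSCOPED), not to pass judgement on the role. Because these are system policies that cannot be edited, the practical follow-up is to confirm that the file systems and mount targets that trigger the role exist on purpose, and to watch ActionTrail for the role's mutating calls rather than to try to narrow the policy.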
 

Required permissions for a RAM user to use a service-linked role

If you use a RAM user to create or delete a service-linked role, you must ask the administrator to grant the AliyunNASFullAccess permission to the RAM user, or to add the following actions to the Action element of a custom policy that is attached to the RAM user:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to create and delete a service-linked role.

View a service-linked role

After a service-linked role is created, you can view the following information about the service-linked role on the Roles page of the RAM console by searching for the role name, for example, AliyunServiceRoleForNasStandard.

  • Basic information

    In the Basic Information section of the details page for the AliyunServiceRoleForNasStandard role, view the basic information of the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab of the details page for the AliyunServiceRoleForNasStandard role, click the policy name to view the policy content and the cloud resources that the role can access.

  • Trust policy

    On the Trust Policy tab of the details page for the AliyunServiceRoleForNasStandard role, view the content of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, you can view the value of the Service parameter in the trust policy.

For more information about how to view the information about a service-linked role, see View the information about a RAM role.

Delete a service-linked role

If you no longer need to use a service-linked role of NAS, you can delete the service-linked role. For example, you can delete the AliyunServiceRoleForNasEncryption role if you no longer need to create a file system encrypted by KMS. Before you delete a service-linked role of NAS, you must delete the associated file systems. For more information, see Delete a file system and Delete a service-linked role.

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

FAQ

Why is a service-linked role of NAS not automatically created for my RAM user?

Before a RAM user can create or delete a service-linked role of NAS, you must grant the required permissions to the RAM user. Therefore, if a service-linked role of NAS is not automatically created for a RAM user, attach the following policy to the RAM user. Replace <Alibaba Cloud account ID> with your actual Alibaba Cloud account ID. For more information, see Create custom policies.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "standard.nas.aliyuncs.com",
                        "extreme.nas.aliyuncs.com",
                        "encryption.nas.aliyuncs.com",
                        "logdelivery.nas.aliyuncs.com",
                        "ecs-handler.nas.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
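Before attaching the policy above, it is worth checking offline which requests it actually allows. The Python below is an added example, not part of this page and not Alibaba Cloud's SDK: it implements a deliberately simplified subset of RAM policy evaluation (an assumption of this example, not a description of RAM's real engine): Action and Resource matching with `*` wildcards, the StringEquals and StringEqualsIgnoreCase operators with single or list values, an applicable Deny overriding Allow, and implicit deny otherwise. The account ID, the role ARN format and the KMS key ARN are constructed placeholders. The example also shows a caveat visible from this page alone: the FAQ policy's ram:ServiceName list, as printed here, does not contain backup.nas.aliyuncs.com (the service name that appears in the AliyunServiceRoleForNasBackup policy above), so a request for that service name matches no statement.

```python
import fnmatch

ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account ID

# Custom policy copied from the FAQ above, with the account-ID placeholder filled in.
SLR_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": [
            "standard.nas.aliyuncs.com", "extreme.nas.aliyuncs.com",
            "encryption.nas.aliyuncs.com", "logdelivery.nas.aliyuncs.com",
            "ecs-handler.nas.aliyuncs.com"]}},
    }],
}

# Second statement of the AliyunServiceRoleForNasEncryption policy above, copied
# here to exercise the tag-based condition.
KMS_DATA_PATH = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "acs:kms:*:*:*/*",
        "Condition": {"StringEqualsIgnoreCase": {
            "kms:tag/acs:nas:instance-encryption": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match; names are compared case-insensitively (a simplification
    assumed by this example)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a missing context key fails the test."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            allowed = _as_list(expected)
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual.lower() not in [v.lower() for v in allowed]:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    context = context or {}
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # an applicable Deny wins regardless of order
        decision = "allow"
    return decision


def can_create_nas_role(service_name, account_id=ACCOUNT_ID):
    """Would the FAQ policy let a RAM user in `account_id` create the
    service-linked role for `service_name`? The role ARN format is assumed."""
    role_arn = f"acs:ram::{account_id}:role/AliyunServiceRoleForNas"
    return evaluate(SLR_POLICY, "ram:CreateServiceLinkedRole", role_arn,
                    {"ram:ServiceName": service_name}) == "allow"


if __name__ == "__main__":
    for name in ("encryption.nas.aliyuncs.com", "backup.nas.aliyuncs.com"):
        print(f"{name:32} create allowed: {can_create_nas_role(name)}")
    key = f"acs:kms:cn-hangzhou:{ACCOUNT_ID}:key/example-key-id"  # constructed ARN
    print("decrypt tagged key  :", evaluate(KMS_DATA_PATH, "kms:Decrypt", key,
                                            {"kms:tag/acs:nas:instance-encryption": "True"}))
    print("decrypt untagged key:", evaluate(KMS_DATA_PATH, "kms:Decrypt", key))
```

Two design points carry over to real reviews. First, the Resource ARN in the FAQ policy pins the account ID, so the same policy copied into another account silently grants nothing; the evaluator returns implicit_deny for a mismatched account. Second, the KMS statement only grants the data-path actions when the key carries the acs:nas:instance-encryption tag, which is why the Encryption role also needs kms:TagResource: removing or changing that tag is enough to cut the role off from the key.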