This topic describes the scenarios in which CloudOps Orchestration Service (OOS) uses service-linked roles, including AliyunServiceRoleForOOSInstanceScheduler, AliyunServiceRoleForOOSBandwidthScheduler, AliyunServiceRoleForOOSPatchManager, AliyunServiceRoleForOOSExecutionDelivery, AliyunServiceRoleForOOSApplicationManager, and AliyunServiceRoleForOOSSystemEventOperator. It also describes how to delete the service-linked roles for OOS.
Background information
The service-linked roles for OOS are Resource Access Management (RAM) roles that OOS assumes to obtain the permissions it needs on other Alibaba Cloud services to perform a specific task. They are roles, not RAM users: no long-term credentials are issued for them, and only the OOS service can assume them.
The AliyunServiceRoleForOOSExecutionDelivery role is a RAM role that OOS assumes to obtain permissions on other Alibaba Cloud services to deliver execution records.
The AliyunServiceRoleForOOSApplicationManager role is a RAM role that OOS assumes to obtain permissions on other Alibaba Cloud services to create or delete resources. For more information, see Service-linked roles.
Scenarios
To access Elastic Compute Service (ECS) resources for scheduled O&M tasks in OOS, such as starting or stopping instances as scheduled or temporarily upgrading instance bandwidth, you can use the AliyunServiceRoleForOOSInstanceScheduler or AliyunServiceRoleForOOSBandwidthScheduler role that OOS creates automatically to obtain the access permissions on ECS.
To access the resources of Simple Log Service and Object Storage Service (OSS) to deliver OOS execution records, you can use the AliyunServiceRoleForOOSExecutionDelivery role that is automatically created by OOS to obtain the access permissions on Simple Log Service and OSS.
To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSApplicationManager to obtain the access permissions on CloudMonitor.
AliyunServiceRoleForOOSInstanceScheduler
If the RAM role required for starting or shutting down an instance as scheduled does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSInstanceScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSInstanceSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to start or shut down the instance as scheduled.
Policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunServiceRoleForOOSBandwidthScheduler
If the RAM role required for temporarily upgrading the bandwidth of an instance does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSBandwidthScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSBandwidthSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to temporarily upgrade the bandwidth.
Policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunServiceRoleForOOSPatchManager
If the RAM role required for scanning or installing patches does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSPatchManager. In addition, OOS attaches the AliyunServiceRolePolicyForOOSPatchManager policy to the service-linked role. OOS can assume this role to scan or install patches on ECS instances and Elastic Desktop Service (ecd) desktops. Note that the policy grants ecs:RunCommand and ecd:RunCommand, which execute commands inside the instances, and ecs:CreateSnapshot, which OOS uses to snapshot disks before patching.
Policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateSnapshot",
"ecs:DescribeCloudAssistantStatus",
"ecs:DescribeDisks",
"ecs:DescribeInstances",
"ecs:DescribeInvocationResults",
"ecs:DescribeInvocations",
"ecs:DescribeManagedInstances",
"ecs:DescribeSnapshots",
"ecs:RebootInstance",
"ecs:RunCommand"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:CreateSnapshot",
"ecd:DescribeCloudAssistantStatus",
"ecd:DescribeDesktops",
"ecd:DescribeInvocations",
"ecd:DescribeSnapshots",
"ecd:RebootDesktops",
"ecd:RunCommand"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oos:ListInstancePatchStates"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "patchmanager.oos.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForOOSExecutionDelivery
To access the resources of Simple Log Service and OSS to deliver OOS execution records, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSExecutionDelivery to obtain the access permissions on Simple Log Service and OSS.
Policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetBucketInfo",
"log:GetProject",
"log:GetLogStore",
"log:CreateLogStore",
"log:PostLogStoreLogs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "executiondelivery.oos.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForOOSApplicationManager
To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSApplicationManager to obtain the access permissions on CloudMonitor.
Policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:CreateDynamicTagGroup",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DeleteDynamicTagGroup"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "applicationmanager.oos.aliyuncs.com"
}
}
}
],
"Version": "1"
}
AliyunServiceRoleForOOSSystemEventOperator
If the RAM role required to accept the default operation for a system event, and to authorize the system to perform that operation, does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSSystemEventOperator. In addition, OOS attaches the AliyunServiceRolePolicyForOOSSystemEventOperator policy to the service-linked role. OOS can assume this role to call the corresponding API operations to accept the default operation for the system event and authorize the system to perform it.
Policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AcceptInquiredSystemEvent",
"ecs:StopInstance",
"ecs:DescribeInstances",
"ecs:StartInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
}
}
}
]
}
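Every policy above grants on Resource "*", and several grant actions that change state (StartInstance, StopInstance, ModifyInstanceNetworkSpec, RunCommand, PutObject) or that let the role delete itself, which is acceptable only because the ram:DeleteServiceLinkedRole statement is pinned with a StringEquals condition to the role's own service name. The following script is an added example (not Alibaba Cloud code) that reads policy documents copied from this page and reports, per role, the non-read-only actions, the statements that use a wildcard resource, and whether the self-deletion grant is scoped to the expected service principal. The three embedded documents are taken from this page (the PatchManager one is abridged); the "read-only verb" heuristic (Describe/Get/List) is an assumption of the example.

```python
"""Least-privilege audit of OOS service-linked-role policies.

Added example; not Alibaba Cloud code. Inputs are the policy documents
reproduced on this page, embedded here as constructed test data.
"""
import json

# Constructed input: policy documents copied from this page (PatchManager abridged).
POLICIES = {
    "AliyunServiceRoleForOOSInstanceScheduler": json.loads("""
    {"Version": "1", "Statement": [
      {"Action": ["ecs:StartInstance", "ecs:StopInstance", "ecs:DescribeInstances"],
       "Resource": "*", "Effect": "Allow"}]}"""),
    "AliyunServiceRoleForOOSExecutionDelivery": json.loads("""
    {"Version": "1", "Statement": [
      {"Action": ["oss:PutObject", "oss:GetBucketInfo", "log:GetProject", "log:GetLogStore",
                  "log:CreateLogStore", "log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"},
      {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
       "Condition": {"StringEquals": {"ram:ServiceName": "executiondelivery.oos.aliyuncs.com"}}}]}"""),
    "AliyunServiceRoleForOOSPatchManager": json.loads("""
    {"Version": "1", "Statement": [
      {"Action": ["ecs:CreateSnapshot", "ecs:DescribeInstances", "ecs:RebootInstance", "ecs:RunCommand"],
       "Resource": "*", "Effect": "Allow"},
      {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
       "Condition": {"StringEquals": {"ram:ServiceName": "patchmanager.oos.aliyuncs.com"}}}]}"""),
}

# Service principal each role is expected to be pinned to (from the page).
EXPECTED_SERVICE = {
    "AliyunServiceRoleForOOSExecutionDelivery": "executiondelivery.oos.aliyuncs.com",
    "AliyunServiceRoleForOOSPatchManager": "patchmanager.oos.aliyuncs.com",
}

# Assumption of this example: operations with these verb prefixes do not change state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """RAM policies allow either a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def mutating_actions(policy):
    """Sorted Allow actions whose operation name is not a read-only verb."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            _service, _, operation = action.partition(":")
            if not operation.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


def wildcard_resource_statements(policy):
    """Indexes of Allow statements that grant on Resource "*"."""
    return [i for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))]


def delete_slr_scoped(policy, expected_service):
    """None if the policy never grants ram:DeleteServiceLinkedRole; otherwise True only if
    every such grant carries StringEquals ram:ServiceName == expected_service (and nothing else)."""
    found = False
    for stmt in policy["Statement"]:
        if "ram:DeleteServiceLinkedRole" not in _as_list(stmt["Action"]):
            continue
        found = True
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None or _as_list(names) != [expected_service]:
            return False
    return found or None


def audit(role_name, policy, expected_service=None):
    """One report per role."""
    return {
        "role": role_name,
        "mutating": mutating_actions(policy),
        "wildcard_statements": wildcard_resource_statements(policy),
        "delete_slr_scoped": delete_slr_scoped(policy, expected_service) if expected_service else None,
    }


def audit_all():
    return {name: audit(name, pol, EXPECTED_SERVICE.get(name)) for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for report in audit_all().values():
        print(json.dumps(report, indent=2))
```

Run it as a pre-change check whenever a provider updates a service-linked-role policy: a new mutating action, a missing ram:ServiceName condition, or a condition naming a different service is what you want to notice before the role is granted.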
Delete service-linked roles for OOS
Before you can delete the AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler role, you must cancel the OOS executions that depend on the role. The AliyunServiceRoleForOOSExecutionDelivery and AliyunServiceRoleForOOSApplicationManager roles can be deleted directly.
The following example shows how to delete the AliyunServiceRoleForOOSExecutionDelivery role:
If you deliver OOS execution records and then want to delete the AliyunServiceRoleForOOSExecutionDelivery role for security purposes, you must understand the impact of deleting the role. After the AliyunServiceRoleForOOSExecutionDelivery role is deleted, OOS execution records within the current account can no longer be delivered to OSS or Simple Log Service.
1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
2. On the Roles page, enter AliyunServiceRoleForOOSExecutionDelivery in the search box and click the search icon. The AliyunServiceRoleForOOSExecutionDelivery role is displayed.
3. In the Actions column, click Delete Role.
4. In the Delete Role message, click Delete Role.
For more information about how to delete a service-linked role, see the "Delete a service-linked role" section of the Service-linked roles topic.
FAQ
Why am I unable to enable OOS to automatically create the service-linked role AliyunServiceRoleForOOSExecutionDelivery when I log on as a RAM user?
If you want OOS to automatically create the AliyunServiceRoleForOOSExecutionDelivery role when you log on as a RAM user, you must grant the required permission to the RAM user. You can attach the following policy to the RAM user. It grants ram:CreateServiceLinkedRole only, and the ram:ServiceName condition restricts it to the executiondelivery.oos.aliyuncs.com service, so the RAM user cannot use it to create service-linked roles for other services; deleting the role is not covered by this policy.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"executiondelivery.oos.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
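To see what this policy does and does not permit, the following added example (not Alibaba Cloud's authorization engine) evaluates requests against it with a deliberately small, deny-by-default evaluator: Effect, Action and Resource with "*" wildcards, and the StringEquals operator on request-context keys such as ram:ServiceName. Any condition operator it does not model fails closed. The account ID is a constructed placeholder, and the role ARN format (acs:ram::{account}:role/{name}, empty region slot) is assumed by the example.

```python
"""Toy policy evaluator for the RAM user policy in the FAQ above.

Added example; not Alibaba Cloud's authorization engine. Models only what that
policy uses: Effect, Action/Resource wildcards, and StringEquals conditions.
"""
import fnmatch
import json

ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account

# The FAQ policy with the account-ID placeholder filled in.
RAM_USER_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ram:CreateServiceLinkedRole"],
   "Resource": "acs:ram:*:ACCOUNT_ID:role/*",
   "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": ["executiondelivery.oos.aliyuncs.com"]}}}]}
""".replace("ACCOUNT_ID", ACCOUNT_ID))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """Glob match: "*" matches any run of characters, including the empty region slot."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled; any other operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Deny by default; a matching Allow grants; a matching Deny overrides."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def slr_arn(account_id, role_name):
    """Assumed RAM role ARN layout: the region slot is empty for RAM."""
    return f"acs:ram::{account_id}:role/{role_name}"


def can_create_slr(service_name, account_id=ACCOUNT_ID,
                   role_name="AliyunServiceRoleForOOSExecutionDelivery"):
    """Would the RAM user be allowed to let OOS create this service-linked role?"""
    return is_allowed(RAM_USER_POLICY, "ram:CreateServiceLinkedRole",
                      slr_arn(account_id, role_name), {"ram:ServiceName": service_name})


if __name__ == "__main__":
    print("executiondelivery:", can_create_slr("executiondelivery.oos.aliyuncs.com"))
    print("patchmanager:     ", can_create_slr("patchmanager.oos.aliyuncs.com"))
```

The second call is denied because the StringEquals condition names only executiondelivery.oos.aliyuncs.com; a RAM user who also needs OOS to create the other service-linked roles on this page needs the corresponding service names added to that list, and a ram:DeleteServiceLinkedRole grant if deletion is required.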