Service-linked role - Managed Service for OpenTelemetry - Alibaba Cloud Documentation Center

This topic describes the AliyunServiceRoleForXtrace service-linked role for Managed Service for OpenTelemetry and how to delete this role.

Background information

The AliyunServiceRoleForXtrace service-linked role is a Resource Access Management (RAM) role that Managed Service for OpenTelemetry assumes to access other Alibaba Cloud services to implement a Managed Service for OpenTelemetry feature in specific scenarios. For more information, see Service-linked roles.

Scenarios

If the monitoring feature of Managed Service for OpenTelemetry needs to access the resources of Container Service for Kubernetes (ACK), Log Service, Elastic Compute Service (ECS), and Virtual Private Cloud (VPC), Managed Service for OpenTelemetry can assume the AliyunServiceRoleForXtrace role that is automatically created to obtain access permissions.

Permissions

Permissions to access ACK resources

{
            "Action": [
                "cs:ScaleCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:CheckKritisInstall",
                "cs:GetKritisAttestationAuthority",
                "cs:GetKritisGenericAttestationPolicy",
                "cs:AttachInstances",
                "cs:InstallKritis",
                "cs:InstallKritisAttestationAuthority",
                "cs:InstallKritisGenericAttestationPolicy",
                "cs:UpdateClusterTags",
                "cs:UninstallKritis",
                "cs:DeleteKritisAttestationAuthority",
                "cs:DeleteKritisGenericAttestationPolicy",
                "cs:UpdateKritisAttestationAuthority",
                "cs:UpdateKritisGenericAttestationPolicy",
                "cs:UpgradeCluster",
                "cs:GetClusterLogs"
            ],
            "Resource": [
              "acs:cs:*:*:cluster/*"
            ],
            "Effect": "Allow"
        }

Permissions to access Log Service resources

{
       "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:EnableService",
        "log:DescribeService",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
       }
]

Permissions to access ECS resources

{
       "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
         ],
      "Resource": "*",
      "Effect": "Allow"
    }

Permissions to access VPC resources

{
       "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeNatGateways"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

Permissions to access and configure Server Load Balancer (SLB) resources

{
       "Action": [
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadbalancerListenerAttributeEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:SetAccessLogsDownloadAttribute",
        "slb:DeleteAccessLogsDownloadAttribute",
        "slb:DescribeAccessLogsDownloadAttribute"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

Delete the AliyunServiceRoleForXtrace role

To ensure security, you can delete the AliyunServiceRoleForXtrace role after you enable the monitoring feature of Managed Service for OpenTelemetry. After you delete the role, the data of the current account cannot be stored and displayed. Proceed with caution when you delete the service-linked role.

To delete the AliyunServiceRoleForXtrace role, perform the following steps:

Note

If application data exists in the current account, you must delete all applications before you can delete the AliyunServiceRoleForXtrace role.

Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForXtrace in the search box. The RAM role named AliyunServiceRoleForXtrace is returned in the search result.
Click Delete Role in the Actions column.
In the Delete Role dialog box, enter the role name that you want to delete, and click Delete Role.
- If one or more Managed Service for OpenTelemetry applications exist in the current account, you must delete the applications before you can delete the AliyunServiceRoleForXtrace role. Otherwise, an error message appears.
- If all applications in the current account are deleted, you can delete the AliyunServiceRoleForXtrace role.

FAQ

Why is the system unable to automatically create the AliyunServiceRoleForXtrace service-linked role and assign the role to my RAM user?

To enable the system to automatically create or delete the AliyunServiceRoleForXtrace role, you must obtain the specified permissions. If the system does not automatically create the AliyunServiceRoleForXtrace role and assign the role to your RAM user, attach the following policy to your RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "xtrace.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}