AliyunServiceRoleForPolarDB is the service-linked role for PolarDB. This topic describes the scenarios in which PolarDB assumes the role, the permissions that the role grants, and how to delete the role.
Background information
PolarDB may need to access other cloud services to implement features. Alibaba Cloud provides the AliyunServiceRoleForPolarDB role that allows PolarDB to access other cloud services.
Scenarios
If you want to bind a private domain name to a private IP address of PolarDB, PolarDB must access the resources of Alibaba Cloud DNS PrivateZone. In this case, PolarDB can assume the AliyunServiceRoleForPolarDB role to obtain the required access permissions.
When you create a PolarDB for MySQL cluster by migrating an ApsaraDB RDS for MySQL instance, clone an ApsaraDB RDS for MySQL instance to a PolarDB for MySQL cluster, or upgrade an ApsaraDB RDS for PostgreSQL instance to a PolarDB for PostgreSQL cluster, PolarDB must access Data Transmission Service (DTS) resources. PolarDB assumes the service-linked role to obtain the required permissions.
When you use PolarProxy, PolarDB must access PrivateLink resources. PolarDB assumes the service-linked role to obtain the required permissions.
Because the network type of PolarDB clusters is VPC, PolarDB must access VPC resources. PolarDB assumes the service-linked role to obtain the required permissions.
AliyunServiceRoleForPolarDB
Role name: AliyunServiceRoleForPolarDB
Role policy: AliyunServiceRolePolicyForPolarDB
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "pvtz:DescribeUserServiceStatus",
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZoneRecords",
        "pvtz:CheckZoneName",
        "pvtz:AddZone",
        "pvtz:BindZoneVpc",
        "pvtz:DeleteZone",
        "pvtz:AddZoneRecord",
        "pvtz:UpdateZoneRecord",
        "pvtz:DeleteZoneRecord",
        "dts:CreateDtsInstance",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:DescribePreCheckStatus",
        "dts:DescribeDtsJobDetail",
        "dts:DescribeDtsJobs",
        "dts:ModifyDtsJob",
        "dts:SuspendDtsJob",
        "dts:StopDtsJob",
        "dts:DeleteDtsJob",
        "dts:CheckDefaultRole",
        "dts:ReverseTwoWayDirection",
        "dts:ModifyDtsJobEndpoint",
        "privatelink:ListVpcEndpointServicesByEndUser",
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "dms:AddInstance",
        "dms:ListInstances",
        "dms:GetInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "polardb.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
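The policy above allows most actions on Resource "*" without a condition and restricts only the two ram:* actions by a ram:ServiceName condition. The following Python script is an added example, not part of the Alibaba Cloud documentation or of PolarDB: it audits a policy document in this format (a constructed excerpt of the policy above is embedded), groups the unconditional actions by service into read and write lists, and checks that every ram:* action is limited by a ram:ServiceName condition. The read-only verb prefixes are an assumption chosen for this example.

```python
import json
from collections import defaultdict

# Constructed excerpt of the AliyunServiceRolePolicyForPolarDB document shown above
# (same statement structure, a subset of its actions).
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["pvtz:DescribeZones", "pvtz:AddZone", "pvtz:DeleteZoneRecord",
                "dts:StartDtsJob", "ecs:CreateNetworkInterface", "dms:GetInstance"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "polardb.aliyuncs.com"}}},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}}
  ]
}""")

# Assumed read-only verb prefixes; every other verb counts as a write (mutating) action.
READ_PREFIXES = ("Describe", "List", "Get", "Check")

def as_list(value):
    # Policy fields such as Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]

def is_write(action):
    return not action.split(":", 1)[1].startswith(READ_PREFIXES)

def audit(policy):
    """Group unconditional Allow actions on Resource "*" by service into read/write
    lists, and collect condition-scoped actions as (service, action, condition)."""
    unscoped = defaultdict(lambda: {"read": [], "write": []})
    scoped = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            if "Condition" in stmt:
                scoped.append((service, action, stmt["Condition"]))
            elif "*" in as_list(stmt.get("Resource", [])):
                unscoped[service]["write" if is_write(action) else "read"].append(action)
    return dict(unscoped), scoped

def ram_actions_are_scoped(policy):
    """True when every statement that allows a ram:* action carries a StringEquals
    condition on ram:ServiceName, i.e. it applies to one service-linked role owner."""
    for stmt in policy["Statement"]:
        if any(a.startswith("ram:") for a in as_list(stmt["Action"])):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("ram:ServiceName"):
                return False
    return True
```

Run audit(POLICY) against the full policy document to list which services the role can modify without any condition, and ram_actions_are_scoped(POLICY) to confirm the RAM statements stay restricted after any policy change.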
Delete the service-linked role
Before you delete the AliyunServiceRoleForPolarDB role, you must release the PolarDB cluster that depends on the role.
For more information about how to release a PolarDB cluster, see Release a cluster.