
Performance Testing: Service-linked role of PTS

Last Updated: Nov 19, 2024

This topic describes the service-linked role of Performance Testing Service (PTS) named AliyunServiceRoleForPts and the method used to delete the role.

Background information

In some cases, PTS automatically creates a service-linked role named AliyunServiceRoleForPts to obtain the access permissions on other cloud services that it needs to implement a feature. For more information, see Service-linked roles.

Scenarios

If PTS needs to access the resources of another cloud service, such as Application Real-Time Monitoring Service (ARMS), ApsaraMQ for Kafka, Microservices Engine (MSE), or Enterprise Distributed Application Service (EDAS), PTS uses the AliyunServiceRoleForPts role that is automatically created by the system to obtain access permissions on those resources. For more information about ARMS, see What is ARMS? For more information about ApsaraMQ for Kafka, see What is ApsaraMQ for Kafka? For more information about MSE, see What is MSE? For more information about EDAS, see What is EDAS?

Permissions

The AliyunServiceRoleForPts role is granted the access permissions on the following cloud services:

ARMS

 {
   "Action": [
     "arms:GetPrometheusApiToken",
     "arms:OpenVCluster",
     "arms:OpenArmsService",
     "arms:CheckServiceStatus",
     "arms:ListDashboards",
     "arms:GetExploreUrl"
   ],
   "Resource": "*",
   "Effect": "Allow"
 } 

ApsaraMQ for Kafka

{
  "Action": [
    "alikafka:GetInstanceList",
    "alikafka:GetTopicList"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Tair (Redis OSS-compatible)

{
  "Action": [
    "kvstore:DescribeInstanceAttribute",
    "kvstore:DescribeInstances"
  ],
  "Resource": "*",
  "Effect": "Allow"
}        

PolarDB

{
  "Action": [
    "polardb:DescribeDBClusters",
    "polardb:DescribeDatabases",
    "polardb:DescribeDBClusterEndpoints",
    "polardb:DescribeAccounts"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

MSE

 {
  "Action": [
    "mse:GetServiceListPage",
    "mse:GetServiceProvidersPage",
    "mse:GetServiceDetail",
    "mse:ListGatewayRoute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

EDAS

 {
  "Action": [
    "edas:GetServiceListPage",
    "edas:GetServiceProvidersPage",
    "edas:GetServiceMethodPage"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Simple Log Service

 {
  "Action": [
    "log:ListLogStores",
    "log:GetLogs",
    "log:GetLogStoreLogs"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

CloudMonitor

 {
  "Action": [
    "cms:NodeList",
    "cms:QueryMetricList",
    "cms:NodeStatusList",
    "cms:ListNodeStatus",
    "cms:GetNodeStatus",
    "cms:ListNode",
    "cms:ListNodeProcesses",
    "cms:CreateAgentInstallTask",
    "cms:GetProfile"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Elastic Compute Service (ECS)

 {
  "Action": [
    "ecs:DescribeInstances",
    "ecs:DescribeInstanceMonitorData",
    "ecs:DescribeInstanceAttribute",
    "ecs:DescribeInstanceTypes",
    "ecs:DescribeInstanceDisks",
    "ecs:AuthorizeSecurityGroup",
    "ecs:RevokeSecurityGroup",
    "ecs:DescribeRegions",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DeleteNetworkInterfacePermission"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Anti-DDoS service

 {
  "Action": [
    "yundun-ddoscoo:DescribeInstances",
    "yundun-ddoscoo:DescribeInstanceDetails",
    "yundun-ddoscoo:DescribeInstanceList",
    "yundun-ddoscoo:DescribeInstanceSpecs",
    "yundun-ddoscoo:DescribeDomains",
    "yundun-ddoscoo:DescribeLayer7InstanceRelations"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Elastic IP Addresses (EIPs)

 {
  "Action": [
    "eip:DescribeEipAddresses",
    "eip:DescribeEipMonitorData"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

ApsaraDB RDS for MySQL

 {
  "Action": [
    "rds:DescribeDatabases",
    "rds:DescribeDBInstanceDetail",
    "rds:DescribeDBInstances",
    "rds:DescribeDBInstanceAttribute",
    "rds:DescribeSlowLogs",
    "rds:DescribeSlowLogRecords",
    "rds:DescribeErrorLogs",
    "rds:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Server Load Balancer (SLB)

 {
  "Action": [
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeHealthStatus",
    "slb:DescribeRegions"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Web Application Firewall (WAF)

 {
  "Action": [
    "yundun-waf:DescribePayInfo",
    "yundun-waf:DescribeDomainNames",
    "yundun-waf:DescribeDomainConfig"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Virtual private clouds (VPCs)

 {
  "Action": [
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitches",
    "vpc:DescribeVSwitchAttributes"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Alibaba Cloud Container Service for Kubernetes (ACK)

 {
  "Action": [
    "cs:ListClusters",
    "cs:GetClusterById",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Data Management (DMS)

 {
  "Action": [
    "dms:SearchDatabase",
    "dms:ListTables",
    "dms:GetMetaTableDetailInfo",
    "dms:CreateStructSyncOrder",
    "dms:GetOrderBaseInfo"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Transactions and Bills Management (BSS)

 {
  "Action": [
    "bss:CreateOrder"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
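
Every statement above uses "Resource": "*", so a review of this role comes down to which actions can change state. The following Python code is an added example, not Alibaba Cloud code: it sorts actions by verb prefix over an abridged copy of the statements above. The prefix lists are an assumption of this example, not a RAM classification, and names that match neither list (such as cms:NodeList) are kept apart for manual review.

```python
import json
from collections import defaultdict

# Verb prefixes used to sort actions. This split is a review heuristic assumed
# for this example, not an Alibaba Cloud classification.
READ_VERBS = ("Describe", "Get", "List", "Query", "Check", "Search")
WRITE_VERBS = ("Create", "Delete", "Authorize", "Revoke", "Open",
               "Modify", "Update", "Set", "Put")

# Abridged copies of statements shown in the Permissions section above.
ROLE_STATEMENTS = json.loads("""[
 {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup",
             "ecs:RevokeSecurityGroup", "ecs:CreateNetworkInterface"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["cms:NodeList", "cms:QueryMetricList",
             "cms:CreateAgentInstallTask"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["cs:ListClusters", "cs:RevokeClusterInnerServiceKubeconfig"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["bss:CreateOrder"], "Resource": "*", "Effect": "Allow"},
 {"Action": ["eip:DescribeEipAddresses", "eip:DescribeEipMonitorData"],
  "Resource": "*", "Effect": "Allow"}
]""")

def as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def classify(action):
    """Return 'read', 'write' or 'unknown' from the verb after 'service:'."""
    verb = action.split(":", 1)[-1]
    if verb.startswith(WRITE_VERBS):
        return "write"
    if verb.startswith(READ_VERBS):
        return "read"
    return "unknown"  # e.g. cms:NodeList; needs a manual look

def review(statements):
    """Group non-read actions allowed on Resource "*" by service prefix."""
    findings = defaultdict(lambda: {"write": [], "unknown": []})
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        for action in as_list(stmt.get("Action")):
            kind = classify(action)
            if kind != "read":
                findings[action.split(":", 1)[0]][kind].append(action)
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(review(ROLE_STATEMENTS), indent=2))
```
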

Deletion procedure

If you use PTS and want to delete the AliyunServiceRoleForPts role for security reasons, first make sure that you understand the impact of the deletion: after the AliyunServiceRoleForPts role is deleted, the service testing and service stress testing features cannot be used.

To delete the AliyunServiceRoleForPts role, perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account. In the left-side navigation pane, choose Identities > Roles.

  2. On the Roles page, enter AliyunServiceRoleForPts in the search box on the right of Create Role. The service-linked role of PTS named AliyunServiceRoleForPts is displayed.

  3. In the Actions column corresponding to the AliyunServiceRoleForPts role, click Delete Role.

  4. In the Delete Role message, click Delete Role.

FAQ

Why does my RAM user fail to automatically create the AliyunServiceRoleForPts role?

Specific permissions are required to automatically create or delete the AliyunServiceRoleForPts role. If your RAM user cannot automatically create the AliyunServiceRoleForPts role, attach the following permission policy to the RAM user.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "pts.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Note

Replace <Alibaba Cloud account ID> with the ID of your Alibaba Cloud account.
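
The Condition block is what limits this grant to PTS. The following Python check is an added example, not part of the original documentation: it reports, for each Allow statement that covers ram:CreateServiceLinkedRole, which ram:ServiceName values the statement is pinned to. The account ID and the unscoped policy are constructed for the example.

```python
import fnmatch
import json

TARGET = "ram:CreateServiceLinkedRole"

# The policy from the FAQ above; the account ID is a constructed placeholder.
FAQ_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:1234567890123456:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["pts.aliyuncs.com"]}}
  }],
  "Version": "1"
}""")

# Constructed counter-example: a broad grant with no Condition.
UNSCOPED_POLICY = json.loads("""{
  "Statement": [{"Action": "ram:*", "Resource": "*", "Effect": "Allow"}],
  "Version": "1"
}""")


def as_list(value):
    """Action and condition values may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def slr_scope(policy):
    """For each Allow statement that covers ram:CreateServiceLinkedRole,
    return the ram:ServiceName values it is pinned to. None means the
    statement allows creating a service-linked role for any service."""
    scopes = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns may use wildcards such as "ram:*" or "*".
        patterns = as_list(stmt.get("Action"))
        if not any(fnmatch.fnmatchcase(TARGET, p) for p in patterns):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = as_list(cond.get("ram:ServiceName"))
        scopes.append(sorted(names) or None)
    return scopes


if __name__ == "__main__":
    print("FAQ policy:", slr_scope(FAQ_POLICY))
    print("Unscoped policy:", slr_scope(UNSCOPED_POLICY))
```
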