
ApsaraDB RDS:Service-linked roles

Last Updated: Dec 17, 2024

This topic describes the service-linked roles that ApsaraDB RDS supports, the permissions that each role grants, and how to create and delete the roles.

Background information

ApsaraDB RDS supports the following service-linked roles:

  • AliyunServiceRoleForRds, which is used for ApsaraDB RDS for MySQL

  • AliyunServiceRoleForRdsPgsqlOnEcs, which is used for ApsaraDB RDS for PostgreSQL

  • AliyunServiceRoleForRDSProxyOnEcs, which is used for the database proxy feature of ApsaraDB RDS for PostgreSQL

Some ApsaraDB RDS features require access to other Alibaba Cloud services, such as ECS, VPC, and KMS. A service-linked role is a RAM role that only the linked service can assume. When you create one of the roles above, ApsaraDB RDS obtains exactly the permissions in the attached policy, which is why the policy documents below are worth reading before you create the role. For more information, see Service-linked roles.

Introduction to service-linked roles

AliyunServiceRoleForRds

Name: AliyunServiceRoleForRds

Attached policy: AliyunServiceRolePolicyForRds

Permissions (AliyunServiceRolePolicyForRds policy document):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DescribeKeyPairs",
                "ecs:ModifyImageSharePermission",
                "ecs:DescribeImages"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:AssociateEipAddress",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rds-ecs-service.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

This service-linked role is used to authorize ApsaraDB RDS for MySQL. You can create the role in the console when you create the database. For more information, see Create a database.

Delete the role

Before you delete a service-linked role, you must delete all databases that depend on the role.

AliyunServiceRoleForRdsPgsqlOnEcs

Name: AliyunServiceRoleForRdsPgsqlOnEcs

Attached policy: AliyunServiceRolePolicyForRdsPgsqlOnEcs

Permissions (AliyunServiceRolePolicyForRdsPgsqlOnEcs policy document):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Listkeys",
                "kms:Listaliases",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:UntagResource",
                "kms:TagResource",
                "kms:DescribeAccountKmsStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}
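Two things in this policy document deserve a closer look before you create the role. The ECS and VPC statements, and the KMS List/Describe/Tag statements, use Resource "*" with no condition, so the role can enumerate every KMS key and alias in the account and manage security groups and ENIs account-wide. Only the statement that grants kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey is narrowed, and it is narrowed by the key's tags: the role can use a key for encryption only if the key carries the tag acs:rds:instance-encryption with the value true (matched case-insensitively). The practical consequence is that you control which keys RDS can use by tagging only those keys, and that mis-tagging a key (for example with the value yes) silently makes it unusable. The ram:DeleteServiceLinkedRole statement is similarly scoped by ram:ServiceName to roles that belong to pgsql-onecs.rds.aliyuncs.com, so this role cannot delete the other RDS service-linked roles.

The following is an added example, not Alibaba Cloud code, that shows how those conditions behave. It is a deliberately small evaluator that implements only the two condition operators these policy documents use (StringEquals and StringEqualsIgnoreCase) and applies them to an excerpt of the policy above against a few constructed KMS keys. The key IDs and tags are made up for the example; the same evaluator applies unchanged to the ram:ServiceName conditions in the other two policy documents on this page.

```python
"""Evaluate the condition-scoped statements of an RDS service-linked role policy.

Added example, not Alibaba Cloud code. Supports only what these policy
documents use: Allow statements, exact/"*"-suffixed action matching, and the
StringEquals / StringEqualsIgnoreCase operators. Sample keys are constructed.
"""
import json

# Excerpt of the AliyunServiceRolePolicyForRdsPgsqlOnEcs document from this page
# (the KMS and RAM statements; action names kept exactly as published).
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["kms:Listkeys", "kms:Listaliases", "kms:DescribeKey"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEqualsIgnoreCase":
                   {"kms:tag/acs:rds:instance-encryption": "true"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals":
                   {"ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}}}
  ]
}
""")


def _action_matches(pattern, action):
    """Match one Action entry; only a trailing '*' wildcard is supported."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition, context):
    """All operator/key pairs must hold (AND). A key absent from the request context fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual.lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator not supported by this evaluator: {operator}")
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and its condition holds.

    Deny statements are not handled because none appear in these policies.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def kms_context(key):
    """Turn a key's tags into the kms:tag/<name> context keys the condition refers to."""
    return {f"kms:tag/{name}": value for name, value in key["tags"].items()}


# Constructed sample keys (hypothetical IDs and tags, not from any real account).
SAMPLE_KEYS = [
    {"KeyId": "key-rds-encryption", "tags": {"acs:rds:instance-encryption": "TRUE"}},
    {"KeyId": "key-app-secrets", "tags": {"owner": "payments"}},
    {"KeyId": "key-mistagged", "tags": {"acs:rds:instance-encryption": "yes"}},
]


def usable_for_rds_encryption(policy, keys):
    """IDs of the keys the role could actually call kms:Decrypt on."""
    return [k["KeyId"] for k in keys if is_allowed(policy, "kms:Decrypt", kms_context(k))]


if __name__ == "__main__":
    # Only the correctly tagged key is usable; "TRUE" passes because the operator ignores case.
    print(usable_for_rds_encryption(POLICY, SAMPLE_KEYS))
    # DescribeKey is unconditional: every key in the account can be described.
    print(is_allowed(POLICY, "kms:DescribeKey", {}))
    # Deletion is scoped to service-linked roles of pgsql-onecs.rds.aliyuncs.com only.
    print(is_allowed(POLICY, "ram:DeleteServiceLinkedRole",
                     {"ram:ServiceName": "rds-ecs-service.rds.aliyuncs.com"}))
```

The request context is the part that is easy to get wrong when reasoning about such policies: the tag condition is evaluated against the tags of the key named in the request (kms:tag/acs:rds:instance-encryption), not against tags on the RDS instance, and a key with no such tag fails the condition rather than being treated as neutral. To audit an account, replace SAMPLE_KEYS with the output of a real key listing and the function reports exactly which keys the role can use.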

Create the role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the page that appears, click Create Role.

  4. In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Service and click Next.

  5. In the Configure Role step, set the Role Type parameter to Service Linked Role and the Select Service parameter to Cloud Relational Database Postgresql-OnEcs. Then, click OK.


Delete the role

Before you delete a service-linked role, you must release all instances that are associated with the service-linked role.

AliyunServiceRoleForRDSProxyOnEcs

Name: AliyunServiceRoleForRDSProxyOnEcs

Attached policy: AliyunServiceRolePolicyForRDSProxyOnEcs

Permissions (AliyunServiceRolePolicyForRDSProxyOnEcs policy document):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rdsproxy-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

This service-linked role is used to authorize the database proxy feature of ApsaraDB RDS for PostgreSQL. You can create the role in the console when you enable the database proxy feature for your RDS instance. For more information, see Enable the database proxy feature.

Delete the role

Before you delete a service-linked role, you must disable the database proxy feature that depends on the service-linked role.

Related operations

You can call the CreateServiceLinkedRole operation to create a service-linked role for an ApsaraDB RDS instance. The following parameters are required.

  • RegionId: the ID of the region in which the instance resides. You can call the DescribeRegions operation to query the most recent region list. Example: cn-hangzhou

  • ServiceLinkedRole: the name of the service-linked role. Example: AliyunServiceRoleForRdsPgsqlOnEcs. Valid values:

      • AliyunServiceRoleForRds: the service-linked role for ApsaraDB RDS for MySQL.

      • AliyunServiceRoleForRdsPgsqlOnEcs: the service-linked role for ApsaraDB RDS for PostgreSQL.

      • AliyunServiceRoleForRDSProxyOnEcs: the service-linked role for the database proxy feature of ApsaraDB RDS for PostgreSQL.