To use the data delivery feature of Tablestore, you must have the permissions to access Object Storage Service (OSS) resources. To grant the permissions to access OSS resources, the system automatically creates the Tablestore service-linked role AliyunServiceRoleForOTSDataDelivery in the Tablestore console.
Background information
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Tablestore assumes a service-linked role to access other cloud services or resources.
In most cases, a service-linked role is automatically created when you perform an operation. If the system fails to create a service-linked role or Tablestore does not support automatic creation of a service-linked role, you can manually create a service-linked role.
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view information about the system policy of a specific service-linked role, go to the details page of the role.
For more information about service-linked roles, see Service linked roles.
Scenarios
When you use the data delivery feature of Tablestore, Tablestore automatically creates the service-linked role AliyunServiceRoleForOTSDataDelivery to authorize Tablestore to access OSS resources.
Required permissions for a RAM user to use a service-linked role
If you want to create or delete a service-linked role as a RAM user, you must contact the administrator to attach the AliyunXXXFullAccess policy to the RAM user or specify the following permissions in the Action element of a custom policy:
Permissions required to create a service-linked role:
ram:CreateServiceLinkedRole
Permissions required to delete a service-linked role:
ram:DeleteServiceLinkedRole
For more information, see Permissions required to create and delete a service-linked role.
Create a service-linked role
To allow you to use the data delivery feature of Tablestore, the system automatically creates the Tablestore service-linked role AliyunServiceRoleForOTSDataDelivery in the Tablestore console.
The policy for AliyunServiceRoleForOTSDataDelivery is AliyunServiceRolePolicyForOTSDataDelivery. The policy supports the following operations on OSS resources: PutObject, AbortMultipartUpload, PutObjectTagging, GetObject, and DeleteObjectTagging.
View information about a service-linked role
After the system creates a service-linked role, you can search AliyunServiceRoleForOTSDataDelivery on the Roles page of the RAM console to view the following information about the service-linked role:
Basic Information
In the Basic Information section of the AliyunServiceRoleForOTSDataDelivery page, you can view the basic information about the role, including the role name, creation time, ARN, and description.
Permissions
On the Permissions tab of the AliyunServiceRoleForOTSDataDelivery page, click the policy name to view the policy content and the cloud resources that the role has permissions to access.
Trust Policy
On the Trust Policy tab of the AliyunServiceRoleForOTSDataDelivery page, you can view the content of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For information about how to view the details of a service-linked role, see View the information about a RAM role.
Delete a service-linked role
Before you delete the AliyunServiceRoleForOTSDataDelivery service-linked role, make sure that the data delivery feature is not in use for all instances in the current account.
After you delete the Tablestore service-linked role, data in the current account cannot be delivered to OSS.
To delete the service-linked role, perform the following steps:
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForOTSDataDelivery in the search box and then click the icon or press Enter.
Click Delete Role in the Actions column of the RAM role.
In the Delete Role dialog box, enter the role name and then click Delete Role.
If the data delivery feature is in use for instances in the current account, you cannot delete the AliyunServiceRoleForOTSDataDelivery service-linked role. To delete the role, you must delete the delivery tasks from the instances.
If no instances in the current account are using the data delivery feature, you can delete the role.
FAQ
Why is the system unable to create the Tablestore service-linked role AliyunServiceRoleForOTSDataDelivery for a RAM user?
The system creates the Tablestore service-linked role only for users who have the required permissions. If the Tablestore service-linked role cannot be automatically created for a RAM user, you must attach the following policy to the RAM user.
You must replace Alibaba Cloud account ID with the actual account ID.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "arms.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
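As an added example (not part of the Alibaba Cloud documentation), the following Python helpers check the two policy documents this page discusses: the role policy's Allow actions against the OSS operations listed under Create a service-linked role, and the FAQ's custom policy for a leftover account-ID placeholder or a missing ram:ServiceName condition. The sample documents are constructed here; the service name is a parameter, and the page's value is passed through unchanged.

```python
import json
import re

# OSS operations the page lists for AliyunServiceRolePolicyForOTSDataDelivery.
EXPECTED_OSS_ACTIONS = {
    "oss:PutObject", "oss:AbortMultipartUpload", "oss:PutObjectTagging",
    "oss:GetObject", "oss:DeleteObjectTagging",
}

def _as_list(value):
    # RAM policies accept a bare string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def extra_allowed_actions(policy_doc, expected=EXPECTED_OSS_ACTIONS):
    """Actions an Allow statement grants beyond `expected` (run on the policy content
    shown on the role's Permissions tab; an empty set means no undocumented grants)."""
    allowed = set()
    for stmt in json.loads(policy_doc)["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed - expected

def lint_create_slr_policy(policy_doc, service_name):
    """Problems in the FAQ's custom policy: the account-ID placeholder must be replaced
    by a numeric account ID and ram:ServiceName must pin the grant to one service."""
    problems = []
    for stmt in json.loads(policy_doc)["Statement"]:
        if "ram:CreateServiceLinkedRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not re.fullmatch(r"acs:ram:\*:\d+:role/\*", res):
                problems.append("Resource is malformed or still holds the placeholder: " + res)
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if not names:
            problems.append("missing ram:ServiceName condition: allows creating any service-linked role")
        elif service_name not in _as_list(names):
            problems.append("ram:ServiceName condition does not name " + service_name)
    return problems

# Constructed sample documents (not fetched from RAM); the role policy deliberately
# carries one extra action so the check has something to report.
ROLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "oss:PutObject", "oss:AbortMultipartUpload", "oss:PutObjectTagging",
        "oss:GetObject", "oss:DeleteObjectTagging", "oss:DeleteObject"]}]})
CREATE_POLICY_TEMPLATE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"],
     "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
     "Condition": {"StringEquals": {"ram:ServiceName": ["arms.aliyuncs.com"]}}}]})
```

Paste the real policy content from the Permissions tab into extra_allowed_actions, and run lint_create_slr_policy on the custom policy after filling in the account ID and before attaching it.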