This topic describes the background information, policies, and additional considerations for the service-linked roles of ApsaraMQ for Kafka. This topic also provides answers to frequently asked questions about these roles.

Background information

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. In this case, the Alibaba Cloud service must assume the corresponding service-linked role to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. The first time you use the feature in the console of the Alibaba Cloud service, the system automatically creates the service-linked role and notifies you that the service-linked role is created. For more information, see Service-linked roles.

ApsaraMQ for Kafka can assume the following service-linked roles:

  • AliyunServiceRoleForAlikafka: ApsaraMQ for Kafka assumes this role to access other Alibaba Cloud services. The first time you activate ApsaraMQ for Kafka in the ApsaraMQ for Kafka console, the system automatically creates the AliyunServiceRoleForAlikafka role and notifies you that the role is created.
  • AliyunServiceRoleForAlikafkaConnector: ApsaraMQ for Kafka assumes this role to obtain access permissions on the services that connectors connect to, which is what enables the connector feature. The first time you create a connector in the ApsaraMQ for Kafka console, the system automatically creates the AliyunServiceRoleForAlikafkaConnector role and notifies you that the role is created. For more information, see Create a Function Compute sink connector.
  • AliyunServiceRoleForAlikafkaInstanceEncryption: ApsaraMQ for Kafka assumes this role to obtain permissions on Key Management Service (KMS) so that your ApsaraMQ for Kafka instance can use the encryption feature that KMS provides. The instance encryption feature can currently be used only by calling API operations; it will be provided in the console in a future version. The first time you deploy an instance that has disk encryption enabled by calling the StartInstance operation of ApsaraMQ for Kafka, the system automatically creates the AliyunServiceRoleForAlikafkaInstanceEncryption role for your account.
  • AliyunServiceRoleForAlikafkaETL: ApsaraMQ for Kafka assumes this role to create extract, transform, and load (ETL) tasks to perform data analysis. The first time you enable the ETL feature in the ApsaraMQ for Kafka console, the system automatically creates the AliyunServiceRoleForAlikafkaETL role and notifies you that the role is created. For more information, see Manage ETL tasks.

Policies

  • The following policy is attached to the AliyunServiceRoleForAlikafka role:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:CreateSecurityGroup",
                    "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:RevokeSecurityGroup",
                    "ecs:DeleteSecurityGroup",
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The following policy is attached to the AliyunServiceRoleForAlikafkaConnector role:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "fc:InvokeFunction",
                    "fc:GetFunction",
                    "fc:ListServices",
                    "fc:ListFunctions",
                    "fc:ListServiceVersions",
                    "fc:ListAliases",
                    "fc:CreateService",
                    "fc:DeleteService",
                    "fc:CreateFunction",
                    "fc:DeleteFunction",
                    "fc:CreateLayerVersion",
                    "fc:ListLayers"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "rds:DescribeDatabases"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketAcl"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "elasticsearch:DescribeInstance",
                    "elasticsearch:ListInstance"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "dataworks:CreateRealTimeProcess",
                    "dataworks:QueryRealTimeProcessStatus"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "eventbridge:CreateEventStreaming",
                    "eventbridge:UpdateEventStreaming",
                    "eventbridge:GetEventStreaming",
                    "eventbridge:DeleteEventStreaming",
                    "eventbridge:ListEventStreamings",
                    "eventbridge:StartEventStreaming",
                    "eventbridge:PauseEventStreaming",
                    "eventbridge:ListEventStreamingMetrics"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ots:GetInstance",
                    "ots:ListInstance",
                    "ots:ListTable",
                    "ots:CreateTable",
                    "ots:UpdateTable",
                    "ots:DescribeTable",
                    "ots:GetRow",
                    "ots:PutRow",
                    "ots:UpdateRow",
                    "ots:DeleteRow",
                    "ots:GetRange",
                    "ots:BatchGetRow",
                    "ots:BatchWriteRow",
                    "ots:BulkImport",
                    "ots:Search",
                    "ots:OpenOtsService",
                    "ots:GetOtsServiceStatus",
                    "ots:InsertInstance",
                    "ots:DeleteTable",
                    "ots:CreateSearchIndex",
                    "ots:DeleteSearchIndex",
                    "ots:UpdateSearchIndex"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "gpdb:DescribeDBInstances",
                    "gpdb:DescribeDBInstanceAttribute"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "adb:DescribeDBClusters",
                    "adb:DescribeSchemas",
                    "adb:DescribeTables"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "connector.alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The following policy is attached to the AliyunServiceRoleForAlikafkaInstanceEncryption role:
    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "kms:Listkeys",
                    "kms:Listaliases",
                    "kms:ListResourceTags",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource":"*",
                "Effect":"Allow"
            },
            {
                "Action":[
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEqualsIgnoreCase":{
                        "kms:tag/acs:alikafka:instance-encryption":"true"
                    }
                }
            },
            {
                "Action":"ram:DeleteServiceLinkedRole",
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The following policy is attached to the AliyunServiceRoleForAlikafkaETL role:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "fc:InvokeFunction",
                    "fc:GetFunction",
                    "fc:ListServices",
                    "fc:ListFunctions",
                    "fc:ListServiceVersions",
                    "fc:ListAliases",
                    "fc:CreateService",
                    "fc:DeleteService",
                    "fc:CreateFunction",
                    "fc:DeleteFunction"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "etl.alikafka.aliyuncs.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "fc.aliyuncs.com"
                    }
                }
            }
        ]
    }

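To reason about what each of these policies actually permits (for example, that the encryption role can decrypt only keys tagged acs:alikafka:instance-encryption=true, and that the ETL role can pass only aliyunfcdefaultrole and only to Function Compute), the following is an added example, not Alibaba Cloud's code: a small offline evaluator that applies a policy's Action, Resource and Condition elements to a request. The two embedded policies are copied from the InstanceEncryption and ETL role policies above; case-insensitive action matching and the specific resource and tag values used in the checks are assumptions of this model.

```python
"""Tiny offline evaluator for the RAM policies above (added example).
Implements Action/Resource wildcard matching and the two condition operators
that appear on this page; any other operator fails closed (deny by default).
Action names are compared case-insensitively (an assumption of this model)."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """Every operator/key pair must hold; a key missing from ctx fails."""
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            actual, exp = ctx.get(key), _as_list(expected)
            if actual is None or op not in ("StringEquals", "StringEqualsIgnoreCase"):
                return False
            if op == "StringEqualsIgnoreCase":
                actual, exp = actual.lower(), [e.lower() for e in exp]
            if actual not in exp:
                return False
    return True

def is_allowed(policy, action, resource="*", ctx=None):
    """True if an Allow statement matches and no Deny does (Deny wins)."""
    ctx, allowed = ctx or {}, False
    for st in policy["Statement"]:
        acts = [a.lower() for a in _as_list(st["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition"), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Statements copied from the InstanceEncryption and ETL role policies above.
TAG = "kms:tag/acs:alikafka:instance-encryption"
ENCRYPTION_POLICY = {"Version": "1", "Statement": [
    {"Action": ["kms:DescribeKey"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEqualsIgnoreCase": {TAG: "true"}}}]}
ETL_PASSROLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:PassRole",
     "Resource": "acs:ram:*:*:role/aliyunfcdefaultrole",
     "Condition": {"StringEquals": {"acs:Service": "fc.aliyuncs.com"}}}]}
# Decrypt succeeds only with ctx={TAG: "true"}; PassRole only for the FC
# default role and only when ctx={"acs:Service": "fc.aliyuncs.com"}.
```

The same function evaluates the custom policies in the FAQ below: ram:CreateServiceLinkedRole passes only when the request's ram:ServiceName equals the value in the policy's condition.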
Additional considerations

If you delete a service-linked role that is automatically created by the system, you can no longer use the dependent feature due to insufficient permissions. Exercise caution when you delete a service-linked role. For more information about how to create the service-linked role again and grant permissions to the service-linked role, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

FAQ

  • What do I do if the AliyunServiceRoleForAlikafka role that is linked to ApsaraMQ for Kafka is not automatically created for my RAM user?

    If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role from your Alibaba Cloud account. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "alikafka.aliyuncs.com"
                }
            }
            }
        ],
        "Version": "1"
    }
  • What do I do if the AliyunServiceRoleForAlikafkaConnector role that is linked to ApsaraMQ for Kafka is not automatically created for my RAM user?

    If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role from your Alibaba Cloud account. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "connector.alikafka.aliyuncs.com"
                }
            }
            }
        ],
        "Version": "1"
    }
  • What do I do if the AliyunServiceRoleForAlikafkaInstanceEncryption role that is linked to ApsaraMQ for Kafka is not automatically created for my RAM user?

    If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role from your Alibaba Cloud account. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"instanceencryption.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }
  • What do I do if the AliyunServiceRoleForAlikafkaETL role that is linked to ApsaraMQ for Kafka is not automatically created for my RAM user?

    If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role from your Alibaba Cloud account. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user:

    {
        "Statement":[
            {
                "Action":[
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource":"*",
                "Effect":"Allow",
                "Condition":{
                    "StringEquals":{
                        "ram:ServiceName":"etl.alikafka.aliyuncs.com"
                    }
                }
            }
        ],
        "Version":"1"
    }

If the service-linked role is still not automatically created for your RAM user after you attach the policy to the RAM user, attach the AliyunKafkaFullAccess policy to the RAM user. For more information, see Grant permissions to the RAM user.