All Products
Search
Document Center

EventBridge:Service-linked roles

最終更新日:Dec 11, 2024

This topic describes the background information, policy documents, usage notes, and FAQ about the service-linked roles for EventBridge.

Background information

EventBridge may need to access another Alibaba Cloud service to implement a feature. In this case, EventBridge must assume a specific service-linked role to obtain the permissions to access the Alibaba Cloud service. For more information, see Service-linked roles.

EventBridge can automatically create the following service-linked roles:

AliyunServiceRoleForEventBridgeSendToFC

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToFC role to obtain the permissions to invoke functions in Function Compute.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToFC policy that is attached to the AliyunServiceRoleForEventBridgeSendToFC role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions"
                "fc:ListServiceVersions",
                "fc:ListAliases",
                "fc:RegisterEventSource",
                "fc:DeregisterEventSource",
                "fc:ListEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToMNS role to obtain the permissions to send and publish messages in Simple Message Queue (formerly MNS) (SMQ).

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToMNS policy that is attached to the AliyunServiceRoleForEventBridgeSendToMNS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:GetQueueAttributes",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility",
                "mns:DeleteMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToSMS role to obtain the permissions to access Short Message Service (SMS) to send text messages.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToSMS policy that is attached to the AliyunServiceRoleForEventBridgeSendToSMS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToDirectMail role to obtain the permissions to access Direct Mail to send emails.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToDirectMail policy that is attached to the AliyunServiceRoleForEventBridgeSendToDirectMail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRocketMQ role to obtain the permissions to access resources in ApsaraMQ for RocketMQ.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceRocketMQ policy that is attached to the AliyunServiceRoleForEventBridgeSourceRocketMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:QueryConsumerStatus",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRocketMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRocketMQ role to obtain the permissions to publish messages in ApsaraMQ for RocketMQ.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToRocketMQ policy that is attached to the AliyunServiceRoleForEventBridgeSendToRocketMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:PUB",
                "mq:QueryInstanceBaseInfo",
                "mq:QueryTopicStatus",
                "mq:QueryConsumerAccumulate",
                "mq:QueryConsumerStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

EventBridge assumes the AliyunServiceRoleForEventBridgeConnectVPC role to obtain the permissions to access resources in Virtual Private Cloud (VPC).

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeConnectVPC policy that is attached to the AliyunServiceRoleForEventBridgeConnectVPC role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceActionTrail role to obtain the permissions to access ActionTrail to query and deliver operation records.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceActionTrail policy that is attached to the AliyunServiceRoleForEventBridgeSourceActionTrail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRabbitMQ role to obtain the permissions to access resources in ApsaraMQ for RabbitMQ.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ policy that is attached to the AliyunServiceRoleForEventBridgeSourceRabbitMQ role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRabbitMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRabbitMQ role to obtain the permissions to publish messages in ApsaraMQ for RabbitMQ.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ policy that is attached to the AliyunServiceRoleForEventBridgeSendToRabbitMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceKafka

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceKafka role to obtain the permissions to access resources in ApsaraMQ for Kafka.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceKafka policy that is attached to the AliyunServiceRoleForEventBridgeSourceKafka role:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToKafka

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToKafka role to obtain the permissions to publish messages in ApsaraMQ for Kafka.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToKafka policy that is attached to the AliyunServiceRoleForEventBridgeSendToKafka role:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToRDS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRDS role to obtain the permissions to deliver data to ApsaraDB RDS.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToRDS policy that is attached to the AliyunServiceRoleForEventBridgeSendToRDS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDatabases",
                "rds:DescribeAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceCMS

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceKafka role to obtain the permissions to access resources in CloudMonitor.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceCMS policy that is attached to the AliyunServiceRoleForEventBridgeSourceCMS role:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:DescribeSystemEventAttribute",
                "cms:DescribeSystemEventCount",
                "cms:DescribeSystemEventHistogram"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSAE

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToSAE role to access Serverless App Engine (SAE) to deliver data to SAE.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSendToSAE policy that is attached to the AliyunServiceRoleForEventBridgeSendToSAE role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "sae:ExecJob"
            ],
            "Resource": "*"
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMqtt

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceCMS role to obtain the permissions to access resources in ApsaraMQ for MQTT.

The following sample code shows the document of the AliyunServiceRolePolicyForEventBridgeSourceMqtt policy that is attached to the AliyunServiceRoleForEventBridgeSourceMqtt role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mq:SUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

Usage notes

If you delete a service-linked role, EventBridge cannot publish events to the corresponding Alibaba Cloud service. Proceed with caution. To use the corresponding feature, you must re-create the required role. For more information, see Create a service-linked role.

For information about how to delete a service-linked role, see Delete a service-linked role.

FAQ

Why is a service-linked role for EventBridge not automatically created for my Resource Access Management (RAM) user?

If a service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user cannot inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user.

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "source-mns.eventbridge.aliyuncs.com",
                        "source-cms.eventbridge.aliyuncs.com",
                        "source-mqtt.eventbridge.aliyuncs.com",
                        "source-sls.eventbridge.aliyuncs.com",
                        "sendevent-sae.eventbridge.aliyuncs.com",
                        "sendevent-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com",                      
                        "sendevent-rabbitmq.eventbridge.aliyuncs.com",
                        "source-kafka.eventbridge.aliyuncs.com",
                        "sendevent-kafka.eventbridge.aliyuncs.com",
                        "sendevent-rds.eventbridge.aliyuncs.com",
                        "sendevent-arms.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
Note

Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.

If a service-linked role is still not automatically created for your RAM user after you attach the custom policy to the RAM user, attach the AliyunEventBridgeFullAccess policy to the RAM user. For information about sample policies attached to RAM users, see Policies and examples.