All Products
Search
Document Center

CloudOps Orchestration Service:Manage service-linked roles for OOS

最終更新日:Dec 04, 2024

This topic describes the scenarios of using service-linked roles for CloudOps Orchestration Service (OOS), including AliyunServiceRoleForOOSBandwidthScheduler, AliyunServiceRoleForOOSInstanceScheduler, AliyunServiceRoleForOOSExecutionDelivery, and AliyunServiceRoleForOOSAppliactionManager. This topic also describes how to delete the service-linked roles for OOS.

Background information

The service-linked roles for OOS

are Resource Access Management (RAM) users provided for OOS to obtain access permissions on other Alibaba Cloud services to execute a specific task.

The AliyunServiceRoleForOOSExecutionDelivery role is a RAM user provided for OOS to obtain access permissions on other Alibaba Cloud services to deliver execution records.

The AliyunServiceRoleForOOSAppliactionManager role is a RAM user provided for OOS to obtain access permissions on other Alibaba Cloud services to create or delete resources. For more information, see Service-linked roles.

Scenarios

To access Elastic Compute Service (ECS) resources to complete the following O&M tasks in OOS, you can use the AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler role that is automatically created by OOS to obtain the access permissions on ECS:

To access the resources of Simple Log Service and Object Storage Service (OSS) to deliver OOS execution records, you can use the AliyunServiceRoleForOOSExecutionDelivery role that is automatically created by OOS to obtain the access permissions on Simple Log Service and OSS.

To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSAppliactionManager to obtain the access permissions on CloudMonitor.OOS

AliyunServiceRoleForOOSInstanceScheduler

If the RAM role required for starting or shutting down an instance as scheduled does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSInstanceScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSInstanceSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to start or shut down the instance as scheduled.

Policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:StartInstance",
                "ecs:StopInstance",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForOOSBandwidthScheduler

If the RAM role required for temporarily upgrading the bandwidth of an instance does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSBandwidthScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSBandwidthSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to temporarily upgrade the bandwidth.

Policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:ModifyInstanceNetworkSpec",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRolePolicyForOOSPatchManager

If the RAM role required for scanning or installing patches does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSPatchManager. In addition, OOS attaches the AliyunServiceRolePolicyForOOSPatchManager policy to the service-linked role. OOS can assume this role to scan or install patches.

Policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateSnapshot",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:DescribeDisks",
                "ecs:DescribeInstances",
                "ecs:DescribeInvocationResults",
                "ecs:DescribeInvocations",
                "ecs:DescribeManagedInstances",
                "ecs:DescribeSnapshots",
                "ecs:RebootInstance",
                "ecs:RunCommand"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecd:CreateSnapshot",
                "ecd:DescribeCloudAssistantStatus",
                "ecd:DescribeDesktops",
                "ecd:DescribeInvocations",
                "ecd:DescribeSnapshots",
                "ecd:RebootDesktops",
                "ecd:RunCommand"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oos:ListInstancePatchStates"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "patchmanager.oos.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForOOSExecutionDelivery

To access the resources of Simple Log Service and OSS to deliver OOS execution records, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSExecutionDelivery to obtain the access permissions on Simple Log Service and OSS.

Policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetBucketInfo",
        "log:GetProject",
        "log:GetLogStore",
        "log:CreateLogStore",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "executiondelivery.oos.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForOOSApplicationManager

To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSAppliactionManager to obtain the access permissions on CloudMonitor.OOS

Policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:CreateDynamicTagGroup",
                "cms:DescribeDynamicTagRuleList",
                "cms:DescribeMonitorGroups",
                "cms:DeleteDynamicTagGroup"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "applicationmanager.oos.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

AliyunServiceRoleForOOSSystemEventOperator

If the RAM role required for accepting the default operation for a system event and authorizing the system to perform the default operation does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSSystemEventOperator. In addition, OOS attaches the AliyunServiceRolePolicyForOOSSystemEventOperator policy to the service-linked role. OOS can assume this role to call the corresponding API operations to accept the default operation for the system event and authorize the system to perform the default operation.

Policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AcceptInquiredSystemEvent",
        "ecs:StopInstance",
        "ecs:DescribeInstances",
        "ecs:StartInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
        }
      }
    }
  ]
}

Delete service-linked roles for OOS

Before you can delete the AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler role, you must cancel the OOS executions that depend on the role. The AliyunServiceRoleForOOSExecutionDelivery and AliyunServiceRoleForOOSAppliactionManager roles can be directly deleted.

The following example shows how to delete the AliyunServiceRoleForOOSExecutionDelivery role:

Note

If you deliver OOS execution records and then want to delete the AliyunServiceRoleForOOSExecutionDelivery role for security purposes, you must understand the impact of deleting the role. After the AliyunServiceRoleForOOSExecutionDelivery role is deleted, OOS execution records within the current account cannot be delivered to OOS or Simple Log Service.OOS SLS

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.

  2. On the Roles page, enter AliyunServiceRoleForOOSExecutionDelivery in the search box and click the search icon. The AliyunServiceRoleForOOSExecutionDelivery role is displayed.

  3. In the Actions column, click Delete Role.

  4. In the Delete Role message, click Delete Role.

5. For more information about how to delete a service-linked role, see the "Delete a service-linked role" section of the Service-linked roles topic.

FAQ

Why am I unable to enable OOS to automatically create the service-linked role AliyunServiceRoleForOOSExecutionDelivery when I log on as a RAM user?

If you want OOS to automatically create or delete the AliyunServiceRoleForOOSExecutionDelivery role when you log on as a RAM user, you must grant the required permissions to the RAM user. In this case, you can attach the following policy to the RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "executiondelivery.oos.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}