Service-linked roles for Cloud Backup -

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. To access an Alibaba Cloud service such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), and Apsara File Storage NAS (NAS), Cloud Backup must assume the corresponding service-linked role. Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System policies.

Scenarios

Cloud Backup automatically creates a service-linked role for you in the following scenarios:

Important

Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source.

AliyunServiceRoleForHbrEcsBackup
When you use the ECS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsBackup to obtain the permissions to access ECS and VPC resources.
AliyunServiceRoleForHbrOssBackup
When you use the OSS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOssBackup to obtain the permissions to access OSS resources.
AliyunServiceRoleForHbrNasBackup
When you use the NAS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrNasBackup to obtain the permissions to access NAS resources.
AliyunServiceRoleForHbrCsgBackup
When you use the Cloud Storage Gateway (CSG) backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCsgBackup to obtain the permissions to access CSG resources.
AliyunServiceRoleForHbrVaultEncryption
When you use a Key Management Service (KMS) key to encrypt a backup vault, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrVaultEncryption to obtain the permissions to access KMS resources.
AliyunServiceRoleForHbrOtsBackup
When you use the Tablestore backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOtsBackup to obtain the permissions to access Tablestore resources.
AliyunServiceRoleForHbrCrossAccountBackup
When you use the cross-account backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCrossAccountBackup to obtain the permissions to access your resources in other cloud services.
AliyunServiceRoleForHbrEcsEncryption
If you enable the cross-region replication feature when you back up ECS instances, you must specify a KMS key. In this case, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsEncryption to obtain the permissions to access your resources in KMS.

Permissions

This section describes the permissions that are granted to each service-linked role of Cloud Backup.

AliyunServiceRoleForHbrEcsBackup: the permissions to access ECS

 {
      "Action": [
        "ecs:RunCommand",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:StopInvocation",
        "ecs:DescribeInvocationResults",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInvocations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetRole",
        "ram:GetPolicy",
        "ram:ListPoliciesForRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "ecs.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeImages",
        "ecs:CreateImage",
        "ecs:DeleteImage",
        "ecs:DescribeSnapshots",
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeAvailableResource",
        "ecs:ModifyInstanceAttribute",
        "ecs:CreateInstance",
        "ecs:DeleteInstance",
        "ecs:AllocatePublicIpAddress",
        "ecs:CreateDisk",
        "ecs:DescribeDisks",
        "ecs:AttachDisk",
        "ecs:DetachDisk",
        "ecs:DeleteDisk",
        "ecs:ResetDisk",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:ModifyResourceMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

AliyunServiceRoleForHbrEcsBackup: the permissions to access VPC

{
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

AliyunServiceRoleForHbrOssBackup: the permissions to access OSS

{
      "Action": [
        "oss:ListObjects",
        "oss:HeadBucket",
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:GetObject",
        "oss:AppendObject",
        "oss:GetObjectMeta",
        "oss:PutObjectACL",
        "oss:GetObjectACL",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

AliyunServiceRoleForHbrNasBackup: the permissions to access NAS

{
      "Action": [
        "nas:DescribeFileSystems",
        "nas:CreateMountTargetSpecial",
        "nas:DeleteMountTargetSpecial",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:DescribeMountTargets",
        "nas:DescribeAccessGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

AliyunServiceRoleForHbrCsgBackup: the permissions to access CSG

{
      "Action": [
        "hcs-sgw:DescribeGateways"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

AliyunServiceRoleForHbrVaultEncryption: the permissions to enable KMS-based encryption for a backup vault

{
 "Statement": [
 {
  "Action": "ram:DeleteServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
   "StringEquals": {
    "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
   }
  }
 },
 {
  "Action": [
  "kms:Decrypt"
  ],
  "Resource": "*",
  "Effect": "Allow"
 }
 ],
 "Version": "1"

}

AliyunServiceRoleForHbrOtsBackup: the permissions to access Tablestore

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ots:ListTable",
        "ots:CreateTable",
        "ots:UpdateTable",
        "ots:DescribeTable",
        "ots:BatchWriteRow",
        "ots:CreateTunnel",
        "ots:DeleteTunnel",
        "ots:ListTunnel",
        "ots:DescribeTunnel",
        "ots:ConsumeTunnel",
        "ots:GetRange",
        "ots:ListStream",
        "ots:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}

AliyunServiceRoleForHbrCrossAccountBackup: the permissions to perform cross-account backup

{
  "Version": "1",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForHbrEcsEncryption: the permissions to enable KMS-based encryption for cross-region replication

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
        }
      }
    }
  ]
}

Delete a service-linked role

You may need to delete service-linked roles to ensure security. For example, if you no longer need to use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.

Important

Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, make sure that no backup vault exists within the current account. Otherwise, the role fails to be deleted.
Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the role fails to be deleted.

To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.
Click Delete Role in the Actions column.
In the Delete Role message, enter role name then click Delete Role.

If you want to delete other service-linked roles, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, AliyunServiceRoleForHbrVaultEncryption, and AliyunServiceRoleForHbrEcsEncryption, enter the corresponding role name in the search box.