After you purchase a DataBase Audit instance, you must grant permissions before you use the service for the first time. This allows DataBase Audit to access other Alibaba Cloud services to create and store raw logs in Simple Log Service (SLS). This topic describes how to grant DataBase Audit access to cloud resources and how to delete the service-linked role.
Prerequisites
You have purchased a DataBase Audit instance. For more information, see Purchase a DataBase Audit instance (New purchases are discontinued).
Scenarios
If DataBase Audit needs to access resources of other Alibaba Cloud services, such as Simple Log Service (SLS), a virtual private cloud (VPC), or security groups, Alibaba Cloud automatically creates the service-linked role for DataBase Audit, AliyunServiceRoleForDbaudit. This role grants DataBase Audit access to the associated Alibaba Cloud services.
Grant access to cloud resources
Log on to the DataBase Audit console.
In the Welcome to DataBase Audit dialog box, click Confirm Create.
After you grant authorization, Alibaba Cloud automatically creates the service-linked role for DataBase Audit, AliyunServiceRoleForDbaudit. This role allows your DataBase Audit instance to access resources of other Alibaba Cloud services, such as SLS and VPC, on your behalf.
View the service-linked role
After the AliyunServiceRoleForDbaudit service-linked role is created, you can view its details in the Resource Access Management (RAM) console. The details include the basic information, trust policy, and access policy of the role.
Log on to the Resource Access Management (RAM) console.
In the navigation pane on the left, choose .
On the Roles page, enter AliyunServiceRoleForDbaudit in the search box and then click the role name AliyunServiceRoleForDbaudit.
View the basic information of the role.
On the role details page, find the Basic Information section to view information such as the RAM role name, creation time, and ARN.
View the trust policy of the role.
On the role details page, click the Trust Policy tab. The `Service` field indicates which Alibaba Cloud service can assume this role:
"Service": ["dbaudit.aliyuncs.com"]
View the access policy of the role.
On the role details page, click the Permissions tab.
Click the access policy name AliyunServiceRolePolicyForDbaudit.
On the Policy Document tab, view the details of the access policy.
Note: You cannot directly view the access policy of a service-linked role in the policy list of the RAM console.
Delete AliyunServiceRoleForDbaudit
If you use DataBase Audit and need to delete the service-linked role AliyunServiceRoleForDbaudit, you must first release all your DataBase Audit instances. You can delete the role only after all instances are released. The following steps describe how to delete AliyunServiceRoleForDbaudit.
Log on to the RAM console.
In the navigation pane on the left, choose .
On the Roles page, enter AliyunServiceRoleForDbaudit in the search box.
The service-linked role named AliyunServiceRoleForDbaudit is displayed.
In the Actions column for the role, click Delete Role.
In the Delete RAM Role dialog box, enter the role name to confirm the deletion, and then click OK.
FAQ
Why can't a RAM user automatically create the AliyunServiceRoleForDbaudit service-linked role for DataBase Audit?
A Resource Access Management (RAM) user must have specific permissions to automatically create or delete the AliyunServiceRoleForDbaudit service-linked role. If a RAM user cannot create the role, attach the following access policy to the RAM user, replacing Alibaba Cloud account ID in the Resource element with the ID of your Alibaba Cloud account. The ram:ServiceName condition limits the grant to the service-linked role of DataBase Audit, so the RAM user cannot create service-linked roles for other services. For more information, see Manage RAM user permissions.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "dbaudit.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}

References
For more information about service-linked roles, see Service-linked roles.
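The two policy documents this page shows, the trust policy of AliyunServiceRoleForDbaudit (its Service field, in the section on viewing the role) and the ram:CreateServiceLinkedRole grant for a RAM user (in the FAQ), are worth checking mechanically rather than by eye before an authorization is approved. The following Python script is an added example and not Alibaba Cloud code. The trust policy body beyond the Service field, the sample account ID 123456789012345, and the tampered and unscoped policy variants are constructed for illustration; the checks themselves only rely on the standard RAM policy format.

```python
"""Lint the RAM policy documents involved in the AliyunServiceRoleForDbaudit setup.

Added example, not Alibaba Cloud code. Two checks:
  1. The role's trust policy lets only the dbaudit.aliyuncs.com service
     principal call sts:AssumeRole. A RAM user or account principal on a
     service-linked role would let that identity act with the role's SLS/VPC
     permissions.
  2. A RAM user's ram:CreateServiceLinkedRole grant is fenced by a
     ram:ServiceName condition naming exactly that service, and the
     "Alibaba Cloud account ID" placeholder from the documentation has been
     replaced with a real account ID.
All policy documents below are constructed samples.
"""
import json

SERVICE = "dbaudit.aliyuncs.com"
PLACEHOLDER = "Alibaba Cloud account ID"
ACCOUNT_ID = "123456789012345"  # constructed sample account ID, not a real one

# Trust policy of the role: the Service field is what the page quotes; the rest
# is the standard RAM trust-policy shape (an assumption).
TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": [SERVICE]}}],
    "Version": "1",
})

# Same document with a RAM account principal added: a misconfigured role.
TAMPERED_TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": [SERVICE],
                                 "RAM": [f"acs:ram::{ACCOUNT_ID}:root"]}}],
    "Version": "1",
})


def _grant(account, condition):
    """Build the FAQ policy with the given account string and condition block."""
    stmt = {"Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account}:role/*", "Effect": "Allow"}
    if condition is not None:
        stmt["Condition"] = condition
    return json.dumps({"Statement": [stmt], "Version": "1"})


SERVICE_COND = {"StringEquals": {"ram:ServiceName": [SERVICE]}}
DOC_GRANT = _grant(PLACEHOLDER, SERVICE_COND)    # pasted verbatim from the docs
SCOPED_GRANT = _grant(ACCOUNT_ID, SERVICE_COND)  # placeholder replaced
UNSCOPED_GRANT = _grant(ACCOUNT_ID, None)        # condition dropped: too broad


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, service=SERVICE):
    """Return findings for a service-linked role's trust policy (empty = OK).

    Every Allow statement that grants sts:AssumeRole must name exactly the
    expected service principal and nothing else."""
    findings = []
    grants = 0
    for i, st in enumerate(json.loads(doc).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        grants += 1
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal is not a map: {principal!r}")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind != "Service" or member != service:
                    findings.append(f"statement {i}: unexpected principal {kind}={member}")
    if grants == 0:
        findings.append("no statement grants sts:AssumeRole")
    return findings


def check_slr_grant(doc, service=SERVICE):
    """Return findings for a RAM user's CreateServiceLinkedRole grant (empty = OK)."""
    findings = []
    for i, st in enumerate(json.loads(doc).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a in ("ram:CreateServiceLinkedRole", "ram:*", "*") for a in actions):
            continue
        names = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if names != [service]:
            findings.append(f"statement {i}: ram:ServiceName condition is {names}, want [{service!r}]")
        for resource in _as_list(st.get("Resource")):
            if PLACEHOLDER in resource:
                findings.append(f"statement {i}: resource still contains placeholder {PLACEHOLDER!r}")
    return findings


if __name__ == "__main__":
    for name, doc, check in [("trust policy", TRUST_POLICY, check_trust_policy),
                             ("tampered trust policy", TAMPERED_TRUST_POLICY, check_trust_policy),
                             ("docs grant", DOC_GRANT, check_slr_grant),
                             ("scoped grant", SCOPED_GRANT, check_slr_grant),
                             ("unscoped grant", UNSCOPED_GRANT, check_slr_grant)]:
        print(name, "->", check(doc) or "OK")
```

Paste the JSON from the Trust Policy tab and from the RAM user's attached policy into the two check functions; a non-empty findings list means the role can be assumed by something other than DataBase Audit, or the RAM user has been given more than the ability to create this one service-linked role.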