Tablestore service-linked role


A Tablestore service-linked role is a RAM role that Tablestore assumes to access resources of other Alibaba Cloud services on your behalf, such as Object Storage Service (OSS) and PrivateLink. When you enable the related feature in the console, the system automatically creates the corresponding service-linked role in your account; you do not create it yourself.

Create a service-linked role

When you use the following Tablestore features, the system automatically creates the corresponding service-linked role. Each service-linked role comes with a system policy that you cannot modify.

Feature          Service-linked role
Data delivery    AliyunServiceRoleForOTSDataDelivery
PrivateLink      AliyunServiceRoleForOTSPrivateLink

Service-linked roles

This section describes the permissions and use cases for each service-linked role.

AliyunServiceRoleForOTSDataDelivery

The data delivery feature uses this role to access OSS and deliver data from Tablestore to OSS. The role grants the following OSS operations: PutObject, AbortMultipartUpload, PutObjectTagging, GetObject, and DeleteObjectTagging. Note that the resource scope is "*", so the policy itself does not restrict which buckets the role can write to; the destination bucket is determined by the delivery task you configure. The second statement lets the role be deleted as a service-linked role only for the service name datadelivery.ots.aliyuncs.com.

  • Associated system policy: AliyunServiceRolePolicyForOTSDataDelivery

  • Policy content:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:AbortMultipartUpload",
            "oss:PutObjectTagging",
            "oss:GetObject",
            "oss:DeleteObjectTagging"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "datadelivery.ots.aliyuncs.com"
            }
          }
        }
      ]
    }

AliyunServiceRoleForOTSPrivateLink

The PrivateLink feature uses this role to create, configure, and delete VPC endpoints for Tablestore. Besides the PrivateLink endpoint operations (including attaching security groups and adding zones to an endpoint), the role can list VPCs, vSwitches, and ECS security groups, delete itself as a service-linked role for the service name pvl.ots.aliyuncs.com, and create the service-linked role of the PrivateLink service itself (ram:ServiceName privatelink.aliyuncs.com), which PrivateLink requires before an endpoint can be created.

  • Associated system policy: AliyunServiceRolePolicyForOTSPrivateLink

  • Policy content:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "privatelink:OpenPrivateLinkService",
            "privatelink:CheckProductOpen",
            "privatelink:ListVpcEndpointServices",
            "privatelink:CreateVpcEndpoint",
            "privatelink:ListVpcEndpoints",
            "privatelink:UpdateVpcEndpointAttribute",
            "privatelink:GetVpcEndpointAttribute",
            "privatelink:ListVpcEndpointSecurityGroups",
            "privatelink:AttachSecurityGroupToVpcEndpoint",
            "privatelink:DetachSecurityGroupFromVpcEndpoint",
            "privatelink:AddZoneToVpcEndpoint",
            "privatelink:RemoveZoneFromVpcEndpoint",
            "privatelink:ListVpcEndpointZones",
            "privatelink:DeleteVpcEndpoint",
            "privatelink:ListVpcEndpointServicesByEndUser",
            "vpc:DescribeVpcs",
            "ecs:DescribeSecurityGroups",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "pvl.ots.aliyuncs.com"
            }
          }
        },
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "privatelink.aliyuncs.com"
            }
          }
        }
      ]
    }

Delete a service-linked role

If you no longer use the related features, you can delete the corresponding service-linked role in the RAM console.

Important
  • Before you delete the role, ensure that no Tablestore instance in your Alibaba Cloud account is using the corresponding feature. After you delete the service-linked role, that feature will no longer work until the role is created again.

  • Before you delete AliyunServiceRoleForOTSPrivateLink, you must first unbind the PrivateLink connection in the Tablestore console. Otherwise, the deletion will fail.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. Search for the role that you want to delete, such as AliyunServiceRoleForOTSDataDelivery.

  4. In the Actions column, click Delete Role and follow the on-screen instructions to delete the role.

FAQ

Role creation permissions for RAM users

Only users with the required permissions can trigger the automatic creation or deletion of a Tablestore service-linked role. If a RAM user cannot automatically create a Tablestore service-linked role, attach the following policy to the RAM user. The Condition element limits the grant to the two Tablestore service names, so the user cannot use it to create service-linked roles for other services. The policy grants creation only; to delete one of these roles, the RAM user additionally needs ram:DeleteServiceLinkedRole with the same ram:ServiceName condition.

Replace <Alibaba Cloud account ID> with your Alibaba Cloud account ID.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "datadelivery.ots.aliyuncs.com",
                        "pvl.ots.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
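The following script is an added example, not Tablestore or RAM code, that checks the policies on this page offline: it builds the RAM user policy above with the account ID filled in, evaluates whether a given action, resource, and ram:ServiceName would be allowed under a policy, and flags statements that grant ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole without a ram:ServiceName condition (the service-linked role policies above and the user policy all carry that condition). The evaluator is a simplified model of RAM (Allow statements, "*" wildcards, and StringEquals on ram:ServiceName only; Deny and other condition keys are not modelled), and the 16-digit account ID format is an assumption not stated on this page.

```python
"""Offline checks on the Tablestore service-linked role policies shown above.
Added example; not Tablestore or RAM code. Simplified RAM evaluation model."""
import json
import re
from typing import List, Optional

# Assumption (not stated on this page): an Alibaba Cloud account ID is 16 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")

# Service names from the policies on this page.
TABLESTORE_SLR_SERVICES = ("datadelivery.ots.aliyuncs.com", "pvl.ots.aliyuncs.com")

# Copied from the page: system policy of AliyunServiceRoleForOTSDataDelivery.
DATA_DELIVERY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:PutObject", "oss:AbortMultipartUpload", "oss:PutObjectTagging",
                    "oss:GetObject", "oss:DeleteObjectTagging"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "datadelivery.ots.aliyuncs.com"}}},
    ],
}


def build_slr_create_policy(account_id: str) -> dict:
    """Build the FAQ policy for a RAM user with the account ID substituted."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account ID must be 16 decimal digits")
    return {
        "Version": "1",
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": list(TABLESTORE_SLR_SERVICES)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    """RAM-style match: '*' in an Action or Resource matches any run of characters."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def allows(policy: dict, action: str, resource: str = "*",
           service_name: Optional[str] = None) -> bool:
    """True if some Allow statement matches action and resource and its
    ram:ServiceName condition (if present) is satisfied by service_name."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_glob(p, action) for p in _as_list(st.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(st.get("Resource", "*"))):
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if required is not None and service_name not in _as_list(required):
            continue
        return True
    return False


def audit_slr_statements(policy: dict) -> List[str]:
    """Flag Allow statements that grant Create/DeleteServiceLinkedRole without
    pinning ram:ServiceName: such a grant covers service-linked roles of any service."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        slr_actions = [a for a in _as_list(st.get("Action", []))
                       if _glob(a, "ram:CreateServiceLinkedRole")
                       or _glob(a, "ram:DeleteServiceLinkedRole")]
        if not slr_actions:
            continue
        if st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName") is None:
            findings.append(f"statement {i}: {slr_actions} lacks a ram:ServiceName condition")
    return findings


if __name__ == "__main__":
    # Constructed sample account ID, not a real account.
    print(json.dumps(build_slr_create_policy("1234567890123456"), indent=2))
    print(audit_slr_statements(DATA_DELIVERY_POLICY))
```

Running it shows that the user policy permits ram:CreateServiceLinkedRole for the two Tablestore service names only; a request with ram:ServiceName privatelink.aliyuncs.com is refused, which is why AliyunServiceRoleForOTSPrivateLink carries its own statement for that service name.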