This topic describes the scenarios in which the Operation Orchestration Service (OOS) linked roles AliyunServiceRoleForOOSBandwidthScheduler and AliyunServiceRoleForOOSInstanceScheduler are used. This topic also describes how to delete the OOS linked roles.

Background information

OOS linked roles are Resource Access Management (RAM) roles that are used to obtain access permissions on other Alibaba Cloud services to complete a specified execution in OOS. Two OOS linked roles are provided: AliyunServiceRoleForOOSBandwidthScheduler and AliyunServiceRoleForOOSInstanceScheduler. For more information, see Service linked roles.

Scenarios

To complete the following common O&M tasks in OOS, you must call related API operations of Elastic Compute Service (ECS). You can obtain the permissions to call related API operations by using the OOS linked roles.

AliyunServiceRoleForOOSInstanceScheduler

If the RAM role required for starting or shutting down an instance does not exist, OOS automatically creates the service linked role AliyunServiceRoleForOOSInstanceScheduler. In addition, OOS attaches the policy AliyunServiceRoleForOOSInstanceSchedulerPolicy to the RAM role. OOS can assume this role to call the corresponding API operations to start or shut down the instance.

Policy document:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:StartInstance",
                "ecs:StopInstance",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForOOSBandwidthScheduler

If the RAM role required for performing a temporary bandwidth upgrade does not exist, OOS automatically creates the service linked role AliyunServiceRoleForOOSBandwidthScheduler. In addition, OOS attaches the policy AliyunServiceRoleForOOSBandwidthSchedulerPolicy to the RAM role. OOS can assume this role to call the corresponding API operation to temporarily upgrade the bandwidth.

Policy document:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:ModifyInstanceNetworkSpec",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
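
The two policy documents above can serve as a baseline when you review the roles in an account. The following Python code is an added example, not part of OOS or of the original documentation; it reports actions beyond the baseline, missing actions, wildcard actions, and actions granted on Resource "*". It assumes that the attached policy document has already been exported as JSON; the names BASELINE, DRIFTED_SAMPLE and audit_policy are hypothetical, and the drifted sample is constructed.

```python
import json

# Expected actions, copied from the two policy documents on this page.
BASELINE = {
    "AliyunServiceRoleForOOSInstanceSchedulerPolicy": {
        "ecs:StartInstance", "ecs:StopInstance", "ecs:DescribeInstances"},
    "AliyunServiceRoleForOOSBandwidthSchedulerPolicy": {
        "ecs:ModifyInstanceNetworkSpec", "ecs:DescribeInstances"},
}

# Constructed sample: the instance scheduler policy with one widened action.
DRIFTED_SAMPLE = """{
  "Version": "1",
  "Statement": [{
    "Action": ["ecs:StartInstance", "ecs:StopInstance",
               "ecs:DescribeInstances", "ecs:*"],
    "Resource": "*",
    "Effect": "Allow"
  }]
}"""

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy_name, document):
    """Compare the Allow statements of a policy document with its baseline."""
    doc = json.loads(document) if isinstance(document, str) else document
    expected = BASELINE[policy_name]
    allowed, unscoped = set(), set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        allowed |= actions
        if "*" in _as_list(stmt.get("Resource", [])):
            unscoped |= actions  # granted on every resource in the account
    return {
        "extra": sorted(allowed - expected),
        "missing": sorted(expected - allowed),
        "wildcards": sorted(a for a in allowed if "*" in a),
        "unscoped": sorted(unscoped),
    }

if __name__ == "__main__":
    name = "AliyunServiceRoleForOOSInstanceSchedulerPolicy"
    print(json.dumps(audit_policy(name, DRIFTED_SAMPLE), indent=2))
```
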

Delete OOS linked roles

To delete an OOS linked role, you must first cancel the OOS executions that depend on the role. For more information about how to delete a service linked role, see Delete a service linked role.