The service-linked role AliyunServiceRoleForActionTrail is a RAM role that ActionTrail assumes to access other Alibaba Cloud services. This topic describes the scenarios that the service-linked role is applicable to, the permissions of the role, and how to create and delete the role.

Scenarios

The AliyunServiceRoleForActionTrail role is applicable to the following scenarios:

  • Access Log Service

    If you specify a Log Service project to store event logs, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to create a Logstore in the specified project and write event logs to the Logstore.

  • Access Object Storage Service (OSS)

    If you specify an OSS bucket to store event logs, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to write event logs to the specified OSS bucket.

  • Access Message Service (MNS)

    If you specify an OSS bucket to store event logs and an MNS topic to receive messages for event delivery, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to send messages to the MNS topic.

  • Access Resource Directory

    Assume that you create a multi-account trail to deliver the event logs of all member accounts in a resource directory to a specified storage object. In this case, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to access the resource directory and retrieve the member accounts in the resource directory.

For more information about service-linked roles, see Service-linked roles.

Permissions

Role: AliyunServiceRoleForActionTrail

Policy: AliyunServiceRolePolicyForActionTrail

After ActionTrail assumes the service-linked role, the attached policy grants ActionTrail the permissions to access resources of other Alibaba Cloud services, such as OSS, Log Service, MNS, and Resource Directory. The policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListObjects",
                "oss:PutObject",
                "oss:GetBucketLocation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:GetProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:CreateLogstore",
                "log:GetLogstore",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:GetIndex"
            ],
            "Resource": [
                "acs:log:*:*:project/*/logstore/actiontrail_*",
                "acs:log:*:*:project/*/logstore/innertrail_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateDashboard",
                "log:UpdateDashboard"
            ],
            "Resource": "acs:log:*:*:project/*/dashboard/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch"
            ],
            "Resource": [
                "acs:log:*:*:project/*/savedsearch/actiontrail_*",
                "acs:log:*:*:project/*/savedsearch/innertrail_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "resourcemanager:GetResourceDirectory",
                "resourcemanager:ListAccounts",
                "resourcemanager:GetResourceDirectoryAccount"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "actiontrail.aliyuncs.com"
                }
            }
        }
    ]
}
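The following Python evaluator is an added example, not part of the Alibaba Cloud documentation or of any ActionTrail code. It loads an excerpt of the policy above and answers "would this statement allow this request?", which makes the scoping visible: the Logstore statement only matches Logstores named with the actiontrail_ or innertrail_ prefix, the OSS statement applies to every bucket because its Resource is "*", and the ram:DeleteServiceLinkedRole grant only applies when the ram:ServiceName condition key equals actiontrail.aliyuncs.com. The request strings and the context dictionary are constructed sample values; only the policy statements come from the page.

```python
import fnmatch
import json

# Excerpt of AliyunServiceRolePolicyForActionTrail copied from the page: the OSS
# statement, the Logstore statement and the conditional RAM statement. The other
# statements have the same shapes and are left out only to keep this short.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["oss:ListObjects", "oss:PutObject", "oss:GetBucketLocation"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore"],
     "Resource": ["acs:log:*:*:project/*/logstore/actiontrail_*",
                  "acs:log:*:*:project/*/logstore/innertrail_*"],
     "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "actiontrail.aliyuncs.com"}}}
  ]
}""")


def _as_list(value):
    # RAM allows Action and Resource to be either a string or a list of strings.
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    # This policy only uses StringEquals; every key in the block must match the
    # request context exactly, and a missing key fails the condition.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(action, resource, context=None, policy=POLICY):
    """Return True if an Allow statement matches action, resource and context.

    An explicit Deny would take precedence in RAM, but this policy has no Deny
    statements, so one matching Allow is sufficient. '*' in action and resource
    strings is treated as a shell-style wildcard, which is how RAM uses it.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        return True
    return False
```

Running is_allowed with a Logstore that is not prefixed with actiontrail_ or innertrail_ returns False, which is the check to run when a trail fails to deliver to a custom-named Logstore.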

Create the AliyunServiceRoleForActionTrail role

When you perform one of the following operations for the first time, ActionTrail automatically creates the AliyunServiceRoleForActionTrail role if the role does not already exist:

  • Create a trail by calling the CreateTrail operation.
  • Create a trail in the ActionTrail console.

Delete the AliyunServiceRoleForActionTrail role

Before you delete the AliyunServiceRoleForActionTrail role, you must delete all trails in the ActionTrail console. For more information, see Delete a single-account trail and Delete a multi-account trail.

You can delete the AliyunServiceRoleForActionTrail role in the RAM console. For more information, see Delete a RAM role.