The service-linked role AliyunServiceRoleForActionTrail is a Resource Access Management (RAM) role that only ActionTrail can assume to access other Alibaba Cloud services on your behalf. This topic describes the scenarios in which the service-linked role is used, the details of the role and its policy, and how the role is created and how to delete it.

Scenarios

The AliyunServiceRoleForActionTrail role is applicable to the following scenarios:

  • Access Log Service

    If you specify a Log Service project to store event logs, ActionTrail uses the AliyunServiceRoleForActionTrail role to obtain the permissions to create a Logstore in the specified project and write logs to the Logstore.

  • Access Object Storage Service (OSS)

    If you specify an OSS bucket to store event logs, ActionTrail uses the AliyunServiceRoleForActionTrail role to obtain the permission to write logs to the specified OSS bucket.

  • Access Message Service (MNS)

    If you specify an OSS bucket to store event logs and also specify an MNS topic to receive notifications of event delivery, ActionTrail uses the AliyunServiceRoleForActionTrail role to obtain the permission to publish messages to the MNS topic.

  • Access Resource Management

    If you create a multi-account trail to deliver the events of all member accounts in a resource directory to a specified storage object, ActionTrail uses the AliyunServiceRoleForActionTrail role to obtain the permissions to access the resource directory and retrieve the member accounts in the directory.

For more information about service-linked roles, see Service-linked roles.

Role description

Role name: AliyunServiceRoleForActionTrail

Policy name: AliyunServiceRolePolicyForActionTrail

This permission policy grants ActionTrail the permissions to read the resource configurations of the current account. The policy document is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListObjects",
                "oss:PutObject",
                "oss:GetBucketLocation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:CreateLogstore"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "resourcemanager:GetResourceDirectory",
                "resourcemanager:ListAccounts",
                "resourcemanager:GetResourceDirectoryAccount"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
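The four scenarios above each map onto one statement of the policy, and every statement is scoped to Resource "*", so the only thing that confines these permissions is the trust policy that lets ActionTrail alone assume the role. The script below is an added example, not code from this page or from Alibaba Cloud: it loads the documented policy, groups the granted actions by service, checks that each scenario's actions are present and that no granted action is unexplained by a scenario, and compares a live copy of the policy document (for example, one you saved from the RAM console) against the documented one to report drift. The SCENARIO_ACTIONS grouping is an assumption read off the scenario descriptions, and the drifted sample policy is constructed for illustration.

```python
import copy
import json
from collections import defaultdict

# Policy document of AliyunServiceRolePolicyForActionTrail, as shown on this page.
DOCUMENTED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:ListObjects", "oss:PutObject", "oss:GetBucketLocation"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["mns:PublishMessage"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListAccounts",
                    "resourcemanager:GetResourceDirectoryAccount"],
         "Resource": "*", "Effect": "Allow"},
    ],
}

# Which actions each of the page's scenarios relies on. This grouping is an
# assumption made for this example, read off the scenario descriptions above.
SCENARIO_ACTIONS = {
    "Log Service": {"log:CreateLogstore", "log:PostLogStoreLogs"},
    "OSS": {"oss:ListObjects", "oss:PutObject", "oss:GetBucketLocation"},
    "MNS": {"mns:PublishMessage"},
    "Resource Management": {
        "resourcemanager:GetResourceDirectory",
        "resourcemanager:ListAccounts",
        "resourcemanager:GetResourceDirectoryAccount",
    },
}


def allowed_actions(policy):
    """Collect every action granted by an Allow statement (Action may be a string or a list)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def actions_by_service(policy):
    """Group granted actions by service prefix, e.g. {'oss': ['GetBucketLocation', ...]}."""
    grouped = defaultdict(set)
    for action in allowed_actions(policy):
        service, _, name = action.partition(":")
        grouped[service].add(name)
    return {svc: sorted(names) for svc, names in sorted(grouped.items())}


def scenario_coverage(policy, scenario_actions=SCENARIO_ACTIONS):
    """Return (missing, unexplained): per-scenario actions the policy lacks, and
    granted actions that none of the documented scenarios accounts for."""
    granted = allowed_actions(policy)
    missing = {name: sorted(needed - granted) for name, needed in scenario_actions.items()}
    explained = set().union(*scenario_actions.values())
    return missing, sorted(granted - explained)


def wildcard_resource_count(policy):
    """Count Allow statements scoped to Resource '*' (every statement of the documented policy is)."""
    return sum(1 for stmt in policy.get("Statement", [])
               if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*")


def audit(live_policy_json, documented=DOCUMENTED_POLICY):
    """Compare a live policy document (JSON text) against the documented one and report drift."""
    live = json.loads(live_policy_json)
    live_actions, doc_actions = allowed_actions(live), allowed_actions(documented)
    missing, unexplained = scenario_coverage(live)
    return {
        "added_actions": sorted(live_actions - doc_actions),
        "removed_actions": sorted(doc_actions - live_actions),
        "broken_scenarios": sorted(name for name, lacking in missing.items() if lacking),
        "unexplained_actions": unexplained,
        "wildcard_statements": wildcard_resource_count(live),
    }


def constructed_drift_sample():
    """Constructed sample: the documented policy plus one OSS action the page does not
    list, to show what a drift report looks like. Not a real policy version."""
    drifted = copy.deepcopy(DOCUMENTED_POLICY)
    drifted["Statement"][0]["Action"].append("oss:DeleteObject")
    return json.dumps(drifted)


if __name__ == "__main__":
    print(json.dumps(actions_by_service(DOCUMENTED_POLICY), indent=2))
    print(json.dumps(audit(json.dumps(DOCUMENTED_POLICY)), indent=2))   # no drift
    print(json.dumps(audit(constructed_drift_sample()), indent=2))      # flags oss:DeleteObject
```

Running the audit against the documented policy reports no added, removed or unexplained actions and four wildcard-resource statements; against the constructed sample it flags oss:DeleteObject as both added and unexplained by any scenario. To use it on a real account, save the current policy document of AliyunServiceRolePolicyForActionTrail from the RAM console to a file and pass its contents to audit().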

Create the AliyunServiceRoleForActionTrail role

When you perform one of the following operations for the first time, ActionTrail automatically creates the AliyunServiceRoleForActionTrail role if it does not already exist:

  • Create a trail by calling the CreateTrail operation.
  • Create a trail in the ActionTrail console. In this case, a message appears in the console, notifying you that the role will be automatically created.

Delete the AliyunServiceRoleForActionTrail role

Before you delete the AliyunServiceRoleForActionTrail role, you must delete all existing trails in the ActionTrail console. For more information about how to delete a trail, see Delete a single-account trail and Delete a multi-account trail.

You can delete the AliyunServiceRoleForActionTrail role in the RAM console. For more information, see Delete a RAM role.