TSDB Service Linked Role - TSDB for InfluxDB®| Alibaba Cloud Documentation Center

Background information

To implement some features of TSDB for InfluxDB®, TSDB for InfluxDB® may need to be authorized to access other cloud services. The AliyunServiceRoleForTSDB service linked role is provided for TSDB for InfluxDB® to complete the authorization. For more information about service linked roles, see Service linked roles.

Scenarios

TSDB for InfluxDB® needs to access the resources of Elastic Compute Service (ECS), ApsaraDB for MongoDB, and ApsaraDB for Redis.

AliyunServiceRoleForTSDB overview

The name of the service linked role is AliyunServiceRoleForTSDB

The service linked role is attached with the AliyunServiceRolePolicyForTSDB permission policy.

The permissions specified by the permission policy allow TSDB for InfluxDB® to access the data that is stored in your ECS, ApsaraDB for MongoDB, and ApsaraDB for Redis instances.

If you have the permissions that are specified by the permission policy, you can perform the following operations:

Manage elastic network interfaces (ENIs) and security groups. You can enable two-way access between instances that are connected to the same virtual private cloud (VPC).
Monitor ApsaraDB for MongoDB and ApsaraDB for Redis instances by collecting instance data.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DeleteNetworkINterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:CreateSecurityGroup",
                "ecs:DescirbeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstances",
                "dds:DescribeDBInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "hitsdb.aliyuncs.com"
                }
            }
        }
    ]
}

Delete the service linked role

Before you delete the AliyunServiceRoleForTSDB service linked role, make sure that the role is not assigned to the instances managed by your Alibaba Cloud account. For more information, see Delete a service linked role.

Grant a RAM user the required permissions to create a service linked role

{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "hitsdb.aliyuncs.com"
        }
     }
}