Background information
Some features of TSDB for InfluxDB® may require the service to be authorized to access other cloud services. The AliyunServiceRoleForTSDB service linked role provides this authorization. For more information about service linked roles, see Service linked roles.
Scenarios
TSDB for InfluxDB® needs to access the resources of Elastic Compute Service (ECS), ApsaraDB for MongoDB, and ApsaraDB for Redis.
AliyunServiceRoleForTSDB overview
The name of the service linked role is AliyunServiceRoleForTSDB.
The AliyunServiceRolePolicyForTSDB permission policy is attached to the service linked role.
The permissions specified by the permission policy allow TSDB for InfluxDB® to access the data that is stored in your ECS, ApsaraDB for MongoDB, and ApsaraDB for Redis instances.
If you have the permissions that are specified by the permission policy, you can perform the following operations:
- Manage elastic network interfaces (ENIs) and security groups. You can enable two-way access between instances that are connected to the same virtual private cloud (VPC).
- Monitor ApsaraDB for MongoDB and ApsaraDB for Redis instances by collecting instance data.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DeleteNetworkINterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:CreateSecurityGroup",
                "ecs:DescirbeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstances",
                "dds:DescribeDBInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "hitsdb.aliyuncs.com"
                }
            }
        }
    ]
}
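One way to review the reach of a policy like the one above, as an added example that is not Alibaba Cloud's own code: the script splits each Allow statement into read-only and state-changing actions and flags statements that permit state changes on every resource with no Condition. The embedded policy is a constructed subset of the statements shown above, and the list of read-only verbs is an assumption.

```python
import json

# Constructed sample: a subset of the policy statements shown on this page.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
              "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["dds:DescribeDBInstances", "dds:DescribeDBInstanceAttribute"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "hitsdb.aliyuncs.com"}}}
]}
""")

# Assumption: verbs treated as read-only for this review. Anything else,
# including wildcards and unrecognized names, is counted as state-changing.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Query")


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def review(policy):
    """Return one finding per Allow statement: services, mutating actions, scoping."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        mutating = sorted(a for a in actions
                          if not a.partition(":")[2].startswith(READ_ONLY_VERBS))
        wildcard = "*" in as_list(stmt.get("Resource", []))
        findings.append({
            "statement": index,
            "services": sorted({a.partition(":")[0] for a in actions}),
            "mutating": mutating,
            # Widest shape: state changes on every resource with no Condition.
            "unscoped_write": bool(mutating) and wildcard and "Condition" not in stmt,
        })
    return findings


if __name__ == "__main__":
    for finding in review(POLICY):
        print(finding)
```

Run against the full policy, the ECS statement is the only one reported as an unscoped write; the ram:DeleteServiceLinkedRole statement is state-changing but restricted by its ram:ServiceName condition.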
Delete the service linked role
Before you delete the AliyunServiceRoleForTSDB service linked role, make sure that the role is not assigned to the instances managed by your Alibaba Cloud account. For more information, see Delete a service linked role.
Grant a RAM user the required permissions to create a service linked role
{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "hitsdb.aliyuncs.com"
        }
    }
}