All Products
Search

This Product

    TSDB Service Linked Role

    Document Center

    TSDB Service Linked Role

    Last Updated: Apr 12, 2021

    Background information

    To implement some features of TSDB for InfluxDB®, TSDB for InfluxDB® may need to be authorized to access other cloud services. The AliyunServiceRoleForTSDB service linked role is provided for TSDB for InfluxDB® to complete the authorization. For more information about service-associated roles, see Service-associated roles.

    Scenarios

    TSDB for InfluxDB® needs to access the resources of Elastic Compute Service (ECS), ApsaraDB for MongoDB, and ApsaraDB for Redis.

    AliyunServiceRoleForTSDB overview

    The name of the service linked role is AliyunServiceRoleForTSDB

    The service linked role is attached with the AliyunServiceRolePolicyForTSDB permission policy.

    The permissions specified by the permission policy allow TSDB for InfluxDB® to access the data that is stored in your ECS, ApsaraDB for MongoDB, and ApsaraDB for Redis instances. If you have the permissions that are specified by the permission policy, you can perform the following operations:

    • Manage elastic network interfaces (ENIs) and security groups. You can enable two-way access between instances that are connected to the same virtual private cloud (VPC).

    • Monitor ApsaraDB for MongoDB and ApsaraDB for Redis instances by collecting instance data. 

    { "Version":"1", "Statement":[ { "Action":[ "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:DeleteNetworkINterface", "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface", "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions", "ecs:DeleteNetworkInterfacePermission", "ecs:CreateSecurityGroup", "ecs:DescirbeSecurityGroups", "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "dds:DescribeDBInstances", "dds:DescribeDBInstanceAttribute" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeInstanceAttribute" ], "Resource":"*", "Effect":"Allow" }, { "Action":"ram:DeleteServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"hitsdb.aliyuncs.com" } } } ] }

    Delete the service linked role

    Before you delete the AliyunServiceRoleForTSDB service linked role, make sure that the role is not assigned to the instances managed by your Alibaba Cloud account. For more information, see Service-associated roles.

    Grant a RAM user the required permissions to create a service linked role

    { "Action":"ram:CreateServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"hitsdb.aliyuncs.com" } } }
    Free Trial Free Trial