
Time Series Database: Service-linked role of TSDB

Last Updated: Jan 17, 2022

This topic describes the AliyunServiceRoleForTSDB service-linked role of Time Series Database (TSDB).

Background information

To implement some of its features, TSDB for InfluxDB® may need to be authorized to access other cloud services. The AliyunServiceRoleForTSDB service-linked role is provided for TSDB for InfluxDB® to complete the authorization. For more information about service-linked roles, see Service-linked roles.

Scenarios

TSDB for InfluxDB® needs to access the resources of Elastic Compute Service (ECS), ApsaraDB for MongoDB, and ApsaraDB for Redis.

Introduction to AliyunServiceRoleForTSDB

The name of the service-linked role is AliyunServiceRoleForTSDB.

The AliyunServiceRolePolicyForTSDB policy is attached to the service-linked role.

The permissions specified by the policy allow TSDB for InfluxDB® to access the data in your ECS, ApsaraDB for MongoDB, and ApsaraDB for Redis instances.

If you have the permissions that are specified by the policy, you can perform the following operations:

  • Manage elastic network interfaces (ENIs) and security groups to enable two-way access between instances that are located in the same virtual private cloud (VPC).

  • Monitor ApsaraDB for MongoDB and ApsaraDB for Redis instances by collecting instance data.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DeleteNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeDBInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "hitsdb.aliyuncs.com"
        }
      }
    }
  ]
}
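
For a permissions review of this role, the following added example (not Alibaba Cloud's code) splits a policy's actions into read and write operations per service and reports Allow statements that grant write actions on Resource "*" with no Condition. The embedded policy is an abbreviated copy of the one above, and the read/write split by operation-name prefix is an assumption made for this example.

```python
import json
from collections import defaultdict

# Abbreviated copy of the policy on this page (a few actions per statement).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
              "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
              "ecs:RevokeSecurityGroupEgress"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["dds:DescribeDBInstances", "dds:DescribeDBInstanceAttribute"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["kvstore:DescribeRegions", "kvstore:DescribeInstances"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "hitsdb.aliyuncs.com"}}}
]}
""")

# Assumption: operations named Describe*/List*/Get*/Query* only read state.
READ_PREFIXES = ("Describe", "List", "Get", "Query")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def review(policy):
    """Return (per-service read/write operations, unscoped write findings)."""
    summary = defaultdict(lambda: {"read": [], "write": []})
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        writes = []
        for action in as_list(stmt["Action"]):
            service, _, operation = action.partition(":")
            kind = "read" if operation.startswith(READ_PREFIXES) else "write"
            summary[service][kind].append(operation)
            if kind == "write":
                writes.append(action)
        # A write grant on every resource with no Condition is the widest form.
        if writes and "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append((index, writes))
    return dict(summary), findings

if __name__ == "__main__":
    summary, findings = review(POLICY)
    for index, writes in findings:
        print(f"Statement {index}: write actions on Resource '*' without Condition: {writes}")
```

The ram:DeleteServiceLinkedRole statement is not reported because its Condition limits it to hitsdb.aliyuncs.com; the ECS statement is the one to weigh when deciding whether to authorize the role.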

Delete the service-linked role

Before you delete the AliyunServiceRoleForTSDB role, make sure that the role is not assigned to the instances managed by your Alibaba Cloud account. For more information, see the "Delete a service-linked role" section in Service-linked roles.

Permissions required for a RAM user to create the service-linked role

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "hitsdb.aliyuncs.com"
    }
  }
}