All Products
Document Center

TSDB Service Linked Role

Last Updated: Apr 12, 2021

Background information

To implement some features of TSDB for InfluxDB®, TSDB for InfluxDB® may need to be authorized to access other cloud services. The AliyunServiceRoleForTSDB service linked role is provided for TSDB for InfluxDB® to complete the authorization. For more information about service-associated roles, see Service-associated roles.


TSDB for InfluxDB® needs to access the resources of Elastic Compute Service (ECS), ApsaraDB for MongoDB, and ApsaraDB for Redis.

AliyunServiceRoleForTSDB overview

The name of the service linked role is AliyunServiceRoleForTSDB

The service linked role is attached with the AliyunServiceRolePolicyForTSDB permission policy.

The permissions specified by the permission policy allow TSDB for InfluxDB® to access the data that is stored in your ECS, ApsaraDB for MongoDB, and ApsaraDB for Redis instances. If you have the permissions that are specified by the permission policy, you can perform the following operations:

  • Manage elastic network interfaces (ENIs) and security groups. You can enable two-way access between instances that are connected to the same virtual private cloud (VPC).

  • Monitor ApsaraDB for MongoDB and ApsaraDB for Redis instances by collecting instance data.

{ "Version":"1", "Statement":[ { "Action":[ "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:DeleteNetworkINterface", "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface", "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions", "ecs:DeleteNetworkInterfacePermission", "ecs:CreateSecurityGroup", "ecs:DescirbeSecurityGroups", "ecs:DescribeSecurityGroupAttribute", "ecs:DeleteSecurityGroup", "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "dds:DescribeDBInstances", "dds:DescribeDBInstanceAttribute" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeInstanceAttribute" ], "Resource":"*", "Effect":"Allow" }, { "Action":"ram:DeleteServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"" } } } ] }

Delete the service linked role

Before you delete the AliyunServiceRoleForTSDB service linked role, make sure that the role is not assigned to the instances managed by your Alibaba Cloud account. For more information, see Service-associated roles.

Grant a RAM user the required permissions to create a service linked role

{ "Action":"ram:CreateServiceLinkedRole", "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "ram:ServiceName":"" } } }