
Cloud Backup: Service-linked roles for Cloud Backup

Last Updated: Sep 20, 2023

This topic describes the service-linked roles for Cloud Backup and how to delete these roles.

Background information

Some Cloud Backup features require access to other Alibaba Cloud services. To obtain the required permissions, Cloud Backup assumes service-linked roles that are automatically created for it. For more information, see Service-linked roles.

To access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), Apsara File Storage NAS, Cloud Storage Gateway (CSG), Key Management Service (KMS), or Tablestore, Cloud Backup assumes the corresponding automatically created service-linked role:

  • AliyunServiceRoleForHbrEcsBackup

    To implement the ECS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrEcsBackup role so that Cloud Backup can access ECS and VPC.

  • AliyunServiceRoleForHbrOssBackup

    To implement the OSS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrOssBackup role so that Cloud Backup can access OSS.

  • AliyunServiceRoleForHbrNasBackup

    To implement the NAS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrNasBackup role so that Cloud Backup can access NAS.

  • AliyunServiceRoleForHbrCsgBackup

    To implement the CSG backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrCsgBackup role so that Cloud Backup can access CSG.

  • AliyunServiceRoleForHbrVaultEncryption

    To encrypt backup vaults by using Key Management Service (KMS), Cloud Backup must assume the AliyunServiceRoleForHbrVaultEncryption role so that Cloud Backup can access KMS.

  • AliyunServiceRoleForHbrOtsBackup

    To implement the Tablestore backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrOtsBackup role so that Cloud Backup can access Tablestore.

  • AliyunServiceRoleForHbrCrossAccountBackup

    To implement the cross-account backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrCrossAccountBackup role.

  • AliyunServiceRoleForHbrEcsEncryption

    To use KMS-managed keys to encrypt the remote copy when geo-replicating ECS instance backups, Cloud Backup must assume the AliyunServiceRoleForHbrEcsEncryption role so that Cloud Backup can access KMS.

Permission policies

This section describes the permission policies that are attached to each service-linked role.

  • The following permission policy is attached to the AliyunServiceRoleForHbrEcsBackup role so that Cloud Backup can access ECS. Note the scope of this policy: Cloud Assistant commands, instances, disks, snapshots, and images can be created, run, and deleted on any ECS resource in the account (Resource "*"). Only two permissions are narrowed: attaching or detaching an instance RAM role is limited to the aliyunecsaccessinghbrrole role, and ram:PassRole is limited by the acs:Service condition to the ECS service.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is also attached to the AliyunServiceRoleForHbrEcsBackup role so that Cloud Backup can access VPC. It is read-only.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrOssBackup role so that Cloud Backup can access OSS. The policy grants read and write object operations, including multipart upload, on all buckets in the account, but no bucket-level or object-deletion permissions.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrNasBackup role so that Cloud Backup can access NAS.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrCsgBackup role so that Cloud Backup can access CSG.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrVaultEncryption role so that Cloud Backup can access KMS to encrypt data in a backup vault. The ram:DeleteServiceLinkedRole statement is restricted by the ram:ServiceName condition to the vaultencryption.hbr.aliyuncs.com service, so it can delete only this service-linked role.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrOtsBackup role so that Cloud Backup can access Tablestore.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrCrossAccountBackup role so that Cloud Backup can perform cross-account backup. The sts:AssumeRole permission is granted on all resources without a condition; which roles in other accounts Cloud Backup can actually assume is determined by the trust policies of those roles.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • The following permission policy is attached to the AliyunServiceRoleForHbrEcsEncryption role so that Cloud Backup can access KMS to enable geo-replication. It grants only key listing; it does not include kms:Decrypt.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }
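The policies above differ mainly in how far each mutating permission is narrowed: by a specific Resource (the instance RAM role attach/detach), by a Condition (ram:PassRole, ram:DeleteServiceLinkedRole), or not at all (ecs:DeleteInstance, sts:AssumeRole). As an added example, not code from the Cloud Backup documentation or any Alibaba Cloud SDK, the following Python script reviews policy documents of that shape and sorts every Allow-ed action into read-only, resource-scoped, condition-limited, or unrestricted wildcard. The two embedded policy documents are constructed inputs copied from this page (the ECS one abridged to representative actions); the read-only verb prefixes are a heuristic assumption, not an Alibaba Cloud classification.

```python
import json
from collections import defaultdict

# Constructed sample input: statements copied from the AliyunServiceRoleForHbrEcsBackup
# policy shown on this page, abridged to a few representative actions per statement.
ECS_BACKUP_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:RunCommand", "ecs:DescribeInstances", "ecs:DescribeInvocations"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
     "Resource": ["acs:ecs:*:*:instance/*", "acs:ram:*:*:role/aliyunecsaccessinghbrrole"],
     "Effect": "Allow"},
    {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": ["ecs.aliyuncs.com"]}}},
    {"Action": ["ecs:DescribeSnapshots", "ecs:CreateInstance", "ecs:DeleteInstance",
                "ecs:DeleteDisk", "ecs:ReplaceSystemDisk"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# Constructed sample input: the AliyunServiceRoleForHbrCrossAccountBackup policy shown on this page.
CROSS_ACCOUNT_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "crossbackup.hbr.aliyuncs.com"}}}
  ]
}
""")

# Heuristic assumption: Alibaba Cloud API verbs with these prefixes only read state.
# Everything else (Create/Delete/Run/Attach/Pass/Assume/...) is treated as mutating.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "Head")


def _as_list(value):
    """RAM policies allow either a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def classify_statement(stmt):
    """Yield (action, category) for one Allow statement.

    read_only   - verb only reads state, so the Resource scope matters little
    scoped      - mutating, but at least one Resource entry is narrower than "*"
    conditioned - mutating on "*", but a Condition block limits when it applies
    wildcard    - mutating on "*" with no Condition: the least-privilege review queue
    """
    resources = _as_list(stmt.get("Resource", "*"))
    scoped = any(r != "*" for r in resources)
    conditioned = bool(stmt.get("Condition"))
    for action in _as_list(stmt["Action"]):
        if is_read_only(action):
            yield action, "read_only"
        elif scoped:
            yield action, "scoped"
        elif conditioned:
            yield action, "conditioned"
        else:
            yield action, "wildcard"


def review_policy(policy):
    """Return {category: sorted actions} over every Allow statement in a policy document."""
    buckets = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action, category in classify_statement(stmt):
            buckets[category].add(action)
    return {category: sorted(actions) for category, actions in buckets.items()}


if __name__ == "__main__":
    for name, policy in (("AliyunServiceRoleForHbrEcsBackup", ECS_BACKUP_POLICY),
                         ("AliyunServiceRoleForHbrCrossAccountBackup", CROSS_ACCOUNT_POLICY)):
        print(name)
        for category, actions in sorted(review_policy(policy).items()):
            print(f"  {category:12s} {', '.join(actions)}")
```

To review a live role, replace the embedded documents with the policy document shown for the role in the RAM console and compare the wildcard bucket against the features you actually use: for the ECS backup role it contains instance, disk, and Cloud Assistant lifecycle actions, for the cross-account role it contains sts:AssumeRole.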

Delete a service-linked role

If you no longer use a Cloud Backup feature, you can delete its service-linked role to remove the permissions the role grants in your account. For example, if you no longer use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.

Important

  • Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, make sure that no backup vault exists within the current account. Otherwise, the deletion fails.

  • Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the deletion fails.

To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.

  4. Click Delete in the Actions column.

  5. In the Delete Role message, click OK.

If you want to delete other service-linked roles, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, AliyunServiceRoleForHbrVaultEncryption, and AliyunServiceRoleForHbrEcsEncryption, enter the corresponding role name in the search box.