
Service-linked roles for HBR

Last Updated: Oct 18, 2021

This topic describes the service-linked roles for Hybrid Backup Recovery (HBR): AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, and AliyunServiceRoleForHbrVaultEncryption. This topic also describes how to delete these RAM roles.

Background information

To implement some of its features, HBR needs to access other Alibaba Cloud services. To obtain the required permissions, HBR assumes service-linked roles. For more information, see Service-linked roles.

To access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), Apsara File Storage NAS, or Cloud Storage Gateway (CSG), HBR must assume the corresponding service-linked role that is automatically created.

  • HBR must assume the AliyunServiceRoleForHbrEcsBackup role so that the ECS backup feature of HBR can access ECS and VPC.

  • HBR must assume the AliyunServiceRoleForHbrOssBackup role so that the OSS backup feature of HBR can access OSS.

  • HBR must assume the AliyunServiceRoleForHbrNasBackup role so that the NAS backup feature of HBR can access NAS.

  • HBR must assume the AliyunServiceRoleForHbrCsgBackup role so that the CSG backup feature of HBR can access CSG.

  • To encrypt backup vaults by using Key Management Service (KMS), HBR requires access to KMS. In this case, HBR must assume the AliyunServiceRoleForHbrVaultEncryption role.

Permissions of service-linked roles

This section describes the permission policies that are attached to each service-linked role.

  • The following policies are attached to the AliyunServiceRoleForHbrEcsBackup role. After HBR assumes the role, HBR can access ECS.

    {
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

  • The following policies are attached to the AliyunServiceRoleForHbrEcsBackup role. After HBR assumes the role, HBR can access VPC.

    {
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

  • The following policies are attached to the AliyunServiceRoleForHbrOssBackup role. After HBR assumes the role, HBR can access OSS.

    {
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

  • The following policies are attached to the AliyunServiceRoleForHbrNasBackup role. After HBR assumes the role, HBR can access NAS.

    {
      "Statement": [
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

  • The following policies are attached to the AliyunServiceRoleForHbrCsgBackup role. After HBR assumes the role, HBR can access CSG.

    {
      "Statement": [
        {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

  • The following policies are attached to the AliyunServiceRoleForHbrVaultEncryption role. After HBR assumes the role, HBR can access KMS.

    {
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
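
As an added example that is not part of this topic, the following Python script parses RAM policy documents in the format shown above and reports which services a role may call and whether any ram:PassRole grant lacks the acs:Service condition that the ECS backup policy uses; the sample input reuses the AliyunServiceRoleForHbrVaultEncryption policy plus one constructed, hypothetical PassRole statement.

```python
import json
from collections import defaultdict

# Constructed sample input: the AliyunServiceRoleForHbrVaultEncryption policy from
# this topic, plus one hypothetical ram:PassRole statement that lacks the
# acs:Service condition the real ECS backup policy carries.
SAMPLE_POLICY = """
{
  "Statement": [
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"}}},
    {"Action": ["kms:Decrypt"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow"}
  ],
  "Version": "1"
}
"""

def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def load_policy(text):
    """Parse a RAM policy document and check its outer shape."""
    policy = json.loads(text)
    if policy.get("Version") != "1" or not isinstance(policy.get("Statement"), list):
        raise ValueError("expected a RAM policy with Version 1 and a Statement list")
    return policy

def actions_by_service(policy):
    """Group allowed actions by service prefix, e.g. {'kms': {'kms:Decrypt'}}."""
    grouped = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt["Action"]):
                grouped[action.split(":", 1)[0]].add(action)
    return dict(grouped)

def unconditioned_pass_role(policy):
    """True if ram:PassRole is allowed without an acs:Service condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "ram:PassRole" in _as_list(stmt["Action"]):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("acs:Service"):
                return True
    return False

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    print(actions_by_service(policy))
    print("unscoped PassRole:", unconditioned_pass_role(policy))
```

Run the functions over the policy documents attached to each HBR role to confirm that the set of services matches the feature the role serves and that PassRole stays scoped to ecs.aliyuncs.com.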

Delete service-linked roles

To remove permissions that are no longer needed, you can delete service-linked roles. For example, if you no longer use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.

Notice

  • Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, make sure that no backup vault exists within the current account. Otherwise, the role cannot be deleted.

  • Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the role cannot be deleted.

To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, click RAM Roles.

  3. On the RAM Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.

  4. In the Actions column, click Delete.

  5. In the Delete RAM Role dialog box, click OK.

If you want to delete the AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup role, enter the corresponding role name in the search box.