This topic describes the scenarios in which Message Queue for Apache RocketMQ uses its service linked role, AliyunServiceRoleForOns, and how to delete this role.

Background information

The AliyunServiceRoleForOns role for Message Queue for Apache RocketMQ is a Resource Access Management (RAM) role that Message Queue for Apache RocketMQ assumes to access other Alibaba Cloud services in specific scenarios. For more information, see Service linked roles.

Scenarios

To provide the monitoring and alerting feature, Message Queue for Apache RocketMQ must be able to access Cloud Monitor. It obtains this access by assuming the automatically created AliyunServiceRoleForOns role.

Permissions of AliyunServiceRoleForOns

The AliyunServiceRoleForOns role has the following access permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:DescribeMetricRuleList",
        "cms:DescribeMetricList",
        "cms:DescribeMetricData"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the AliyunServiceRoleForOns role

After you delete the AliyunServiceRoleForOns role, you can no longer use the Cloud Monitor features. Proceed with caution. To use the Cloud Monitor features again, you must re-create the AliyunServiceRoleForOns role. For more information about how to create the AliyunServiceRoleForOns role, see Create a service linked role.

For more information about how to delete the service linked role, see Delete a service linked role.

FAQ

Why is my RAM user unable to automatically create the AliyunServiceRoleForOns role for Message Queue for Apache RocketMQ?

If you have already created a service linked role by using your Alibaba Cloud account, your RAM user inherits the role from the Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and attach the following permission policy to the RAM user:

{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ons.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

Note Replace Alibaba Cloud account ID with your Alibaba Cloud account ID.
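The two policies on this page are small enough to check by hand, but a reviewer usually wants to confirm three things before a role or user policy goes live: that the role's ram:DeleteServiceLinkedRole grant really is limited to ons.aliyuncs.com by its Condition, that the Cloud Monitor actions are read-only (cms:Describe*), and that the FAQ policy's Resource has the placeholder replaced by a real account ID and therefore cannot create roles in someone else's account. The following Python is an added example, not code from the Alibaba Cloud documentation or the RAM service. It contains a deliberately simplified model of RAM policy evaluation (default deny, explicit Deny wins, '*' wildcards in Action and Resource, only the StringEquals condition operator) and assumes that an Alibaba Cloud account ID is a 16-digit number; the account ID and resource names used in the checks are constructed sample values.

```python
import json
import re
from fnmatch import fnmatchcase

# Role policy copied from this page (permissions of AliyunServiceRoleForOns).
ROLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList", "cms:DescribeMetricData"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}}
    }
  ]
}
""")

# FAQ policy template from this page; "{account_id}" stands for the
# "Alibaba Cloud account ID" placeholder and is filled in by build_create_slr_policy().
CREATE_SLR_TEMPLATE = {
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:{account_id}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "ons.aliyuncs.com"}},
    }],
    "Version": "1",
}

# Assumption for this example: an Alibaba Cloud account ID is a 16-digit number.
ACCOUNT_ID_RE = re.compile(r"\d{16}")


def _as_list(value):
    # RAM allows Action/Resource to be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # Simplified wildcard match: '*' in a policy pattern matches any run of characters.
    return fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Only StringEquals is modelled, which is the only operator used on this page.
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified RAM evaluation: default deny, explicit Deny wins, else any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_role_policy(policy):
    """Return findings a reviewer would raise: unscoped SLR deletion, non-read-only CMS, wildcards."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action == "ram:DeleteServiceLinkedRole":
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if cond.get("ram:ServiceName") != "ons.aliyuncs.com":
                    findings.append("ram:DeleteServiceLinkedRole is not restricted to ons.aliyuncs.com")
            elif action.startswith("cms:") and not action.startswith("cms:Describe"):
                findings.append(f"{action} goes beyond read-only Cloud Monitor access")
    return findings


def is_valid_account_id(account_id):
    # Rejects the literal placeholder left in the policy and anything that is not 16 digits.
    return ACCOUNT_ID_RE.fullmatch(account_id) is not None


def build_create_slr_policy(account_id):
    """Fill the FAQ policy template with a validated account ID (deep copy, template untouched)."""
    if not is_valid_account_id(account_id):
        raise ValueError("account ID must be a 16-digit number, not the placeholder text")
    policy = json.loads(json.dumps(CREATE_SLR_TEMPLATE))
    stmt = policy["Statement"][0]
    stmt["Resource"] = stmt["Resource"].format(account_id=account_id)
    return policy


if __name__ == "__main__":
    print("role policy findings:", audit_role_policy(ROLE_POLICY))
    print(json.dumps(build_create_slr_policy("1234567890123456"), indent=2))
```

Running the module prints an empty findings list for the role policy on this page and the FAQ policy with the constructed account ID 1234567890123456 substituted in. The evaluator is intentionally narrow: it models just enough of RAM semantics to show why the Condition block matters (the same DeleteServiceLinkedRole request is allowed for ons.aliyuncs.com and denied for any other ram:ServiceName) and why the account-scoped Resource in the FAQ policy matters (a CreateServiceLinkedRole request against a different account ID is denied).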

If your RAM user still cannot automatically create the AliyunServiceRoleForOns role after this permission policy is attached, attach one of the following system policies to the RAM user:

  • AliyunMQFullAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess

For more information, see System policies.