An Alibaba Cloud service may need to access other services to implement a function. In this case, the Alibaba Cloud service must be authorized. For example, Cloud Config must have access permissions on Elastic Compute Service (ECS), ApsaraDB RDS for MySQL (RDS), and other Alibaba Cloud services before it can retrieve resource lists and change logs from these services. Alibaba Cloud provides service linked roles (SLRs) to simplify authorization in such scenarios. This topic describes the SLR of Data Lake Analytics (DLA), AliyunServiceRoleForOpenAnalytics.

Background information

AliyunServiceRoleForOpenAnalytics is a RAM role that is used to obtain access permissions on other cloud services to implement a function of DLA. For more information, see Service linked roles.

Scenarios

DLA is a data lake analytics service developed by Alibaba Cloud. It provides both a serverless SQL engine and a serverless Spark engine. To implement data lake functions, DLA needs to obtain data from various Alibaba Cloud data sources such as Object Storage Service (OSS), Tablestore (formerly referred to as OTS), RDS, AnalyticDB for MySQL (ADS), MaxCompute (formerly referred to as ODPS), ECS, Virtual Private Cloud (VPC), Resource Access Management (RAM), and Message Queue (MQ). When you activate DLA, an SLR is automatically created in DLA to deliver a better user experience.

View information of AliyunServiceRoleForOpenAnalytics

  1. Log on to the Data Lake Analytics console.
  2. In the left-side navigation pane, click Overview and click Options in the upper-right corner of the Overview page.
  3. In the Cross-cloud service authorization section, view the SLR of DLA.
    • Role name: AliyunServiceRoleForOpenAnalytics
    • Role permission policy: AliyunServiceRolePolicyForOpenAnalytics
    • Permission details:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "openanalytics.aliyuncs.com"
              }
            }
          },
          {
            "Action": [
              "ram:ListUsers",
              "ram:GenerateCredentialReport"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:GetBucket",
              "oss:GetBucketAcl",
              "oss:GetBucketLocation",
              "oss:GetBucketInfo",
              "oss:GetBucketLogging",
              "oss:GetBucketWebsite",
              "oss:GetBucketReferer",
              "oss:GetBucketLifecycle",
              "oss:GetBucketEncryption",
              "oss:GetBucketStat",
              "oss:GetBucketMetadata",
              "oss:GetBucketTagging",
              "oss:GetBucketVersioning",
              "oss:GetSimplifiedObjectMeta",
              "oss:GetObjectMetadata",
              "oss:GetBucketStorageCapacity",
              "oss:GetBucketEncryption",
              "oss:GetObject",
              "oss:GetObjectMeta",
              "oss:GetObjectAcl",
              "oss:GetSymlink",
              "oss:GetObjectTagging",
              "oss:GetService",
              "oss:ListObjects",
              "oss:ListMultipartUploads",
              "oss:ListParts",
              "oss:ListBuckets",
              "oss:ListVpcip",
              "oss:ListVersions",
              "oss:GetBucketCname",
              "oss:GetBucketRequestPayment",
              "oss:GetBucketVpcip",
              "oss:DoesBucketExist",
              "oss:DoesObjectExist",
              "oss:ListObjectsV2",
              "oss:SelectObject",
              "oss:HeadObject",
              "oss:PutBucket",
              "oss:PutObject",
              "oss:PutObjectTagging",
              "oss:CopyObject",
              "oss:InitiateMultipartUpload",
              "oss:UploadPart",
              "oss:UploadPartCopy",
              "oss:CompleteMultipartUpload",
              "oss:AbortMultipartUpload",
              "oss:RestoreObject",
              "oss:PostObject",
              "oss:UploadFile",
              "oss:DownloadFile",
              "oss:AppendObject",
              "oss:DeleteObject",
              "oss:DeleteObjects"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alikafka:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "rds:DescribeDBInstances",
              "rds:DescribeDBInstanceAttribute",
              "rds:DescribeDBInstanceNetInfo",
              "rds:DescribeDBInstanceHAConfig",
              "rds:DescribeDBInstanceIPArrayList",
              "rds:ModifySecurityIps",
              "dds:DescribeDBInstances",
              "dds:DescribeDBInstanceAttribute",
              "dds:DescribeSecurityIps",
              "dds:ModifySecurityIps",
              "polardb:DescribeDBClusters",
              "polardb:DescribeDBClusterAttribute",
              "polardb:DescribeDBClusterEndpoints",
              "polardb:DescribeDBClusterAccessWhitelist",
              "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mns:GetQueueAttributes",
              "mns:GetTopicAttributes",
              "mns:GetSubscriptionAttributes",
              "mns:ListQueue",
              "mns:ListTopic",
              "mns:ListSubscriptionByTopic",
              "mns:SendMessage",
              "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "mq:PUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "dbs:DescribeBackupPlanList",
              "dbs:DescribeFullBackupList",
              "dbs:DescribeIncrementBackupList",
              "dbs:DescribeRestoreTaskList",
              "dbs:DescribeBackupGatewayList"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ots:GetRow",
              "ots:BatchGetRow",
              "ots:GetRange",
              "ots:GetShardIterator",
              "ots:GetStreamRecord",
              "ots:ListStream",
              "ots:ListTable",
              "ots:ListSearchIndex",
              "ots:DescribeStream",
              "ots:DescribeTable",
              "ots:DescribeSearchIndex",
              "ots:ComputeSplitPointsBySize",
              "ots:CreateTable",
              "ots:UpdateTable",
              "ots:DeleteTable",
              "ots:PutRow",
              "ots:UpdateRow",
              "ots:DeleteRow",
              "ots:BatchWriteRow",
              "ots:CreateIndex",
              "ots:DropIndex",
              "ots:CreateSearchIndex",
              "ots:DeleteSearchIndex",
              "ots:Search"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "log:ListProject",
              "log:ListLogStores",
              "log:ListShipper",
              "log:GetCursorOrData",
              "log:BatchGetLog",
              "log:GetShipper",
              "log:GetShipperConfig",
              "log:BatchGetLog",
              "log:DeleteShipper",
              "log:CreateShipper"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:CreateNetworkInterface",
              "ecs:DescribeNetworkInterfaces",
              "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
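When reviewing this role, it helps to separate the read-only grants from the ones that let DLA change or delete data on every resource. The following Python sketch is an added example, not Alibaba Cloud code: it parses a policy document in the format shown above and lists the state-changing actions allowed on Resource "*" without a Condition. The policy excerpt is trimmed from the document above, and the function names and the read-verb prefix list are assumptions made for this example.

```python
import json

# Excerpt of AliyunServiceRolePolicyForOpenAnalytics, trimmed to a few actions
# per statement for this example; paste the full document from the console.
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
  {"Action": ["oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityIps"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ots:GetRow", "ots:DeleteTable", "ots:Search"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs"],
   "Resource": "*", "Effect": "Allow"}
]}
""")

# Assumption: verbs with these prefixes only read state; anything else is
# treated as state-changing so that unknown verbs are flagged, not missed.
READ_PREFIXES = ("Get", "List", "Describe", "Does", "Head", "Select",
                 "BatchGet", "Download", "Search", "Compute")

def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)

def unscoped_writes(policy):
    """Map service -> sorted state-changing actions allowed on every resource
    with no Condition narrowing the grant."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and condition-scoped grants are skipped
        if "*" not in as_list(stmt.get("Resource", [])):
            continue  # grant is limited to named resources
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if not verb.startswith(READ_PREFIXES):
                findings.setdefault(service, set()).add(action)
    return {svc: sorted(acts) for svc, acts in findings.items()}

if __name__ == "__main__":
    for service, actions in sorted(unscoped_writes(POLICY_EXCERPT).items()):
        print(f"{service}: {', '.join(actions)}")
```

Because the prefix list is a heuristic, confirm each flagged action against the owning service's API reference before treating it as a finding.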

Delete AliyunServiceRoleForOpenAnalytics

To delete AliyunServiceRoleForOpenAnalytics, perform the following operations:
  • Disable the DLA service for the current region and all other regions under your account. This is because DLA determines resources associated with the SLR based on user accounts.
  • For more information about how to delete an SLR, see Delete a service linked role.