This topic describes the background information, policies, usage notes, and frequently asked questions (FAQ) about the service-linked roles for EventBridge.

Background information

EventBridge may need to access another Alibaba Cloud service to implement a specific feature. In this case, EventBridge must assume a specific service-linked role, which is a Resource Access Management (RAM) role, to obtain permissions to access another Alibaba Cloud service. For more information about service-linked roles, see Service-linked roles.

EventBridge can automatically create the following service-linked roles:

AliyunServiceRoleForEventBridgeSendToFC

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToFC role to obtain permissions to access Function Compute and implement features that are related to function invocation.

The following AliyunServiceRolePolicyForEventBridgeSendToFC policy is attached to the AliyunServiceRoleForEventBridgeSendToFC role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToMNS role to obtain permissions to access Message Service (MNS) and implement features that are related to message sending and message publishing.

The following AliyunServiceRolePolicyForEventBridgeSendToMNS policy is attached to the AliyunServiceRoleForEventBridgeSendToMNS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToSMS role to obtain permissions to access Short Message Service (SMS) and implement features that are related to text message sending.

The following AliyunServiceRolePolicyForEventBridgeSendToSMS policy is attached to the AliyunServiceRoleForEventBridgeSendToSMS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToDirectMail role to obtain permissions to access Direct Mail and implement features that are related to email sending.

The following AliyunServiceRolePolicyForEventBridgeSendToDirectMail policy is attached to the AliyunServiceRoleForEventBridgeSendToDirectMail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRocketMQ role to obtain permissions to access Message Queue for Apache RocketMQ as an event source and implement features that are related to event publishing. The policy grants only instance lookup and subscription (mq:SUB) permissions; it does not allow EventBridge to publish messages to RocketMQ.

The following AliyunServiceRolePolicyForEventBridgeSourceRocketMQ policy is attached to the AliyunServiceRoleForEventBridgeSourceRocketMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

EventBridge assumes the AliyunServiceRoleForEventBridgeConnectVPC role to obtain permissions to access Virtual Private Cloud (VPC) and implement features that are related to accessing resources inside your VPC. Besides VPC query permissions, the policy includes Elastic Compute Service (ECS) permissions to create, query, and delete elastic network interfaces (ENIs) and ENI permissions, because access into a VPC is implemented with ENIs.

The following AliyunServiceRolePolicyForEventBridgeConnectVPC policy is attached to the AliyunServiceRoleForEventBridgeConnectVPC role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceActionTrail role to obtain permissions to access ActionTrail as an event source and implement features that are related to collecting operation records. The policy grants only the creation and deletion of a service trail; it does not grant permissions to query operation records.

The following AliyunServiceRolePolicyForEventBridgeSourceActionTrail policy is attached to the AliyunServiceRoleForEventBridgeSourceActionTrail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRabbitMQ role to obtain permissions to access Message Queue for RabbitMQ as an event source and implement features that are related to event publishing. The policy grants only consumer-side AMQP permissions (consume, get, acknowledge, reject, and purge); it does not allow EventBridge to publish messages to RabbitMQ.

The following AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ policy is attached to the AliyunServiceRoleForEventBridgeSourceRabbitMQ role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:GetVhost",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}
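All eight policies above follow one pattern: Allow statements for the target service, plus a ram:DeleteServiceLinkedRole statement conditioned on the role's own ram:ServiceName so that the role can remove itself and nothing else. The following script is an added example, not part of this page or of EventBridge; it checks a policy document retrieved from the RAM console or API against what this page documents and reports drift such as extra actions or a delete statement whose condition has been removed. The documented policy embedded in it is copied from the page; the tampered copy and the fc:DeleteFunction action in it are constructed for the example.

```python
import json

# Every EventBridge service-linked role policy on this page has the same shape:
# Allow statements for the target service, plus a ram:DeleteServiceLinkedRole
# statement conditioned on the role's own ram:ServiceName.
SLR_DELETE_ACTION = "ram:DeleteServiceLinkedRole"

# Copied from this page: the policy attached to AliyunServiceRoleForEventBridgeSendToFC.
SEND_TO_FC_POLICY = """{
    "Version": "1",
    "Statement": [
        {
            "Action": ["fc:InvokeFunction", "fc:ListServices", "fc:ListFunctions"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"}}
        }
    ]
}"""
SEND_TO_FC_SERVICE_NAME = "sendevent-fc.eventbridge.aliyuncs.com"
SEND_TO_FC_EXPECTED_ACTIONS = {"fc:InvokeFunction", "fc:ListServices", "fc:ListFunctions"}


def _as_list(value):
    """RAM lets Action and condition values be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_slr_policy(policy_document, expected_service_name, expected_actions):
    """Compare a service-linked role policy with what this page documents.

    Returns a list of human-readable findings; an empty list means the policy
    still matches. The documented policies all use Resource "*", so the check
    concentrates on the action set and on the delete statement's condition.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    if policy.get("Version") != "1":
        findings.append(f"unexpected policy Version {policy.get('Version')!r}")

    granted = set()
    delete_statements = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: Effect {stmt.get('Effect')!r}, expected Allow")
        actions = _as_list(stmt.get("Action"))
        if SLR_DELETE_ACTION in actions:
            delete_statements.append((idx, stmt))
            actions = [a for a in actions if a != SLR_DELETE_ACTION]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            granted.add(action)

    extra = granted - set(expected_actions)
    missing = set(expected_actions) - granted
    if extra:
        findings.append("actions granted beyond the documented set: " + ", ".join(sorted(extra)))
    if missing:
        findings.append("documented actions absent: " + ", ".join(sorted(missing)))

    if len(delete_statements) != 1:
        findings.append(f"expected exactly one {SLR_DELETE_ACTION} statement, found {len(delete_statements)}")
    for idx, stmt in delete_statements:
        pinned = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if pinned != [expected_service_name]:
            findings.append(
                f"statement {idx}: {SLR_DELETE_ACTION} is not pinned to "
                f"ram:ServiceName == {expected_service_name!r} (got {pinned!r}), "
                "so the role could delete other service-linked roles"
            )
    return findings


def tampered_send_to_fc_policy():
    """Constructed for this example: the documented policy after two risky edits,
    an extra write action (assumed, not on the page) and a delete statement
    whose ram:ServiceName condition was removed."""
    policy = json.loads(SEND_TO_FC_POLICY)
    policy["Statement"][0]["Action"].append("fc:DeleteFunction")
    del policy["Statement"][1]["Condition"]
    return policy


if __name__ == "__main__":
    print("documented:", audit_slr_policy(SEND_TO_FC_POLICY, SEND_TO_FC_SERVICE_NAME, SEND_TO_FC_EXPECTED_ACTIONS))
    for finding in audit_slr_policy(tampered_send_to_fc_policy(), SEND_TO_FC_SERVICE_NAME, SEND_TO_FC_EXPECTED_ACTIONS):
        print("tampered:", finding)
```

To audit the other seven roles, pass the matching ram:ServiceName and the action list from the corresponding policy on this page. The check treats a missing or widened condition on ram:DeleteServiceLinkedRole as a finding because that condition is the only thing that stops the role from deleting service-linked roles that belong to other services.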

Usage notes

If you delete a service-linked role, EventBridge can no longer access the corresponding Alibaba Cloud service: depending on the role, it cannot publish events to that service as an event target, pull events from it as an event source, or reach resources in your VPC. Exercise caution when you delete a role. To use the corresponding feature again, you must create the required role again. For more information about the procedure, see Create a service linked role.

Each of the policies above uses "Resource": "*". A role is therefore scoped by the actions it lists and by the fact that only the EventBridge service can assume it, not by individual resources; review the action list of a role if you need to know exactly what EventBridge can do in your account.

For more information about how to delete a service-linked role, see Delete a service-linked role.

FAQ

Why is a service-linked role for EventBridge not automatically created for my RAM user?

A service-linked role belongs to the Alibaba Cloud account, so once it has been created, the RAM users of that account can use the EventBridge features that depend on it. If the role does not exist yet and your RAM user lacks the permission to have EventBridge create it automatically, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user. The policy allows the RAM user to create only the service-linked roles that EventBridge uses, identified by their ram:ServiceName values:

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
Note Replace the Alibaba Cloud account ID in the example with the ID of your Alibaba Cloud account.

If the service-linked role is still not automatically created for your RAM user after you attach the policy to the RAM user, attach the AliyunEventBridgeFullAccess policy to the RAM user. AliyunEventBridgeFullAccess grants full access to EventBridge, far more than the scoped ram:CreateServiceLinkedRole policy above, so treat it as a fallback rather than the default. For more information about policies, see Policies.
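The custom policy in this FAQ can be narrowed further: a RAM user who only creates Function Compute and MNS targets needs only those two ram:ServiceName values. The following script is an added example, not part of this page or of EventBridge; it generates the policy for a given account ID and subset of service names, and it inspects any ram:CreateServiceLinkedRole policy to report which services it is actually limited to. The account ID in the usage is constructed, and the set of service names is taken from the policies on this page.

```python
import json

# The ram:ServiceName values used by the EventBridge service-linked roles on this page.
EVENTBRIDGE_SERVICE_NAMES = frozenset({
    "sendevent-fc.eventbridge.aliyuncs.com",
    "sendevent-mns.eventbridge.aliyuncs.com",
    "sendevent-sms.eventbridge.aliyuncs.com",
    "sendevent-directmail.eventbridge.aliyuncs.com",
    "source-rocketmq.eventbridge.aliyuncs.com",
    "connect-vpc.eventbridge.aliyuncs.com",
    "source-actiontrail.eventbridge.aliyuncs.com",
    "source-rabbitmq.eventbridge.aliyuncs.com",
})

CREATE_SLR_ACTION = "ram:CreateServiceLinkedRole"


def build_create_slr_policy(account_id, service_names):
    """Build the FAQ's custom policy, scoped to only the roles this RAM user needs.

    account_id: the numeric Alibaba Cloud account ID that replaces the
        "Alibaba Cloud account ID" placeholder in the page's example.
    service_names: the subset of EVENTBRIDGE_SERVICE_NAMES whose roles the user
        must be able to create; fewer names means a narrower grant.
    """
    if not (isinstance(account_id, str) and account_id.isdigit()):
        raise ValueError("account_id must be the numeric account ID, not the placeholder text")
    names = sorted(set(service_names))
    if not names:
        raise ValueError("at least one ram:ServiceName is required")
    unknown = set(names) - EVENTBRIDGE_SERVICE_NAMES
    if unknown:
        raise ValueError(f"not an EventBridge service-linked role service name: {sorted(unknown)}")
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": CREATE_SLR_ACTION,
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": names}},
            }
        ],
    }


def create_slr_scope(policy):
    """Return the set of ram:ServiceName values for which the policy allows creating
    service-linked roles, or None if an Allow statement for that action carries no
    StringEquals ram:ServiceName condition (i.e. it permits any service).
    Only the exact-match condition used on this page is recognised."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    scope = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in (CREATE_SLR_ACTION, "ram:*", "*") for a in actions):
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            return None
        scope.update([names] if isinstance(names, str) else names)
    return scope


if __name__ == "__main__":
    # Constructed account ID; a user who only needs Function Compute and MNS targets.
    policy = build_create_slr_policy(
        "1234567890123456",
        ["sendevent-fc.eventbridge.aliyuncs.com", "sendevent-mns.eventbridge.aliyuncs.com"],
    )
    print(json.dumps(policy, indent=4))
    print("scope:", sorted(create_slr_scope(policy)))
```

create_slr_scope returns None for an unconditioned grant, which is the case to look for when reviewing a RAM user's policies: such a statement lets the user create service-linked roles for any Alibaba Cloud service, not just EventBridge. A StringLike or other condition operator is not recognised by this check and would also be reported as unconditioned.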