When you enable the offline log delivery feature in Dynamic Route for CDN (DCDN), the system automatically creates the service-linked role AliyunServiceRoleForDCDNLogDelivery and grants the service-linked role the permissions to access resources in Object Storage Service (OSS) and Data Lake Analytics (DLA).

Overview

AliyunServiceRoleForDCDNLogDelivery is a service-linked role (SLR) of DCDN. When you enable the offline log delivery feature in DCDN, DCDN must assume the service-linked role to access resources in OSS and DLA. This allows DCDN to save log data to other services. Make sure that the geographic location where the log data is stored complies with the applicable regulations. For more information, see Service linked roles.

Create the service-linked role

If this is the first time you enable the offline log delivery feature in DCDN, the system automatically creates the service-linked role AliyunServiceRoleForDCDNLogDelivery and attaches the permission policy AliyunServiceRoleForDCDNLogDelivery to the service-linked role. DCDN can assume the service-linked role to access OSS and DLA after the offline log delivery feature is enabled. You can perform the following operations in OSS and DLA:
  • OSS: Create and query OSS buckets, write to OSS buckets, query data in OSS buckets, and delete data from OSS buckets.
  • DLA: Enable, query, and disable DLA tasks.
Note: If DCDN has assumed the service-linked role AliyunServiceRoleForDCDNLogDelivery, the system does not create the service-linked role again.
The following code block shows the content of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "openanalytics:CreateInstance",
        "openanalytics:UpgradeInstance",
        "openanalytics:ReleaseInstance",
        "openanalytics:ExecuteSQL",
        "openanalytics:QueryExecute",
        "openanalytics:DescribeVirtualCluster",
        "openanalytics:ListSparkJob",
        "openanalytics:GetJobStatus",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobLog",
        "openanalytics:KillSparkJob",
        "openanalytics:SubmitSparkJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucketInfo"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*"
    },
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "openanalytics.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"
        }
      }
    }
  ]
}
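
The following added example (not part of the original page and not Alibaba Cloud code) models the policy above in Python to check which actions and resources the role can reach and which statements have no resource scope. The evaluator is a simplified assumption (Allow statements, `*` wildcards, and StringEquals conditions only), and the region, account ID, and bucket name in the sample ARN are constructed.

```python
import fnmatch
import json

# The permission policy from the page, re-typed compactly (same five statements).
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["openanalytics:CreateInstance", "openanalytics:UpgradeInstance",
   "openanalytics:ReleaseInstance", "openanalytics:ExecuteSQL",
   "openanalytics:QueryExecute", "openanalytics:DescribeVirtualCluster",
   "openanalytics:ListSparkJob", "openanalytics:GetJobStatus",
   "openanalytics:GetJobDetail", "openanalytics:GetJobLog",
   "openanalytics:KillSparkJob", "openanalytics:SubmitSparkJob"],
  "Resource": "*", "Effect": "Allow"},
 {"Action": ["oss:PutBucket", "oss:GetBucketInfo"], "Effect": "Allow",
  "Resource": "acs:oss:*:*:alicdn-log-delivery-*"},
 {"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
  "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"},
 {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
 {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.dcdn.aliyuncs.com"}}}
]}
""")

# Constructed sample ARN: region, account ID and bucket suffix are made up.
LOG_OBJECT = ("acs:oss:cn-hangzhou:1234567890:"
              "alicdn-log-delivery-demo/alicdn-offline-log/2024/a.gz")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(action, resource, context=None):
    """True if an Allow statement matches the action, resource and condition."""
    context = context or {}
    for st in POLICY["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == want for key, want in cond.items()):
            return True
    return False

def unscoped_statements():
    """Indexes of statements that apply to every resource with no Condition."""
    return [i for i, st in enumerate(POLICY["Statement"])
            if "*" in _as_list(st["Resource"]) and "Condition" not in st]
```

Calling `is_allowed("oss:DeleteObject", LOG_OBJECT)` returns False because the policy lists only `oss:GetObject` and `oss:PutObject` for objects, and `unscoped_statements()` points at the DLA statement as the one to watch when reviewing the role's activity in audit logs.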

Delete the service-linked role

If you no longer use the offline log delivery feature for DCDN and want to delete the service-linked role AliyunServiceRoleForDCDNLogDelivery, perform the following steps.

  1. Close the offline log delivery task.
    1. Log on to the DCDN console.
    2. In the left-side navigation pane, choose Logs > Offline Log.
    3. On the Logs page, click the Offline Log Delivery tab.
    4. Click Close Delivery Task.
    5. Click OK.
  2. Delete the service-linked role.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, click RAM Roles.
    3. In the RAM Role Name column, find the service-linked role AliyunServiceRoleForDCDNLogDelivery and click Delete.
      Note: If the service-linked role fails to be deleted, check whether the offline log delivery task has been closed.