To use the log management feature of ApsaraDB for Redis, you must assign the AliyunServiceRoleForKvstore role to the ApsaraDB for Redis instance. Then, ApsaraDB for Redis can access Log Service (SLS) resources under your current Alibaba Cloud account.

Background

A service linked role is a Resource Access Management (RAM) role that is associated with a specific cloud service. In most cases, the cloud service automatically creates or deletes the service linked role as needed, so you do not need to create or delete it manually. A service linked role simplifies the process of authorizing one service to access another and avoids the risks that can result from manual authorization errors. For more information, see Service linked roles.

Note The policy that is attached to a service linked role is predefined by the linked service. You cannot modify or delete the policy. In addition, you cannot add permissions to or remove permissions from a service linked role.

Scenarios

The log management feature of ApsaraDB for Redis requires access to Log Service resources. To use the log management feature, you must assign the AliyunServiceRoleForKvstore role to the ApsaraDB for Redis instance.

Introduction to the AliyunServiceRoleForKvstore role

Note Log on to the RAM console, click RAM roles in the left-side navigation pane, and then enter AliyunServiceRoleForKvstore in the search box to search for and view the role.
  • Role name: AliyunServiceRoleForKvstore.
  • Policy name of the role: AliyunServiceRolePolicyForKvstore.
  • Description: ApsaraDB for Redis can use this role to access resources of Log Service and to delete service linked roles. The following policy document shows the permissions that the role grants:
    Note For more information about the policy syntax, see Policy structure and syntax.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "acs:log:*:*:project/nosql-*",
                "Action": [
                    "log:GetLogstoreLogs",
                    "log:ListLogStores",
                    "log:GetLogStore",
                    "log:GetIndex",
                    "log:GetLogstoreHistogram",
                    "log:GetConfig",
                    "log:ListConfig",
                    "log:GetDashboard",
                    "log:ListDashboard"
                ]
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "r-kvstore.aliyuncs.com"
                    }
                }
            }
        ]
    }

Permissions required for a RAM user to create a service linked role

The permission to create a service linked role is included in the administrative permission policy of the linked service (for example, AliyunESSFullAccess of ECS). Therefore, after you grant the administrator permissions of a cloud service to a RAM user, that RAM user can create the service linked role for the cloud service.

If the RAM user does not have the required permissions, you must grant the following permission to the RAM user before the RAM user attempts to create the service linked role. For more information about how to grant permissions, see Create a custom policy and Grant permissions to a RAM user.

{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "r-kvstore.aliyuncs.com"
        }
    }
}
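As an added worked example (not part of the Alibaba Cloud documentation or of the ApsaraDB for Redis service), the following Python script holds both policy documents from this page, the AliyunServiceRolePolicyForKvstore policy and the ram:CreateServiceLinkedRole statement for a RAM user, and runs a minimal RAM-style evaluator over them. It confirms that the service linked role can only read Log Service projects whose names start with nosql-, that ram:DeleteServiceLinkedRole and ram:CreateServiceLinkedRole are granted only when the ram:ServiceName condition key equals r-kvstore.aliyuncs.com, and it flags any Allow statement that grants Resource "*" without a Condition. The evaluator, its function names, the sample resource string (the account ID 1234567890 and the region cn-hangzhou are constructed) and the condition semantics it implements (only StringEquals; other operators fail closed) are assumptions made for this illustration; the policy contents are copied from the page.

```python
import re

# Policy attached to the AliyunServiceRoleForKvstore role, copied from the page above.
SERVICE_LINKED_ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "acs:log:*:*:project/nosql-*",
            "Action": ["log:GetLogstoreLogs", "log:ListLogStores", "log:GetLogStore",
                       "log:GetIndex", "log:GetLogstoreHistogram", "log:GetConfig",
                       "log:ListConfig", "log:GetDashboard", "log:ListDashboard"],
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}},
        },
    ],
}

# Statement a RAM user needs in order to create the role, copied from the page above.
RAM_USER_POLICY = {
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}},
}

# Constructed sample Log Service project resource (account ID and region are made up).
SAMPLE_PROJECT = "acs:log:cn-hangzhou:1234567890:project/nosql-r-bp1example"


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a full policy document or a single bare statement (as on this page)."""
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def _glob(pattern, value):
    """Match a RAM pattern in which '*' stands for any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _condition_holds(condition, context):
    """Evaluate a Condition block; assumption: only StringEquals is implemented,
    every other operator fails closed (treated as not satisfied)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if `policy` permits `action` on `resource` under `context`.
    Explicit Deny wins over Allow; with no matching Allow the request is denied.
    Action names compare case-insensitively, resources exactly."""
    context = context or {}
    allowed = False
    for stmt in _statements(policy):
        if not any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unconditioned_wildcard_statements(policy):
    """Indices of Allow statements granting Resource "*" with no Condition.
    A service linked role policy should contain none; the DeleteServiceLinkedRole
    statement above passes only because it is scoped by ram:ServiceName."""
    return [i for i, s in enumerate(_statements(policy))
            if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource", "*"))
            and not s.get("Condition")]


if __name__ == "__main__":
    ctx = {"ram:ServiceName": "r-kvstore.aliyuncs.com"}
    print(is_allowed(SERVICE_LINKED_ROLE_POLICY, "log:GetLogStore", SAMPLE_PROJECT))
    print(is_allowed(SERVICE_LINKED_ROLE_POLICY, "ram:DeleteServiceLinkedRole", "*", ctx))
    print(is_allowed(RAM_USER_POLICY, "ram:CreateServiceLinkedRole", "*", ctx))
    print(unconditioned_wildcard_statements(SERVICE_LINKED_ROLE_POLICY))
```

The useful property to notice is that the two wildcard-resource statements (ram:DeleteServiceLinkedRole in the role policy and ram:CreateServiceLinkedRole for the RAM user) are harmless only because of the ram:ServiceName condition; running unconditioned_wildcard_statements over any custom policy you write for the RAM user is a quick way to catch a copy that accidentally dropped the Condition block.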

Delete a service linked role

To delete the AliyunServiceRoleForKvstore service linked role, you must first release the ApsaraDB for Redis instance that is associated with the role. For more information, see Release an instance and Service linked roles.