This topic describes the background information, policies, usage notes, and FAQ about the service-linked roles for ApsaraMQ for RabbitMQ.

Background information

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement a feature. To do this, the Alibaba Cloud service must assume a service-linked role to obtain the permissions to access other Alibaba Cloud services. The service-linked role is a Resource Access Management (RAM) role. When you use this feature in the console of the Alibaba Cloud service for the first time, the system automatically creates service-linked roles. For more information about service-linked roles, see Service-linked roles.

ApsaraMQ for RabbitMQ can assume the following service-linked roles:

  • AliyunServiceRoleForAmqpMonitoring: ApsaraMQ for RabbitMQ can assume this role to access CloudMonitor and Application Real-Time Monitoring Service (ARMS) to implement the monitoring and alerting feature and the dashboard feature. When you use the monitoring and alerting feature and the dashboard feature in the ApsaraMQ for RabbitMQ console for the first time, the system automatically creates the AliyunServiceRoleForAmqpMonitoring role. For more information, see Monitoring and alerting and Dashboard.
  • AliyunServiceRoleForAmqpLogDelivery: ApsaraMQ for RabbitMQ assumes this role to obtain the permissions to access Log Service for message log management. When you use the message log management feature in the ApsaraMQ for RabbitMQ console for the first time, the system automatically creates the AliyunServiceRoleForAmqpLogDelivery role. For more information, see Configure message logs.

Policies

  • Policies attached to the AliyunServiceRoleForAmqpMonitoring role:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "cms:DescribeMetricRuleList",
                    "cms:DescribeMetricList",
                    "cms:DescribeMetricData"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "arms:OpenVCluster",
                    "arms:ListDashboards",
                    "arms:CheckServiceStatus"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "monitoring.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • Policies attached to the AliyunServiceRoleForAmqpLogDelivery role:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:ListProject",
                    "log:ListLogStores",
                    "log:PostLogStoreLogs"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "logdelivery.amqp.aliyuncs.com"
                    }
                }
            }
        ]
    }

Usage notes

When you delete a service-linked role that is automatically created by the system, the dependent feature can no longer be used due to insufficient permissions. Exercise caution when you delete a service-linked role. For information about how to create a service-linked role again and attach policies to the service-linked role, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

FAQ

How do I resolve the issue that the ApsaraMQ for RabbitMQ service-linked roles AliyunServiceRoleForAmqpMonitoring and AliyunServiceRoleForAmqpLogDelivery cannot be automatically created for my RAM user?

If a service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role. If your RAM user fails to inherit the service-linked role, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:${accountid}:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "logdelivery.amqp.aliyuncs.com",
                        "monitoring.amqp.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
Note: Replace ${accountid} with the ID of your Alibaba Cloud account.

If the service-linked role is still not automatically created for your RAM user after you attach the required policy to the RAM user, attach the AliyunAMQPFullAccess policy to the RAM user. For more information, see Grant permissions to the RAM user.
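The following is an added example and is not part of the Alibaba Cloud documentation or of ApsaraMQ for RabbitMQ itself: a small Python linter that takes the three policy documents shown on this page (the two service-linked role policies and the FAQ custom policy) and checks the least-privilege properties a reviewer would want confirmed before granting them. It lists the actions each role policy grants, verifies that each role may delete only its own service-linked role (the ram:DeleteServiceLinkedRole statement is conditioned on that role's own ram:ServiceName), fills in ${accountid} as the note instructs, and verifies that the RAM-user policy pins ram:CreateServiceLinkedRole to one account and to the two ApsaraMQ for RabbitMQ service names rather than to a wildcard or an unreplaced placeholder. The account ID 1234567890123456 is a constructed placeholder, and the check that an account ID is purely numeric is an assumption of this example, not a statement from the page.

```python
import json
import re
from typing import Any, Dict, List

# The two ram:ServiceName values ApsaraMQ for RabbitMQ uses for its service-linked roles.
AMQP_SERVICES = ("logdelivery.amqp.aliyuncs.com", "monitoring.amqp.aliyuncs.com")

# Policy documents copied from this page as linter input (in practice you would read
# the policy actually attached to the role from the RAM console or API).
MONITORING_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": ["cms:DescribeMetricRuleList", "cms:DescribeMetricList",
                    "cms:DescribeMetricData"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["arms:OpenVCluster", "arms:ListDashboards", "arms:CheckServiceStatus"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "monitoring.amqp.aliyuncs.com"}}},
    ],
}
LOG_DELIVERY_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": ["log:ListProject", "log:ListLogStores", "log:PostLogStoreLogs"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.amqp.aliyuncs.com"}}},
    ],
}
# The FAQ custom policy, still carrying the ${accountid} placeholder from the page.
CUSTOM_POLICY_TEMPLATE = json.dumps({
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:${accountid}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": list(AMQP_SERVICES)}},
    }],
    "Version": "1",
})


def _as_list(value: Any) -> List[str]:
    """RAM accepts either a string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)


def _service_names(stmt: Dict[str, Any]) -> List[str]:
    """ram:ServiceName values pinned by the statement's StringEquals condition, or []."""
    return _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", []))


def granted_actions(policy: Dict[str, Any]) -> List[str]:
    """All actions the policy's Allow statements grant, sorted for a review listing."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt["Action"]))
    return sorted(actions)


def delete_is_self_scoped(policy: Dict[str, Any], service_name: str) -> bool:
    """True only if every Allow of ram:DeleteServiceLinkedRole is conditioned on exactly
    this role's own ram:ServiceName, so the role cannot remove other services' roles."""
    found = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "ram:DeleteServiceLinkedRole" not in _as_list(stmt["Action"]):
            continue
        found = True
        if _service_names(stmt) != [service_name]:
            return False
    return found


def render_custom_policy(account_id: str) -> Dict[str, Any]:
    """Apply the FAQ note: replace ${accountid}. Assumption of this example: an account
    ID is all digits, so a wildcard or a leftover placeholder is rejected here."""
    if not re.fullmatch(r"\d+", account_id):
        raise ValueError(f"account ID must be numeric, got {account_id!r}")
    return json.loads(CUSTOM_POLICY_TEMPLATE.replace("${accountid}", account_id))


def lint_create_policy(policy: Dict[str, Any]) -> List[str]:
    """Problems a reviewer would flag in a RAM-user policy that grants
    ram:CreateServiceLinkedRole: Resource not pinned to one numeric account ID,
    no ram:ServiceName condition, or a service name outside AMQP_SERVICES."""
    problems: List[str] = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "ram:CreateServiceLinkedRole" not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            parts = res.split(":")  # acs:ram:<region>:<account-id>:role/<name>
            if len(parts) != 5 or not parts[3].isdigit():
                problems.append(f"statement {i}: Resource {res!r} is not pinned to one account ID")
        names = _service_names(stmt)
        if not names:
            problems.append(f"statement {i}: no ram:ServiceName condition, any service-linked role could be created")
        problems.extend(f"statement {i}: unexpected ram:ServiceName {n!r}" for n in names if n not in AMQP_SERVICES)
    return problems


if __name__ == "__main__":
    for name, policy, svc in (("AliyunServiceRoleForAmqpMonitoring", MONITORING_POLICY, AMQP_SERVICES[1]),
                              ("AliyunServiceRoleForAmqpLogDelivery", LOG_DELIVERY_POLICY, AMQP_SERVICES[0])):
        print(name, granted_actions(policy), "delete self-scoped:", delete_is_self_scoped(policy, svc))
    rendered = render_custom_policy("1234567890123456")  # constructed placeholder account ID
    print("custom policy problems:", lint_create_policy(rendered) or "none")
    print("unrendered template problems:", lint_create_policy(json.loads(CUSTOM_POLICY_TEMPLATE)))
```

Running the linter on the unrendered template reports the unreplaced ${accountid} as an unpinned Resource, which is the mistake the note in the FAQ is warning about; the same check would also catch a policy edited down to `"Resource": "*"`, which would let the RAM user create service-linked roles for any account the policy applies to.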