This topic describes the service linked role AliyunServiceRoleForXtrace for Tracing Analysis, and how to delete this role.

Background information

The service linked role for Tracing Analysis, AliyunServiceRoleForXtrace, is a RAM role that is defined by Tracing Analysis to access other Alibaba Cloud services in specific scenarios. For more information, see Service-linked roles.

Scenarios for using the AliyunServiceRoleForXtrace role

The service linked role AliyunServiceRoleForXtrace is automatically created. Tracing Analysis uses the AliyunServiceRoleForXtrace role to obtain the permissions to use the resources of the Container Service for Kubernetes (ACK), Log Service, Elastic Compute Service (ECS), and Virtual Private Cloud (VPC) services.

Permissions of the AliyunServiceRoleForXtrace role

The AliyunServiceRoleForXtrace role has the following permissions on relevant Alibaba Cloud services:

{
            "Action": [
                "cs:ScaleCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:CheckKritisInstall",
                "cs:GetKritisAttestationAuthority",
                "cs:GetKritisGenericAttestationPolicy",
                "cs:AttachInstances",
                "cs:InstallKritis",
                "cs:InstallKritisAttestationAuthority",
                "cs:InstallKritisGenericAttestationPolicy",
                "cs:UpdateClusterTags",
                "cs:UninstallKritis",
                "cs:DeleteKritisAttestationAuthority",
                "cs:DeleteKritisGenericAttestationPolicy",
                "cs:UpdateKritisAttestationAuthority",
                "cs:UpdateKritisGenericAttestationPolicy",
                "cs:UpgradeCluster",
                "cs:GetClusterLogs"
            ],
            "Resource": [
              "acs:cs:*:*:cluster/*"
            ],
            "Effect": "Allow"
        }
{
       "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:EnableService",
        "log:DescribeService",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
       }
]
{
       "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
         ],
      "Resource": "*",
      "Effect": "Allow"
    }
{
       "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeGlobalAccelerationInstances",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeNatGateways"
       ],
       "Resource": "*",
       "Effect": "Allow"
}
{
       "Action": [
        "slb:DescribeLoadBalancers",
        "slb:DescribeLoadBalancerAttribute",
        "slb:SetLoadbalancerListenerAttributeEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:DescribeLoadbalancerListenersEx",
        "slb:SetAccessLogsDownloadAttribute",
        "slb:DeleteAccessLogsDownloadAttribute",
        "slb:DescribeAccessLogsDownloadAttribute"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

Delete the AliyunServiceRoleForXtrace role

For security reasons, you may want to delete the service linked role AliyunServiceRoleForXtrace after you use the monitoring feature of Tracing Analysis. In this case, you must be aware that data within the current account cannot be stored or displayed after you delete the AliyunServiceRoleForXtrace role.

To delete the AliyunServiceRoleForXtrace role, perform the following steps:

Note If application data exists within the current account, you must delete all applications before you can delete the AliyunServiceRoleForXtrace role.
  1. Log on to the Resource Access Management (RAM) console. In the left-side navigation pane, click RAM Roles.
  2. On the RAM Roles page, enter AliyunServiceRoleForXtrace in the search box. The RAM role named AliyunServiceRoleForXtrace is returned in the search result.
  3. Click Delete in the Actions column.
  4. In the Delete RAM Role message, click OK.
    • If applications of Tracing Analysis exist within the current account, you must delete the applications before you can delete the AliyunServiceRoleForXtrace role. Otherwise, an error message appears.
    • If all applications within the current account are deleted, you can directly delete the AliyunServiceRoleForXtrace role.

FAQ

Why is my RAM user unable to automatically create the AliyunServiceRoleForXtrace role?

You must obtain the specified permission to automatically create or delete the AliyunServiceRoleForXtrace role. To authorize your RAM user to automatically create the AliyunServiceRoleForXtrace role, add the following permission policy for your RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "xtrace.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}