
Service-linked roles of NAS

Last Updated: May 11, 2023

To implement the features of an Apsara File Storage NAS file system, NAS automatically creates service-linked roles for the file system. This way, the file system can access other cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).

Scenarios

The service-linked roles of NAS are used in the following scenarios:

  • AliyunServiceRoleForNasStandard

    If you create a mount target in the classic network for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasStandard role to access ECS. This way, you can query the resource list and apply authentication logic.

  • AliyunServiceRoleForNasExtreme

    If you create a mount target for an Extreme NAS file system, you can use the AliyunServiceRoleForNasExtreme role to access VPC and ECS.

  • AliyunServiceRoleForNasEncryption

    If you create a file system encrypted by Key Management Service (KMS), you can use the AliyunServiceRoleForNasEncryption role to access KMS. This way, you can obtain the key that is managed by KMS and add tags to the key. This can prevent you from accidentally deleting the key that is used to access the file system.

  • AliyunServiceRoleForNasLogDelivery

    If you enable the log analysis feature for a NAS file system, you can use the AliyunServiceRoleForNasLogDelivery role to access Log Service. You can also create a project and a Logstore in Log Service, and dump log data from the NAS file system to the Logstore.

  • AliyunServiceRoleForNasBackup

    If you enable the file backup feature for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasBackup role to activate Hybrid Backup Recovery (HBR) and create a backup plan.

  • AliyunServiceRoleForNasEcsHandler

    If you mount a file system in the NAS console, you can use the AliyunServiceRoleForNasEcsHandler role to access Cloud Assistant. You can then use Cloud Assistant to run a Cloud Assistant command for one or more ECS instances. This way, you can mount or unmount the file system, and query the mount status of the ECS instances.

For more information about service-linked roles, see Service-linked roles.

Permissions

The service-linked roles of NAS are granted the following permissions:

AliyunServiceRoleForNasStandard

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasExtreme

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasEncryption

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Listkeys",
        "kms:Listaliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "acs:kms:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:*:*:*/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:nas:instance-encryption": "true"
        }
      }
    }
  ],
  "Version": "1"
}

AliyunServiceRoleForNasLogDelivery

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasBackup

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "hbr:OpenHbrService",
        "hbr:CreateTrialBackupPlan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "backup.nas.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nasbackup.hbr.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForNasEcsHandler

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecs-handler.nas.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/cmd-ACS-NAS-ClickMount-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Delete a service-linked role of NAS

If you no longer need to use a service-linked role of NAS, you can delete the service-linked role. For example, you can delete the AliyunServiceRoleForNasEncryption role if you no longer need to create a file system encrypted by KMS. Before you delete a service-linked role of NAS, you must delete the associated file systems. For more information, see Delete a file system and the "Delete a service-linked role" section in Service-linked roles.

FAQ

Why is a service-linked role of NAS not automatically created for my RAM user?

Before a RAM user can create or delete a service-linked role of NAS, you must grant the required permissions to the RAM user. Therefore, if a service-linked role of NAS is not automatically created for a RAM user, attach the following policy to the RAM user. Replace "ID of your Alibaba Cloud account" in the policy with your actual account ID. For more information, see Grant permissions to a RAM role.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "standard.nas.aliyuncs.com",
                        "extreme.nas.aliyuncs.com",
                        "encryption.nas.aliyuncs.com",
                        "logdelivery.nas.aliyuncs.com",
                        "ecs-handler.nas.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
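To check what the policies in the Permissions section and the FAQ policy above actually permit, the following added example (not code from the NAS documentation or from Alibaba Cloud) is a small evaluator for the RAM policy syntax they use: glob matching on Action and Resource plus the StringEquals and StringEqualsIgnoreCase conditions. It runs against a constructed excerpt of the AliyunServiceRoleForNasEncryption policy and a copy of the FAQ policy with a placeholder account ID; treating action and ARN matching as case-insensitive is an assumption.

```python
import fnmatch
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # RAM actions and ARNs use "*" / "?" globs; assumption: matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _condition_holds(condition, context):
    # Only the two operators that appear on this page are implemented.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise ValueError("unsupported operator: " + operator)
        fold = str.lower if operator == "StringEqualsIgnoreCase" else str
        for key, expected in pairs.items():
            actual = context.get(key)  # a missing context key never satisfies a condition
            if actual is None or fold(actual) not in map(fold, _as_list(expected)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; with no matching Allow the request is implicitly denied."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed excerpt of the AliyunServiceRoleForNasEncryption policy above.
NAS_ENCRYPTION_POLICY = json.loads("""{"Version": "1", "Statement": [
 {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:TagResource"], "Resource": "acs:kms:*:*:*"},
 {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "acs:kms:*:*:*/*",
  "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:nas:instance-encryption": "true"}}}]}""")

# Constructed copy of the FAQ policy with a placeholder account ID (123456789012).
RAM_USER_POLICY = json.loads("""{"Version": "1", "Statement": [
 {"Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"], "Resource": "acs:ram:*:123456789012:role/*",
  "Condition": {"StringEquals": {"ram:ServiceName": ["standard.nas.aliyuncs.com", "extreme.nas.aliyuncs.com",
   "encryption.nas.aliyuncs.com", "logdelivery.nas.aliyuncs.com", "ecs-handler.nas.aliyuncs.com"]}}}]}""")
```

Two properties a reviewer cares about fall out directly: the encryption role can call kms:Decrypt only on a key tagged acs:nas:instance-encryption=true (any letter case), and the FAQ policy lets the RAM user create service-linked roles only in the named account and only for the five listed service names, so backup.nas.aliyuncs.com from the Backup role's policy is not covered by it.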