To implement the features of an Apsara File Storage NAS file system, NAS automatically creates service-linked roles for the file system. This way, the file system can access other cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).

Scenarios

The service-linked roles of NAS are used in the following scenarios:
  • AliyunServiceRoleForNasStandard

    If you create a mount target in the classic network for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasStandard role to access ECS. This way, you can query the resource list and apply authentication logic.

  • AliyunServiceRoleForNasExtreme

    If you create a mount target for an Extreme NAS file system, you can use the AliyunServiceRoleForNasExtreme role to access VPC and ECS.

  • AliyunServiceRoleForNasEncryption

    If you create a file system encrypted by Key Management Service (KMS), you can use the AliyunServiceRoleForNasEncryption role to access KMS. This way, you can obtain the key that is managed by KMS and add tags to the key. The tags help prevent you from accidentally deleting the key, which is used to access the file system.

  • AliyunServiceRoleForNasLogDelivery

    If you enable the log analysis feature for a NAS file system, you can use the AliyunServiceRoleForNasLogDelivery role to access Log Service. You can also create a project and a Logstore in Log Service, and dump log data from the NAS file system to the Logstore.

  • AliyunServiceRoleForNasBackup

    If you want to enable the file backup feature for a General-purpose NAS file system, you can use the AliyunServiceRoleForNasBackup role to activate Hybrid Backup Recovery and create a backup plan.

  • AliyunServiceRoleForNasEcsHandler

    If you want to mount a file system in the NAS console, you can use the AliyunServiceRoleForNasEcsHandler role to access Cloud Assistant. You can then use Cloud Assistant to run a command on one or more ECS instances. This way, you can mount or unmount the file system, and query the mount status of the ECS instances.

For more information, see Service-linked roles.

Description

The service-linked roles of NAS are granted the following permissions. The policies are listed in the same order as the roles in the Scenarios section.

AliyunServiceRoleForNasStandard:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasExtreme:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasEncryption:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Listkeys",
        "kms:Listaliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "acs:kms:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:*:*:*/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:nas:instance-encryption": "true"
        }
      }
    }
  ],
  "Version": "1"
}

AliyunServiceRoleForNasLogDelivery:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasBackup:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "hbr:OpenHbrService",
        "hbr:CreateTrialBackupPlan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "backup.nas.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nasbackup.hbr.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForNasEcsHandler:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecs-handler.nas.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/cmd-ACS-NAS-ClickMount-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
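The KMS policy above is the least-privilege point worth checking: read-only and tagging actions are allowed on any key, but Encrypt, Decrypt and GenerateDataKey are gated on the key carrying the acs:nas:instance-encryption=true tag. The following Python evaluator is an added example, not code from the NAS documentation; it supports only what these policies use (Allow statements, wildcard resources, StringEquals and StringEqualsIgnoreCase), and the key ARN and tag values fed to it are constructed.

```python
import fnmatch
import json

# Constructed copy of the AliyunServiceRoleForNasEncryption policy shown on this page.
NAS_ENCRYPTION_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags",
              "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
   "Resource": "acs:kms:*:*:*"},
  {"Effect": "Allow",
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
   "Resource": "acs:kms:*:*:*/*",
   "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:nas:instance-encryption": "true"}}}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    """Evaluate StringEquals / StringEqualsIgnoreCase against request context keys.
    A missing context key or an unsupported operator fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            allowed = _as_list(expected)
            if operator == "StringEqualsIgnoreCase":
                actual, allowed = actual.lower(), [e.lower() for e in allowed]
            elif operator != "StringEquals":
                return False
            if actual not in allowed:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches the action and resource and its condition holds.
    Glob wildcards follow RAM's '*' semantics; action names are matched case-insensitively."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_met(stmt.get("Condition", {}), context):
            return True
    return False
```

Run it against a key ARN with and without the tag to confirm that only tagged keys can be used for data-key operations while DescribeKey works on any key.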
Delete a service-linked role of NAS

If you no longer want to use a service-linked role of NAS, you can delete the service-linked role. For example, you can delete the AliyunServiceRoleForNasEncryption role if you no longer need to create a file system encrypted by KMS. Before you delete a service-linked role of NAS, you must delete the associated file systems. For more information, see Delete a file system and Delete a service-linked role.

FAQ

Why is a service-linked role of NAS not automatically created for my RAM user?

Before a RAM user can create or delete a service-linked role of NAS, you must grant the required permissions to the RAM user. Therefore, if a RAM user cannot create a service-linked role of NAS, you must attach the following policy to the RAM user. For more information, see Grant permissions to a RAM role.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram::Alibaba Cloud account ID:root",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "standard.nas.aliyuncs.com",
                        "extreme.nas.aliyuncs.com",
                        "encryption.nas.aliyuncs.com",
                        "logdelivery.nas.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Note: You must replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.