ActionTrail:Manage the service-linked role

Last Updated:Mar 29, 2024

The service-linked role AliyunServiceRoleForActionTrail is a RAM role that ActionTrail assumes to access other Alibaba Cloud services. This topic describes the scenarios that the service-linked role is applicable to, the permissions of the role, and how to create and delete the role.

Scenarios

The AliyunServiceRoleForActionTrail role is applicable to the following scenarios:

  • Access Log Service

    If you specify a Log Service project to store event logs, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to create a Logstore in the specified project and write event logs to the Logstore.

  • Access Object Storage Service (OSS)

    If you specify an OSS bucket to store event logs, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to write event logs to the specified OSS bucket.

  • Access Message Service (MNS)

    If you specify an OSS bucket to store event logs and an MNS topic to receive notifications of event delivery, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to publish messages to the MNS topic.

  • Access Resource Directory

    If you create a multi-account trail to deliver the event logs of all members in a resource directory to the specified storage object, ActionTrail assumes the AliyunServiceRoleForActionTrail role to obtain the permissions to access the resource directory and retrieve the members in the resource directory.

For more information, see Service-linked roles.

Permissions

Role: AliyunServiceRoleForActionTrail

Policy: AliyunServiceRolePolicyForActionTrail

After the service-linked role is assigned to ActionTrail, ActionTrail is granted the permissions to access resources of other Alibaba Cloud services such as OSS, Log Service, MNS, and Resource Directory. The policy is defined by ActionTrail and cannot be edited. Note how the scope varies across statements: the OSS, KMS, MNS, Resource Directory, and CloudMonitor permissions apply to all resources ("Resource": "*"), the Log Service write permissions are limited to Logstores and saved searches whose names start with actiontrail_, innertrail_, or insights_, the ram:DeleteServiceLinkedRole permission is conditioned on ram:ServiceName being actiontrail.aliyuncs.com, and the MaxCompute (odps) permission is limited to projects whose names start with actiontrail_.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListObjects",
                "oss:PutObject",
                "oss:GetBucketInfo",
                "oss:GetBucketLifecycle",
                "oss:GetBucketLocation",
                "kms:ListKeys",
                "kms:Listalias",
                "kms:ListAliasesByKeyId",
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:GetProject",
                "log:ListJobs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:CreateLogstore",
                "log:GetLogstore",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:GetIndex",
                "log:GetLogStoreLogs"
            ],
            "Resource": [
                "acs:log:*:*:project/*/logstore/actiontrail_*",
                "acs:log:*:*:project/*/logstore/innertrail_*",
                "acs:log:*:*:project/*/logstore/insights_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateDashboard",
                "log:UpdateDashboard"
            ],
            "Resource": "acs:log:*:*:project/*/dashboard/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch"
            ],
            "Resource": [
                "acs:log:*:*:project/*/savedsearch/actiontrail_*",
                "acs:log:*:*:project/*/savedsearch/innertrail_*",
                "acs:log:*:*:project/*/savedsearch/insights_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "mns:PublishMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "resourcemanager:GetResourceDirectory",
                "resourcemanager:ListAccounts",
                "resourcemanager:GetResourceDirectoryAccount"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cms:DescribeMetricList",
                "cms:QueryMetricList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "actiontrail.aliyuncs.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "odps:updateUsersToAdmin",
            "Resource": "acs:odps:*:*:projects/actiontrail_*"
        }
    ]
}
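The following script is an added example, not part of ActionTrail or Alibaba Cloud's own tooling. It evaluates the policy above offline, serving both the Scenarios section (which resources ActionTrail may touch) and the Permissions section (how each statement is scoped): is_allowed answers whether a given action on a given resource is permitted, honouring the StringEquals condition on ram:ServiceName, and unscoped_actions lists the actions granted on "Resource": "*" without a condition. It embeds an abridged copy of the policy so it runs stand-alone; paste the full document into POLICY_JSON to evaluate every statement. The matching rules it uses (case-insensitive action names, case-sensitive resource names, shell-style wildcards, and StringEquals as the only condition operator) are assumptions made for the example, not a statement of RAM's evaluation semantics.

```python
"""Offline evaluator for a RAM policy document such as
AliyunServiceRolePolicyForActionTrail.

Added example, not Alibaba Cloud code.  Assumptions (not from the page):
actions match case-insensitively and resources case-sensitively, both with
shell-style wildcards; only the StringEquals condition operator is
implemented, and a statement using any other operator never matches.
"""
import fnmatch
import json

# Abridged copy of the policy shown on this page (OSS/KMS, Log Service,
# MNS and the conditional RAM statement).  Replace with the full document
# to evaluate every statement.
POLICY_JSON = r'''
{
    "Version": "1",
    "Statement": [
        {"Action": ["oss:ListObjects", "oss:PutObject", "oss:GetBucketInfo",
                    "kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore"],
         "Resource": ["acs:log:*:*:project/*/logstore/actiontrail_*",
                      "acs:log:*:*:project/*/logstore/innertrail_*",
                      "acs:log:*:*:project/*/logstore/insights_*"],
         "Effect": "Allow"},
        {"Action": ["mns:PublishMessage"], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "actiontrail.aliyuncs.com"}}}
    ]
}
'''


def _as_list(value):
    """RAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is implemented; any other operator fails closed."""
    context = context or {}
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in clauses.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers (action, resource) under context.
    A matching Deny overrides any Allow (this policy contains none)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_actions(policy):
    """Actions granted on Resource "*" with no Condition: the role's
    account-wide reach, which is what an auditor wants at a glance."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt["Resource"]):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    # Constructed resource names for illustration only.
    print("Account-wide actions:", unscoped_actions(POLICY))
    print("Write to actiontrail_ Logstore:", is_allowed(
        POLICY, "log:PostLogStoreLogs",
        "acs:log:cn-hangzhou:1234:project/audit/logstore/actiontrail_prod"))
    print("Write to unrelated Logstore:", is_allowed(
        POLICY, "log:PostLogStoreLogs",
        "acs:log:cn-hangzhou:1234:project/audit/logstore/app_logs"))
    print("Delete SLR without ram:ServiceName:", is_allowed(
        POLICY, "ram:DeleteServiceLinkedRole", "*"))
```

Running it shows the point the policy makes implicitly: the role can write to any Logstore named actiontrail_*, innertrail_*, or insights_* in any project, but not to other Logstores, while the OSS, KMS, and MNS grants carry no resource restriction at all.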

Create the AliyunServiceRoleForActionTrail role

If the AliyunServiceRoleForActionTrail role does not exist, ActionTrail automatically creates it the first time you perform one of the following operations:

  • Create a trail by calling the CreateTrail operation.

  • Create a trail in the ActionTrail console.

Delete the AliyunServiceRoleForActionTrail role

Before you delete the AliyunServiceRoleForActionTrail role, you must delete all trails in the ActionTrail console. For more information, see Delete a single-account trail and Delete a multi-account trail.

You can delete the AliyunServiceRoleForActionTrail role in the RAM console. For more information, see Delete a RAM role.