When you enable the log storage feature of Alibaba Cloud CDN, the system automatically creates the AliyunServiceRoleForCDNLogDelivery service-linked role. Alibaba Cloud CDN can assume this role to access resources in Object Storage Service (OSS) and Data Lake Analytics (DLA).

Background information

AliyunServiceRoleForCDNLogDelivery is a service-linked role. After you enable the log storage feature of Alibaba Cloud CDN, Alibaba Cloud CDN must assume this role to access resources in OSS and DLA and save log data to OSS and DLA. Make sure that the geographic location where the log data is stored complies with the regulations. For more information about service-linked roles, see Service-linked roles.

Create the AliyunServiceRoleForCDNLogDelivery service-linked role

The first time that you enable the log storage feature of Alibaba Cloud CDN, the system creates the AliyunServiceRoleForCDNLogDelivery service-linked role and attaches the AliyunServiceRolePolicyForCDNLogDelivery policy to the role. After the log storage feature is enabled, Alibaba Cloud CDN can assume this role to access OSS and DLA. This role allows Alibaba Cloud CDN to perform the following operations on OSS and DLA:
  • OSS: Create and query OSS buckets, write data to OSS buckets, query data in OSS buckets, and delete data from OSS buckets.
  • DLA: Enable, query, and disable DLA tasks.
Note: If the AliyunServiceRoleForCDNLogDelivery service-linked role has been created for Alibaba Cloud CDN, the system does not recreate the role.
The following code block shows the content of the policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "openanalytics:CreateInstance",
        "openanalytics:UpgradeInstance",
        "openanalytics:ReleaseInstance",
        "openanalytics:ExecuteSQL",
        "openanalytics:QueryExecute",
        "openanalytics:DescribeVirtualCluster",
        "openanalytics:ListSparkJob",
        "openanalytics:GetJobStatus",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobLog",
        "openanalytics:KillSparkJob",
        "openanalytics:SubmitSparkJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:PutBucket",
        "oss:GetBucketInfo"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*"
    },
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "acs:oss:*:*:alicdn-log-delivery-*/alicdn-offline-log/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "openanalytics.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.cdn.aliyuncs.com"
        }
      }
    }
  ]
}
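
The policy above can be reviewed statement by statement to see how each grant is scoped. The following Python sketch is an added example, not part of the original documentation or Alibaba Cloud tooling: it embeds the policy from this page in condensed form, classifies each Allow statement by its Resource and Condition, and checks whether a given action is granted. The names review and grants are assumptions made for this example.

```python
import fnmatch

# Policy from this page, condensed (same statements, same order).
DLA = ["CreateInstance", "UpgradeInstance", "ReleaseInstance", "ExecuteSQL",
       "QueryExecute", "DescribeVirtualCluster", "ListSparkJob", "GetJobStatus",
       "GetJobDetail", "GetJobLog", "KillSparkJob", "SubmitSparkJob"]
BUCKET = "acs:oss:*:*:alicdn-log-delivery-*"
POLICY = {"Version": "1", "Statement": [
    {"Action": ["openanalytics:" + a for a in DLA], "Resource": "*", "Effect": "Allow"},
    {"Action": ["oss:PutBucket", "oss:GetBucketInfo"], "Effect": "Allow", "Resource": BUCKET},
    {"Action": ["oss:GetObject", "oss:PutObject"], "Effect": "Allow",
     "Resource": BUCKET + "/alicdn-offline-log/*"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.cdn.aliyuncs.com"}}},
]}

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (allowed_actions, findings); findings are (index, label) pairs."""
    allowed, findings = set(), []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        allowed.update(as_list(st["Action"]))
        wildcard = "*" in as_list(st["Resource"])
        if wildcard and not st.get("Condition"):
            findings.append((i, "unconditioned wildcard resource"))
        elif wildcard:
            findings.append((i, "wildcard resource limited by condition"))
        else:
            findings.append((i, "resource-scoped"))
    return allowed, findings

def grants(allowed, action):
    """True if action matches an allowed entry ('*' in an entry is a wildcard)."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in allowed)

if __name__ == "__main__":
    allowed, findings = review(POLICY)
    for index, label in findings:
        print(f"statement {index}: {label}")
    for action in ("oss:PutObject", "oss:DeleteObject"):
        print(action, "granted" if grants(allowed, action) else "not granted")
```

Run against the policy shown on this page, the review labels the DLA statement as the only wildcard grant without a condition, and the OSS statements as scoped to the alicdn-log-delivery-* bucket name pattern.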

Delete the AliyunServiceRoleForCDNLogDelivery service-linked role

If you no longer use the log storage feature and you want to delete the AliyunServiceRoleForCDNLogDelivery service-linked role, perform the following steps:

  1. Disable log storage.
    1. Log on to the Alibaba Cloud CDN console.
    2. In the left-side navigation pane, choose Logs > Offline Logs.
    3. On the Offline Logs page, click the DLA for Log Storage and Analytics tab.
    4. Click Close Delivery Task.
    5. Click OK.
  2. Delete AliyunServiceRoleForCDNLogDelivery.
    1. Log on to the RAM console.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the Role Name column, find AliyunServiceRoleForCDNLogDelivery and click Delete in the Actions column.
      Note: If the service-linked role fails to be deleted, check whether log storage has been disabled.