AnalyticDB for PostgreSQL uses a service-linked role to access your resources in other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. The service creates and manages this role automatically, so you don't need to configure permissions manually or worry about unintended operations.
How it works
When you use AnalyticDB for PostgreSQL features that require access to other cloud services, the service automatically creates the AliyunServiceRoleForADBPG role in your account. When those features are no longer needed and you release all dependent instances, you can delete the role.
The policy attached to AliyunServiceRoleForADBPG is predefined by AnalyticDB for PostgreSQL. You cannot modify or delete the policy, and you cannot attach policies to or detach policies from this role.
For more information about service-linked roles, see Service-linked roles.
Permissions required for RAM users
RAM users cannot create or delete service-linked roles by default. To grant this access, assign the RAM user one of the following:
AliyunGPDBFullAccess — grants full access to AnalyticDB for PostgreSQL, including service-linked role management.
A custom policy with the specific actions listed below.
To create a custom policy, set the Action parameter to the actions you need:
| Operation | Action |
|---|---|
| Create a service-linked role | ram:CreateServiceLinkedRole |
| Delete a service-linked role | ram:DeleteServiceLinkedRole |
For the full policy syntax and resource scope, see the Permissions required to create and delete a service-linked role section of the Service-linked roles topic.
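The following added example (not part of the original documentation) audits a custom policy document for the two actions in the table and reports Allow statements that grant them, including through wildcards such as `ram:*`, without limiting them to one service. It assumes the `ram:ServiceName` condition key from general RAM policy syntax, which this page does not show; the service name is a placeholder and both sample policies are constructed.

```python
import json
from fnmatch import fnmatchcase

# The two actions from the table above.
SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")
# Placeholder: use the value shown in the role's Service field (Trust Policy Management tab).
EXPECTED_SERVICE = "SERVICE-NAME-PLACEHOLDER"

def _as_list(value):
    """RAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_slr_grants(policy_json, expected_service=EXPECTED_SERVICE):
    """Return (statement index, granted actions, problem) for each Allow
    statement that grants a service-linked role action without limiting it
    to expected_service through a ram:ServiceName condition (assumed key)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns may contain wildcards; compare case-insensitively.
        patterns = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        granted = [a for a in SLR_ACTIONS
                   if any(fnmatchcase(a.lower(), p) for p in patterns)]
        if not granted:
            continue
        cond = (stmt.get("Condition") or {}).get("StringEquals", {})
        services = _as_list(cond.get("ram:ServiceName"))
        if not services:
            findings.append((i, granted, "not limited to any service"))
        elif any(s != expected_service for s in services):
            findings.append((i, granted, "also allows other services"))
    return findings

# Constructed sample policies (not taken from the page).
BROAD = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": list(SLR_ACTIONS), "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": EXPECTED_SERVICE}}}]})

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_slr_grants(doc) or "ok")
```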
View the service-linked role
After the role is created, find it in the RAM console:
Log in to the RAM console.
In the left navigation pane, click Roles.
Search for AliyunServiceRoleForADBPG and click the role name.
The role details page shows:
Basic information — role name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policy — on the Permissions tab, click a policy name to view its content and the cloud resources the role can access.
Trust policy — on the Trust Policy Management tab, view the trusted entities of the role. Check the Service field to confirm that AnalyticDB for PostgreSQL is the trusted entity.
For detailed steps, see View the information about a RAM role.
Delete the service-linked role
Before deleting AliyunServiceRoleForADBPG, release all AnalyticDB for PostgreSQL instances that depend on the role. Once the instances are released, delete the role from the RAM console.
To release instances, see Release an instance.
To delete the role, see the Delete a service-linked role section of the Service-linked roles topic.