This topic describes the permission policy and application scenarios of AliyunServiceRoleForOceanbaseMigrationAssessment, a role linked to the migration assessment service of ApsaraDB for OceanBase, as well as how to delete the role.
Background information
In some scenarios, the migration assessment service needs permission to access other cloud services under your Alibaba Cloud account to implement its features. AliyunServiceRoleForOceanbaseMigrationAssessment is a Resource Access Management (RAM) role provided by Alibaba Cloud for such scenarios. For more information, see Service-linked roles.
Role name: AliyunServiceRoleForOceanbaseMigrationAssessment
Role permission policy: AliyunServicePolicyForOceanbaseMigrationAssessment
The permissions are described as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointZones",
        "privatelink:CreateVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:ListFullNatEntries",
        "vpc:CreateFullNatEntry",
        "vpc:DeleteFullNatEntry"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "migration-assessment.oceanbase.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
Application scenarios
The migration assessment service must create security groups and endpoints under your Alibaba Cloud account to establish a network channel between your virtual private cloud (VPC) and the VPC where the migration assessment service resides. After the assessment is complete, the migration assessment service will delete the security groups and endpoints created under your Alibaba Cloud account.
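To review what this role can change in your account, the following added example (not Alibaba Cloud's code) parses the policy shown above, separates read-only from mutating actions, and flags statements that allow writes on every resource with no condition. The function name audit and the list of read-only verb prefixes are assumptions made for the example.

```python
import json

# Policy text copied from this page (AliyunServicePolicyForOceanbaseMigrationAssessment).
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": [
   "ecs:CreateSecurityGroup", "ecs:DescribeSecurityGroups", "ecs:DeleteSecurityGroup",
   "ecs:AuthorizeSecurityGroup", "ecs:DescribeSecurityGroupAttribute"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
   "privatelink:ListVpcEndpoints", "privatelink:ListVpcEndpointZones",
   "privatelink:CreateVpcEndpoint", "privatelink:RemoveZoneFromVpcEndpoint",
   "privatelink:GetVpcEndpointAttribute", "privatelink:DeleteVpcEndpoint"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
   "vpc:ListFullNatEntries", "vpc:CreateFullNatEntry", "vpc:DeleteFullNatEntry"]},
 {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
  "Condition": {"StringEquals": {"ram:ServiceName": "migration-assessment.oceanbase.aliyuncs.com"}}},
 {"Effect": "Allow", "Resource": "*", "Action": "ram:CreateServiceLinkedRole",
  "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}}
]}
""")

# Assumption: verbs with these prefixes only read state; anything else is treated as mutating.
READ_PREFIXES = ("Describe", "List", "Get")

def audit(policy):
    """Return one finding per Allow statement: mutating actions and how they are scoped."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):      # Action may be a single string or a list
            actions = [actions]
        mutating = sorted(a for a in actions
                          if not a.split(":", 1)[1].startswith(READ_PREFIXES))
        findings.append({
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "mutating": mutating,
            "conditioned": "Condition" in stmt,
            # Flag: can change resources, on every resource, with no condition attached.
            "unscoped_write": bool(mutating) and stmt.get("Resource") == "*"
                              and "Condition" not in stmt,
        })
    return findings

if __name__ == "__main__":
    for f in audit(POLICY):
        print(f)
```

The three network statements (ecs, privatelink, vpc) come back with unscoped_write set, while the two ram statements are limited by their ram:ServiceName condition.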
Delete AliyunServiceRoleForOceanbaseMigrationAssessment
Stop the running compatibility assessment tasks. For more information, see Stop an assessment task.
Log on to the RAM console as the RAM administrator.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, search for AliyunServiceRoleForOceanbaseMigrationAssessment and then click Delete Role in the Actions column.
In the Delete Role dialog box, enter the role name and click Delete Role.
Note: If the RAM role is granted a permission policy, the grant is revoked when the role is deleted.
If the role deletion fails, you can click Role Deletion in the upper-right corner of the Roles page to view details.