To use the log management feature of ApsaraDB for Redis, you must assign the AliyunServiceRoleForKvstore role to the ApsaraDB for Redis instance. Then, ApsaraDB for Redis can access Log Service (SLS) resources under your current Alibaba Cloud account.
Background
A service linked role is a Resource Access Management (RAM) role that is associated with a specific cloud service. In most cases, the cloud service automatically creates or deletes a service linked role as needed. You do not need to manually create or delete the service linked role. The service linked role simplifies the process of authorizing a service to access other services and avoids the risks that may be caused by user errors. For more information, see Service-linked roles.
Scenarios
In this topic, the log management feature of ApsaraDB for Redis requires the resources of Log Service. To use the log management feature of ApsaraDB for Redis, you must assign the AliyunServiceRoleForKvstore role to the ApsaraDB for Redis instance.
Introduction to the AliyunServiceRoleForKvstore role
- Role name: AliyunServiceRoleForKvstore.
- Policy name of the role: AliyunServiceRolePolicyForKvstore.
- Description: ApsaraDB for Redis can use this role to access resources of Log Service and delete service linked roles. The following sample code shows the details of the policy:
Note: For more information about the policy syntax, see Policy structure and syntax.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "acs:log:*:*:project/nosql-*",
            "Action": [
                "log:GetLogstoreLogs",
                "log:ListLogStores",
                "log:GetLogStore",
                "log:GetIndex",
                "log:GetLogstoreHistogram",
                "log:GetConfig",
                "log:ListConfig",
                "log:GetDashboard",
                "log:ListDashboard"
            ]
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "r-kvstore.aliyuncs.com"
                }
            }
        }
    ]
}
Permissions required for a RAM user to create a service linked role
The permission to create a service linked role is included in the administrative permission policy of the linked service (for example, AliyunESSFullAccess of ECS). Therefore, after you grant the administrator permissions of a cloud service to a RAM user, the RAM user is allowed to create the service linked role for the cloud service.
If the RAM user does not have the required permissions, you must grant the following permission to the RAM user before you authorize the service linked role. For more information about how to grant permissions, see Create a custom policy and Grant permissions to a RAM user.
{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "r-kvstore.aliyuncs.com"
        }
    }
}
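As an added example (not code from the Alibaba Cloud documentation), the following Python evaluator replays the two policies on this page against sample requests. It shows that the Resource pattern confines the role to Log Service projects named nosql-*, and that the StringEquals condition limits role creation and deletion to the r-kvstore.aliyuncs.com service. The evaluator is a simplification written for this page: it handles only Allow statements, "*" wildcards and the StringEquals operator, not the full RAM evaluation semantics.

```python
import fnmatch

# Policy attached to AliyunServiceRoleForKvstore, as shown on this page.
KVSTORE_SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "acs:log:*:*:project/nosql-*",
         "Action": ["log:GetLogstoreLogs", "log:ListLogStores", "log:GetLogStore",
                    "log:GetIndex", "log:GetLogstoreHistogram", "log:GetConfig",
                    "log:ListConfig", "log:GetDashboard", "log:ListDashboard"]},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}}},
    ],
}

# Permission a RAM user needs in order to create the role, as shown on this page.
CREATE_SLR_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
                   "Condition": {"StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource elements use "*" as a wildcard; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    # Simplified: only the StringEquals operator used by the policies on this page.
    # A key absent from the request context (e.g. no ram:ServiceName) never satisfies it.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers action+resource and its condition holds (no Deny handling)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if _condition_met(stmt.get("Condition", {}), context):
            return True
    return False
```

Running it against a project outside the nosql-* prefix, a write action such as deleting a logstore, or a ram:ServiceName other than r-kvstore.aliyuncs.com returns False, which is the least-privilege boundary these policies enforce.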
Delete a service linked role
To delete the AliyunServiceRoleForKvstore service linked role, you must first release the ApsaraDB for Redis instance that is associated with the role. For more information, see Release instances and Delete the service-linked role AliyunServiceRoleForDAS.