ApsaraMQ for Kafka uses service-linked roles to access other Alibaba Cloud services, such as Elastic Compute Service (ECS), Function Compute, and Key Management Service (KMS). A service-linked role is a Resource Access Management (RAM) role that the system creates automatically the first time you use the associated feature. No manual setup is required.
For more information about how service-linked roles work, see Service-linked roles.
Roles
ApsaraMQ for Kafka uses four service-linked roles:
| Role | Purpose | Auto-created when you... |
|---|---|---|
| AliyunServiceRoleForAlikafka | Manage ECS network interfaces and security groups, and query VPC resources for Kafka instances. | Activate ApsaraMQ for Kafka in the console for the first time. |
| AliyunServiceRoleForAlikafkaConnector | Access downstream services -- Function Compute, OSS, Elasticsearch, DataWorks, EventBridge, Tablestore, ApsaraDB RDS, AnalyticDB for PostgreSQL, and AnalyticDB for MySQL -- for the connector feature. | Create a connector in the console for the first time. |
| AliyunServiceRoleForAlikafkaInstanceEncryption | Access KMS to encrypt Kafka instance disks. Currently available only through API. | Deploy an instance with disk encryption by calling the StartInstance operation for the first time. |
| AliyunServiceRoleForAlikafkaETL | Access Function Compute to run ETL tasks for data analysis. | Enable ETL in the console for the first time. See Manage ETL tasks. |
Permissions
Each role has a system-managed policy that grants only the permissions its feature requires. The following sections summarize each policy.
AliyunServiceRoleForAlikafka
Manages ECS network interfaces and security groups, and queries VPC resources to set up network connectivity for Kafka instances.
Permitted actions:
ECS -- Create, describe, and delete network interfaces, network interface permissions, and security groups. Authorize and revoke security group rules.
VPC -- Describe vSwitches and VPCs.
RAM -- Delete the service-linked role itself (scoped to alikafka.aliyuncs.com).
AliyunServiceRoleForAlikafkaConnector
Interacts with the downstream services that connectors support, including Function Compute, databases, object storage, and event streaming.
Permitted actions:
Function Compute -- Invoke, create, delete, and list functions, services, service versions, aliases, and layers.
ApsaraDB RDS -- Describe databases.
OSS -- List buckets and get bucket ACLs.
Elasticsearch -- Describe and list instances.
DataWorks -- Create and query real-time processes.
EventBridge -- Create, update, get, delete, list, start, pause, and list metrics for event streamings.
Tablestore -- Full table and row operations, including search indexes and service management.
AnalyticDB for PostgreSQL -- Describe instances and instance attributes.
AnalyticDB for MySQL -- Describe clusters, schemas, and tables.
RAM -- Delete the service-linked role itself (scoped to connector.alikafka.aliyuncs.com).
AliyunServiceRoleForAlikafkaInstanceEncryption
Manages KMS keys for disk encryption. Encrypt, decrypt, and generate-data-key operations are restricted to keys tagged with acs:alikafka:instance-encryption=true.
Permitted actions:
KMS -- List keys, list aliases, list resource tags, describe keys, tag and untag resources.
KMS (conditional) -- Encrypt, decrypt, and generate data keys only when the key is tagged with acs:alikafka:instance-encryption=true.
RAM -- Delete the service-linked role itself (scoped to instanceencryption.alikafka.aliyuncs.com).
AliyunServiceRoleForAlikafkaETL
Manages Function Compute resources for ETL task execution and passes the default Function Compute role.
Permitted actions:
Function Compute -- Invoke, create, delete, and list functions, services, service versions, and aliases.
RAM -- Delete the service-linked role itself (scoped to etl.alikafka.aliyuncs.com).
RAM -- Pass the aliyunfcdefaultrole role to Function Compute.
Deletion
Deleting a service-linked role removes the permissions that ApsaraMQ for Kafka relies on for the associated feature. That feature stops working until you recreate the role. Exercise caution when you delete a service-linked role.
To recreate a deleted role, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.
FAQ
A service-linked role is not created for my RAM user
If the role already exists under your Alibaba Cloud account, your RAM user inherits it automatically. If inheritance fails, create a custom policy that grants ram:CreateServiceLinkedRole for the relevant service and attach it to your RAM user.
Replace <service-name> with the value for the role you need:
| Role | Service name value |
|---|---|
| AliyunServiceRoleForAlikafka | alikafka.aliyuncs.com |
| AliyunServiceRoleForAlikafkaConnector | connector.alikafka.aliyuncs.com |
| AliyunServiceRoleForAlikafkaInstanceEncryption | instanceencryption.alikafka.aliyuncs.com |
| AliyunServiceRoleForAlikafkaETL | etl.alikafka.aliyuncs.com |
Policy template:
```json
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "<service-name>"
        }
      }
    }
  ],
  "Version": "1"
}
```
To apply this policy:
Log on to the RAM console.
Create a custom policy with the JSON above.
Attach the policy to your RAM user.
If the role is still not created after you attach the policy, attach the AliyunKafkaFullAccess system policy to your RAM user. For more information, see Grant permissions to the RAM user.
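The template above is easy to copy by hand without its Condition block, which turns a grant scoped to one service name into a grant for any service-linked role. The following script is an added example (not Alibaba Cloud's code and not part of this page's original content): it fills the template from the service-name table and then audits an arbitrary policy document, reporting whether it grants ram:CreateServiceLinkedRole only for the service the RAM user needs, for extra services, or not at all. The unconditional sample policy is constructed for illustration; Deny statements are not modelled.

```python
"""Build and audit the ram:CreateServiceLinkedRole policy described above."""
from typing import Optional

# Service names from the table in the FAQ, keyed by service-linked role name.
SERVICE_NAMES = {
    "AliyunServiceRoleForAlikafka": "alikafka.aliyuncs.com",
    "AliyunServiceRoleForAlikafkaConnector": "connector.alikafka.aliyuncs.com",
    "AliyunServiceRoleForAlikafkaInstanceEncryption": "instanceencryption.alikafka.aliyuncs.com",
    "AliyunServiceRoleForAlikafkaETL": "etl.alikafka.aliyuncs.com",
}

SLR_ACTION = "ram:CreateServiceLinkedRole"


def build_slr_policy(role_name: str) -> dict:
    """Fill the page's policy template with the service name for role_name."""
    return {
        "Statement": [
            {
                "Action": [SLR_ACTION],
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {"ram:ServiceName": SERVICE_NAMES[role_name]}
                },
            }
        ],
        "Version": "1",
    }


def _as_list(value) -> list:
    # RAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _grants_slr_action(actions: list) -> bool:
    # A statement covers CreateServiceLinkedRole if it names the action
    # explicitly or uses a wildcard that matches it.
    return any(a in (SLR_ACTION, "ram:*", "*") for a in actions)


def slr_services_allowed(policy: dict) -> Optional[set]:
    """Return the set of service names for which the policy allows
    ram:CreateServiceLinkedRole, or None when some Allow statement grants it
    with no ram:ServiceName condition (i.e. for any service).
    Deny statements are not modelled; this is an audit helper, not a full
    RAM policy evaluator."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_slr_action(_as_list(stmt.get("Action", []))):
            continue
        services = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if services is None:
            return None  # unconditional grant: over-broad
        allowed.update(_as_list(services))
    return allowed


def audit_policy(policy: dict, role_name: str) -> str:
    """Classify a policy relative to the role the RAM user actually needs:
    'ok'         - grants the action only for that role's service name
    'over-broad' - grants it for any service, or for additional services
    'missing'    - does not grant it for the required service"""
    needed = SERVICE_NAMES[role_name]
    allowed = slr_services_allowed(policy)
    if allowed is None:
        return "over-broad"
    if needed not in allowed:
        return "missing"
    return "ok" if allowed == {needed} else "over-broad"


# Constructed sample: the template with its Condition block dropped, which is
# how the per-service scoping is usually lost when the JSON is copied by hand.
UNCONDITIONAL_POLICY = {
    "Statement": [
        {"Action": SLR_ACTION, "Resource": "*", "Effect": "Allow"}
    ],
    "Version": "1",
}


if __name__ == "__main__":
    import json

    for role in SERVICE_NAMES:
        print(role, "->", audit_policy(build_slr_policy(role), role))
    print(json.dumps(build_slr_policy("AliyunServiceRoleForAlikafka"), indent=2))
    print("unconditional ->", audit_policy(UNCONDITIONAL_POLICY, "AliyunServiceRoleForAlikafka"))
```

Paste the output of build_slr_policy into the custom policy in the RAM console, and run audit_policy over any existing custom policy before attaching it to check that the ram:ServiceName condition is still present and names only the service you need.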