Backup and Disaster Recovery Center (BDRC) uses service-linked roles to access other cloud services. You can delete these roles when they are no longer needed.
Background information
A service-linked role for BDRC is a RAM role that allows BDRC to access other cloud services. For more information, see Service-linked roles.
When BDRC needs to access other cloud services, it uses an automatically created service-linked role to obtain the required permissions.
-
AliyunServiceRoleForBDRC
BDRC assumes this role to access ECS, OSS, NAS, Tablestore, and Cloud Backup.
-
AliyunServiceRoleForBdrcRd
When you enable cross-account unified management and add member accounts, BDRC automatically creates AliyunServiceRoleForBdrcRd in each member account. This role allows BDRC to access ECS, OSS, NAS, Tablestore, Cloud Backup, and Resource Center resources within those accounts.
Permissions
The following are the permissions granted to each service-linked role.
AliyunServiceRoleForBDRC
BDRC requires access to ECS, OSS, NAS, Tablestore, and Cloud Backup to perform data disaster recovery operations.
-
Associated system policy: AliyunServiceRolePolicyForBDRC
-
Policy document:
{ "Version": "1", "Statement": [ { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "bdrc.aliyuncs.com" } } }, { "Effect": "Allow", "Action": [ "ecs:DescribeRegions", "ecs:DescribeInstances", "ecs:DescribeDisks", "ecs:DescribeAutoSnapshotPolicyEx", "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketVersioning", "oss:getBucketReplication", "nas:DescribeRegions", "nas:DescribeFileSystems", "nas:GetRecycleBinAttribute", "ots:DescribeRegions", "ots:ListInstance", "hbr:DescribeRegions", "hbr:DescribeUserBusinessStatus", "hbr:DescribeBackupPlans", "hbr:DescribeUniBackupInstances", "hbr:DescribeUniBackupPlans", "hbr:DescribeVaults" ], "Resource": "*" } ] }
AliyunServiceRoleForBdrcRd
When you enable cross-account unified management and add member accounts, BDRC creates this role in each member account to access ECS, OSS, NAS, Tablestore, Cloud Backup, and Resource Center resources for unified data protection across accounts.
-
Associated system policy: AliyunServiceRolePolicyForBdrcRd
-
Policy document:
{ "Version": "1", "Statement": [ { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "rd.bdrc.aliyuncs.com" } } }, { "Effect": "Allow", "Action": [ "ecs:DescribeRegions", "ecs:DescribeInstances", "ecs:DescribeDisks", "ecs:DescribeAutoSnapshotPolicyEx", "ecs:ApplyAutoSnapshotPolicy", "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketVersioning", "oss:PutBucketVersioning", "oss:GetBucketReplication", "oss:GetBucketTagging", "nas:DescribeRegions", "nas:DescribeFileSystems", "nas:GetRecycleBinAttribute", "nas:EnableRecycleBin", "nas:UpdateRecycleBinAttribute", "ots:DescribeRegions", "ots:ListInstance", "ots:GetInstance", "hbr:DescribeRegions", "hbr:DescribeUserBusinessStatus", "hbr:DescribeBackupPlans", "hbr:DescribeUniBackupInstances", "hbr:DescribeUniBackupPlans", "hbr:DescribeVaults", "hbr:DescribePoliciesV2", "hbr:DescribePolicyBindings", "hbr:CreatePolicyBindings", "resourcecenter:GetResourceCenterServiceStatus", "resourcecenter:SearchResources", "resourcecenter:GetResourceConfiguration" ], "Resource": "*" } ] }
Delete the AliyunServiceRoleForBDRC role
If you no longer use BDRC, delete its service-linked roles for security.
Before you delete the AliyunServiceRoleForBDRC role, make sure that no BDRC resources exist within your account.
-
Log on to the RAM console.
-
In the left-side navigation pane, go to .
-
Search for the name of the role you want to delete, such as AliyunServiceRoleForBDRC.
-
In the Actions column, click Delete Role and follow the prompts.