All Products
Search
Document Center

Backup and Disaster Recovery Center:Service-linked roles for BDRC

Last Updated:Jun 23, 2026

Backup and Disaster Recovery Center (BDRC) uses service-linked roles to access other cloud services. You can delete these roles when they are no longer needed.

Background information

A service-linked role for BDRC is a RAM role that allows BDRC to access other cloud services. For more information, see Service-linked roles.

When BDRC needs to access other cloud services, it uses an automatically created service-linked role to obtain the required permissions.

  • AliyunServiceRoleForBDRC

    BDRC assumes this role to access ECS, OSS, NAS, Tablestore, and Cloud Backup.

  • AliyunServiceRoleForBdrcRd

    When you enable cross-account unified management and add member accounts, BDRC automatically creates AliyunServiceRoleForBdrcRd in each member account. This role allows BDRC to access ECS, OSS, NAS, Tablestore, Cloud Backup, and Resource Center resources within those accounts.

Permissions

The following are the permissions granted to each service-linked role.

AliyunServiceRoleForBDRC

BDRC requires access to ECS, OSS, NAS, Tablestore, and Cloud Backup to perform data disaster recovery operations.

  • Associated system policy: AliyunServiceRolePolicyForBDRC

  • Policy document:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "bdrc.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeRegions",
            "ecs:DescribeInstances",
            "ecs:DescribeDisks",
            "ecs:DescribeAutoSnapshotPolicyEx",
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketVersioning",
            "oss:getBucketReplication",
            "nas:DescribeRegions",
            "nas:DescribeFileSystems",
            "nas:GetRecycleBinAttribute",
            "ots:DescribeRegions",
            "ots:ListInstance",
            "hbr:DescribeRegions",
            "hbr:DescribeUserBusinessStatus",
            "hbr:DescribeBackupPlans",
            "hbr:DescribeUniBackupInstances",
            "hbr:DescribeUniBackupPlans",
            "hbr:DescribeVaults"
          ],
          "Resource": "*"
        }
      ]
    }

AliyunServiceRoleForBdrcRd

When you enable cross-account unified management and add member accounts, BDRC creates this role in each member account to access ECS, OSS, NAS, Tablestore, Cloud Backup, and Resource Center resources for unified data protection across accounts.

  • Associated system policy: AliyunServiceRolePolicyForBdrcRd

  • Policy document:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "rd.bdrc.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeRegions",
            "ecs:DescribeInstances",
            "ecs:DescribeDisks",
            "ecs:DescribeAutoSnapshotPolicyEx",
            "ecs:ApplyAutoSnapshotPolicy",
            "oss:ListBuckets",
            "oss:GetBucketStat",
            "oss:GetBucketInfo",
            "oss:GetBucketVersioning",
            "oss:PutBucketVersioning",
            "oss:GetBucketReplication",
            "oss:GetBucketTagging",
            "nas:DescribeRegions",
            "nas:DescribeFileSystems",
            "nas:GetRecycleBinAttribute",
            "nas:EnableRecycleBin",
            "nas:UpdateRecycleBinAttribute",
            "ots:DescribeRegions",
            "ots:ListInstance",
            "ots:GetInstance",
            "hbr:DescribeRegions",
            "hbr:DescribeUserBusinessStatus",
            "hbr:DescribeBackupPlans",
            "hbr:DescribeUniBackupInstances",
            "hbr:DescribeUniBackupPlans",
            "hbr:DescribeVaults",
            "hbr:DescribePoliciesV2",
            "hbr:DescribePolicyBindings",
            "hbr:CreatePolicyBindings",
            "resourcecenter:GetResourceCenterServiceStatus",
            "resourcecenter:SearchResources",
            "resourcecenter:GetResourceConfiguration"
          ],
          "Resource": "*"
        }
      ]
    }

Delete the AliyunServiceRoleForBDRC role

If you no longer use BDRC, delete its service-linked roles for security.

Important

Before you delete the AliyunServiceRoleForBDRC role, make sure that no BDRC resources exist within your account.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, go to Identities > Roles.

  3. Search for the name of the role you want to delete, such as AliyunServiceRoleForBDRC.

  4. In the Actions column, click Delete Role and follow the prompts.