Cloud Backup: Service-linked roles

Last Updated: Dec 01, 2025

To access an Alibaba Cloud service such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), and File Storage NAS (NAS), Cloud Backup must assume the corresponding service-linked role. Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.

Background information

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Cloud Backup assumes service-linked roles to obtain the permissions to access other cloud services or cloud resources.

In most cases, the system automatically creates a service-linked role when you perform an operation. If a service-linked role fails to be automatically created or Cloud Backup does not support automatic creation, you must manually create the service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System policies for Cloud Backup.

Use cases

Cloud Backup automatically creates a service-linked role for you in the following use cases:

Important

Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source.

  • AliyunServiceRoleForHbrEcsBackup

    When you use the ECS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsBackup. This role grants the necessary permissions to access ECS and VPC resources.

  • AliyunServiceRoleForHbrOssBackup

    When you use the OSS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOssBackup. This role grants the necessary permissions to access OSS resources.

  • AliyunServiceRoleForHbrNasBackup

    When you use the NAS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrNasBackup. This role grants the necessary permissions to access NAS resources.

  • AliyunServiceRoleForHbrCsgBackup

    When you use the Cloud Storage Gateway (CSG) backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCsgBackup. This role grants the necessary permissions to access CSG resources.

  • AliyunServiceRoleForHbrVaultEncryption

    When you use a Key Management Service (KMS) key to encrypt a backup vault, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrVaultEncryption. This role grants the necessary permissions to access KMS resources.

  • AliyunServiceRoleForHbrOtsBackup

    When you use the Tablestore backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOtsBackup. This role grants the necessary permissions to access Tablestore resources.

  • AliyunServiceRoleForHbrCrossAccountBackup

    When you use the cross-account backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCrossAccountBackup. This role grants the necessary permissions to access your resources in other Alibaba Cloud services.

  • AliyunServiceRoleForHbrEcsEncryption

    When you use the ECS instance backup feature and enable cross-region replication, you must specify a KMS key for encryption in the destination region. In this case, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsEncryption. This role grants the necessary permissions to access your resources in KMS.

  • AliyunServiceRoleForHbrMagpieBridge

    When you use the ECS File Backup and local file backup features, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrMagpieBridge. This role allows the backup client to communicate with and access the Cloud Backup service.

  • AliyunServiceRoleForHbrPdsBackup

    When you use the data synchronization feature to create a Drive and Photo Service (PDS) data source, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrPdsBackup. This role grants the necessary permissions to access PDS resources.

Permissions

This section describes the permissions that are granted to each service-linked role of Cloud Backup.

  • AliyunServiceRoleForHbrEcsBackup: the permissions to access ECS and VPC

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOssBackup: the permissions to access OSS

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrNasBackup: the permissions to access NAS

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrCsgBackup: the permissions to access CSG

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hcs-sgw:DescribeGateways"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrVaultEncryption: the permissions to enable KMS-based encryption for a backup vault

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOtsBackup: the permissions to access Tablestore

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }

  • AliyunServiceRoleForHbrCrossAccountBackup: the permissions to perform cross-account backup

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrEcsEncryption: the permissions to enable KMS-based encryption for cross-region replication

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrMagpieBridge: the permissions to access Cloud Backup using a client

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hbr:ClientSendMessage",
            "hbr:ClientReceiveMessage"
          ],
          "Resource": "acs:hbr:*:*:messageClient/*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "magpiebridge.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrPdsBackup: Permissions to access Drive and Photo Service

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "pdsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "pds:ListDomains",
            "pds:GetDomain",
            "pds:ListDrive",
            "pds:GetDrive",
            "pds:CreateFile",
            "pds:GetFile",
            "pds:ListFiles",
            "pds:DownloadFile"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
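The policies above are worth reading for blast radius rather than only for feature coverage: AliyunServiceRoleForHbrEcsBackup can run Cloud Assistant commands and create, stop, and delete instances and disks on `"Resource": "*"`, while its `ram:PassRole` grant is at least conditioned to `ecs.aliyuncs.com`. The following script, an added example that is not code from the Alibaba Cloud page or from Cloud Backup, turns that reading into a repeatable check. ECS_BACKUP_POLICY is a shortened excerpt of the AliyunServiceRoleForHbrEcsBackup policy shown above and VAULT_ENCRYPTION_POLICY is the AliyunServiceRoleForHbrVaultEncryption policy; both are wrapped in the Version/Statement envelope the later policies on this page use so they parse as complete documents. The READ_PREFIXES heuristic for "read-only" verbs is this example's assumption, not an Alibaba Cloud classification.

```python
"""Static review of Cloud Backup service-linked-role policies (added example)."""
import json

# Shortened excerpt of the AliyunServiceRoleForHbrEcsBackup policy shown on the page.
ECS_BACKUP_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:RunCommand", "ecs:InvokeCommand", "ecs:DescribeInstances",
                "vpc:DescribeVpcs"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
     "Resource": ["acs:ecs:*:*:instance/*",
                  "acs:ram:*:*:role/aliyunecsaccessinghbrrole"],
     "Effect": "Allow"},
    {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": ["ecs.aliyuncs.com"]}}},
    {"Action": ["ecs:CreateInstance", "ecs:DeleteInstance", "ecs:DeleteDisk",
                "ecs:DescribeDisks", "ecs:ReplaceSystemDisk"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# The AliyunServiceRoleForHbrVaultEncryption policy shown on the page.
VAULT_ENCRYPTION_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals":
                   {"ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"}}},
    {"Action": ["kms:Decrypt"], "Resource": "*", "Effect": "Allow"}
  ]
}
""")

# Heuristic (this example's assumption): verbs with these prefixes only read
# state and cannot change or destroy resources.
READ_PREFIXES = ("Describe", "Get", "List", "Head")


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_PREFIXES)


def wildcard_mutating_actions(policy):
    """Non-read actions allowed on Resource "*" with no Condition attached.

    Nothing in the policy limits which resources these reach, so they
    define the blast radius if the role is ever misused.
    """
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        found.update(a for a in _as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)


def unconditioned_pass_role(policy):
    """True if ram:PassRole is allowed without a Condition, i.e. the role
    could be handed to any service instead of only ecs.aliyuncs.com."""
    return any(
        stmt.get("Effect") == "Allow"
        and "ram:PassRole" in _as_list(stmt["Action"])
        and "Condition" not in stmt
        for stmt in policy["Statement"]
    )


def review(name, policy):
    """Summarise one policy as a dict for a report or a CI gate."""
    return {
        "role": name,
        "wildcard_mutating": wildcard_mutating_actions(policy),
        "unconditioned_pass_role": unconditioned_pass_role(policy),
    }


if __name__ == "__main__":
    for name, policy in [("AliyunServiceRoleForHbrEcsBackup", ECS_BACKUP_POLICY),
                         ("AliyunServiceRoleForHbrVaultEncryption", VAULT_ENCRYPTION_POLICY)]:
        print(json.dumps(review(name, policy), indent=2))
```

Run against the full policies copied from the RAM console, the report is what you would attach to a review of the Cloud Backup onboarding: the ECS role's mutating wildcard actions are the reason its deletion prerequisites below are the strictest, and the conditioned `ram:PassRole` is the control that keeps the role from being passed to services other than ECS.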

Required permissions for a RAM user to use a service-linked role

If you use a RAM user to create or delete a service-linked role, an administrator must attach the AliyunHBRFullAccess system policy to the RAM user, or add the following actions to the Action element of a custom policy that is attached to the RAM user:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to create and delete service-linked roles.
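Granting a RAM user bare `ram:CreateServiceLinkedRole` and `ram:DeleteServiceLinkedRole` lets it create or delete the service-linked role of any Alibaba Cloud service, not only those of Cloud Backup. The role policies above show the condition key RAM uses to scope these actions, `ram:ServiceName`. The following script, an added example and not code from the Alibaba Cloud page or from Cloud Backup, builds a custom policy restricted to Cloud Backup service names and contrasts it with the unscoped grant. HBR_SERVICE_NAMES lists only the service names that appear in the `ram:ServiceName` conditions on this page; the four roles whose policies above show no such condition are left out because their service names are not given here. The `evaluate()` function is a simplified model of StringEquals matching for illustration, not the RAM policy engine (it ignores Resource and explicit Deny).

```python
"""Scoped RAM-user policy for Cloud Backup service-linked roles (added example)."""
import json

# Service names copied from the ram:ServiceName conditions shown on this page.
HBR_SERVICE_NAMES = [
    "vaultencryption.hbr.aliyuncs.com",
    "otsbackup.hbr.aliyuncs.com",
    "crossbackup.hbr.aliyuncs.com",
    "ecsencryption.hbr.aliyuncs.com",
    "magpiebridge.hbr.aliyuncs.com",
    "pdsbackup.hbr.aliyuncs.com",
]

SLR_ACTIONS = ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"]

# The form the text describes: both actions with no condition, so the RAM
# user can manage the service-linked role of any service.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [{"Action": SLR_ACTIONS, "Resource": "*", "Effect": "Allow"}],
}


def scoped_slr_policy(service_names):
    """Allow the two actions only when the request's ram:ServiceName is one
    of the given Cloud Backup service names."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": SLR_ACTIONS,
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": list(service_names)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, context):
    """Simplified allow check: some Allow statement names the action and every
    StringEquals condition key matches a value in the request context.
    A condition key missing from the context does not match (default deny)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(allowed)
               for key, allowed in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    scoped = scoped_slr_policy(HBR_SERVICE_NAMES)
    print(json.dumps(scoped, indent=2))
    for svc in ("otsbackup.hbr.aliyuncs.com", "ecs.aliyuncs.com"):
        ctx = {"ram:ServiceName": svc}
        print(svc, "unscoped:", evaluate(UNSCOPED_POLICY, "ram:CreateServiceLinkedRole", ctx),
              "scoped:", evaluate(scoped, "ram:CreateServiceLinkedRole", ctx))
```

Paste the printed policy into a custom RAM policy and attach it to the RAM user instead of AliyunHBRFullAccess when the user only needs to provision Cloud Backup; when Cloud Backup adds a role whose service name is not in the list, the create call fails with an authorization error, which is the intended signal to extend the list deliberately.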

View a service-linked role

After a service-linked role is created, view the following information about the service-linked role on the Roles page of the RAM console.

  • Basic Information

    In the Basic Information section of the details page for the service-linked role, view the basic information of the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab of the details page for the service-linked role, click the policy name to view the policy content and the cloud resources that the role can access.

  • Trust Policy

    On the Trust Policy tab of the role details page, view the trust policy. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which you can view in the Service field of the trust policy.

For more information about how to view the information about a service-linked role, see View the information about a RAM role.

Delete a service-linked role

If you no longer use a Cloud Backup feature, delete its service-linked role so that Cloud Backup does not keep standing permissions to the corresponding resources. For example, if you no longer need the ECS backup feature, delete the AliyunServiceRoleForHbrEcsBackup role.

Important
  • After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

  • Before you delete a service-linked role, you must remove all backup resources that depend on it. Otherwise, the role cannot be deleted. The prerequisites for each role are as follows:

    • AliyunServiceRoleForHbrEcsBackup: All backup vaults must be deleted. Backups for all instances of ECS File Backup Essential Edition must be canceled, and all instances of ECS Backup Essential Edition must be unbound or removed.

    • AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrOtsBackup, AliyunServiceRoleForHbrCsgBackup, or AliyunServiceRoleForHbrCrossAccountBackup: No backup vaults exist in the current account.

    • AliyunServiceRoleForHbrEcsEncryption: No backup policies for ECS instance backup that enable cross-region replication with a KMS key remain in the current account (this is the use case for which the role is created, as described in the Use cases section).

    • AliyunServiceRoleForHbrVaultEncryption: No backup vaults are encrypted with a KMS key.

    • AliyunServiceRoleForHbrMagpieBridge: The ECS file backup client and the local file backup client must be uninstalled.

    • AliyunServiceRoleForHbrPdsBackup: No PDS data sources for data synchronization exist in the current account.

The following steps describe how to delete the AliyunServiceRoleForHbrEcsBackup role:

Note

The steps to delete other Cloud Backup service-linked roles are similar. You can replace the RAM role name with the name of the role that you want to delete.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.

  4. Click Delete Role in the Actions column.

  5. In the Delete Role dialog box, enter the role name and click Delete Role.

For more information, see Delete a RAM role.