Cloud Backup:Service-linked roles

Last Updated:Dec 31, 2025

Cloud Backup uses service-linked roles to access resources in other Alibaba Cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), and File Storage NAS. Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or associate a backup policy with a data source. You must manually create a service-linked role if it fails to be created automatically or if Cloud Backup does not support automatic creation.

Background information

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Cloud Backup assumes service-linked roles to obtain permissions to access resources in other cloud services.

In most cases, the system automatically creates a service-linked role when you perform an operation. You must manually create a service-linked role if it fails to be created automatically or if Cloud Backup does not support automatic creation.

Resource Access Management (RAM) provides a system policy for each service-linked role. You cannot modify the system policy. To view the system policy of a specific service-linked role, go to the details page of the role. For more information, see System policies for Cloud Backup.

Scenarios

Cloud Backup automatically creates a service-linked role in the following scenarios:

Important

Cloud Backup automatically creates a service-linked role when you enable a backup feature, create a backup plan, or attach a backup policy to a data source.

  • AliyunServiceRoleForHbrEcsBackup

    When you use the ECS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsBackup. This role grants the necessary permissions to access ECS and VPC resources.

  • AliyunServiceRoleForHbrOssBackup

    When you use the OSS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOssBackup. This role grants the necessary permissions to access OSS resources.

  • AliyunServiceRoleForHbrNasBackup

    When you use the NAS backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrNasBackup. This role grants the necessary permissions to access NAS resources.

  • AliyunServiceRoleForHbrCsgBackup

    When you use the Cloud Storage Gateway (CSG) backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrCsgBackup. This role grants the necessary permissions to access CSG resources.

  • AliyunServiceRoleForHbrVaultEncryption

    When you use a Key Management Service (KMS) key to encrypt a backup vault, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrVaultEncryption. This role grants the necessary permissions to access KMS resources.

  • AliyunServiceRoleForHbrOtsBackup

    When you use the Tablestore backup feature, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrOtsBackup. This role grants the necessary permissions to access Tablestore resources.

  • AliyunServiceRoleForHbrCrossAccountBackup

    When you configure cross-account backup based on RAM role assumption, Cloud Backup automatically creates the AliyunServiceRoleForHbrCrossAccountBackup service-linked role. This role grants the necessary permissions to access your resources in other Alibaba Cloud services.

  • AliyunServiceRoleForHbrRd

    When you configure cross-account backup based on a resource directory, Cloud Backup automatically creates the AliyunServiceRoleForHbrRd service-linked role in the account that you want to back up. This role grants the necessary permissions to access your resources in other Alibaba Cloud services.

  • AliyunServiceRoleForHbrEcsEncryption

    When you use the ECS instance backup feature and enable cross-region replication, you must specify a KMS key for encryption in the destination region. In this case, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrEcsEncryption. This role grants the necessary permissions to access your resources in KMS.

  • AliyunServiceRoleForHbrMagpieBridge

    When you use the ECS File Backup and local file backup features, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrMagpieBridge based on the communication method of the backup client. This role allows the backup client to access the Cloud Backup service.

  • AliyunServiceRoleForHbrPdsBackup

    When you use the data synchronization feature to create a Drive and Photo Service (PDS) data source, Cloud Backup automatically creates a service-linked role named AliyunServiceRoleForHbrPdsBackup. This role grants the necessary permissions to access PDS resources.

Permissions

This section describes the permissions that are granted to each Cloud Backup service-linked role.

  • AliyunServiceRoleForHbrEcsBackup: Permissions to access ECS and VPC

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOssBackup: Permissions to access OSS

    {
      "Action": [
        "oss:ListObjects",
        "oss:HeadBucket",
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:GetObject",
        "oss:AppendObject",
        "oss:GetObjectMeta",
        "oss:PutObjectACL",
        "oss:GetObjectACL",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • AliyunServiceRoleForHbrNasBackup: Permissions to access NAS

    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:CreateMountTargetSpecial",
        "nas:DeleteMountTargetSpecial",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:DescribeMountTargets",
        "nas:DescribeAccessGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • AliyunServiceRoleForHbrCsgBackup: Permissions to access CSG

    {
      "Action": [
        "hcs-sgw:DescribeGateways"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • AliyunServiceRoleForHbrVaultEncryption: Permissions to access KMS for backup vault encryption

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrOtsBackup: Permissions to access Tablestore

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }

  • AliyunServiceRoleForHbrCrossAccountBackup: Permissions for cross-account backup based on RAM role assumption

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrRd: Permissions for cross-account backup based on a resource directory

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "rd.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "hbr:ClientSendMessage",
            "hbr:ClientReceiveMessage"
          ],
          "Resource": "acs:hbr:*:*:messageClient/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations",
            "ecs:CreateSnapshotGroup",
            "ecs:DescribeSnapshotGroups",
            "ecs:DeleteSnapshotGroup",
            "ecs:CopySnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:UntagResources",
            "ecs:ModifySnapshotCategory",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:ModifySnapshotAttribute",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta",
            "ecs:TagResources",
            "ecs:GetSnapshotInfo",
            "ecs:GetSnapshotBlock",
            "ecs:ListSnapshotBlocks",
            "ecs:ListChangedBlocks"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "nas:DescribeFileSystems",
            "nas:CreateMountTargetSpecial",
            "nas:DeleteMountTargetSpecial",
            "nas:CreateMountTarget",
            "nas:DeleteMountTarget",
            "nas:DescribeMountTargets",
            "nas:DescribeAccessGroups",
            "nas:CreateAccessGroup",
            "nas:CreateAccessRule",
            "nas:DescribeSmbAcl",
            "nas:DescribeAccessRules"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetBucketTagging",
            "oss:GetBucketInventory",
            "oss:HeadBucket",
            "oss:GetBucket",
            "oss:GetBucketAcl",
            "oss:GetBucketLocation",
            "oss:GetBucketInfo",
            "oss:GetBucketStat",
            "oss:GetBucketVersioning",
            "oss:ListObjects"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "oss:PutObject",
            "oss:CopyObject",
            "oss:GetObject",
            "oss:AppendObject",
            "oss:GetObjectMeta",
            "oss:PutObjectACL",
            "oss:GetObjectACL",
            "oss:PutObjectTagging",
            "oss:GetObjectTagging",
            "oss:InitiateMultipartUpload",
            "oss:UploadPart",
            "oss:UploadPartCopy",
            "oss:CompleteMultipartUpload",
            "oss:AbortMultipartUpload",
            "oss:ListMultipartUploads",
            "oss:ListParts",
            "oss:DeleteObject"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "oss:BucketSysTag/acs:hbr:backup": "true"
            }
          }
        },
        {
          "Action": [
            "ots:ListInstance",
            "ots:GetInstance",
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream",
            "ots:CreateIndex",
            "ots:CreateSearchIndex",
            "ots:DescribeSearchIndex",
            "ots:ListSearchIndex"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "bssapi:QueryAvailableInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "cms:QueryMetricList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAlias"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "tag:ListResourcesByTag",
            "tag:ListTagResources",
            "tag:ListTagKeys",
            "tag:ListTagValues"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • AliyunServiceRoleForHbrEcsEncryption: Permissions to access KMS for cross-region replication of ECS instance backups

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ecsencryption.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrMagpieBridge: Permissions for Cloud Backup clients to access the Cloud Backup service

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "hbr:ClientSendMessage",
            "hbr:ClientReceiveMessage"
          ],
          "Resource": "acs:hbr:*:*:messageClient/*",
          "Effect": "Allow"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "magpiebridge.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }

  • AliyunServiceRoleForHbrPdsBackup: Permissions to access Drive and Photo Service

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "pdsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "pds:ListDomains",
            "pds:GetDomain",
            "pds:ListDrive",
            "pds:GetDrive",
            "pds:CreateFile",
            "pds:GetFile",
            "pds:ListFiles",
            "pds:DownloadFile"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
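
The system policies above cannot be edited, so the practical question for a defender is what each role can actually reach once it exists. The following is an added example, not Alibaba Cloud's own tooling: it audits a RAM policy document for Allow statements that combine a wildcard Resource with no Condition, and reports whether the high-impact actions (ram:PassRole, sts:AssumeRole, ram:DeleteServiceLinkedRole) are condition-scoped. It accepts the three shapes that appear on this page: a full document with Version and Statement, a bare statement object, or a list of statements. The sample policy inside it is constructed, modelled on the AliyunServiceRoleForHbrEcsBackup and AliyunServiceRoleForHbrCrossAccountBackup policies; the SENSITIVE_ACTIONS set is the author's own choice, not a RAM concept.

```python
"""Audit a RAM policy document for account-wide (Resource "*") grants.

Added example, not Alibaba Cloud code. Runs offline on a policy document
copied from a role's Permission Management tab; the sample below is
constructed and only mirrors the shape of the Cloud Backup policies.
"""
import json
from collections import defaultdict

# Author's choice: actions that let a role hand its permissions to another
# principal or remove its own binding, so an unconditioned grant matters most.
SENSITIVE_ACTIONS = {"ram:PassRole", "sts:AssumeRole", "ram:DeleteServiceLinkedRole"}


def _as_list(value):
    """RAM accepts a string, an object or a list for these fields; normalise."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def normalise_statements(doc):
    """Return the statement list for a full policy ({"Version", "Statement"}),
    a bare statement object, or a plain list of statements."""
    if isinstance(doc, list):
        return doc
    if "Statement" in doc:
        return _as_list(doc["Statement"])
    return [doc]


def audit_policy(doc):
    """Summarise services touched, unscoped statements and sensitive actions."""
    services = defaultdict(set)
    unscoped = []   # indexes of Allow statements with Resource "*" and no Condition
    sensitive = {}  # sensitive action -> "conditioned" | "unconditioned"
    for idx, st in enumerate(normalise_statements(doc)):
        if st.get("Effect") != "Allow":
            continue
        conditioned = bool(st.get("Condition"))
        for action in _as_list(st.get("Action", [])):
            service, _, name = action.partition(":")
            services[service].add(name)
            if action in SENSITIVE_ACTIONS:
                sensitive[action] = "conditioned" if conditioned else "unconditioned"
        if "*" in _as_list(st.get("Resource", [])) and not conditioned:
            unscoped.append(idx)
    return {
        "services": {s: sorted(names) for s, names in sorted(services.items())},
        "unscoped_statements": unscoped,
        "sensitive_actions": sensitive,
    }


# Constructed sample: same field shapes as the ECS and cross-account policies.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "vpc:DescribeVpcs"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
     "Resource": ["acs:ecs:*:*:instance/*",
                  "acs:ram:*:*:role/aliyunecsaccessinghbrrole"],
     "Effect": "Allow"},
    {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": ["ecs.aliyuncs.com"]}}},
    {"Action": "sts:AssumeRole", "Resource": "*", "Effect": "Allow"}
  ]
}
""")


def report(doc):
    """Human-readable lines for the audit result."""
    result = audit_policy(doc)
    lines = [f"{svc}: {', '.join(names)}" for svc, names in result["services"].items()]
    lines.append(f"unscoped Allow statements: {result['unscoped_statements']}")
    for action, state in result["sensitive_actions"].items():
        lines.append(f"{action}: {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_POLICY)))
```

Run it against a policy pasted from the console to see which grants are account-wide rather than resource-scoped; for a service-linked role that cannot be narrowed, the output tells you which API calls (for example sts:AssumeRole by the cross-account role) are worth alerting on in ActionTrail.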

Required permissions for a RAM user to use a service-linked role

If you use a RAM user to create or delete a service-linked role, an administrator must grant the RAM user administrator permissions (AliyunHBRFullAccess), or add the following permissions to the Action statement of a custom policy:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to manage service-linked roles.
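
Rather than granting AliyunHBRFullAccess to a RAM user whose only job is to create or delete these roles, the two actions above can be placed in a custom policy and limited to the Cloud Backup service names. The block below is an added example, not Alibaba Cloud code: it builds that custom policy and checks requests against it with a small evaluator. It assumes the ram:ServiceName condition key, which this page shows on ram:DeleteServiceLinkedRole, can be applied to ram:CreateServiceLinkedRole as well; the service names are the ones that appear in the policies above (the service names behind the ECS, OSS, NAS and CSG roles are not given on this page, so they are not listed).

```python
"""Least-privilege custom policy for managing Cloud Backup service-linked roles.

Added example, not Alibaba Cloud code. Assumption: the ram:ServiceName
condition key is honoured on both ram:CreateServiceLinkedRole and
ram:DeleteServiceLinkedRole.
"""
import json

# Service names taken from the ram:ServiceName conditions shown on this page.
CLOUD_BACKUP_SERVICE_NAMES = [
    "vaultencryption.hbr.aliyuncs.com",
    "otsbackup.hbr.aliyuncs.com",
    "crossbackup.hbr.aliyuncs.com",
    "rd.hbr.aliyuncs.com",
    "ecsencryption.hbr.aliyuncs.com",
    "magpiebridge.hbr.aliyuncs.com",
    "pdsbackup.hbr.aliyuncs.com",
]


def slr_management_policy(service_names):
    """Custom policy granting only the two actions the page requires,
    and only for the named services."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": list(service_names)}},
        }],
    }


def is_allowed(policy, action, context):
    """Minimal evaluator: Allow if a statement lists the action and every
    StringEquals key in its Condition matches the request context.
    Only this subset of RAM semantics is modelled; explicit Deny, other
    condition operators and resource matching are not."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, wanted in equals.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if context.get(key) not in wanted:
                matched = False
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = slr_management_policy(CLOUD_BACKUP_SERVICE_NAMES)
    print(json.dumps(policy, indent=2))
    # Deleting a Cloud Backup role is allowed; an unrelated service name is not.
    print(is_allowed(policy, "ram:DeleteServiceLinkedRole",
                     {"ram:ServiceName": "magpiebridge.hbr.aliyuncs.com"}))
    print(is_allowed(policy, "ram:DeleteServiceLinkedRole",
                     {"ram:ServiceName": "ecs.aliyuncs.com"}))
```

The condition is what separates this from AliyunHBRFullAccess: the user can manage only the listed service-linked roles and nothing else in RAM, and a request that arrives without a ram:ServiceName, or with one outside the list, is refused.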

View a service-linked role

After a service-linked role is created, you can view the following information about the role on the Roles page of the RAM console:

  • Basic information

    In the Basic Information section on the details page for the service-linked role, you can view basic information about the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the Permission Management tab of the service-linked role details page, click the policy name to view the policy document and the cloud resources that the role is authorized to access.

  • Trust policy

    On the Trust Policy Management tab of the role details page, you can view the trust policy. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

For more information about how to view a service-linked role, see View a RAM role.

Delete a service-linked role

If you no longer use a backup feature, for example ECS backup, delete the corresponding service-linked role so that the role's permissions do not remain granted unnecessarily.

Important

  • After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution.

  • Before you delete a service-linked role, you must remove all resources that depend on it. Otherwise, the role cannot be deleted. The requirements are as follows:

    • AliyunServiceRoleForHbrEcsBackup: No backup vaults exist, all backups of ECS File Backup Essential Edition instances are canceled, and all ECS Backup Essential Edition instances are detached or removed.

    • AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrOtsBackup, AliyunServiceRoleForHbrCsgBackup, or AliyunServiceRoleForHbrCrossAccountBackup: There must be no backup vaults in the current account.

    • AliyunServiceRoleForHbrEcsEncryption: A KMS key must not be specified to encrypt cross-region replication data of ECS instance backups when a backup policy is attached.

    • AliyunServiceRoleForHbrVaultEncryption: There must be no backup vaults that use KMS for encryption.

    • AliyunServiceRoleForHbrMagpieBridge: The ECS File Backup and local file clients have been uninstalled.

    • AliyunServiceRoleForHbrPdsBackup: No PDS data sources are available for data synchronization in the current account.

The following steps describe how to delete the AliyunServiceRoleForHbrEcsBackup role:

Note

The steps to delete other Cloud Backup service-linked roles are similar. Replace the RAM role name with the name of the role that you want to delete.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identity Management > Roles.

  3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the AliyunServiceRoleForHbrEcsBackup RAM role.

  4. In the Actions column, click Delete Role.

  5. In the Delete Role dialog box, enter the role name again and click Delete Role.

For more information, see Delete a RAM role.