This topic describes the service-linked roles for Cloud Backup and how to delete these roles.
Background information
To implement some features, Cloud Backup needs to access other Alibaba Cloud services. To do so, Cloud Backup must assume service-linked roles to obtain the required permissions. For more information, see Service-linked roles.
To access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), or Apsara File Storage NAS, Cloud Backup must assume the corresponding service-linked role that is automatically created.
AliyunServiceRoleForHbrEcsBackup
To implement the ECS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrEcsBackup role so that Cloud Backup can access ECS and VPC.
AliyunServiceRoleForHbrOssBackup
To implement the OSS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrOssBackup role so that Cloud Backup can access OSS.
AliyunServiceRoleForHbrNasBackup
To implement the NAS backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrNasBackup role so that Cloud Backup can access NAS.
AliyunServiceRoleForHbrVaultEncryption
To encrypt backup vaults by using Key Management Service (KMS), Cloud Backup must assume the AliyunServiceRoleForHbrVaultEncryption role so that Cloud Backup can access KMS.
AliyunServiceRoleForHbrOtsBackup
To implement the Tablestore backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrOtsBackup role so that Cloud Backup can access Tablestore.
AliyunServiceRoleForHbrCrossAccountBackup
To implement the cross-account backup feature, Cloud Backup must assume the AliyunServiceRoleForHbrCrossAccountBackup role.
AliyunServiceRoleForHbrEcsEncryption
To specify KMS-managed keys for remote encryption to implement geo-replication in an ECS instance backup, Cloud Backup must assume the AliyunServiceRoleForHbrEcsEncryption role.
Permission policies
This section describes the permission policies that are attached to each service-linked role.
Delete a service-linked role
You may need to delete service-linked roles to ensure security. For example, if you no longer need to use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.
Before you delete the AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, or AliyunServiceRoleForHbrNasBackup role, make sure that no backup vault exists within the current account. Otherwise, the deletion fails.
Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the deletion fails.
To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.
4. Click Delete Role in the Actions column.
5. In the Delete Role message, enter the role name, and then click Delete Role.
If you want to delete other service-linked roles, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrVaultEncryption, and AliyunServiceRoleForHbrEcsEncryption, enter the corresponding role name in the search box.
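The two deletion preconditions above can be checked against a vault inventory before you open the RAM console. The following Python code is an added example, not Alibaba Cloud code: the vault records and their field names (`id`, `encryption`) are constructed assumptions, and roles for which this topic states no precondition are reported as unverified rather than deletable.

```python
"""Pre-deletion check for Cloud Backup service-linked roles (added example)."""

# Roles this topic says cannot be deleted while ANY backup vault exists.
NEEDS_NO_VAULT = {
    "AliyunServiceRoleForHbrEcsBackup",
    "AliyunServiceRoleForHbrOssBackup",
    "AliyunServiceRoleForHbrNasBackup",
}
# Role this topic says cannot be deleted while a KMS-encrypted vault exists.
NEEDS_NO_KMS_VAULT = {"AliyunServiceRoleForHbrVaultEncryption"}

# Constructed sample inventory; field names are hypothetical, not an API schema.
SAMPLE_VAULTS = [
    {"id": "v-example-001", "encryption": "KMS"},
    {"id": "v-example-002", "encryption": "default"},
]


def blocking_vaults(role, vaults):
    """Return the vault ids that block deletion of `role`.

    Returns None when this topic states no precondition for the role, so the
    caller treats that case as "verify manually" rather than "safe".
    """
    if role in NEEDS_NO_VAULT:
        return [v["id"] for v in vaults]
    if role in NEEDS_NO_KMS_VAULT:
        return [v["id"] for v in vaults if v["encryption"].upper() == "KMS"]
    return None


def deletion_plan(roles, vaults):
    """Sort candidate roles into deletable, blocked and unverified groups."""
    plan = {"deletable": [], "blocked": {}, "unverified": []}
    for role in roles:
        blockers = blocking_vaults(role, vaults)
        if blockers is None:
            plan["unverified"].append(role)
        elif blockers:
            plan["blocked"][role] = blockers
        else:
            plan["deletable"].append(role)
    return plan


if __name__ == "__main__":
    candidates = sorted(NEEDS_NO_VAULT | NEEDS_NO_KMS_VAULT)
    print(deletion_plan(candidates, SAMPLE_VAULTS))
```

A role listed under `blocked` maps to the vaults that must be removed first; a role under `unverified` has no precondition stated in this topic and needs a manual check.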