
Cloud Parallel File Storage:Service-linked roles for Cloud Parallel File Storage

Last Updated:Nov 06, 2025

When you enable a feature for a Cloud Parallel File Storage (CPFS) file system, File Storage NAS automatically creates a service-linked role for CPFS. This role grants CPFS permissions to access other Alibaba Cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).

Background information

A service-linked role is a type of Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Cloud Parallel File Storage (CPFS) uses service-linked roles to obtain permissions to access other Alibaba Cloud services and cloud resources.

Typically, a service-linked role is automatically created when you perform an operation. If the automatic creation fails or if CPFS does not support automatic creation, you must manually create the service-linked role.

Resource Access Management (RAM) provides a system policy for each service-linked role. This policy cannot be modified. To view the policy document, go to the product page of the specific service-linked role.

Note

For more information about service-linked roles, see Service-linked roles.

Scenarios

Service-linked roles for CPFS are used in the following scenarios:

  • AliyunServiceRoleForNasCpfsNetwork

    To create or delete an elastic network interface (ENI) or a security group, CPFS assumes the AliyunServiceRoleForNasCpfsNetwork role to access your Virtual Private Cloud (VPC) and Elastic Compute Service (ECS) services.

  • AliyunServiceRoleForNasCpfsClient

    To create or delete an ECS instance, a Cloud Assistant instance, any authorization information, or a security group, CPFS assumes the AliyunServiceRoleForNasCpfsClient role to access your VPC and ECS services.

  • AliyunServiceRoleForNasOssDataFlow

    When you use the dataflow feature of a CPFS file system, CPFS assumes the AliyunServiceRoleForNasOssDataFlow role to query, read, and write data in the specified bucket in Object Storage Service (OSS).

  • AliyunServiceRoleForNasEventNotification

    When you use the dataflow feature of a CPFS file system, CPFS assumes the AliyunServiceRoleForNasEventNotification role to create and modify the EventBridge parameters.

For more information, see Service-linked roles.

Permissions

This section describes the permission policies attached to service-linked roles for CPFS.

AliyunServiceRoleForNasCpfsNetwork

{
    "Version": "1",
    "Statement": [{
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "acs:ecs:*:*:*/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ecs:tag/nas:cpfs": "true"
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cpfs-network.nas.aliyuncs.com"
                }
            }
        }
    ]
}
      

AliyunServiceRoleForNasCpfsClient

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance",
                "ecs:DescribeInstances",
                "ecs:CreateSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:InstallCloudAssistant",
                "ecs:DescribeInvocations"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:StartInstances",
                "ecs:DeleteInstances",
                "ecs:RunCommand",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DeleteSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "acs:ecs:*:*:*/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ecs:tag/nas:cpfs": "true"
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cpfs-client.nas.aliyuncs.com"
                }
            }
        }
    ]
}


AliyunServiceRoleForNasOssDataFlow

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListBuckets",
                "oss:GetBucketTagging"
            ],
            "Resource": [
                "acs:oss:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:HeadBucket",
                "oss:GetBucketLocation",
                "oss:GetBucketInventory",
                "oss:GetBucketInfo",
                "oss:GetBucketVersion",
                "oss:GetBucketAcl",
                "oss:GetBucketStat",
                "oss:GetBucket",
                "oss:ListObjects",
                "oss:GetObject",
                "oss:PutObject",
                "oss:CopyObject",
                "oss:AppendObject",
                "oss:DeleteObject",
                "oss:GetObjectMeta",
                "oss:PutObjectACL",
                "oss:GetObjectACL",
                "oss:PutObjectTagging",
                "oss:GetObjectTagging",
                "oss:InitiateMultipartUpload",
                "oss:CompleteMultipartUpload",
                "oss:AbortMultipartUpload",
                "oss:ListMultipartUploads",
                "oss:UploadPart",
                "oss:UploadPartCopy",
                "oss:ListParts"
            ],
            "Resource": [
                "acs:oss:*:*:*",
                "acs:oss:*:*:*/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "oss:tag/cpfs-dataflow": "true"
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "oss-dataflow.nas.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}


AliyunServiceRoleForNasEventNotification

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:GetEventBus",
                "eventbridge:CreateRule"
            ],
            "Resource": [
                "acs:eventbridge:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:GetRule",
                "eventbridge:ListRules",
                "eventbridge:UpdateRule",
                "eventbridge:EnableRule",
                "eventbridge:DisableRule",
                "eventbridge:DeleteRule",
                "eventbridge:CreateTargets",
                "eventbridge:UpdateTargets",
                "eventbridge:DeleteTargets"
            ],
            "Resource": [
                "acs:eventbridge:*:*:*"
            ]
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "event-notification.nas.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
 
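The ECS and OSS statements above are not granted unconditionally: the destructive actions (deleting or rewriting security-group rules, reading and writing objects) only apply to resources carrying the nas:cpfs=true or cpfs-dataflow=true tag, so a resource without that tag is out of reach even though the role holds the action. The following evaluator is an added example (not Alibaba Cloud code) that models only the StringEquals and StringEqualsIgnoreCase operators used in these policies and replays a few requests against the AliyunServiceRoleForNasCpfsNetwork policy printed above; the security-group ARN is a constructed sample.

```python
import fnmatch

# Policy for AliyunServiceRoleForNasCpfsNetwork as printed on this page, trimmed to
# the statements exercised below (same Effect/Resource/Condition as the original).
CPFS_NETWORK_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:CreateSecurityGroup", "ecs:CreateNetworkInterface"]},
        {"Effect": "Allow", "Resource": "acs:ecs:*:*:*/*",
         "Action": ["ecs:DeleteSecurityGroup", "ecs:AuthorizeSecurityGroup"],
         "Condition": {"StringEqualsIgnoreCase": {"ecs:tag/nas:cpfs": "true"}}},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": "cpfs-network.nas.aliyuncs.com"}}},
    ],
}
SAMPLE_SG = "acs:ecs:cn-hangzhou:123456789012:securitygroup/sg-constructed"  # constructed ARN

def _glob_any(patterns, value):
    """Action and Resource accept a string or a list; * and ? are wildcards."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    """Only the two operators the CPFS policies use are modelled; every key must hold."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            return False  # unknown operator: fail closed
        fold = str.lower if operator == "StringEqualsIgnoreCase" else str
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing tag or context key never satisfies a condition
            allowed = [expected] if isinstance(expected, str) else expected
            if fold(actual) not in {fold(v) for v in allowed}:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and condition context.
    The CPFS policies contain no Deny statements, so none are modelled here."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and _glob_any(stmt["Action"], action)
                and _glob_any(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False
```

Calling is_allowed for ecs:DeleteSecurityGroup on SAMPLE_SG returns False with no tags and True once the context carries ecs:tag/nas:cpfs set to "true" (any case), which is the behaviour the tag condition is there to enforce.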

Permissions required for a RAM user to use service-linked roles

If you use a Resource Access Management (RAM) user to create or delete a service-linked role, contact an administrator to grant administrator permissions (AliyunNASFullAccess) to the RAM user. Alternatively, you can add the following permissions to the Action element of a custom policy for the RAM user:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information about how to grant permissions, see Permissions required to create and delete a service-linked role.

View a service-linked role

After a service-linked role is created, go to the Roles page of the Resource Access Management (RAM) console. You can search for the service-linked role by its name, such as AliyunServiceRoleForNasStandard, to view the following information about the role:

  • Basic information

    In the Basic Information section on the product page for the AliyunServiceRoleForNasStandard role, you can view basic information about the role. This includes the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permission Management tab of the product page for the AliyunServiceRoleForNasStandard role, click the policy name to view the policy document and the cloud resources that the role can access.

  • Trust policy

    On the Trust Policy tab of the product page for the AliyunServiceRoleForNasStandard role, you can view the trust policy document. A trust policy defines the trusted entities of a RAM role. A trusted entity is an identity that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service. You can view the trusted entity in the Service field of the trust policy.

For more information about how to view a service-linked role, see View the information about a RAM role.

Delete a service-linked role for CPFS

If you no longer need a service-linked role for CPFS, you can delete it. For example, you may want to delete the role if you stop using the dataflow feature of a CPFS file system. Before you can delete the role, you must first delete the CPFS file system instance that is associated with the role. For more information, see Delete a file system and Delete a service-linked role.

FAQ

Why are service-linked roles for CPFS not automatically created when I log on as a RAM user?

A Resource Access Management (RAM) user must have specific permissions to automatically create or delete service-linked roles for CPFS. If a service-linked role for CPFS is not automatically created for a RAM user, you must grant the following system policies and custom policies to the user. For more information, see Create a custom permission policy.

  • System policies

    • AliyunVPCFullAccess: grants full permissions on VPC.

    • AliyunBSSFullAccess: grants full permissions on Billing Management.

    • AliyunNASFullAccess: grants full permissions on NAS.

    • AliyunECSNetworkInterfaceManagementAccess: grants the permissions to manage ECS ENIs.

  • Custom policy

    • To manage mount targets, the RAM user must be allowed to create service-linked roles for the cpfs-network.nas.aliyuncs.com and cpfs-client.nas.aliyuncs.com services.

    • To manage data flows, the RAM user must be allowed to create service-linked roles for the oss-dataflow.nas.aliyuncs.com and event-notification.nas.aliyuncs.com services.

    For example, the following custom policy grants ram:CreateServiceLinkedRole only for these four service names, so the RAM user cannot create service-linked roles for any other service:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ram:CreateServiceLinkedRole"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": [
                "cpfs-network.nas.aliyuncs.com",
                "cpfs-client.nas.aliyuncs.com",
                "oss-dataflow.nas.aliyuncs.com",
                "event-notification.nas.aliyuncs.com"
              ]
            }
          }
        }
      ]
    }