This topic describes service-linked roles for Cloud Storage Gateway (CSG).
Background information
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. CSG assumes service-linked roles to obtain the permissions to access other cloud services or cloud resources.
In most cases, the system automatically creates a service-linked role when you perform an operation that requires access to a different cloud service. If a service-linked role fails to be automatically created or CSG does not permit automatic creation, you must manually create the service-linked role.
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view information about the system policy of a specific service-linked role, go to the details page of the role.
For more information, see Service-linked roles.
Scenarios
CSG automatically creates a service-linked role for you in the following scenarios:
AliyunServiceRoleForHCSSGW
The first time you log on to the CSG console and authorize the use of a service-linked role, CSG automatically creates the service-linked role AliyunServiceRoleForHCSSGW. The service-linked role allows CSG to access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), Simple Message Queue (SMQ), and Key Management Service (KMS).
AliyunServiceRoleForHCSSGWLogMonitor
The first time you use log monitoring in the CSG console and authorize the use of a service-linked role, CSG automatically creates the service-linked role AliyunServiceRoleForHCSSGWLogMonitor. The service-linked role allows CSG to access Simple Log Service (SLS).
Permissions
AliyunServiceRoleForHCSSGW
To create the service-linked role AliyunServiceRoleForHCSSGW as a RAM user, the AliyunHCSSGWFullAccess policy must be attached to the RAM user.
AliyunServiceRoleForHCSSGW grants CSG the permissions to access the following cloud services or resources:
Elastic network interfaces (ENIs) and security groups in ECS
CSG must have the following permissions to access ENIs and security groups:
{
  "Action": [
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateSecurityGroup",
    "ecs:DescribeSecurityGroups",
    "ecs:AuthorizeSecurityGroup",
    "ecs:DeleteSecurityGroup",
    "ecs:JoinSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
VPC
CSG must have the following permissions to access VPC resources:
{
  "Action": [
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitches"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
OSS
CSG must have the following permissions to upload, download, and manage OSS resources:
{
  "Action": [
    "oss:ListBuckets",
    "oss:ListObjects",
    "oss:GetObject",
    "oss:PutObject",
    "oss:DeleteObject",
    "oss:HeadObject",
    "oss:CopyObject",
    "oss:InitiateMultipartUpload",
    "oss:UploadPart",
    "oss:UploadPartCopy",
    "oss:CompleteMultipartUpload",
    "oss:AbortMultipartUpload",
    "oss:ListMultipartUploads",
    "oss:ListParts",
    "oss:GetBucketStat",
    "oss:GetBucketWebsite",
    "oss:GetBucketInfo",
    "oss:GetBucketEncryption",
    "oss:PutBucketEncryption",
    "oss:DeleteBucketEncryption",
    "oss:RestoreObject",
    "oss:PutObjectTagging",
    "oss:GetObjectTagging",
    "oss:DeleteObjectTagging"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
KMS
CSG must have the following permissions to perform server-side encryption or client-side encryption:
{
  "Action": [
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
SMQ
CSG must have the following permissions to configure express synchronization for gateways:
{
  "Action": [
    "mns:SendMessage",
    "mns:ReceiveMessage",
    "mns:PublishMessage",
    "mns:DeleteMessage",
    "mns:GetQueueAttributes",
    "mns:GetTopicAttributes",
    "mns:CreateTopic",
    "mns:DeleteTopic",
    "mns:CreateQueue",
    "mns:DeleteQueue",
    "mns:PutEventNotifications",
    "mns:DeleteEventNotifications",
    "mns:UpdateEventNotifications",
    "mns:GetEvent",
    "mns:Subscribe",
    "mns:Unsubscribe",
    "mns:ListTopic",
    "mns:ListQueue",
    "mns:ListSubscriptionByTopic"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Transactions and bills
CSG must have the following permissions to collect and display the billing information of gateways:
{
  "Action": [
    "bss:DescribePrice"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
AliyunServiceRoleForHCSSGWLogMonitor
To create the service-linked role AliyunServiceRoleForHCSSGWLogMonitor as a RAM user, the AliyunHCSSGWFullAccess policy must be attached to the RAM user.
AliyunServiceRoleForHCSSGWLogMonitor grants CSG the permissions to access the following cloud service:
SLS
CSG must have the following permissions to configure log monitoring for gateways:
{
  "Action": [
    "log:PostLogStoreLogs",
    "log:GetLogStore"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Permissions required for a RAM user to manage service-linked roles
A RAM user must be assigned the system policy AliyunHCSSGWFullAccess or a custom policy that includes the following permissions in the Action statement:
ram:CreateServiceLinkedRole: The permission allows the RAM user to create a service-linked role.
ram:DeleteServiceLinkedRole: The permission allows the RAM user to delete a service-linked role.
For more information, see Permissions required to create and delete a service-linked role.
View information about a service-linked role
After a service-linked role is created, you can query the following information about the service-linked role on the Roles page of the RAM console by searching for the role name, for example, AliyunServiceRoleForHCSSGW.
Basic information
In the Basic Information section, you can view the basic information about the role, such as the name, creation time, ARN, and description.
Policies
On the Permissions tab, you can click the name of a policy to view the policy content and the cloud resources that the role can access.
Trust policy
On the Trust Policy tab, you can view the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, you can view the value of the Service parameter in the trust policy.
For information about how to view the details of a service-linked role, see View the information about a RAM role.
Delete a service-linked role
Before you delete a service-linked role of CSG, you must delete the associated gateways. For more information, see Delete a service-linked role.
After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
FAQ
Why is a service-linked role not automatically created when I access CSG as a RAM user?
The RAM user does not have the required permissions to automatically create a service-linked role for CSG. The system creates a CSG service-linked role only for users that have the required permissions. To fix the issue, attach the following policy to the RAM user. You must replace Alibaba Cloud account ID with the actual account ID. For more information, see Create a custom policy.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "hcs-sgw.aliyuncs.com",
            "logmonitor.hcs-sgw.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
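As an added example that is not part of this page or of CSG itself, the following Python script checks a custom policy of the shape given in the FAQ above before it is attached to a RAM user (the account ID placeholder has been replaced, the statement is scoped to the account's roles, and the ram:ServiceName condition names only CSG's service principals), and reads the trusted Service out of a role's trust policy as described under "View information about a service-linked role". The account ID and the sample policies are constructed; the trust policy layout (an sts:AssumeRole statement with a Principal.Service list) is assumed from RAM's standard trust policy format, and the check that flags whitespace in service names relies on StringEquals being an exact comparison.

```python
import json
import re

# Service principals named on this page for CSG's two service-linked roles:
# AliyunServiceRoleForHCSSGW and AliyunServiceRoleForHCSSGWLogMonitor.
CSG_SERVICE_NAMES = {"hcs-sgw.aliyuncs.com", "logmonitor.hcs-sgw.aliyuncs.com"}

# Role resources scoped to a single numeric account ID, as in the FAQ policy.
RESOURCE_PATTERN = re.compile(r"^acs:ram:\*:(\d+):role/\*$")


def _as_list(value):
    """RAM policy fields such as Action and Resource accept a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_slr_creation_policy(policy_text, account_id):
    """Return a list of findings for a custom policy meant to let a RAM user
    create CSG's service-linked roles. An empty list means the policy has the
    shape shown in the FAQ: ram:CreateServiceLinkedRole, scoped to this
    account's roles, and limited by a ram:ServiceName condition."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]

    if policy.get("Version") != "1":
        findings.append('Version must be "1"')

    create_stmts = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and "ram:CreateServiceLinkedRole" in _as_list(s.get("Action"))
    ]
    if not create_stmts:
        findings.append("no Allow statement grants ram:CreateServiceLinkedRole")
        return findings

    for stmt in create_stmts:
        for res in _as_list(stmt.get("Resource")):
            match = RESOURCE_PATTERN.match(res)
            if match is None:
                findings.append(f"Resource {res!r} is not acs:ram:*:<account ID>:role/* "
                                "(placeholder left in, or wrong scope)")
            elif match.group(1) != account_id:
                findings.append(f"Resource {res!r} names a different account")

        condition = stmt.get("Condition", {}).get("StringEquals", {})
        names = _as_list(condition.get("ram:ServiceName"))
        if not names:
            findings.append("no StringEquals condition on ram:ServiceName: the statement "
                            "allows creating service-linked roles for any service")
            continue
        for name in names:
            if name != name.strip():
                # StringEquals is an exact comparison, so a stray space means the
                # condition never matches and role creation keeps failing.
                findings.append(f"service name {name!r} has surrounding whitespace")
            elif name not in CSG_SERVICE_NAMES:
                findings.append(f"service name {name!r} is not a CSG service principal")
    return findings


def trusted_services(trust_policy_text):
    """Return the service principals allowed to assume a role, read from the
    Principal.Service field of its trust policy (the Service value the page
    says to look at on the Trust Policy tab)."""
    policy = json.loads(trust_policy_text)
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            services.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return services


# Constructed samples; the account ID is a placeholder, not a real account.
ACCOUNT_ID = "123456789012345"
GOOD_POLICY = json.dumps({
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": sorted(CSG_SERVICE_NAMES)}},
    }],
    "Version": "1",
})
# Same policy with the FAQ placeholder left in place of the account ID.
PLACEHOLDER_POLICY = GOOD_POLICY.replace(ACCOUNT_ID, "Alibaba Cloud account ID")
# Same policy with a trailing space inside one service name.
WHITESPACE_POLICY = GOOD_POLICY.replace('"hcs-sgw.aliyuncs.com"', '"hcs-sgw.aliyuncs.com "')
# Same policy with a trailing comma after the last service name (invalid JSON).
TRAILING_COMMA_POLICY = GOOD_POLICY.replace('"logmonitor.hcs-sgw.aliyuncs.com"]',
                                            '"logmonitor.hcs-sgw.aliyuncs.com",]')
# Constructed trust policy in RAM's format, naming the CSG service as trusted entity.
TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["hcs-sgw.aliyuncs.com"]}}],
    "Version": "1",
})

if __name__ == "__main__":
    for label, text in [("good", GOOD_POLICY), ("placeholder", PLACEHOLDER_POLICY),
                        ("whitespace", WHITESPACE_POLICY), ("comma", TRAILING_COMMA_POLICY)]:
        print(label, check_slr_creation_policy(text, ACCOUNT_ID) or "OK")
    print("trusted:", trusted_services(TRUST_POLICY))
```

Run it against a policy document pasted from the console before attaching it; each finding names the statement field to correct, and an empty result for the creation policy together with a trust policy whose Service set contains only CSG principals is what a least-privilege review expects to see.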