Appendix: DataWorks service-linked role - DataWorks - Alibaba Cloud Documentation Center

This topic describes the service-linked role that is automatically generated after the current logon account is granted the permissions to use EventBridge resources in DataWorks.

Background information

To use EventBridge to subscribe to and consume event messages that are generated in your workspace, the account that you use to log on to DataWorks must be granted the permissions to access your EventBridge resources. After the authorization is complete, the service-link role AliyunServiceRoleForDataWorksOpenPlatform is generated in the Resource Access Management (RAM) console. This role is used to access your resources in other Alibaba Cloud services from DataWorks Open Platform. For more information about service-linked roles in RAM, see Service-linked roles.

View the permissions of the AliyunServiceRoleForDataWorksOpenPlatform role

Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForDataWorksOpenPlatform in the search box and click the search icon. The RAM role named AliyunServiceRoleForDataWorksOpenPlatform appears.
Click the AliyunServiceRoleForDataWorksOpenPlatform role.

On the page that appears, click the Permissions tab. On the Permissions tab, you can view the details of the AliyunServiceRolePolicyForDataWorksOpenPlatform policy that is attached to the role.

{    
   "Version": "1",    
   "Statement":[        
     {
       "Effect": "Allow",  
       "Action": [
         "eventbridge:GetEventBus",
         "eventbridge:GetRule",
         "eventbridge:CreateEventBus",
         "eventbridge:DeleteEventBus",
         "eventbridge:PutEvents",
         "eventbridge:ListEventBuses"
       ], 
       "Resource":"*"

     }, 
     {
        "Action":"ram:DeleteServiceLinkedRole",
        "Resource":"*",
        "Effect":"Allow",
        "Condition":{
          "StringEquals": {
            "ram:ServiceName": "openplatform.dataworks.aliyuncs.com"
          }
        }  
     }    
   ]   
}

Delete the AliyunServiceRoleForDataWorksOpenPlatform role

Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForDataWorksOpenPlatform in the search box and click the search icon. The RAM role named AliyunServiceRoleForDataWorksOpenPlatform appears.
Click Delete in the Actions column.

FAQ

Problem description: Why is the service-linked role AliyunServiceRoleForDataWorksOpenPlatform not automatically created for a RAM user of my Alibaba Cloud account?

Solution: The AliyunServiceRoleForDataWorksOpenPlatform role can be automatically created for a RAM user and the RAM user can be used to delete the role only after the RAM user is granted the required permissions. To resolve this issue, you must attach the following policy to the RAM user:

{
    "Statement": [
       {
        "Action": [                
                "ram:CreateServiceLinkedRole"
            ],
          "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
          "Effect": "Allow",
           "Condition": {
               "StringEquals": {
                    "ram:ServiceName": [
                        "openplatform.dataworks.aliyuncs.com"                
                   ]
                }           
           }
     }
  ],
  "Version":"1"
}

Note Replace "ID of your Alibaba Cloud account" with your actual account ID.