This topic describes the background information, policies, usage notes, and FAQ about the service-linked roles for EventBridge.

Background information

EventBridge may need to access another Alibaba Cloud service to implement a feature, for example to invoke a function or to pull messages from a queue. In this case, EventBridge assumes a specific service-linked role to obtain the permissions that it needs to access the Alibaba Cloud service. The permission policy of a service-linked role is defined by EventBridge and cannot be modified, so the policies listed below describe exactly what each integration can do in your account. For more information, see Service-linked roles.

EventBridge automatically creates the following service-linked roles the first time you use the corresponding feature, such as when you configure an event source or event target of that type:

AliyunServiceRoleForEventBridgeSendToFC

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToFC role to obtain permissions to access Function Compute to invoke functions.

The following AliyunServiceRolePolicyForEventBridgeSendToFC policy is attached to the AliyunServiceRoleForEventBridgeSendToFC role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "fc:InvokeFunction",
                "fc:ListServices",
                "fc:ListFunctions",
                "fc:ListServiceVersions",
                "fc:ListAliases",
                "fc:RegisterEventSource",
                "fc:DeregisterEventSource",
                "fc:ListEventSources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToMNS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToMNS role to obtain permissions to access Message Service (MNS) to send or publish messages.

The following AliyunServiceRolePolicyForEventBridgeSendToMNS policy is attached to the AliyunServiceRoleForEventBridgeSendToMNS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mns:SendMessage",
                "mns:GetQueueAttributes",
                "mns:PublishMessage",
                "mns:ListQueue",
                "mns:ListTopic",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility",
                "mns:DeleteMessage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSMS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToSMS role to obtain permissions to access Short Message Service (SMS) to send text messages.

The following AliyunServiceRolePolicyForEventBridgeSendToSMS policy is attached to the AliyunServiceRoleForEventBridgeSendToSMS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dysms:SendSms",
                "dysms:SendBatchSms",
                "dysms:QuerySendDetails",
                "dysms:QuerySmsSign",
                "dysms:QuerySmsTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToDirectMail

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToDirectMail role to obtain permissions to access Direct Mail to send emails.

The following AliyunServiceRolePolicyForEventBridgeSendToDirectMail policy is attached to the AliyunServiceRoleForEventBridgeSendToDirectMail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "dm:SingleSendMail",
                "dm:BatchSendMail",
                "dm:QueryMailAddressByParam"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRocketMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRocketMQ role to obtain permissions to access the resources in Message Queue for Apache RocketMQ.

The following AliyunServiceRolePolicyForEventBridgeSourceRocketMQ policy is attached to the AliyunServiceRoleForEventBridgeSourceRocketMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:QueryInstanceBaseInfo",
                "mq:QueryConsumerStatus",
                "mq:SUB"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMNS

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceMNS role to obtain permissions to access the resources in MNS.

The following AliyunServiceRolePolicyForEventBridgeSourceMNS policy is attached to the AliyunServiceRoleForEventBridgeSourceMNS role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mns:ListQueue",
                "mns:ReceiveMessage",
                "mns:BatchReceiveMessage",
                "mns:PeekMessage",
                "mns:BatchPeekMessage",
                "mns:ChangeMessageVisibility"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"source-mns.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRocketMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRocketMQ role to obtain permissions to access Message Queue for Apache RocketMQ to publish messages.

The following AliyunServiceRolePolicyForEventBridgeSendToRocketMQ policy is attached to the AliyunServiceRoleForEventBridgeSendToRocketMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "mq:PUB",
                "mq:QueryInstanceBaseInfo",
                "mq:QueryTopicStatus",
                "mq:QueryConsumerAccumulate",
                "mq:QueryConsumerStatus"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeConnectVPC

EventBridge assumes the AliyunServiceRoleForEventBridgeConnectVPC role to obtain permissions to access the resources in Virtual Private Cloud (VPC).

The following AliyunServiceRolePolicyForEventBridgeConnectVPC policy is attached to the AliyunServiceRoleForEventBridgeConnectVPC role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "ecs:DescribeSecurityGroups",
                "ecs:CreateSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceActionTrail

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceActionTrail role to obtain permissions to access ActionTrail to query and deliver operation records.

The following AliyunServiceRolePolicyForEventBridgeSourceActionTrail policy is attached to the AliyunServiceRoleForEventBridgeSourceActionTrail role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceRabbitMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceRabbitMQ role to obtain permissions to access the resources in Message Queue for RabbitMQ.

The following AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ policy is attached to the AliyunServiceRoleForEventBridgeSourceRabbitMQ role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:GetExchange",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicCancel",
                "amqp:BasicConsume",
                "amqp:BasicAck",
                "amqp:BasicNack",
                "amqp:BasicReject",
                "amqp:QueuePurge",
                "amqp:BasicGet"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToRabbitMQ

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRabbitMQ role to obtain permissions to access Message Queue for RabbitMQ to publish messages.

The following AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ policy is attached to the AliyunServiceRoleForEventBridgeSendToRabbitMQ role:

{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "amqp:ListInstance",
                "amqp:ListVhost",
                "amqp:ListExchange",
                "amqp:GetVhost",
                "amqp:CreateExchange",
                "amqp:GetExchange",
                "amqp:CreateQueue",
                "amqp:GetQueue",
                "amqp:BasicRecover",
                "amqp:BasicPublish",
                "amqp:BasicAck",
                "amqp:BasicNack"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceKafka

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceKafka role to obtain permissions to access the resources in Message Queue for Apache Kafka.

The following AliyunServiceRolePolicyForEventBridgeSourceKafka policy is attached to the AliyunServiceRoleForEventBridgeSourceKafka role:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToKafka

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToKafka role to obtain permissions to access Message Queue for Apache Kafka to publish messages.

The following AliyunServiceRolePolicyForEventBridgeSendToKafka policy is attached to the AliyunServiceRoleForEventBridgeSendToKafka role:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alikafka:ListInstance",
        "alikafka:ListSaslUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForEventBridgeSendToRDS

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToRDS role to obtain permissions to access ApsaraDB RDS so that it can deliver data to ApsaraDB RDS instances. Note that the policy grants only Describe permissions on RDS, so the role alone does not allow writing to a database.

The following AliyunServiceRolePolicyForEventBridgeSendToRDS policy is attached to the AliyunServiceRoleForEventBridgeSendToRDS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDatabases",
                "rds:DescribeAccounts"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceCMS

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceCMS role to obtain permissions to access the resources in CloudMonitor.

The following AliyunServiceRolePolicyForEventBridgeSourceCMS policy is attached to the AliyunServiceRoleForEventBridgeSourceCMS role:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:DescribeSystemEventAttribute",
                "cms:DescribeSystemEventCount",
                "cms:DescribeSystemEventHistogram"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSendToSAE

EventBridge assumes the AliyunServiceRoleForEventBridgeSendToSAE role to obtain permissions to access Serverless App Engine (SAE) and run SAE jobs (sae:ExecJob), which is how data is delivered to SAE.

The following AliyunServiceRolePolicyForEventBridgeSendToSAE policy is attached to the AliyunServiceRoleForEventBridgeSendToSAE role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "sae:ExecJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceMqtt

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceMqtt role to obtain permissions to access the resources in Message Queue for MQTT.

The following AliyunServiceRolePolicyForEventBridgeSourceMqtt policy is attached to the AliyunServiceRoleForEventBridgeSourceMqtt role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "mq:SUB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForEventBridgeSourceSLS

EventBridge assumes the AliyunServiceRoleForEventBridgeSourceSLS role to obtain permissions to access the resources in Log Service.

The following AliyunServiceRolePolicyForEventBridgeSourceSLS policy is attached to the AliyunServiceRoleForEventBridgeSourceSLS role:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:ListConsumerGroup",
                "log:GetConsumerGroupCheckPoint",
                "log:ConsumerGroupUpdateCheckPoint",
                "log:GetCursorOrData",
                "log:ListShards"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "source-sls.eventbridge.aliyuncs.com"
                }
            }
        }
    ]
}
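
All of the policies above use Resource "*", so the only way to see what each integration can reach is to read the Action lists. The following script is an added example (not part of this page and not Alibaba Cloud tooling) that parses such a policy document offline and reports, per role, which services it touches, which actions only read state versus which can change or consume it, whether the data-plane statements are unscoped, and whether the ram:DeleteServiceLinkedRole statement is conditioned on the role's own ram:ServiceName. Three of the page's policies are embedded as input (SendToFC with its missing comma corrected, SendToMNS, and ConnectVPC); the read/mutating split by verb prefix is a heuristic of this example, not a RAM concept.

```python
"""Offline least-privilege review of EventBridge service-linked-role policies.

Added example, not Alibaba Cloud's own tooling. The policy documents and the
role -> ram:ServiceName pairs are copied from the page (SendToFC with its
missing comma corrected); the read/mutating verb split is a heuristic here.
"""
import json
from typing import Dict, List, Union

# ram:ServiceName that each role's ram:DeleteServiceLinkedRole statement
# must be conditioned on (from the page).
EXPECTED_SERVICE_NAME: Dict[str, str] = {
    "AliyunServiceRoleForEventBridgeSendToFC": "sendevent-fc.eventbridge.aliyuncs.com",
    "AliyunServiceRoleForEventBridgeSendToMNS": "sendevent-mns.eventbridge.aliyuncs.com",
    "AliyunServiceRoleForEventBridgeConnectVPC": "connect-vpc.eventbridge.aliyuncs.com",
}

# Policy documents as shown on the page, compacted to one string each.
POLICIES: Dict[str, str] = {
    "AliyunServiceRoleForEventBridgeSendToFC": """{"Version":"1","Statement":[
      {"Action":["fc:InvokeFunction","fc:ListServices","fc:ListFunctions","fc:ListServiceVersions",
                 "fc:ListAliases","fc:RegisterEventSource","fc:DeregisterEventSource","fc:ListEventSources"],
       "Resource":"*","Effect":"Allow"},
      {"Action":"ram:DeleteServiceLinkedRole","Resource":"*","Effect":"Allow",
       "Condition":{"StringEquals":{"ram:ServiceName":"sendevent-fc.eventbridge.aliyuncs.com"}}}]}""",
    "AliyunServiceRoleForEventBridgeSendToMNS": """{"Version":"1","Statement":[
      {"Action":["mns:SendMessage","mns:GetQueueAttributes","mns:PublishMessage","mns:ListQueue","mns:ListTopic",
                 "mns:ReceiveMessage","mns:BatchReceiveMessage","mns:PeekMessage","mns:BatchPeekMessage",
                 "mns:ChangeMessageVisibility","mns:DeleteMessage"],"Resource":"*","Effect":"Allow"},
      {"Action":"ram:DeleteServiceLinkedRole","Resource":"*","Effect":"Allow",
       "Condition":{"StringEquals":{"ram:ServiceName":"sendevent-mns.eventbridge.aliyuncs.com"}}}]}""",
    "AliyunServiceRoleForEventBridgeConnectVPC": """{"Version":"1","Statement":[
      {"Action":["vpc:DescribeVpcs","vpc:DescribeVSwitches","vpc:DescribeVSwitchAttributes"],
       "Resource":"*","Effect":"Allow"},
      {"Action":["ecs:DescribeSecurityGroups","ecs:CreateSecurityGroup","ecs:CreateNetworkInterface",
                 "ecs:DeleteNetworkInterface","ecs:DescribeNetworkInterfaces","ecs:CreateNetworkInterfacePermission",
                 "ecs:DescribeNetworkInterfacePermissions","ecs:DeleteNetworkInterfacePermission"],
       "Resource":"*","Effect":"Allow"},
      {"Action":"ram:DeleteServiceLinkedRole","Resource":"*","Effect":"Allow",
       "Condition":{"StringEquals":{"ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"}}}]}""",
}

# Heuristic: actions whose name starts with one of these verbs only read state.
READ_VERBS = ("Describe", "List", "Get", "Query", "Peek", "BatchPeek")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def audit_slr_policy(role_name: str, policy_json: str) -> dict:
    """Parse one policy and summarise its reach; raises ValueError on malformed JSON."""
    doc = json.loads(policy_json)  # a missing comma, as in the page's SendToFC text, fails here
    expected = EXPECTED_SERVICE_NAME.get(role_name)
    read, mutating = set(), set()
    wildcard_resource = delete_scoped = saw_delete = False
    findings: List[str] = []
    if expected is None:
        findings.append(f"no expected ram:ServiceName known for {role_name}")
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            findings.append("statement with Effect other than Allow")
            continue
        actions = _as_list(stmt["Action"])
        if "ram:DeleteServiceLinkedRole" in actions:
            saw_delete = True
            cond = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if cond == expected:
                delete_scoped = True
            else:
                findings.append(f"DeleteServiceLinkedRole conditioned on {cond!r}, expected {expected!r}")
            actions = [a for a in actions if a != "ram:DeleteServiceLinkedRole"]
        if not actions:
            continue
        if "*" in _as_list(stmt["Resource"]):
            wildcard_resource = True  # data-plane grant is not limited to specific resources
        for action in actions:
            verb = action.split(":", 1)[1]
            (read if verb.startswith(READ_VERBS) else mutating).add(action)
    if not saw_delete:
        findings.append("no ram:DeleteServiceLinkedRole statement")
    return {
        "role": role_name,
        "services": sorted({a.split(":", 1)[0] for a in read | mutating}),
        "read_actions": sorted(read),
        "mutating_actions": sorted(mutating),
        "wildcard_resource": wildcard_resource,
        "delete_scoped": delete_scoped,
        "findings": findings,
    }


def audit_all() -> Dict[str, dict]:
    return {name: audit_slr_policy(name, text) for name, text in POLICIES.items()}


if __name__ == "__main__":
    for name, r in audit_all().items():
        print(f"{name}: services={r['services']} wildcard={r['wildcard_resource']} "
              f"delete_scoped={r['delete_scoped']} mutating={r['mutating_actions']} findings={r['findings']}")
```

Running it shows, for instance, that the SendToMNS role, described as a sender, also holds mns:ReceiveMessage and mns:DeleteMessage, and that ConnectVPC can create security groups and elastic network interfaces anywhere in the account. Because the policy of a service-linked role cannot be edited, the practical response is to decide per account whether that reach is acceptable before the feature that creates the role is enabled.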

Usage notes

If you delete a service-linked role, EventBridge can no longer access the corresponding Alibaba Cloud service, so the event targets or event sources that depend on the role stop working. Exercise caution when you delete a role. To use the corresponding feature again, you must create the role again. For more information, see Create a service-linked role.

For more information about how to delete a service-linked role, see Delete a service-linked role.

FAQ

Q: Why is a service-linked role for EventBridge not automatically created for my RAM user?

A: A service-linked role belongs to the Alibaba Cloud account, not to an individual RAM user. If the role has already been created in the account, your RAM user can use the corresponding feature without creating it again. If the role does not exist yet and your RAM user is not allowed to create it, log on to the RAM console, create the following custom policy, and then attach the custom policy to the RAM user. The policy grants ram:CreateServiceLinkedRole only when ram:ServiceName is one of the EventBridge service names, so the user cannot use it to create service-linked roles for other services:

{
    "Version":"1",
    "Statement":[
        {
            "Action":"ram:CreateServiceLinkedRole",
            "Resource":"acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":[
                        "sendevent-fc.eventbridge.aliyuncs.com",
                        "sendevent-mns.eventbridge.aliyuncs.com",
                        "sendevent-sms.eventbridge.aliyuncs.com",
                        "sendevent-directmail.eventbridge.aliyuncs.com",
                        "source-rocketmq.eventbridge.aliyuncs.com",
                        "source-mns.eventbridge.aliyuncs.com",
                        "source-cms.eventbridge.aliyuncs.com",
                        "source-mqtt.eventbridge.aliyuncs.com",
                        "source-sls.eventbridge.aliyuncs.com",
                        "sendevent-sae.eventbridge.aliyuncs.com",
                        "sendevent-rocketmq.eventbridge.aliyuncs.com",
                        "connect-vpc.eventbridge.aliyuncs.com",
                        "source-actiontrail.eventbridge.aliyuncs.com",
                        "source-rabbitmq.eventbridge.aliyuncs.com",
                        "sendevent-rabbitmq.eventbridge.aliyuncs.com",
                        "source-kafka.eventbridge.aliyuncs.com",
                        "sendevent-kafka.eventbridge.aliyuncs.com",
                        "sendevent-rds.eventbridge.aliyuncs.com",
                        "sendevent-arms.eventbridge.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
Note: Replace Alibaba Cloud account ID in the Resource element with the ID of your Alibaba Cloud account. You can also remove from the ram:ServiceName list the services that the RAM user does not work with, so that the user can create only the service-linked roles it actually needs.
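
The FAQ policy authorizes the creation of every EventBridge service-linked role. The following added example (not from this page and not Alibaba Cloud tooling) builds the same policy for only the roles a given RAM user needs, refuses the unreplaced "Alibaba Cloud account ID" placeholder, and can also read back which roles an existing policy permits a principal to create. The 16-digit account ID format is this example's assumption.

```python
"""Build a scoped ram:CreateServiceLinkedRole policy for a RAM user.

Added example, not Alibaba Cloud's own tooling. The ServiceName values are
those listed in the FAQ policy on this page; the 16-digit account ID check is
this example's assumption about the Alibaba Cloud account ID format.
"""
import json
import re
from typing import Iterable, List

EVENTBRIDGE_SERVICE_NAMES = frozenset({
    "sendevent-fc.eventbridge.aliyuncs.com",
    "sendevent-mns.eventbridge.aliyuncs.com",
    "sendevent-sms.eventbridge.aliyuncs.com",
    "sendevent-directmail.eventbridge.aliyuncs.com",
    "source-rocketmq.eventbridge.aliyuncs.com",
    "source-mns.eventbridge.aliyuncs.com",
    "source-cms.eventbridge.aliyuncs.com",
    "source-mqtt.eventbridge.aliyuncs.com",
    "source-sls.eventbridge.aliyuncs.com",
    "sendevent-sae.eventbridge.aliyuncs.com",
    "sendevent-rocketmq.eventbridge.aliyuncs.com",
    "connect-vpc.eventbridge.aliyuncs.com",
    "source-actiontrail.eventbridge.aliyuncs.com",
    "source-rabbitmq.eventbridge.aliyuncs.com",
    "sendevent-rabbitmq.eventbridge.aliyuncs.com",
    "source-kafka.eventbridge.aliyuncs.com",
    "sendevent-kafka.eventbridge.aliyuncs.com",
    "sendevent-rds.eventbridge.aliyuncs.com",
    "sendevent-arms.eventbridge.aliyuncs.com",
})

_ACCOUNT_ID = re.compile(r"\d{16}")  # assumption: account IDs are 16 decimal digits


def build_create_slr_policy(account_id: str, service_names: Iterable[str]) -> dict:
    """Policy allowing creation of only the listed EventBridge service-linked roles."""
    if not _ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("account_id must be the 16-digit Alibaba Cloud account ID; "
                         "the FAQ placeholder text was not replaced")
    names: List[str] = sorted(set(service_names))
    if not names:
        raise ValueError("at least one ram:ServiceName is required")
    unknown = [n for n in names if n not in EVENTBRIDGE_SERVICE_NAMES]
    if unknown:
        raise ValueError(f"not an EventBridge service-linked role ServiceName: {unknown}")
    return {
        "Version": "1",
        "Statement": [{
            "Action": "ram:CreateServiceLinkedRole",
            # Resource is pinned to this account so the policy cannot be reused elsewhere.
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": names}},
        }],
    }


def policy_text(account_id: str, service_names: Iterable[str]) -> str:
    """JSON ready to paste into the RAM console as a custom policy."""
    return json.dumps(build_create_slr_policy(account_id, service_names), indent=4)


def allowed_service_names(policy: dict) -> List[str]:
    """Read back which service-linked roles a policy lets the principal create.

    Returns ["*"] if CreateServiceLinkedRole (or a wildcard covering it) is
    allowed without a ram:ServiceName condition.
    """
    names: List[str] = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        grants_create = any(a in ("*", "ram:*", "ram:CreateServiceLinkedRole") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_create:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if cond is None:
            return ["*"]
        names.extend(cond if isinstance(cond, list) else [cond])
    return sorted(set(names))


if __name__ == "__main__":
    # A user who only manages Function Compute targets and MNS sources.
    print(policy_text("1234567890123456", ["sendevent-fc.eventbridge.aliyuncs.com",
                                           "source-mns.eventbridge.aliyuncs.com"]))
```

The read-back function is useful when reviewing an existing RAM user: a policy that allows ram:CreateServiceLinkedRole without a ram:ServiceName condition lets that user create service-linked roles for any Alibaba Cloud service, not just EventBridge.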

If the service-linked role is still not automatically created for your RAM user after you grant this permission, attach the AliyunEventBridgeFullAccess policy to the RAM user. Note that AliyunEventBridgeFullAccess grants far more than the permission to create service-linked roles, so use it only when the custom policy above is not sufficient. For more information about policies, see Policies.