Manage the service-linked role for Operation Content and Result Delivery - Deployment & Maintenance| Alibaba Cloud Documentation Center

The Operation Content and Result Delivery feature provided by Cloud Assistant allows you to deliver O&M task execution records to specified Object Storage Service (OSS) buckets or Log Service Logstores for persistent storage. AliyunServiceRoleForECSArchiving is the Resource Access Management (RAM) service-linked role provided by Cloud Assistant for this feature to obtain access permissions on resources of other Alibaba Cloud services.

Background information

A service-linked role is a role that is linked to a service and includes the permissions required to call other services. For example, the AliyunServiceRoleForECSArchiving service-linked role includes the access permissions on Log Service and OSS resources that are required for the Operation Content and Result Delivery feature to deliver Cloud Assistant task execution records. For more information about service-linked roles, see Service-linked roles.

Create the AliyunServiceRoleForECSArchiving role

When you use the Operation Content and Result Delivery feature, the system checks whether the AliyunServiceRoleForECSArchiving role exists. If the role does not exist, the system creates the role. The AliyunServiceRolePolicyForECSArchiving policy is attached to the AliyunServiceRoleForECSArchiving role. Cloud Assistant can assume the role to take on the permissions of the role.

The policy attached to a service-linked role is predefined by the linked service. You cannot add, modify, or delete the policy. You can view policies attached to a role and policy details in the RAM console. For more information, see View the basic information about a RAM role and View the basic information about a policy. The following code shows the content of the AliyunServiceRoleForECSArchiving policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetBucketInfo",
        "log:GetProject",
        "log:GetLogStore",
        "log:CreateLogStore",
        "log:PostLogStoreLogs",
        "log:GetIndex",
        "log:CreateIndex"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "archiving.ecs.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the AliyunServiceRoleForECSArchiving role

If the AliyunServiceRoleForECSArchiving role within your account is no longer needed, you can manually delete the role.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
In the search box, enter AliyunServiceRoleForECSArchiving.
The AliyunServiceRoleForECSArchiving role is displayed in the search result.
In the Actions column, click Delete.
Click OK.
When the Operation Content and Result Delivery feature is enabled in one or more regions, the AliyunServiceRoleForECSArchiving role cannot be deleted and an error is reported if you attempt to delete the role. This prevents this role from being deleted by accident to ensure the availability of the Operation Content and Result Delivery feature. You can look into the error message for the regions in which the Operation Content and Result Delivery feature is enabled, as shown in the following figure. Then, you can disable the feature in the regions and try to delete the role again.

For more information about how to delete service-linked roles, see Delete the service-linked role AliyunServiceRoleForDAS.

FAQ

Why cannot the AliyunServiceRoleForECSArchiving role be automatically created when I use a RAM user?

If you want to log on to the ECS console as a RAM user to use the Operation Content and Result Delivery feature, you must first use your Alibaba Cloud account to create and attach a policy to grant the RAM user the required permissions. Then, the AliyunServiceRoleForECSArchiving role can be automatically created. For more information, see Grant permissions to a RAM user. The following code indicates the policy that you must create and attach to the RAM user:

Note Replace <account ID> with the ID of your Alibaba Cloud account.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}