EventBridge uses Resource Access Management (RAM) service-linked roles to access other Alibaba Cloud services on your behalf. Each role is a predefined RAM role scoped to a specific integration. For example, a role might grant permission to invoke functions in Function Compute or publish messages to ApsaraMQ for RocketMQ.
Role summary
These roles are created automatically when needed. No manual setup is required. For more information about how service-linked roles work, see Service-linked roles.
EventBridge supports 17 service-linked roles, organized by function:
Event source roles
These roles grant EventBridge read access to pull events from upstream services.
| Role name | Integrated service | Purpose |
|---|---|---|
| AliyunServiceRoleForEventBridgeSourceRocketMQ | ApsaraMQ for RocketMQ | Access resources and subscribe to messages |
| AliyunServiceRoleForEventBridgeSourceRabbitMQ | ApsaraMQ for RabbitMQ | Access and consume messages from queues |
| AliyunServiceRoleForEventBridgeSourceKafka | ApsaraMQ for Kafka | List instances and SASL users |
| AliyunServiceRoleForEventBridgeSourceMqtt | ApsaraMQ for MQTT | Subscribe to messages |
| AliyunServiceRoleForEventBridgeSourceActionTrail | ActionTrail | Create and delete service trails |
| AliyunServiceRoleForEventBridgeSourceCMS | Cloud Monitor | Query system event data |
Event target roles
These roles grant EventBridge write access to deliver events to downstream services.
| Role name | Integrated service | Purpose |
|---|---|---|
| AliyunServiceRoleForEventBridgeSendToFC | Function Compute | Invoke functions and manage event sources |
| AliyunServiceRoleForEventBridgeSendToMNS | Simple Message Queue (formerly MNS) | Send and publish messages to queues and topics |
| AliyunServiceRoleForEventBridgeSendToSMS | Short Message Service | Send text messages |
| AliyunServiceRoleForEventBridgeSendToDirectMail | Direct Mail | Send emails |
| AliyunServiceRoleForEventBridgeSendToRocketMQ | ApsaraMQ for RocketMQ | Publish messages |
| AliyunServiceRoleForEventBridgeSendToRabbitMQ | ApsaraMQ for RabbitMQ | Publish messages |
| AliyunServiceRoleForEventBridgeSendToKafka | ApsaraMQ for Kafka | Publish messages |
| AliyunServiceRoleForEventBridgeSendToMqtt | ApsaraMQ for MQTT | Publish messages |
| AliyunServiceRoleForEventBridgeSendToRDS | ApsaraDB RDS | Deliver data to RDS instances |
| AliyunServiceRoleForEventBridgeSendToSAE | Serverless App Engine (SAE) | Run SAE jobs |
Infrastructure roles
| Role name | Integrated service | Purpose |
|---|---|---|
| AliyunServiceRoleForEventBridgeConnectVPC | Virtual Private Cloud (VPC) | Access VPC resources and manage network interfaces |
Policy details
Each service-linked role has an attached access policy that defines its allowed actions. Every policy also includes a conditional ram:DeleteServiceLinkedRole permission, scoped to the role's own service name.
AliyunServiceRoleForEventBridgeSendToFC
Grants permission to invoke functions in Function Compute.
Policy: AliyunServiceRolePolicyForEventBridgeSendToFC
{
"Version": "1",
"Statement": [
{
"Action": [
"fc:InvokeFunction",
"fc:ListServices",
"fc:ListFunctions",
"fc:ListServiceVersions",
"fc:ListAliases",
"fc:RegisterEventSource",
"fc:DeregisterEventSource",
"fc:ListEventSources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-fc.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToMNS
Grants permission to send and publish messages to Simple Message Queue (formerly MNS).
Policy: AliyunServiceRolePolicyForEventBridgeSendToMNS
{
"Version": "1",
"Statement": [
{
"Action": [
"mns:SendMessage",
"mns:GetQueueAttributes",
"mns:PublishMessage",
"mns:ListQueue",
"mns:ListTopic",
"mns:ReceiveMessage",
"mns:BatchReceiveMessage",
"mns:PeekMessage",
"mns:BatchPeekMessage",
"mns:ChangeMessageVisibility",
"mns:DeleteMessage"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-mns.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSMS
Grants permission to send text messages through Short Message Service.
Policy: AliyunServiceRolePolicyForEventBridgeSendToSMS
{
"Version": "1",
"Statement": [
{
"Action": [
"dysms:SendSms",
"dysms:SendBatchSms",
"dysms:QuerySendDetails",
"dysms:QuerySmsSign",
"dysms:QuerySmsTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToDirectMail
Grants permission to send emails through Direct Mail.
Policy: AliyunServiceRolePolicyForEventBridgeSendToDirectMail
{
"Version": "1",
"Statement": [
{
"Action": [
"dm:SingleSendMail",
"dm:BatchSendMail",
"dm:QueryMailAddressByParam"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-directmail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRocketMQ
Grants permission to access resources in ApsaraMQ for RocketMQ as an event source.
Policy: AliyunServiceRolePolicyForEventBridgeSourceRocketMQ
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:QueryInstanceBaseInfo",
"mq:QueryConsumerStatus",
"mq:SUB"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"source-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRocketMQ
Grants permission to publish messages to ApsaraMQ for RocketMQ.
Policy: AliyunServiceRolePolicyForEventBridgeSendToRocketMQ
{
"Version":"1",
"Statement":[
{
"Action":[
"mq:PUB",
"mq:QueryInstanceBaseInfo",
"mq:QueryTopicStatus",
"mq:QueryConsumerAccumulate",
"mq:QueryConsumerStatus"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rocketmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeConnectVPC
Grants permission to access VPC resources and manage elastic network interfaces (ENIs) for private network connectivity.
Policy: AliyunServiceRolePolicyForEventBridgeConnectVPC
{
"Version":"1",
"Statement":[
{
"Action":[
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":[
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"connect-vpc.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceActionTrail
Grants permission to create and delete service trails in ActionTrail.
Policy: AliyunServiceRolePolicyForEventBridgeSourceActionTrail
{
"Version": "1",
"Statement": [
{
"Action": [
"actiontrail:CreateServiceTrail",
"actiontrail:DeleteServiceTrail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-actiontrail.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceRabbitMQ
Grants permission to access resources in ApsaraMQ for RabbitMQ as an event source.
Policy: AliyunServiceRolePolicyForEventBridgeSourceRabbitMQ
{
"Version": "1",
"Statement": [
{
"Action": [
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:GetExchange",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicCancel",
"amqp:BasicConsume",
"amqp:BasicAck",
"amqp:BasicNack",
"amqp:BasicReject",
"amqp:QueuePurge",
"amqp:BasicGet"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRabbitMQ
Grants permission to publish messages to ApsaraMQ for RabbitMQ.
Policy: AliyunServiceRolePolicyForEventBridgeSendToRabbitMQ
{
"Version":"1",
"Statement":[
{
"Action":[
"amqp:ListInstance",
"amqp:ListVhost",
"amqp:ListExchange",
"amqp:GetVhost",
"amqp:CreateExchange",
"amqp:GetExchange",
"amqp:CreateQueue",
"amqp:GetQueue",
"amqp:BasicRecover",
"amqp:BasicPublish",
"amqp:BasicAck",
"amqp:BasicNack"
],
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"ram:DeleteServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":"sendevent-rabbitmq.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceKafka
Grants permission to access ApsaraMQ for Kafka as an event source.
Policy: AliyunServiceRolePolicyForEventBridgeSourceKafka
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToKafka
Grants permission to publish messages to ApsaraMQ for Kafka.
Policy: AliyunServiceRolePolicyForEventBridgeSendToKafka
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"alikafka:ListInstance",
"alikafka:ListSaslUser"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-kafka.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToRDS
Grants permission to deliver data to ApsaraDB RDS.
Policy: AliyunServiceRolePolicyForEventBridgeSendToRDS
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDatabases",
"rds:DescribeAccounts"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-rds.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceCMS
Grants permission to query system event data in Cloud Monitor.
Policy: AliyunServiceRolePolicyForEventBridgeSourceCMS
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cms:DescribeSystemEventAttribute",
"cms:DescribeSystemEventCount",
"cms:DescribeSystemEventHistogram"
],
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-cms.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToSAE
Grants permission to run jobs in Serverless App Engine (SAE).
Policy: AliyunServiceRolePolicyForEventBridgeSendToSAE
{
"Version": "1",
"Statement": [
{
"Action": [
"sae:ExecJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-sae.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSourceMqtt
Grants permission to subscribe to messages in ApsaraMQ for MQTT as an event source.
Policy: AliyunServiceRolePolicyForEventBridgeSourceMqtt
{
"Version": "1",
"Statement": [
{
"Action": [
"mq:SUB"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "source-mqtt.eventbridge.aliyuncs.com"
}
}
}
]
}
AliyunServiceRoleForEventBridgeSendToMqtt
Grants permission to publish messages to ApsaraMQ for MQTT.
Policy: AliyunServiceRolePolicyForEventBridgeSendToMqtt
{
"Version": "1",
"Statement": [
{
"Effect":"Allow",
"Action":[
"mq:MqttInstanceAccess"
],
"Resource": "*"
},
{
"Action": [
"mq:PUB"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "sendevent-mqtt.eventbridge.aliyuncs.com"
}
}
}
]
}
Delete a service-linked role
Deleting a service-linked role revokes the permissions EventBridge needs to deliver events to the corresponding service. Exercise caution when you delete service-linked roles.
To restore the integration, recreate the role. For instructions, see Create a service-linked role.
For deletion steps, see Delete a service-linked role.
FAQ
Why can't my RAM user automatically create a service-linked role?
A RAM user inherits the service-linked role from the Alibaba Cloud account. If a RAM user cannot automatically create a service-linked role, attach a custom policy to the RAM user through the RAM console. Use the following policy document:
{
"Version":"1",
"Statement":[
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"acs:ram:*:<Alibaba Cloud account ID>:role/*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName":[
"sendevent-fc.eventbridge.aliyuncs.com",
"sendevent-mns.eventbridge.aliyuncs.com",
"sendevent-sms.eventbridge.aliyuncs.com",
"sendevent-directmail.eventbridge.aliyuncs.com",
"source-rocketmq.eventbridge.aliyuncs.com",
"source-mns.eventbridge.aliyuncs.com",
"source-cms.eventbridge.aliyuncs.com",
"source-mqtt.eventbridge.aliyuncs.com",
"source-sls.eventbridge.aliyuncs.com",
"sendevent-sae.eventbridge.aliyuncs.com",
"sendevent-rocketmq.eventbridge.aliyuncs.com",
"connect-vpc.eventbridge.aliyuncs.com",
"source-actiontrail.eventbridge.aliyuncs.com",
"source-rabbitmq.eventbridge.aliyuncs.com",
"sendevent-rabbitmq.eventbridge.aliyuncs.com",
"source-kafka.eventbridge.aliyuncs.com",
"sendevent-kafka.eventbridge.aliyuncs.com",
"sendevent-rds.eventbridge.aliyuncs.com",
"sendevent-arms.eventbridge.aliyuncs.com",
"sendevent-mqtt.eventbridge.aliyuncs.com"
]
}
}
}
]
}
Replace <Alibaba Cloud account ID> with the actual ID of your Alibaba Cloud account.
If the RAM user still cannot create the role after you attach this policy, grant the AliyunEventBridgeFullAccess system policy to the RAM user instead. For details, see Access policies and examples.
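The following Python check is an added example, not part of the original documentation or of EventBridge itself. It audits a RAM policy document for the pattern described under Policy details and used in the FAQ policy: any Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole should carry a StringEquals condition on ram:ServiceName. The function names, the suffix check and the sample policies are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumption: EventBridge service names end with this suffix, as all names on this page do.
EB_SUFFIX = ".eventbridge.aliyuncs.com"
SLR_ACTIONS = ("ram:createservicelinkedrole", "ram:deleteservicelinkedrole")

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_slr_statements(policy_text):
    """Return (statement_index, problem) for Allow statements that grant a
    service-linked-role action without pinning ram:ServiceName to EventBridge."""
    findings = []
    statements = as_list(json.loads(policy_text).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(stmt.get("Action"))]
        # Action patterns may contain '*', so match them against the two target actions.
        if not any(fnmatchcase(t, p) for t in SLR_ACTIONS for p in patterns):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        names = as_list(equals.get("ram:ServiceName"))
        if not names:
            findings.append((idx, "no StringEquals condition on ram:ServiceName"))
        for name in names:
            if not name.endswith(EB_SUFFIX):
                findings.append((idx, "service name outside EventBridge: " + name))
    return findings

# Constructed samples. SCOPED is the FAQ policy cut down to two service names;
# UNSCOPED is the same grant with the condition removed and a wildcard action.
SCOPED = """{"Version": "1", "Statement": [{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
  "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": [
    "sendevent-fc.eventbridge.aliyuncs.com",
    "connect-vpc.eventbridge.aliyuncs.com"]}}}]}"""
UNSCOPED = """{"Version": "1", "Statement": [{
  "Action": "ram:*ServiceLinkedRole", "Resource": "*", "Effect": "Allow"}]}"""

if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(label, audit_slr_statements(doc))
```

Run it against custom policies attached to RAM users before granting them; an empty result means every service-linked-role grant in the document is limited to EventBridge service names.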