
Hybrid Backup Recovery: Service-linked roles for HBR

Last Updated: Aug 15, 2022

This topic describes the service-linked roles for Hybrid Backup Recovery (HBR) and how to delete these roles.

Background information

Some HBR features require access to other Alibaba Cloud services. To obtain the required permissions, HBR assumes service-linked roles. For more information, see Service-linked roles.

To access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Object Storage Service (OSS), Apsara File Storage NAS, or Cloud Storage Gateway (CSG), HBR must assume the corresponding service-linked role that is automatically created.

  • AliyunServiceRoleForHbrEcsBackup

    To implement the ECS backup feature, HBR must assume the AliyunServiceRoleForHbrEcsBackup role so that HBR can access ECS and VPC.

  • AliyunServiceRoleForHbrOssBackup

    To implement the OSS backup feature, HBR must assume the AliyunServiceRoleForHbrOssBackup role so that HBR can access OSS.

  • AliyunServiceRoleForHbrNasBackup

    To implement the NAS backup feature, HBR must assume the AliyunServiceRoleForHbrNasBackup role so that HBR can access NAS.

  • AliyunServiceRoleForHbrCsgBackup

    To implement the CSG backup feature, HBR must assume the AliyunServiceRoleForHbrCsgBackup role so that HBR can access CSG.

  • AliyunServiceRoleForHbrVaultEncryption

    To encrypt backup vaults by using Key Management Service (KMS), HBR must assume the AliyunServiceRoleForHbrVaultEncryption role so that HBR can access KMS.

  • AliyunServiceRoleForHbrOtsBackup

    To implement the Tablestore backup feature, HBR must assume the AliyunServiceRoleForHbrOtsBackup role so that HBR can access Tablestore.

  • AliyunServiceRoleForHbrCrossAccountBackup

    To implement the cross-account backup feature, HBR must assume the AliyunServiceRoleForHbrCrossAccountBackup role.

Permission policies

This section describes the permission policies that are attached to each service-linked role.

  • The following permission policies are attached to the AliyunServiceRoleForHbrEcsBackup role. After HBR assumes the role, HBR can access ECS.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunCommand",
            "ecs:CreateCommand",
            "ecs:InvokeCommand",
            "ecs:DeleteCommand",
            "ecs:DescribeCommands",
            "ecs:StopInvocation",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeInstances",
            "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInvocations"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:AttachInstanceRamRole",
            "ecs:DetachInstanceRamRole"
          ],
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:GetRole",
            "ram:GetPolicy",
            "ram:ListPoliciesForRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:CreateImage",
            "ecs:DeleteImage",
            "ecs:DescribeSnapshots",
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotLinks",
            "ecs:DescribeAvailableResource",
            "ecs:ModifyInstanceAttribute",
            "ecs:CreateInstance",
            "ecs:DeleteInstance",
            "ecs:AllocatePublicIpAddress",
            "ecs:CreateDisk",
            "ecs:DescribeDisks",
            "ecs:AttachDisk",
            "ecs:DetachDisk",
            "ecs:DeleteDisk",
            "ecs:ResetDisk",
            "ecs:StartInstance",
            "ecs:StopInstance",
            "ecs:ReplaceSystemDisk",
            "ecs:ModifyResourceMeta"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrEcsBackup role. After HBR assumes the role, HBR can access VPC.

    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrOssBackup role. After HBR assumes the role, HBR can access OSS.

    {
      "Action": [
        "oss:ListObjects",
        "oss:HeadBucket",
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:GetObject",
        "oss:AppendObject",
        "oss:GetObjectMeta",
        "oss:PutObjectACL",
        "oss:GetObjectACL",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrNasBackup role. After HBR assumes the role, HBR can access NAS.

    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:CreateMountTargetSpecial",
        "nas:DeleteMountTargetSpecial",
        "nas:CreateMountTarget",
        "nas:DeleteMountTarget",
        "nas:DescribeMountTargets",
        "nas:DescribeAccessGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrCsgBackup role. After HBR assumes the role, HBR can access CSG.

    {
      "Action": [
        "hcs-sgw:DescribeGateways"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrVaultEncryption role. After HBR assumes the role, HBR can access KMS.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vaultencryption.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrOtsBackup role. After HBR assumes the role, HBR can access Tablestore.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "otsbackup.hbr.aliyuncs.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ots:ListTable",
            "ots:CreateTable",
            "ots:UpdateTable",
            "ots:DescribeTable",
            "ots:BatchWriteRow",
            "ots:CreateTunnel",
            "ots:DeleteTunnel",
            "ots:ListTunnel",
            "ots:DescribeTunnel",
            "ots:ConsumeTunnel",
            "ots:GetRange",
            "ots:ListStream",
            "ots:DescribeStream"
          ],
          "Resource": "*"
        }
      ]
    }

  • The following permission policies are attached to the AliyunServiceRoleForHbrCrossAccountBackup role. After HBR assumes the role, HBR can perform cross-account backup.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "crossbackup.hbr.aliyuncs.com"
            }
          }
        }
      ]
    }
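To review what these roles are allowed to do before enabling a feature, the following added example (not part of the Alibaba Cloud documentation) embeds a constructed subset of the statements quoted above and flags Allow statements that grant state-changing actions on every resource with no Condition, and ram:PassRole or sts:AssumeRole grants that carry no Condition. The verb list in MUTATING is an assumption made for illustration.

```python
import re

# Constructed sample: a subset of the AliyunServiceRoleForHbrEcsBackup and
# AliyunServiceRoleForHbrCrossAccountBackup statements quoted on this page.
SAMPLE_POLICIES = {
    "AliyunServiceRoleForHbrEcsBackup": {
        "Version": "1",
        "Statement": [
            {"Action": ["ecs:DescribeInstances", "ecs:CreateSnapshot",
                        "ecs:DeleteSnapshot", "ecs:DeleteInstance",
                        "ecs:ReplaceSystemDisk"],
             "Resource": "*", "Effect": "Allow"},
            {"Action": ["ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"],
             "Resource": ["acs:ecs:*:*:instance/*",
                          "acs:ram:*:*:role/aliyunecsaccessinghbrrole"],
             "Effect": "Allow"},
            {"Action": ["ram:PassRole"], "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"acs:Service": ["ecs.aliyuncs.com"]}}},
        ],
    },
    "AliyunServiceRoleForHbrCrossAccountBackup": {
        "Version": "1",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*"}],
    },
}

# Assumed verb list: actions that change or destroy state. Describe*/List*/Get*
# actions are read-only and are not flagged.
MUTATING = re.compile(r"^[a-z-]+:(Create|Delete|Put|Reset|Replace|Modify|Attach|"
                      r"Detach|Run|Invoke|Stop|Start|Allocate|Update|Batch)")
DELEGATING = {"ram:PassRole", "sts:AssumeRole"}


def _as_list(value):
    """RAM policies allow a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement index, finding, actions) tuples for one policy document."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        unscoped = "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt
        mutating = sorted(a for a in actions if MUTATING.match(a))
        if unscoped and mutating:
            findings.append((i, "mutating-on-any-resource", mutating))
        delegating = sorted(a for a in actions if a in DELEGATING)
        if delegating and "Condition" not in stmt:
            findings.append((i, "unconditional-delegation", delegating))
    return findings
```

Paste the full policy document from the RAM console into `review_policy` to see every statement that needs a second look; a finding is a prompt to confirm the feature actually needs that grant, not proof of a problem.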

Delete a service-linked role

You can delete a service-linked role that is no longer needed so that HBR does not keep permissions it no longer uses. For example, if you no longer use the ECS backup feature, you can delete the AliyunServiceRoleForHbrEcsBackup role.

Notice

  • Before you delete a service-linked role such as AliyunServiceRoleForHbrEcsBackup, AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, or AliyunServiceRoleForHbrCsgBackup, make sure that no backup vault exists within the current account. Otherwise, the role cannot be deleted.

  • Before you delete the AliyunServiceRoleForHbrVaultEncryption role, make sure that no KMS-encrypted backup vault exists within the current account. Otherwise, the role cannot be deleted.

To delete the AliyunServiceRoleForHbrEcsBackup role, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForHbrEcsBackup in the search box to find the role.

  4. Click Delete in the Actions column.

  5. In the Delete RAM Role dialog box, click OK.

To delete another service-linked role, such as AliyunServiceRoleForHbrOssBackup, AliyunServiceRoleForHbrNasBackup, AliyunServiceRoleForHbrCsgBackup, or AliyunServiceRoleForHbrVaultEncryption, follow the same steps and enter the corresponding role name in the search box.