When DataService Studio for IoT Platform ingests data from cloud product data sources, service-linked roles (SLRs) are required for both Alibaba Cloud accounts and RAM users.
Background information
For more information, see Service-linked roles.
Usage notes
IoT Platform allows you to sync data files from OSS Buckets to custom storage tables in DataService Studio.
To sync data from an OSS Bucket, DataService Studio requires access permissions to your OSS resources.
- When you log on to IoT Platform with an Alibaba Cloud account, an SLR is created automatically. For more information about the role, see the "Alibaba Cloud account role" section in this topic.
  The SLR, AliyunServiceRoleForIoTCloudSource, is created when you add a cloud product data source. For more information, see Create a cloud product data source.
- When you log on to IoT Platform as a RAM user, an SLR cannot be automatically created and associated with an access policy. You must manually create an access policy and grant the required permissions to the RAM user. For specific instructions, see the "RAM user permissions" section in this topic.
Using the Alibaba Cloud account role
Role description
- Role name: AliyunServiceRoleForIoTCloudSource.
- Role access policy: AliyunServiceRolePolicyForIoTCloudSource.
- Policy content:
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:GetObject",
          "oss:ListBuckets",
          "oss:ListObjects"
        ],
        "Resource": [
          "*"
        ],
        "Condition": {}
      },
      {
        "Action": "ram:DeleteServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": "iot-cloud-source.iot.aliyuncs.com"
          }
        }
      }
    ]
  }
Delete the role
If you no longer need to sync data from your OSS Bucket to DataService Studio for IoT Platform, delete the service-linked role AliyunServiceRoleForIoTCloudSource.
- Delete all cloud product data source sync tasks from DataService Studio in all IoT Platform instances under your account.
  For more information, see Delete a cloud product data source.
- In the RAM console, delete the service-linked role AliyunServiceRoleForIoTCloudSource.
  For more information, see Service-linked roles.
RAM user permissions
Grant access permissions to a RAM user
- Create a custom permission policy in script edit mode. Use a custom Name for the access policy, such as AliyunCreateSLRForIoTCloudSource. The policy content is as follows.
  {
    "Version": "1",
    "Statement": [
      {
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": "iot-cloud-source.iot.aliyuncs.com"
          }
        }
      }
    ]
  }
- Grant permissions to a RAM user. Add the AliyunCreateSLRForIoTCloudSource permission to the specified RAM user.
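The following Python check is an added example, not part of the Alibaba Cloud documentation. It audits a RAM policy document before you attach it: service-linked-role actions must be pinned to the ram:ServiceName value used on this page, and any other Allow statement that covers every resource with no condition is reported. The function name, the finding strings and LOOSE_POLICY are this example's own; the other two policies are copied from this page.

```python
import json

# Service name and action names are taken from the policies on this page.
EXPECTED_SERVICE = "iot-cloud-source.iot.aliyuncs.com"
SLR_ACTIONS = {"ram:createservicelinkedrole", "ram:deleteservicelinkedrole", "ram:*", "*"}

def _as_list(value):
    """RAM policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json, expected_service=EXPECTED_SERVICE):
    """Return findings (strings) for the Allow statements of a RAM policy document."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        condition = stmt.get("Condition") or {}
        slr = [a for a in actions if a.lower() in SLR_ACTIONS]
        if slr:
            # Role creation/deletion must be pinned to exactly one service name.
            pinned = _as_list(condition.get("StringEquals", {}).get("ram:ServiceName"))
            if pinned != [expected_service]:
                findings.append(f"statement {idx}: {', '.join(slr)} not limited to {expected_service}")
        elif "*" in _as_list(stmt.get("Resource")) and not condition:
            # Unconditioned access to every resource: report it so the scope is known.
            findings.append(f"statement {idx}: {', '.join(actions)} allowed on every resource")
    return findings

# Policy content of AliyunServiceRolePolicyForIoTCloudSource, as shown on this page.
SLR_POLICY = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListBuckets", "oss:ListObjects"],
   "Resource": ["*"], "Condition": {}},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "iot-cloud-source.iot.aliyuncs.com"}}}]}"""
# Custom policy for the RAM user, as shown on this page.
CUSTOM_POLICY = """{"Version": "1", "Statement": [
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "iot-cloud-source.iot.aliyuncs.com"}}}]}"""
# Constructed counter-example: the same action with the condition left out.
LOOSE_POLICY = """{"Version": "1", "Statement": [
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"}]}"""

if __name__ == "__main__":
    for name, doc in [("SLR", SLR_POLICY), ("custom", CUSTOM_POLICY), ("loose", LOOSE_POLICY)]:
        print(name, audit_policy(doc) or "no findings")
```

The custom policy passes unchanged; the finding on the service-linked role's policy reflects that its OSS read actions use Resource "*" with an empty Condition, so the role can read any bucket in the account.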
Revoke RAM user permissions
If you no longer need to sync data from your OSS Bucket to DataService Studio for IoT Platform, revoke the AliyunCreateSLRForIoTCloudSource access policy from the specified RAM user.
- In all IoT Platform instances that the RAM user can access, delete all cloud product data source sync tasks from DataService Studio.
  For more information, see Delete a cloud product data source.
- In the RAM console, revoke the AliyunCreateSLRForIoTCloudSource permission from the RAM user.
  For more information, see Revoke permissions from a RAM user.
- In the RAM console, delete the AliyunCreateSLRForIoTCloudSource access policy.
  For more information, see Delete a custom permission policy.