This topic describes the background information, policies, precautions, and FAQ about the service-linked roles for Message Queue for Apache RocketMQ.

Background information

An Alibaba Cloud service may require access to other Alibaba Cloud services to enable a feature. In this case, you can assign a service-linked role to the Alibaba Cloud service to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. The first time you use the feature in the console of the Alibaba Cloud service, the system automatically creates the service-linked role and notifies you that the service-linked role is created. For more information about the service-linked roles, see Service-linked roles.

Message Queue for Apache RocketMQ provides the AliyunServiceRoleForOns service-linked role. Message Queue for Apache RocketMQ can assume the role to obtain the following permissions:
  • Access CloudMonitor to enable the monitoring and alerting feature. For more information about the monitoring and alerting feature, see Monitoring and alerting.
  • Access Prometheus Service of Application Real-Time Monitoring Service (ARMS) to enable the dashboard feature. For more information about the dashboard feature, see Dashboard.

Policy content

AliyunServiceRoleForOns
The following sample code shows the AliyunServiceRolePolicyForOns policy that is attached to the AliyunServiceRoleForOns service-linked role:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cms:DescribeMetricRuleList",
                "cms:DescribeMetricList",
                "cms:DescribeMetricData"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "arms:OpenVCluster",
                "arms:ListDashboards",
                "arms:CheckServiceStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ons.aliyuncs.com"
                }
            }
        }
    ]
}

Precautions

If you delete a service-linked role that is automatically created by the system, you can no longer use the related feature due to insufficient permissions. Exercise caution when you delete a service-linked role. For more information about how to create the service-linked role again and grant permissions to the service-linked role, see Create a RAM role for a trusted Alibaba Cloud service and Grant permissions to a RAM role.

For more information about how to delete a service-linked role, see Delete a service-linked role.

FAQ

Why is my RAM user unable to automatically create the AliyunServiceRoleForOns service-linked role for Message Queue for Apache RocketMQ?

If the service-linked role is created for your Alibaba Cloud account, your RAM user inherits the service-linked role of your Alibaba Cloud account. If your RAM user does not inherit the role, log on to the RAM console and add the following permission policy: 

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName":  "ons.aliyuncs.com"    
                }
            }
        }
    ],
    "Version": "1"
}
Note Replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account.

If your RAM user cannot automatically create the service-linked role after the policy is attached to the RAM user, attach one of the following policies to the RAM user:

  • AliyunMQFullAccess
  • AliyunMQPubOnlyAccess
  • AliyunMQSubOnlyAccess

For more information about the policy, see System policy.