Model Studio uses service-linked roles (SLRs) to obtain the permissions it needs to access other Alibaba Cloud resources and services. The first time you authorize a related feature in Model Studio, the system automatically creates the corresponding service-linked role. This topic describes the service-linked roles and how to delete them.
Service-linked roles created by Model Studio
You can view all service-linked roles on the Roles page in the RAM console.
Name | Description |
AliyunServiceRoleForSFMAccessFC | Workflow applications use this role to access your resources in Function Compute (FC). |
AliyunServiceRoleForSFMDataHubOSSImport | Data Management uses this role to access your resources in Object Storage Service (OSS). |
AliyunServiceRoleForSFMAccessingMNS | Data Management uses this role to access Simple Message Queue (SMQ, formerly MNS) queues for OSS change messages. |
AliyunServiceRoleForSFMAccessFC
Scenarios
The Function Compute nodes in workflow applications use this role to access your resources in FC.
Role name and policy
Role name: AliyunServiceRoleForSFMAccessFC
System policy: AliyunServiceRolePolicyForSFMAccessFC
Policy description:
Resource Access Management (RAM) associates a system policy with each service-linked role. The policy cannot be modified.
{
  "Action": [
    "fc:ListFunctions",
    "fc:InvokeFunction"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Delete the role
After this role is deleted, workflow applications cannot create or use Function Compute nodes. Proceed with caution!
Before you delete AliyunServiceRoleForSFMAccessFC, you must delete all Function Compute nodes from published workflow applications and republish the workflows.
For instructions on how to delete the role, see Service-linked roles.
AliyunServiceRoleForSFMDataHubOSSImport
Scenarios
Data Management uses this service-linked role to access and import your data in OSS.
Role name and policy
Role name: AliyunServiceRoleForSFMDataHubOSSImport
System policy: AliyunServiceRolePolicyForSFMDataHubOSSImport
Policy description:
RAM associates a system policy with each service-linked role. The policy cannot be modified.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketLocation",
        "oss:GetBucketTagging"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:DoMetaQuery",
        "oss:GetBucketInfo",
        "oss:GetBucketStat",
        "oss:GetBucketTransferAcceleration",
        "oss:GetCnameToken",
        "oss:GetMetaQueryStatus",
        "oss:GetObject",
        "oss:GetObjectTagging",
        "oss:DescribeRegions",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/bailian-datahub-access": [
            "read"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "datahub.sfm.aliyuncs.com"
        }
      }
    }
  ]
}
Delete the role
After this role is deleted, Data Management will not be able to access your resources in OSS. Proceed with caution!
Before you delete AliyunServiceRoleForSFMDataHubOSSImport, make sure that no import task is in progress in Data Management.
For instructions on how to delete the role, see Service-linked roles.
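The tag condition in AliyunServiceRolePolicyForSFMDataHubOSSImport is what scopes object reads, so an audit question is which buckets currently satisfy it. The following is an added example, not Alibaba Cloud code: a simplified evaluator for the two OSS statements above, run over a constructed bucket inventory. The bucket names, the `INVENTORY` data, the function names, and the case-sensitive treatment of `StringEquals` are assumptions.

```python
# OSS statements of AliyunServiceRolePolicyForSFMDataHubOSSImport as shown on this page
# (the ram:DeleteServiceLinkedRole statement is omitted; it does not affect OSS access).
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["oss:ListBuckets", "oss:GetBucketLocation", "oss:GetBucketTagging"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["oss:DoMetaQuery", "oss:GetBucketInfo", "oss:GetBucketStat",
                "oss:GetBucketTransferAcceleration", "oss:GetCnameToken",
                "oss:GetMetaQueryStatus", "oss:GetObject", "oss:GetObjectTagging",
                "oss:DescribeRegions", "oss:ListObjects", "oss:ListObjectVersions"],
     "Condition": {"StringEquals": {"oss:BucketTag/bailian-datahub-access": ["read"]}}},
]}

def condition_holds(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled (the one used here)."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported operator: {operator}")
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if context.get(key) not in allowed:  # assumption: case-sensitive match
                return False
    return True

def allowed_actions(bucket_tags):
    """Sorted OSS actions the role is granted on a bucket carrying these tags."""
    context = {f"oss:BucketTag/{k}": v for k, v in bucket_tags.items()}
    granted = set()
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] == "Allow" and condition_holds(stmt.get("Condition", {}), context):
            granted.update(stmt["Action"])
    return sorted(granted)

def readable_buckets(inventory):
    """Buckets whose objects the role can read (oss:GetObject granted)."""
    return sorted(n for n, tags in inventory.items() if "oss:GetObject" in allowed_actions(tags))

# Constructed inventory: bucket name -> bucket tags (hypothetical names).
INVENTORY = {
    "kb-docs": {"bailian-datahub-access": "read"},
    "finance-exports": {"team": "finance"},
    "legacy-uploads": {"bailian-datahub-access": "Read"},  # value differs in case
    "scratch": {},
}

if __name__ == "__main__":
    print("object-readable:", readable_buckets(INVENTORY))
    print("untagged bucket:", allowed_actions(INVENTORY["scratch"]))
```

Untagged buckets remain visible to the role through the first statement (listing, location, and tags), so the tag gates object access, not bucket discovery. Because the tag is the only boundary, anyone who can write bucket tags decides which buckets the role can read.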
AliyunServiceRoleForSFMAccessingMNS
Scenarios
Data Management uses this role to access SMQ queues for OSS change messages to automatically synchronize changes of your data in OSS.
Role name and policy
Role name: AliyunServiceRoleForSFMAccessingMNS
System policy: AliyunServiceRolePolicyForSFMAccessingMNS
Policy description:
RAM associates a system policy with each service-linked role. The policy cannot be modified.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mns:GetQueueAttributes",
        "mns:GetSubscriptionAttributes",
        "mns:GetTopicAttributes",
        "mns:ListEventNotifications",
        "mns:GetAccountAttributes",
        "mns:ListEvents",
        "mns:ListProducts",
        "mns:ListQueue",
        "mns:ListSubscriptionByTopic",
        "mns:ListTagResources",
        "mns:ListTopic",
        "mns:ReceiveMessage",
        "mns:DeleteMessage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mns:CreateQueue",
        "mns:DeleteQueue",
        "mns:SetQueueAttributes"
      ],
      "Resource": "acs:mns:*:*:/queues/bailian-oss-event*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "mns-access.sfm.aliyuncs.com"
        }
      }
    }
  ]
}
Delete the role
This policy is defined and used by Model Studio only. Do not modify, delete, or grant this policy to any RAM user or role other than the service-linked role.