
ApsaraDB for MongoDB: Service-linked Role

Last Updated: Mar 30, 2026

ApsaraDB for MongoDB uses a service-linked role to access other Alibaba Cloud services on your behalf. A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service, not an individual user or application. RAM attaches a system policy to each service-linked role automatically — you cannot modify this policy.

In most cases, the role is created automatically when you enable a feature that requires it. If automatic creation fails, create the role manually.

How it works

When you enable the audit log feature, ApsaraDB for MongoDB automatically creates the AliyunServiceRoleForMongoDB service-linked role. This role grants ApsaraDB for MongoDB access to Simple Log Service (SLS) resources needed to store and manage your audit logs.

The role has three key properties:

  • Role name: AliyunServiceRoleForMongoDB

  • Trusted service: ApsaraDB for MongoDB, shown in the Service field of the trust policy

  • Permissions policy: a system policy that grants access to SLS resources — viewable on the Permissions tab of the role details page

Important

After the role is created, ApsaraDB for MongoDB can access SLS on your behalf. This may result in charges from Simple Log Service.

Permissions required for RAM users

If your account is a RAM user, you need the AliyunMongoDBFullAccess permission, or a custom policy that includes the following actions:

Action                         Required for
ram:CreateServiceLinkedRole    Creating the service-linked role
ram:DeleteServiceLinkedRole    Deleting the service-linked role

For instructions on granting these permissions, see the "Permissions required to create and delete a service-linked role" section in Service-linked roles.
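
As an added example (not from Alibaba Cloud's documentation), the following Python check reviews a custom RAM policy for the two actions above and flags Allow statements that grant them without pinning the ram:ServiceName condition to the MongoDB service. The service name mongodb.aliyuncs.com and both sample policies are assumptions constructed for illustration; confirm the name against the Service field of the role's trust policy.

```python
from fnmatch import fnmatchcase

SLR_ACTIONS = ("ram:createservicelinkedrole", "ram:deleteservicelinkedrole")
# Assumption: the service name shown in the Service field of the trust policy.
EXPECTED_SERVICE = "mongodb.aliyuncs.com"

def _as_list(value):
    """RAM policy fields accept either one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def _granted(stmt):
    """Service-linked role actions covered by this statement's Action patterns."""
    patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
    return [a for a in SLR_ACTIONS if any(fnmatchcase(a, p) for p in patterns)]

def _pinned(stmt, service):
    """True if StringEquals ram:ServiceName limits the grant to `service` only."""
    for operator, keys in (stmt.get("Condition") or {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "ram:servicename":
                return [v.lower() for v in _as_list(value)] == [service]
    return False

def unscoped_slr_grants(policy, service=EXPECTED_SERVICE):
    """Return (statement index, actions) for Allow grants not pinned to `service`."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        actions = _granted(stmt) if stmt.get("Effect") == "Allow" else []
        if actions and not _pinned(stmt, service):
            findings.append((index, actions))
    return findings

# Constructed sample policies (not taken from any real account).
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]}
SCOPED = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
    "Resource": "*",
    "Condition": {"StringEquals": {"ram:ServiceName": "mongodb.aliyuncs.com"}}}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, unscoped_slr_grants(policy) or "ok")
```

A wildcard grant such as ram:* is reported because it lets the RAM user create or delete service-linked roles for any service, not only ApsaraDB for MongoDB.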

Create the service-linked role

The role is created automatically when you enable the audit log feature. No manual steps are needed in most cases.

If the role was not created automatically, create it manually using either of these methods:

View the service-linked role

After the role is created, find it on the Roles page in the RAM console by searching for AliyunServiceRoleForMongoDB. The role details page shows:

  • Basic information — role name, creation time, Alibaba Cloud Resource Name (ARN), and description

  • Permissions tab — the system policy content and the Alibaba Cloud resources the role can access

  • Trust Policy Management tab — the trust policy, including the Service field that identifies ApsaraDB for MongoDB as the trusted entity

For more details, see View the information about a RAM role.

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

Before deleting the role, release or unsubscribe from all ApsaraDB for MongoDB instances that use AliyunServiceRoleForMongoDB. See Release an instance for instructions.

After all dependent instances are released, delete the role in the RAM console. For step-by-step instructions, see Delete a RAM role.