NAS automatically creates service-linked roles when you enable specific features. This enables NAS to access other Alibaba Cloud services, such as ECS and VPC, eliminating the need to configure permissions manually.
How it works
A service-linked role is a type of Resource Access Management (RAM) role where the trusted entity is an Alibaba Cloud service. NAS uses this role to access other cloud services and resources on your behalf, so you do not need to configure permissions manually.
Typically, NAS creates the required role for you when it is needed. If the role cannot be created automatically, or if NAS does not support automatic creation for that role, you must create the role manually.
Each service-linked role maps to a system policy that is managed by RAM. You cannot modify this policy. To view the policy content, go to the role details page in the RAM console.
For more information, see service-linked roles.
Use cases
NAS automatically creates a specific service-linked role depending on the feature you use:
| Role | Trigger | Accessed services |
| --- | --- | --- |
| AliyunServiceRoleForNasStandard | When you create a mount target in the classic network for a general-purpose NAS file system. | ECS: Queries resource lists to authenticate access. |
| AliyunServiceRoleForNasExtreme | When you create a mount target for an Extreme NAS file system. | VPC and ECS |
| AliyunServiceRoleForNasEncryption | When you create a KMS-encrypted file system. | KMS: Retrieves key information and adds tags to prevent accidental deletion. |
| AliyunServiceRoleForNasLogDelivery | When you enable the NAS log analysis feature. | Log Service: Creates a project and Logstore to store logs. |
| AliyunServiceRoleForNasBackup | When you enable the file backup feature for a general-purpose file system. | Cloud Backup (HBR): Activates the service and creates a backup plan. |
| AliyunServiceRoleForNasEcsHandler | When you use the one-click mount feature in the NAS console. | Cloud Assistant: Runs commands on ECS instances to mount or unmount file systems and query the mount status. |
For more information, see service-linked roles.
Permissions
The permissions for the NAS service-linked roles are as follows:
Permissions required for RAM users
By default, a RAM user lacks the permission to create or delete service-linked roles. To grant these permissions, contact an administrator to attach the AliyunNASFullAccess policy to the RAM user, or add the following permissions to the Action statement in a custom policy:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For detailed instructions on how to grant permissions, see Permissions required to manage a service-linked role.
View a service-linked role
Search for a service-linked role, such as AliyunServiceRoleForNasStandard, on the Roles page of the RAM console. The role details page displays the following information:
Basic information
In the Basic information section, you can view the role's name, creation time, ARN, and description.
Policy
On the Permissions tab, click the policy name to view the policy and the cloud resources that the role can access.
Trust policy
On the Trust policy tab, view the trust policy. A trust policy defines which trusted entities can assume the role. The trusted entity for a service-linked role is an Alibaba Cloud service, which you can identify by the Service field in the policy.
For detailed instructions on how to view a service-linked role, see View the information about a RAM role.
Delete a service-linked role
If you no longer use a feature that requires a service-linked role, we recommend that you delete that role. For example, if you no longer create KMS-encrypted file systems, you can delete the AliyunServiceRoleForNasEncryption role. Before deleting the role, you must first delete any associated file system instances. For more information, see Delete a file system and Delete a service-linked role.
After you delete a service-linked role, its dependent features no longer work. Proceed with caution.
FAQ
Why can't my RAM user automatically create a NAS service-linked role?
By default, a RAM user lacks permission to create service-linked roles. To grant this permission, attach the following policy to the RAM user. In the policy, replace YOUR_ALIBABA_CLOUD_ACCOUNT_ID with your Alibaba Cloud account ID. For detailed instructions, see Create a custom policy.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:YOUR_ALIBABA_CLOUD_ACCOUNT_ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "standard.nas.aliyuncs.com",
            "extreme.nas.aliyuncs.com",
            "encryption.nas.aliyuncs.com",
            "logdelivery.nas.aliyuncs.com",
            "ecs-handler.nas.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
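The value of the policy above lies in its Condition block: without the ram:ServiceName restriction, the RAM user could create service-linked roles for any Alibaba Cloud service, and a Resource of "*" would drop the account scoping as well. The following audit helper is an added example, not code from the Alibaba Cloud documentation or any Alibaba Cloud SDK. It reads a policy document in the JSON shape shown on this page and reports statements that grant ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole without the NAS service-name condition or without account-scoped resources; it also extracts the Service principals from a role's trust policy, which is the field the "Trust policy" section above tells you to inspect. The account ID and both sample policies are constructed for the example.

```python
"""Audit helper for RAM policies that govern NAS service-linked roles.

Added example; not part of the Alibaba Cloud documentation or SDK.
Works offline on policy JSON in the shape shown on this page.
"""
import json

# NAS service names accepted in the ram:ServiceName condition (from the page).
NAS_SERVICE_NAMES = {
    "standard.nas.aliyuncs.com",
    "extreme.nas.aliyuncs.com",
    "encryption.nas.aliyuncs.com",
    "logdelivery.nas.aliyuncs.com",
    "ecs-handler.nas.aliyuncs.com",
}

# Actions the page lists as needed to manage service-linked roles.
SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_slr_policy(policy_json, expected_account_id, allowed_services=NAS_SERVICE_NAMES):
    """Return findings for Allow statements that grant service-linked-role actions.

    A statement is well scoped when its StringEquals condition on
    ram:ServiceName names only NAS services and every Resource is bound to
    the expected account rather than being a bare wildcard.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        wildcard = "ram:*" in actions or "*" in actions
        if not (actions & SLR_ACTIONS) and not wildcard:
            continue  # statement does not touch service-linked roles
        if wildcard:
            findings.append(f"statement {idx}: wildcard action grants service-linked-role management")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        services = set(_as_list(condition.get("ram:ServiceName")))
        if not services:
            findings.append(f"statement {idx}: no ram:ServiceName condition; any service-linked role may be managed")
        elif not services <= allowed_services:
            extra = sorted(services - allowed_services)
            findings.append(f"statement {idx}: ram:ServiceName allows non-NAS services: {extra}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*" or f":{expected_account_id}:" not in res:
                findings.append(f"statement {idx}: resource {res!r} is not scoped to account {expected_account_id}")
    return findings


def trusted_services(trust_policy_json):
    """Return the Service principals allowed to assume the role (the Service field)."""
    policy = json.loads(trust_policy_json)
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services.update(_as_list(principal.get("Service")))
    return services


# Constructed sample: the page's policy with a constructed account ID filled in.
ACCOUNT_ID = "123456789012345678"  # constructed, not a real account
SCOPED_POLICY = json.dumps({
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": sorted(NAS_SERVICE_NAMES)}},
    }],
    "Version": "1",
})

# Constructed sample: the weak variant without the condition and with a wildcard resource.
BROAD_POLICY = json.dumps({
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
        "Resource": "*",
        "Effect": "Allow",
    }],
    "Version": "1",
})

# Constructed sample trust policy in the shape a service-linked role carries.
TRUST_POLICY = json.dumps({
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["standard.nas.aliyuncs.com"]},
    }],
    "Version": "1",
})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_slr_policy(doc, ACCOUNT_ID) or "OK")
    print("trusted services:", sorted(trusted_services(TRUST_POLICY)))
```

Running the script reports no findings for the scoped policy and two for the broad one (missing ram:ServiceName condition, unscoped resource). The same check can be applied to any custom policy exported from the RAM console before it is attached to a RAM user.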