File Storage NAS:Service-linked roles for NAS

Last Updated:Apr 28, 2026

NAS automatically creates service-linked roles when you enable specific features. This enables NAS to access other Alibaba Cloud services, such as ECS and VPC, eliminating the need to configure permissions manually.

How it works

A service-linked role is a type of Resource Access Management (RAM) role where the trusted entity is an Alibaba Cloud service. NAS uses this role to access other cloud services and resources on your behalf, so you do not need to configure permissions manually.

Typically, NAS creates the required role for you when needed. If the role fails to create automatically, or if NAS does not support automatic creation for that role, you must create the role manually.

Each service-linked role maps to a system policy that is managed by RAM. You cannot modify this policy. To view the policy content, go to the role details page in the RAM console.

Note

For more information, see service-linked roles.

Use cases

NAS automatically creates a specific service-linked role depending on the feature you use:

AliyunServiceRoleForNasStandard
  Trigger: When you create a mount target in the classic network for a general-purpose NAS file system.
  Accessed services: ECS. Queries resource lists to authenticate access.

AliyunServiceRoleForNasExtreme
  Trigger: When you create a mount target for an Extreme NAS file system.
  Accessed services: VPC and ECS.

AliyunServiceRoleForNasEncryption
  Trigger: When you create a KMS-encrypted file system.
  Accessed services: KMS. Retrieves key information and adds tags to prevent accidental deletion.

AliyunServiceRoleForNasLogDelivery
  Trigger: When you enable the NAS log analysis feature.
  Accessed services: Log Service. Creates a project and Logstore to store logs.

AliyunServiceRoleForNasBackup
  Trigger: When you enable the file backup feature for a general-purpose file system.
  Accessed services: Cloud Backup (HBR). Activates the service and creates a backup plan.

AliyunServiceRoleForNasEcsHandler
  Trigger: When you use the one-click mount feature in the NAS console.
  Accessed services: Cloud Assistant. Runs commands on ECS instances to mount or unmount file systems and query the mount status.

Permissions

The permissions for the NAS service-linked roles are as follows:

AliyunServiceRoleForNasStandard

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasExtreme

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasEncryption

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Listkeys",
        "kms:Listaliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "acs:kms:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:*:*:*/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:nas:instance-encryption": "true"
        }
      }
    }
  ],
  "Version": "1"
}

AliyunServiceRoleForNasLogDelivery

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunServiceRoleForNasBackup

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "hbr:OpenHbrService",
        "hbr:CreateTrialBackupPlan"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "backup.nas.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nasbackup.hbr.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForNasEcsHandler

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecs-handler.nas.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/cmd-ACS-NAS-ClickMount-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Permissions required for RAM users

By default, a RAM user does not have permission to create or delete service-linked roles. To grant these permissions, ask an administrator to attach the AliyunNASFullAccess policy to the RAM user, or to add the following actions to the Action element of a custom policy:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For detailed instructions on how to grant permissions, see Permissions required to manage a service-linked role.

View a service-linked role

Search for a service-linked role, such as AliyunServiceRoleForNasStandard, on the Roles page of the RAM console. The role details page displays the following information:

  • Basic information

In the Basic information section, you can view the role's name, creation time, ARN, and description.

  • Policy

On the Permissions tab, click the policy name to view the policy and the cloud resources that the role can access.

  • Trust policy

On the Trust policy tab, view the trust policy. A trust policy defines which trusted entities can assume the role. The trusted entity for a service-linked role is an Alibaba Cloud service, which you can identify by the Service field in the policy.

For detailed instructions on how to view a service-linked role, see View the information about a RAM role.

Delete a service-linked role

If you no longer use a feature that requires a service-linked role, we recommend that you delete that role. For example, if you no longer create KMS-encrypted file systems, you can delete the AliyunServiceRoleForNasEncryption role. Before deleting the role, you must first delete any associated file system instances. For more information, see Delete a file system and Delete a service-linked role.

Important

After you delete a service-linked role, its dependent features no longer work. Proceed with caution.

FAQ

Why can't my RAM user automatically create a NAS service-linked role?

By default, a RAM user lacks permission to create service-linked roles. To grant this permission, attach the following policy to the RAM user. In the policy, replace YOUR_ALIBABA_CLOUD_ACCOUNT_ID with your Alibaba Cloud account ID. For detailed instructions, see Create a custom policy.

{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:YOUR_ALIBABA_CLOUD_ACCOUNT_ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "standard.nas.aliyuncs.com",
            "extreme.nas.aliyuncs.com",
            "encryption.nas.aliyuncs.com",
            "logdelivery.nas.aliyuncs.com",
            "ecs-handler.nas.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
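To see how the Condition in this policy gates which service-linked roles a RAM user can create (and how the tag condition in the AliyunServiceRoleForNasEncryption policy above works), here is an added Python example; it is not part of the Alibaba Cloud documentation or SDK. It is a deliberately simplified evaluator for RAM Allow statements that supports only the StringEquals and StringEqualsIgnoreCase operators used on this page, ignores explicit Deny, and uses a placeholder account ID.

```python
import fnmatch

# Constructed copy of the custom policy from the FAQ above; ACCOUNT_ID is a placeholder.
ACCOUNT_ID = "123456789012345678"
NAS_SLR_POLICY = {"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [
        "standard.nas.aliyuncs.com", "extreme.nas.aliyuncs.com",
        "encryption.nas.aliyuncs.com", "logdelivery.nas.aliyuncs.com",
        "ecs-handler.nas.aliyuncs.com"]}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """Evaluate the condition operators used on this page; anything else fails closed."""
    for op, keys in cond.items():
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None or op not in ("StringEquals", "StringEqualsIgnoreCase"):
                return False  # missing context key or unsupported operator: not satisfied
            fold = str.lower if op == "StringEqualsIgnoreCase" else str
            if fold(actual) not in [fold(w) for w in _as_list(wanted)]:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Simplified RAM evaluation: True if any Allow statement matches the action, the
    resource and its Condition. Actions compare case-insensitively; '*' is a glob."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False

if __name__ == "__main__":
    role_arn = f"acs:ram:*:{ACCOUNT_ID}:role/AliyunServiceRoleForNasBackup"
    # backup.nas.aliyuncs.com is the ServiceName in the NasBackup policy above but is not
    # listed in the FAQ policy, so this prints False: the user cannot create that role.
    print(is_allowed(NAS_SLR_POLICY, "ram:CreateServiceLinkedRole", role_arn,
                     {"ram:ServiceName": "backup.nas.aliyuncs.com"}))
```

Run it against your own custom policy (loaded with json.load) to confirm that each ram:ServiceName your features need is in the StringEquals list before a user reports that automatic role creation failed.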