Managed Service for OpenTelemetry: Service-linked role for Managed Service for OpenTelemetry

Last Updated:Mar 10, 2026

Managed Service for OpenTelemetry uses the AliyunServiceRoleForXtrace service-linked role to access other Alibaba Cloud services on your behalf. Alibaba Cloud describes the permissions attached to this Resource Access Management (RAM) role as the minimum required for the monitoring features to function. Review the policy statements below before you enable the feature: besides read-only Describe/Get/List actions, the role can scale and upgrade ACK clusters, change ECS security group rules, run Cloud Assistant commands on ECS instances, and create or delete SLS projects and Logstores, and most statements are granted on Resource "*".

For general information about service-linked roles, see Service-linked roles.

When this role is used

Managed Service for OpenTelemetry monitors applications that span multiple Alibaba Cloud services. To collect the required data, it automatically creates and assumes the AliyunServiceRoleForXtrace role to access the following services:

Service | Access scope
Container Service for Kubernetes (ACK) | Query cluster details and logs, update cluster tags, scale and upgrade clusters, attach instances, and install, update, or uninstall Kritis attestation components
Simple Log Service (SLS) | Create and manage projects, Logstores, indexes, dashboards, and machine groups for trace data storage
Elastic Compute Service (ECS) | Describe instances, disks, security groups, and network interfaces; add and revoke security group rules; run Cloud Assistant commands for agent deployment
Virtual Private Cloud (VPC) | Describe VPCs, vSwitches, elastic IP addresses (EIPs), and gateways for network topology discovery (read-only)
Server Load Balancer (SLB) | Describe load balancers, manage listener attributes, and configure access log settings

Permissions

The following sections list the exact permissions granted to the AliyunServiceRoleForXtrace role, grouped by service.

ACK permissions

These permissions allow the role to query Kubernetes cluster details and logs, and also to modify clusters: scale and upgrade them, attach instances, update tags, and install, update, or remove Kritis attestation components. The resource scope covers every cluster in the account.

Resource: acs:cs:*:*:cluster/*

{
  "Action": [
    "cs:ScaleCluster",
    "cs:GetClusterById",
    "cs:GetClusters",
    "cs:GetUserConfig",
    "cs:CheckKritisInstall",
    "cs:GetKritisAttestationAuthority",
    "cs:GetKritisGenericAttestationPolicy",
    "cs:AttachInstances",
    "cs:InstallKritis",
    "cs:InstallKritisAttestationAuthority",
    "cs:InstallKritisGenericAttestationPolicy",
    "cs:UpdateClusterTags",
    "cs:UninstallKritis",
    "cs:DeleteKritisAttestationAuthority",
    "cs:DeleteKritisGenericAttestationPolicy",
    "cs:UpdateKritisAttestationAuthority",
    "cs:UpdateKritisGenericAttestationPolicy",
    "cs:UpgradeCluster",
    "cs:GetClusterLogs"
  ],
  "Resource": "acs:cs:*:*:cluster/*",
  "Effect": "Allow"
}

SLS permissions

These permissions allow the role to create and manage log projects, Logstores, indexes, machine groups, consumer groups, dashboards, and saved searches for trace data ingestion and analysis. Because the resource is "*", the grant is not limited to the projects that Managed Service for OpenTelemetry creates; it applies to every SLS project in the account, including read access to their log contents (log:GetLogStoreLogs, log:PullLogs).

Resource: *

{
  "Action": [
    "log:CreateProject",
    "log:GetProject",
    "log:GetLogStoreLogs",
    "log:GetHistograms",
    "log:GetLogStoreHistogram",
    "log:GetLogStore",
    "log:ListLogStores",
    "log:EnableService",
    "log:DescribeService",
    "log:CreateLogStore",
    "log:DeleteLogStore",
    "log:UpdateLogStore",
    "log:GetCursorOrData",
    "log:GetCursor",
    "log:PullLogs",
    "log:ListShards",
    "log:PostLogStoreLogs",
    "log:CreateConfig",
    "log:UpdateConfig",
    "log:DeleteConfig",
    "log:GetConfig",
    "log:ListConfig",
    "log:CreateMachineGroup",
    "log:UpdateMachineGroup",
    "log:DeleteMachineGroup",
    "log:GetMachineGroup",
    "log:ListMachineGroup",
    "log:ListMachines",
    "log:ApplyConfigToGroup",
    "log:RemoveConfigFromGroup",
    "log:GetAppliedMachineGroups",
    "log:GetAppliedConfigs",
    "log:GetShipperStatus",
    "log:RetryShipperTask",
    "log:CreateConsumerGroup",
    "log:UpdateConsumerGroup",
    "log:DeleteConsumerGroup",
    "log:ListConsumerGroup",
    "log:UpdateCheckPoint",
    "log:HeartBeat",
    "log:GetCheckPoint",
    "log:CreateIndex",
    "log:DeleteIndex",
    "log:GetIndex",
    "log:UpdateIndex",
    "log:CreateSavedSearch",
    "log:UpdateSavedSearch",
    "log:GetSavedSearch",
    "log:DeleteSavedSearch",
    "log:ListSavedSearch",
    "log:CreateDashboard",
    "log:UpdateDashboard",
    "log:GetDashboard",
    "log:DeleteDashboard",
    "log:ListDashboard",
    "log:CreateJob",
    "log:UpdateJob"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

ECS permissions

These permissions allow the role to describe instances, disks, snapshots, images, security groups, network interfaces, and monitoring data across all ECS resources in the account. Several of them return sensitive material: ecs:DescribeUserdata (instance user data, which often carries bootstrap secrets), ecs:DescribeInstanceVncUrl, and ecs:DescribeInstanceRamRole. The role can also add and revoke security group rules (ecs:AuthorizeSecurityGroup, ecs:AuthorizeSecurityGroupEgress, ecs:RevokeSecurityGroup) and create, modify, and run Cloud Assistant commands for agent deployment, which amounts to command execution on any instance that has Cloud Assistant installed.

Resource: *

{
  "Action": [
    "ecs:DescribeInstanceAutoRenewAttribute",
    "ecs:DescribeInstances",
    "ecs:DescribeInstanceStatus",
    "ecs:DescribeInstanceVncUrl",
    "ecs:DescribeSpotPriceHistory",
    "ecs:DescribeUserdata",
    "ecs:DescribeInstanceRamRole",
    "ecs:DescribeDisks",
    "ecs:DescribeSnapshots",
    "ecs:DescribeAutoSnapshotPolicy",
    "ecs:DescribeSnapshotLinks",
    "ecs:DescribeImages",
    "ecs:DescribeImageSharePermission",
    "ecs:DescribeClassicLinkInstances",
    "ecs:AuthorizeSecurityGroup",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:DescribeSecurityGroups",
    "ecs:AuthorizeSecurityGroupEgress",
    "ecs:DescribeSecurityGroupReferences",
    "ecs:RevokeSecurityGroup",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeTags",
    "ecs:DescribeRegions",
    "ecs:DescribeZones",
    "ecs:DescribeInstanceMonitorData",
    "ecs:DescribeEipMonitorData",
    "ecs:DescribeDiskMonitorData",
    "ecs:DescribeInstanceTypes",
    "ecs:DescribeInstanceTypeFamilies",
    "ecs:DescribeTasks",
    "ecs:DescribeTaskAttribute",
    "ecs:DescribeInstanceAttribute",
    "ecs:InvokeCommand",
    "ecs:CreateCommand",
    "ecs:StopInvocation",
    "ecs:DeleteCommand",
    "ecs:DescribeCommands",
    "ecs:DescribeInvocations",
    "ecs:DescribeInvocationResults",
    "ecs:ModifyCommand",
    "ecs:InstallCloudAssistant"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

VPC permissions

These permissions allow the role to describe VPCs, vSwitches, EIPs, router interfaces, Global Acceleration instances, VPN gateways, and NAT gateways for network topology discovery. All of them are read-only Describe actions.

Resource: *

{
  "Action": [
    "vpc:DescribeVpcs",
    "vpc:DescribeVSwitches",
    "vpc:DescribeEipAddresses",
    "vpc:DescribeRouterInterfaces",
    "vpc:DescribeGlobalAccelerationInstances",
    "vpc:DescribeVpnGateways",
    "vpc:DescribeNatGateways"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

SLB permissions

These permissions allow the role to describe load balancers, modify listener attributes (slb:SetLoadbalancerListenerAttributeEx), and set or delete access log download settings on any SLB instance in the account.

Resource: *

{
  "Action": [
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:SetLoadbalancerListenerAttributeEx",
    "slb:DescribeLoadbalancerListenersEx",
    "slb:SetAccessLogsDownloadAttribute",
    "slb:DeleteAccessLogsDownloadAttribute",
    "slb:DescribeAccessLogsDownloadAttribute"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
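The five statements above are easier to assess when the actions are sorted into read-only and state-changing ones and the wildcard resources are called out. The following script is an added example, not code from the Alibaba Cloud page or product: it takes a policy document in the same JSON shape as the statements above and reports, per service, the write actions, a hand-picked watchlist of reads that expose sensitive data (the watchlist is the editor's choice, not something the page states), and which services are granted on Resource "*". The embedded policy is a shortened excerpt of the role's statements, constructed here to keep the example small; paste the full statements in to audit the whole role.

```python
"""Audit the actions a RAM policy grants: read-only vs. state-changing,
sensitive reads, and statements that use a wildcard Resource."""
import json
from collections import defaultdict

# Shortened excerpt of the AliyunServiceRoleForXtrace statements (constructed
# test data); the real role grants many more actions per service.
POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["cs:ScaleCluster", "cs:GetClusters", "cs:UpgradeCluster",
                    "cs:InstallKritis", "cs:GetClusterLogs"],
         "Resource": "acs:cs:*:*:cluster/*", "Effect": "Allow"},
        {"Action": ["ecs:DescribeInstances", "ecs:DescribeUserdata",
                    "ecs:DescribeInstanceVncUrl", "ecs:AuthorizeSecurityGroup",
                    "ecs:RevokeSecurityGroup", "ecs:CreateCommand",
                    "ecs:InvokeCommand"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:CreateProject", "log:DeleteLogStore",
                    "log:GetLogStoreLogs"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["vpc:DescribeVpcs"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["slb:DescribeLoadBalancers",
                    "slb:SetLoadbalancerListenerAttributeEx"],
         "Resource": "*", "Effect": "Allow"},
    ],
})

# Verb prefixes treated as read-only. Anything else (Create, Delete, Update,
# Set, Authorize, Revoke, Install, Invoke, Scale, Upgrade, ...) is a write.
READ_VERBS = ("Describe", "Get", "List", "Check", "Pull")

# Read actions that return sensitive material and deserve a closer look even
# though they change nothing. Editor's watchlist, an assumption of this example.
SENSITIVE_READS = {
    "ecs:DescribeUserdata",         # user data frequently embeds secrets
    "ecs:DescribeInstanceVncUrl",   # console access to the instance
    "ecs:DescribeInstanceRamRole",  # which role the instance can assume
    "log:GetLogStoreLogs",          # raw log contents
    "cs:GetClusterLogs",
}


def classify_action(action: str) -> str:
    """Return 'read' or 'write' based on the verb after the service prefix."""
    service, _, verb = action.partition(":")
    if not service or not verb:
        raise ValueError(f"malformed action: {action!r}")
    return "read" if verb.startswith(READ_VERBS) else "write"


def audit(policy_json: str) -> dict:
    """Summarise the Allow statements of a policy document."""
    policy = json.loads(policy_json)
    report = {"writes": defaultdict(list), "sensitive_reads": [],
              "wildcard_services": set(), "total": 0}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", "*")
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            report["total"] += 1
            service = action.split(":", 1)[0]
            if classify_action(action) == "write":
                report["writes"][service].append(action)
            elif action in SENSITIVE_READS:
                report["sensitive_reads"].append(action)
            if "*" in resources:  # a bare "*" covers every resource in the account
                report["wildcard_services"].add(service)
    report["writes"] = dict(report["writes"])
    return report


def render(report: dict) -> str:
    """Human-readable summary of an audit() report."""
    lines = [f"{report['total']} actions allowed"]
    for service, acts in sorted(report["writes"].items()):
        lines.append(f"  {service}: {len(acts)} write action(s): {', '.join(acts)}")
    if report["sensitive_reads"]:
        lines.append("  sensitive reads: " + ", ".join(report["sensitive_reads"]))
    lines.append("  Resource '*' used for: "
                 + ", ".join(sorted(report["wildcard_services"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(POLICY_EXCERPT)))
```

The verb-prefix heuristic is deliberately conservative: anything that is not clearly a read is counted as a write, so actions such as log:HeartBeat or log:UpdateCheckPoint show up in the write list and can be dismissed by hand rather than silently passing. Note that the ACK statement's resource acs:cs:*:*:cluster/* is not a bare "*", so it is not flagged as a wildcard even though it still covers every cluster in the account.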

Delete the AliyunServiceRoleForXtrace role

After you enable the monitoring feature, you can delete the AliyunServiceRoleForXtrace role if it is no longer needed. Deleting this role revokes all cross-service access permissions, which means Managed Service for OpenTelemetry can no longer store or display data for the current account. Proceed with caution.

Note

Delete all Managed Service for OpenTelemetry applications in the current account before you delete the role. The deletion fails if any applications still exist.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForXtrace in the search box.

  4. Click Delete Role in the Actions column.

  5. In the Delete Role dialog box, enter the role name and click Delete Role.

FAQ

Why can't the system automatically create the AliyunServiceRoleForXtrace role for my RAM user?

Your RAM user lacks the ram:CreateServiceLinkedRole permission. Attach the following policy to your RAM user to grant it. The Condition limits the grant to the service-linked role of xtrace.aliyuncs.com, so the user cannot use it to create service-linked roles for other services; keep the Condition and the account-scoped Resource rather than granting ram:CreateServiceLinkedRole on "*".

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<your-alibaba-cloud-account-id>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "xtrace.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Replace <your-alibaba-cloud-account-id> with the ID of your Alibaba Cloud account. The policy is rejected or ineffective if the placeholder is left in place.
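Before attaching the policy above, it is worth checking that it really is pinned to one service and one account. The following script is an added example, not code from the page or from Alibaba Cloud: it inspects a RAM policy document for the ram:CreateServiceLinkedRole grant and reports anything that widens it (a leftover placeholder, a Resource that is not scoped to this account's roles, a missing ram:ServiceName condition, or extra service names). The account ID and the unscoped counter-example are constructed for the example.

```python
"""Verify that a RAM policy grants ram:CreateServiceLinkedRole only for one
service (ram:ServiceName condition) and only on one account's roles."""
import fnmatch
import json

ACTION = "ram:CreateServiceLinkedRole"
PLACEHOLDER = "<your-alibaba-cloud-account-id>"
ACCOUNT_ID = "123456789012345678"  # constructed placeholder, not a real account


def faq_policy(account_id: str) -> str:
    """The policy from the FAQ above, with the account ID substituted in."""
    return json.dumps({
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["xtrace.aliyuncs.com"]}},
        }],
        "Version": "1",
    })


# Constructed counter-example: the same grant with Resource "*" and no
# Condition, which lets the user create the service-linked role of any service.
UNSCOPED_POLICY = json.dumps({
    "Statement": [{"Action": "ram:CreateServiceLinkedRole",
                   "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
})


def _as_list(value):
    """RAM allows Action, Resource and condition values as string or list."""
    return [value] if isinstance(value, str) else list(value)


def check_slr_grant(policy_json: str,
                    expected_service: str = "xtrace.aliyuncs.com") -> list:
    """Return findings for the ram:CreateServiceLinkedRole grant. An empty list
    means the grant exists and is pinned to expected_service on one account."""
    findings = []
    granted = False
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Wildcards such as "ram:*" or "*" also cover the action.
        if not any(fnmatch.fnmatchcase(ACTION, pat) for pat in _as_list(stmt["Action"])):
            continue
        granted = True
        for res in _as_list(stmt.get("Resource", "*")):
            if PLACEHOLDER in res:
                findings.append(f"placeholder {PLACEHOLDER} was not replaced in Resource")
            elif res == "*":
                findings.append("Resource '*' is not limited to this account's RAM roles")
            else:
                # Expected shape: acs:ram:<region>:<account-id>:role/<name>
                parts = res.split(":")
                if len(parts) < 5 or parts[1] != "ram" or parts[3] in ("", "*"):
                    findings.append(f"Resource {res!r} is not pinned to one account's RAM roles")
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            findings.append("no ram:ServiceName condition: any service's linked role can be created")
        else:
            extra = set(_as_list(names)) - {expected_service}
            if extra:
                findings.append(f"ram:ServiceName also allows {sorted(extra)}")
    if not granted:
        findings.append(f"{ACTION} is not granted at all")
    return findings


if __name__ == "__main__":
    for label, doc in [("scoped", faq_policy(ACCOUNT_ID)),
                       ("placeholder left in", faq_policy(PLACEHOLDER)),
                       ("unscoped", UNSCOPED_POLICY)]:
        print(label, "->", check_slr_grant(doc) or "ok")
```

Only StringEquals on ram:ServiceName is recognised; a policy that expresses the restriction some other way is reported as unscoped, which errs on the side of a false alarm rather than a missed one.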