CloudOps Orchestration Service:Manage service-linked roles for OOS

Last Updated:Dec 28, 2023

This topic describes the scenarios in which service-linked roles are used for CloudOps Orchestration Service (OOS), including AliyunServiceRoleForOOSBandwidthScheduler, AliyunServiceRoleForOOSInstanceScheduler, AliyunServiceRoleForOOSExecutionDelivery, AliyunServiceRoleForOOSAppliactionManager, and AliyunServiceRoleForOOSSystemEventOperator. This topic also describes how to delete the service-linked roles for OOS.

Background information

A service-linked role for OOS is a Resource Access Management (RAM) role that OOS assumes to obtain access permissions on other Alibaba Cloud services. The AliyunServiceRoleForOOSBandwidthScheduler and AliyunServiceRoleForOOSInstanceScheduler roles are used to complete an OOS execution.

The AliyunServiceRoleForOOSExecutionDelivery role is used to deliver OOS execution records.

The AliyunServiceRoleForOOSAppliactionManager role is used to create or delete CloudMonitor application groups. For more information, see Service-linked roles.

Scenarios

To access Elastic Compute Service (ECS) resources to complete O&M tasks in OOS, such as starting or stopping instances as scheduled and temporarily upgrading instance bandwidth, you can use the AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler role that is automatically created by OOS to obtain the access permissions on ECS.

To access the resources of Log Service and Object Storage Service (OSS) to deliver OOS execution records, you can use the AliyunServiceRoleForOOSExecutionDelivery role that is automatically created by OOS to obtain the access permissions on Log Service and OSS.

To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, you can use the AliyunServiceRoleForOOSAppliactionManager role that is automatically created by OOS to obtain the access permissions on CloudMonitor.

AliyunServiceRoleForOOSInstanceScheduler

If the RAM role required for starting or shutting down an instance as scheduled does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSInstanceScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSInstanceSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to start or shut down the instance as scheduled.

Policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:StartInstance",
                "ecs:StopInstance",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForOOSBandwidthScheduler

If the RAM role required for temporarily upgrading the bandwidth of an instance does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSBandwidthScheduler. In addition, OOS attaches the AliyunServiceRoleForOOSBandwidthSchedulerPolicy policy to the service-linked role. OOS can assume this role to call the corresponding API operations to temporarily upgrade the bandwidth.

Policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:ModifyInstanceNetworkSpec",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForOOSExecutionDelivery

To access the resources of Log Service and OSS to deliver OOS execution records, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSExecutionDelivery to obtain the access permissions on Log Service and OSS.

Policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetBucketInfo",
        "log:GetProject",
        "log:GetLogStore",
        "log:CreateLogStore",
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "executiondelivery.oos.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForOOSAppliactionManager

To access CloudMonitor resources to automatically create or delete CloudMonitor application groups, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSAppliactionManager to obtain the access permissions on CloudMonitor.

Policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cms:CreateDynamicTagGroup",
                "cms:DescribeDynamicTagRuleList",
                "cms:DescribeMonitorGroups",
                "cms:DeleteDynamicTagGroup"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "applicationmanager.oos.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

AliyunServiceRoleForOOSSystemEventOperator

If the RAM role required to accept the default operation for a system event, and to authorize the system to perform that operation, does not exist, OOS automatically creates the service-linked role named AliyunServiceRoleForOOSSystemEventOperator. In addition, OOS attaches the AliyunServiceRolePolicyForOOSSystemEventOperator policy to the service-linked role. OOS can assume this role to call the corresponding API operations to accept the default operation for the system event and authorize the system to perform it.

Policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AcceptInquiredSystemEvent",
        "ecs:StopInstance",
        "ecs:DescribeInstances",
        "ecs:StartInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "systemeventoperator.oos.aliyuncs.com"
        }
      }
    }
  ]
}
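All of the policies above share the same RAM policy structure: a Statement list whose entries carry an Action (string or list), a Resource, an Effect, and optionally a Condition. Note that each DeleteServiceLinkedRole statement is scoped by a StringEquals condition on ram:ServiceName, so a role can only delete itself. The following is an added example, not Alibaba Cloud's own evaluation engine: a simplified evaluator that models only "*" wildcards and the StringEquals operator, applied to a copy of the AliyunServiceRoleForOOSExecutionDelivery policy and to the FAQ policy below with a constructed account ID (123456789012345) in place of the placeholder. It is useful for checking, before you grant or delete a role, which requests a policy actually permits.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the AliyunServiceRoleForOOSExecutionDelivery policy shown above,
# plus the FAQ policy with a constructed account ID in place of the placeholder.
EXECUTION_DELIVERY_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["oss:PutObject", "oss:GetBucketInfo", "log:GetProject",
                "log:GetLogStore", "log:CreateLogStore", "log:PostLogStoreLogs"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": "executiondelivery.oos.aliyuncs.com"}}}
  ]}""")
RAM_USER_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"],
                 "Resource": "acs:ram:*:123456789012345:role/*",
                 "Condition": {"StringEquals": {"ram:ServiceName": ["executiondelivery.oos.aliyuncs.com"]}}}]
}""")

def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]

def _conditions_met(condition, context):
    # Simplified: only StringEquals is modelled; every key must be present in the
    # request context and equal one of the listed values.
    return all(context.get(key) in _as_list(allowed)
               for key, allowed in condition.get("StringEquals", {}).items())

def is_allowed(policy, action, resource="*", context=None):
    """Simplified RAM decision: an explicit Deny wins, otherwise any matching Allow."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        if (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
                and _conditions_met(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision
```

Because the condition key must be present in the request context, a DeleteServiceLinkedRole request that names a different service (or no service at all) is refused, which is the property the conditioned statements above rely on.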

Delete service-linked roles for OOS

Before you can delete the AliyunServiceRoleForOOSBandwidthScheduler or AliyunServiceRoleForOOSInstanceScheduler role, you must cancel OOS executions that depend on the service-linked role for OOS. The AliyunServiceRoleForOOSExecutionDelivery and AliyunServiceRoleForOOSAppliactionManager roles can be directly deleted.

The following example shows how to delete the AliyunServiceRoleForOOSExecutionDelivery role:

Note

If you deliver OOS execution records and later want to delete the AliyunServiceRoleForOOSExecutionDelivery role for security purposes, be aware of the impact of deleting the role. After the AliyunServiceRoleForOOSExecutionDelivery role is deleted, OOS execution records within the current account cannot be delivered to OSS or Log Service.

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.

  2. On the Roles page, enter AliyunServiceRoleForOOSExecutionDelivery in the search box. The AliyunServiceRoleForOOSExecutionDelivery role is displayed.

  3. In the Actions column, click Delete.

  4. In the Delete Role message, click OK.

For more information about how to delete a service-linked role, see Service-linked roles.

FAQ

  1. Why am I unable to enable OOS to automatically create the service-linked role named AliyunServiceRoleForOOSExecutionDelivery when I log on as a RAM user?

    If you want OOS to automatically create or delete the AliyunServiceRoleForOOSExecutionDelivery role when you log on as a RAM user, you must grant the required permissions to the RAM user. In this case, you can attach the following policy to the RAM user:

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "executiondelivery.oos.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }