ApsaraDB RDS:Service-linked roles

Last Updated:Nov 15, 2023

This topic describes the scenarios in which the service-linked roles supported by ApsaraDB RDS are used, the permissions that their attached policies grant, and how to create and delete the roles.

Background information

ApsaraDB RDS supports the following service-linked roles:

  • AliyunServiceRoleForRdsPgsqlOnEcs, which is used for ApsaraDB RDS for PostgreSQL

  • AliyunServiceRoleForRDSProxyOnEcs, which is used for the database proxy feature of ApsaraDB RDS for PostgreSQL

ApsaraDB RDS may require access to other Alibaba Cloud services to provide specific features. You can assign a service-linked role to ApsaraDB RDS to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a RAM role. For more information, see Service-linked roles.

Introduction to service-linked roles

AliyunServiceRoleForRdsPgsqlOnEcs

Name

AliyunServiceRoleForRdsPgsqlOnEcs

Attached policy

AliyunServiceRolePolicyForRdsPgsqlOnEcs

Permissions

AliyunServiceRoleForRdsPgsqlOnEcs policy document

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Listkeys",
                "kms:Listaliases",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:UntagResource",
                "kms:TagResource",
                "kms:DescribeAccountKmsStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the page that appears, click Create Role.

  4. In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Service and click Next.

  5. In the Configure Role step, set the Role Type parameter to Service Linked Role and the Select Service parameter to Cloud Relational Database Postgresql-OnEcs. Then, click OK.

Delete the role

Before you delete a service-linked role, you must release all instances that are associated with the service-linked role.

AliyunServiceRoleForRDSProxyOnEcs

Name

AliyunServiceRoleForRDSProxyOnEcs

Attached policy

AliyunServiceRolePolicyForRDSProxyOnEcs

Permissions

AliyunServiceRoleForRDSProxyOnEcs policy document

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rdsproxy-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}
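The Condition blocks are what keep the two policy documents above narrower than their "Resource": "*" wildcards suggest: the kms:Encrypt, kms:Decrypt and kms:GenerateDataKey grant in AliyunServiceRolePolicyForRdsPgsqlOnEcs applies only to KMS keys tagged acs:rds:instance-encryption=true, and each role may delete only its own service-linked role (matched on ram:ServiceName). The following added example, which is not Alibaba Cloud's code, is a small Python evaluator that applies these statements to constructed requests. It embeds abridged copies of both policies (the ECS and VPC statements, which carry no Condition, are left out), treats any request that no Allow statement matches as implicitly denied, and implements only the two condition operators the page uses.

```python
"""
Added example (not Alibaba Cloud code): evaluate the conditional Allow
statements of the two RDS service-linked role policies against requests.
"""
import fnmatch

# Constructed: abridged copies of the policies on this page. Statements
# without a Condition (ECS, VPC) are omitted for brevity.
PGSQL_ONECS_POLICY = {
    "Version": "1",
    "Statement": [
        {   # unconditional KMS read/tag permissions
            "Action": ["kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags",
                       "kms:DescribeKey", "kms:UntagResource", "kms:TagResource",
                       "kms:DescribeAccountKmsStatus"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {   # cryptographic use is limited to keys tagged for RDS encryption
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEqualsIgnoreCase": {
                "kms:tag/acs:rds:instance-encryption": "true"}},
        },
        {   # the role may delete only its own service-linked role
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {
                "ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}},
        },
    ],
}

RDSPROXY_ONECS_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {
                "ram:ServiceName": "rdsproxy-onecs.rds.aliyuncs.com"}},
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """All condition keys must match (AND). A key missing from the request
    context never matches, so a request without the tag is refused."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in _as_list(expected)]
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, context=None):
    """True if an Allow statement names the action (case-insensitive, with
    wildcards) and its Condition holds for the request context. Anything
    unmatched is implicitly denied. Resource is "*" in every statement on
    this page, so it is not evaluated here."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    tagged = {"kms:tag/acs:rds:instance-encryption": "True"}
    print("decrypt, tagged key   :", is_allowed(PGSQL_ONECS_POLICY, "kms:Decrypt", tagged))
    print("decrypt, untagged key :", is_allowed(PGSQL_ONECS_POLICY, "kms:Decrypt"))
    print("proxy role deleting pgsql role:",
          is_allowed(RDSPROXY_ONECS_POLICY, "ram:DeleteServiceLinkedRole",
                     {"ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}))
```

When reviewing a service-linked role's policy, the useful check is exactly this pairing: which actions are unconditional (the KMS read and tag operations, the ECS network-interface and security-group operations) and which depend on a tag or service name that the account owner controls. Removing the acs:rds:instance-encryption tag from a key is enough to withdraw the role's ability to decrypt with it, without editing the policy.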

Create the role

This service-linked role is used to authorize the database proxy feature of ApsaraDB RDS for PostgreSQL. You can create the role in the console when you enable the database proxy feature for your RDS instance. For more information, see Enable and configure the database proxy feature for an ApsaraDB RDS for PostgreSQL instance.

Delete the role

Before you delete a service-linked role, you must disable the database proxy feature that depends on the service-linked role.

Related operations

You can call the CreateServiceLinkedRole operation to create a service-linked role for an ApsaraDB RDS for PostgreSQL instance. The following list describes the required parameters.

RegionId
  Description: The ID of the region in which the instance resides. You can call the DescribeRegions operation to query the most recent region list.
  Example: cn-hangzhou

ServiceLinkedRole
  Description: The name of the service-linked role. Valid values:
    • AliyunServiceRoleForRdsPgsqlOnEcs: the service-linked role for ApsaraDB RDS for PostgreSQL.
    • AliyunServiceRoleForRDSProxyOnEcs: the service-linked role for the database proxy feature of ApsaraDB RDS for PostgreSQL.
  Example: AliyunServiceRoleForRdsPgsqlOnEcs