
ApsaraDB RDS: Service-linked roles

Last Updated: Mar 28, 2026

ApsaraDB RDS uses service-linked roles to access other Alibaba Cloud services on your behalf. Each role carries a predefined policy with the minimum permissions needed for specific features. This page covers the three service-linked roles that ApsaraDB RDS supports, including their permissions and how to delete them.

Role                                 Used for
AliyunServiceRoleForRds              ApsaraDB RDS for MySQL
AliyunServiceRoleForRdsPgsqlOnEcs    ApsaraDB RDS for PostgreSQL
AliyunServiceRoleForRDSProxyOnEcs    Database proxy feature of ApsaraDB RDS for PostgreSQL

A service-linked role is a RAM role. For background on RAM roles and service-linked roles, see Service-linked roles.

AliyunServiceRoleForRds

Attached policy: AliyunServiceRolePolicyForRds

Used for: ApsaraDB RDS for MySQL

Permissions

AliyunServiceRoleForRds policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DescribeKeyPairs",
                "ecs:ModifyImageSharePermission",
                "ecs:DescribeImages"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:AssociateEipAddress",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rds-ecs-service.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

You can create this role in the console when you create the database. For details, see Create a database.

Delete the role

Release all instances that depend on this role before deleting the role itself; the role cannot be deleted while resources still use it.

AliyunServiceRoleForRdsPgsqlOnEcs

Attached policy: AliyunServiceRolePolicyForRdsPgsqlOnEcs

Used for: ApsaraDB RDS for PostgreSQL

Permissions

AliyunServiceRoleForRdsPgsqlOnEcs policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Listkeys",
                "kms:Listaliases",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:UntagResource",
                "kms:TagResource",
                "kms:DescribeAccountKmsStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

You authorize the service-linked role (SLR) in the console when you create the RDS for PostgreSQL instance. For details, see Create an ApsaraDB RDS for PostgreSQL instance.

Delete the role

Release all instances associated with this role before deleting the role itself.

AliyunServiceRoleForRDSProxyOnEcs

Attached policy: AliyunServiceRolePolicyForRDSProxyOnEcs

Used for: Database proxy feature of ApsaraDB RDS for PostgreSQL

Permissions

AliyunServiceRoleForRDSProxyOnEcs policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rdsproxy-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}
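The three policies above grant most ECS and VPC actions on Resource "*" with no condition, and rely on two conditions for the sensitive parts: the ram:ServiceName condition lets each role delete only itself, and (in the PostgreSQL role) the kms:tag/acs:rds:instance-encryption condition lets the role call Encrypt, Decrypt and GenerateDataKey only on keys carrying that tag with the value true (compared case-insensitively). The following added example, which is my code and not Alibaba Cloud's policy engine, evaluates those statements against sample requests so you can see what each condition does and which unconditioned actions can change state. It models only what these policies use (Allow statements, Resource "*", case-insensitive action names, the operators StringEquals and StringEqualsIgnoreCase); the kms:tag/<tag-key> request-context convention and the sample key tags are assumptions, and the policy excerpt omits the unconditional ECS/VPC statements printed above.

```python
"""Added example: a minimal evaluator for the condition-bearing statements in
the service-linked role policies on this page.  This is not Alibaba Cloud's
policy engine.  It models only what these three policies use: Allow-only
statements, Resource "*", case-insensitive action names, and the condition
operators StringEquals and StringEqualsIgnoreCase.  The kms:tag/<tag-key>
request-context convention is assumed from the condition key in the policy."""
import fnmatch
import json

# Excerpt of AliyunServiceRolePolicyForRdsPgsqlOnEcs as printed on this page;
# the unconditional ECS/VPC statements are left out to keep the example short.
PGSQL_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["kms:Listkeys", "kms:DescribeKey", "kms:TagResource"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEqualsIgnoreCase":
                   {"kms:tag/acs:rds:instance-encryption": "true"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals":
                   {"ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}}}
  ]
}
""")

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator/key pair must match; a key absent from the request
    context fails the condition (the request cannot prove the tag is set)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in _as_list(expected)]
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, context=None):
    """True if some Allow statement names the action and its Condition holds."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def context_for_key(tags, **extra):
    """Request context for a KMS key: each key tag becomes kms:tag/<tag-key>
    (assumed convention, matching the condition key in the policy above)."""
    ctx = {f"kms:tag/{k}": v for k, v in tags.items()}
    ctx.update(extra)
    return ctx


def unconditioned_mutating_actions(policy):
    """Lint: actions that change state and are granted on Resource "*" with
    no Condition, i.e. the part of the role a reviewer should look at first."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[1]
            if not name.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    # Constructed sample keys: one tagged for RDS encryption, one not.
    rds_key = context_for_key({"acs:rds:instance-encryption": "True"})
    app_key = context_for_key({"app": "billing"})
    print("Decrypt with tagged key:  ", is_allowed(PGSQL_POLICY, "kms:Decrypt", rds_key))
    print("Decrypt with untagged key:", is_allowed(PGSQL_POLICY, "kms:Decrypt", app_key))
    print("DescribeKey, untagged key:", is_allowed(PGSQL_POLICY, "kms:DescribeKey", app_key))
    print("Delete own SLR:           ", is_allowed(PGSQL_POLICY, "ram:DeleteServiceLinkedRole",
                                                   {"ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}))
    print("Delete the MySQL SLR:     ", is_allowed(PGSQL_POLICY, "ram:DeleteServiceLinkedRole",
                                                   {"ram:ServiceName": "rds-ecs-service.rds.aliyuncs.com"}))
    print("Unconditioned writes:     ", unconditioned_mutating_actions(PGSQL_POLICY))
```

Two practical consequences follow from the evaluation. First, the role can read metadata of every key in the account but can only use keys tagged acs:rds:instance-encryption=true for cryptographic operations, so that tag should be set only on keys you intend RDS to use, and the role's own kms:TagResource permission is unconditioned, which is worth knowing when you review who can add that tag. Second, the lint applied to the full policies on this page flags the ECS security-group and network-interface actions in all three roles, and in the MySQL role additionally ecs:ModifyImageSharePermission and vpc:AssociateEipAddress, as state-changing actions granted on Resource "*" without conditions. Real RAM evaluation also honours explicit Deny statements and resource-level policies, which this example does not model.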

Create the role

You can create this role in the console when you enable the database proxy feature for your RDS instance. For details, see Enable the database proxy feature.

Delete the role

Disable the database proxy feature before deleting this role.

API reference

Use the CreateServiceLinkedRole operation to create a service-linked role programmatically.

Parameters

RegionId
    The ID of the region where the instance resides. Call DescribeRegions to get the list of available regions.
    Example: cn-hangzhou

ServiceLinkedRole
    The name of the service-linked role. Valid values: AliyunServiceRoleForRds, AliyunServiceRoleForRdsPgsqlOnEcs, AliyunServiceRoleForRDSProxyOnEcs.
    Example: AliyunServiceRoleForRdsPgsqlOnEcs