ApsaraDB RDS: Service-linked roles

Last Updated: Aug 13, 2025

This topic describes the use cases for ApsaraDB RDS service-linked roles and explains how to delete them.

Background information

ApsaraDB RDS currently supports the following service-linked roles:

  • AliyunServiceRoleForRds: The service-linked role for ApsaraDB RDS for MySQL.

  • AliyunServiceRoleForRdsPgsqlOnEcs: The service-linked role for ApsaraDB RDS for PostgreSQL.

  • AliyunServiceRoleForRDSProxyOnEcs: The service-linked role for the database proxy of ApsaraDB RDS for PostgreSQL.

A service-linked role is a type of RAM role that ApsaraDB RDS uses to access other Alibaba Cloud services to provide certain features. For more information, see Service-linked roles.

Introduction to service-linked roles

AliyunServiceRoleForRds

Role name: AliyunServiceRoleForRds

Access policy: AliyunServiceRolePolicyForRds

Permissions (AliyunServiceRoleForRds policy):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DescribeKeyPairs",
                "ecs:ModifyImageSharePermission",
                "ecs:DescribeImages"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:AssociateEipAddress",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rds-ecs-service.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

This service-linked role authorizes ApsaraDB RDS for MySQL. When you create a database, you can follow the on-screen instructions in the console to create the role. For more information, see Create a database.

Delete the role

Before you delete this service-linked role, you must delete all databases that depend on the role.

  1. To delete an ApsaraDB RDS for MySQL database, see Delete a database.

  2. To delete the service-linked role, see Delete a service-linked role.

AliyunServiceRoleForRdsPgsqlOnEcs

Role name: AliyunServiceRoleForRdsPgsqlOnEcs

Access policy: AliyunServiceRolePolicyForRdsPgsqlOnEcs

Permissions (AliyunServiceRoleForRdsPgsqlOnEcs policy):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Listkeys",
                "kms:Listaliases",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:UntagResource",
                "kms:TagResource",
                "kms:DescribeAccountKmsStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}
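
To show how the Condition blocks in the policy above narrow its grants, the following added example (not part of the original documentation, and not RAM's actual evaluation engine) runs a simplified Allow-only evaluator over a trimmed excerpt of the policy. The function names, the request-context dictionaries, and the rule that a missing context key fails the condition are assumptions made for illustration.

```python
import json

# Trimmed excerpt of the AliyunServiceRoleForRdsPgsqlOnEcs policy shown above:
# KMS and RAM statements only; the ECS and VPC statements are omitted.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["kms:DescribeKey", "kms:ListResourceTags"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
   "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEqualsIgnoreCase":
                 {"kms:tag/acs:rds:instance-encryption": "true"}}},
  {"Action": "ram:DeleteServiceLinkedRole",
   "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals":
                 {"ram:ServiceName": "pgsql-onecs.rds.aliyuncs.com"}}}
]}
""")

# Only the two condition operators that appear on this page are modelled.
OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringEqualsIgnoreCase": lambda actual, expected: actual.lower() == expected.lower(),
}

def condition_met(condition, context):
    """Every key under every operator must match (assumption: missing key fails)."""
    for op_name, pairs in condition.items():
        compare = OPERATORS[op_name]
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or not compare(actual, expected):
                return False
    return True

def is_allowed(policy, action, context=None):
    """Simplified model: True if any Allow statement matches action and condition."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):          # "Action" may be a string or a list
            actions = [actions]
        if (stmt["Effect"] == "Allow" and action in actions
                and condition_met(stmt.get("Condition", {}), context or {})):
            return True
    return False

if __name__ == "__main__":
    tagged = {"kms:tag/acs:rds:instance-encryption": "TRUE"}   # constructed context
    print("Decrypt, untagged key:", is_allowed(POLICY, "kms:Decrypt"))
    print("Decrypt, tagged key:  ", is_allowed(POLICY, "kms:Decrypt", tagged))
```
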

Create the role

This service-linked role (SLR) authorizes ApsaraDB RDS for PostgreSQL instances. When you create an instance, you can follow the on-screen instructions in the console to grant the SLR authorization. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.

Delete the role

Before you delete this service-linked role, you must release all instances that depend on the role.

  1. To release an ApsaraDB RDS for PostgreSQL instance, see Release an instance.

  2. To delete the service-linked role, see Delete a service-linked role.

AliyunServiceRoleForRDSProxyOnEcs

Role name: AliyunServiceRoleForRDSProxyOnEcs

Access policy: AliyunServiceRolePolicyForRDSProxyOnEcs

Permissions (AliyunServiceRoleForRDSProxyOnEcs policy):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rdsproxy-onecs.rds.aliyuncs.com"
                }
            }
        }
    ]
}

Create the role

This service-linked role authorizes the database proxy for ApsaraDB RDS for PostgreSQL. When you enable the database proxy, you can follow the on-screen instructions in the console to create the role. For more information, see Enable the database proxy.

Delete the role

Important

If you want to continue using the database proxy feature or Serverless instances, do not delete this service-linked role.

Before you delete this service-linked role, you must disable all database proxies that depend on the role.

  1. To disable the database proxy for ApsaraDB RDS for PostgreSQL, see Disable the database proxy.

  2. To delete the service-linked role, see Delete a service-linked role.

Related API operations

You can call the CreateServiceLinkedRole operation to create a service-linked role for an ApsaraDB RDS instance. The following table describes the parameters that you must configure.

Parameter: RegionId

Description: The region ID. You can call the DescribeRegions operation to query available region IDs.

Example value: cn-hangzhou

Parameter: ServiceLinkedRole

Description: The service-linked role.

  • AliyunServiceRoleForRds: the service-linked role for ApsaraDB RDS for MySQL.

  • AliyunServiceRoleForRdsPgsqlOnEcs: the service-linked role for ApsaraDB RDS for PostgreSQL.

  • AliyunServiceRoleForRDSProxyOnEcs: the service-linked role for the database proxy of ApsaraDB RDS for PostgreSQL.

Example value: AliyunServiceRoleForRdsPgsqlOnEcs