This topic describes the scenarios, policies, creation, and deletion of the service-linked role for the Resource Meta Center (RMC) service. This role is named AliyunServiceRoleForResourceMetaCenter.

Scenarios

RMC uses the service-linked role AliyunServiceRoleForResourceMetaCenter to access the resources of other Alibaba Cloud services and obtain the metadata of the resources. The metadata includes resource names, IP addresses, and tags. You can use resource metadata to query the desired resources.

For more information about the service-linked role, see Service-linked roles.

Role description

Role name: AliyunServiceRoleForResourceMetaCenter

Policy: AliyunServiceRolePolicyForResourceMetaCenter

Permission description: the permissions to read the resources of other Alibaba Cloud services (Describe, List, Get, and Query actions on Resource "*"), and to create and delete the service-linked role itself. The final statement explicitly denies arms:GetPrometheusApiToken.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:Describe*",
                "ess:Describe*",
                "vpc:Describe*",
                "vpc:List*",
                "vpc:Get*",
                "rds:DescribeDBInstance*",
                "rds:DescribeRegions",
                "rds:DescribeBackup*",
                "rds:DescribeParameters",
                "rds:DescribeSQLCollector*",
                "rds:DescribeParameterGroup*",
                "rds:DescribeGadInstance*",
                "slb:Describe*",
                "*:DescribeTags",
                "oss:GetService",
                "oss:GetBucket*",
                "oss:ListBuckets",
                "oss:ListObjects",
                "ram:List*",
                "ram:Get*",
                "actiontrail:LookupEvents",
                "actiontrail:Describe*",
                "actiontrail:Get*",
                "actiontrail:List*",
                "ots:BatchGet*",
                "ots:Describe*",
                "ots:Get*",
                "ots:List*",
                "ocs:Describe*",
                "cms:Get*",
                "cms:List*",
                "cms:Query*",
                "cms:BatchQuery*",
                "cms:Describe*",
                "kvstore:Describe*",
                "fc:Get*",
                "fc:List*",
                "kms:DescribeKey",
                "kms:DescribeRegions",
                "kms:ListAliases",
                "kms:ListAliasesByKeyId",
                "kms:ListKeys",
                "kms:DescribeKeyVersion",
                "kms:ListKeyVersions",
                "kms:ListSecrets",
                "kms:ListResourceTags",
                "kms:DescribeSecret",
                "cdn:Describe*",
                "yundun*:Get*",
                "yundun*:Describe*",
                "yundun*:Query*",
                "yundun*:List*",
                "polardb:Describe*",
                "dds:Describe*",
                "cen:Describe*",
                "mns:List*",
                "mns:Get*",
                "resourcemanager:Get*",
                "resourcemanager:List*",
                "composer:GetFlow",
                "composer:DescribeFlow",
                "nas:Describe*",
                "hbase:Describe*",
                "hbase:Get*",
                "hbase:List*",
                "hbase:Query*",
                "cs:Get*",
                "cs:List*",
                "dms:List*",
                "dms:Get*",
                "mq:OnsInstanceInServiceList",
                "mq:OnsInstanceBaseInfo",
                "mq:OnsTopicList",
                "mq:OnsGroupList",
                "mq:QueryInstanceBaseInfo",
                "mq:List*",
                "alidns:Describe*",
                "alidns:List*",
                "mse:Query*",
                "mse:List*",
                "mse:Get*",
                "ros:Describe*",
                "ros:Get*",
                "ros:List*",
                "elasticsearch:List*",
                "elasticsearch:Describe*",
                "dcdn:Describe*",
                "hcs-sgw:Describe*",
                "eci:Describe*",
                "privatelink:List*",
                "privatelink:Get*",
                "yundun-antiddosbag:Describe*",
                "yundun-cert:Describe*",
                "brain-industrial:List*",
                "brain-industrial:Get*",
                "imagesearch:List*",
                "imagesearch:Describe*",
                "hitsdb:Describe*",
                "apigateway:Describe*",
                "cmn:List*",
                "cmn:Get*",
                "ledgerdb:Describe*",
                "pvtz:Describe*",
                "oos:Search*",
                "oos:List*",
                "oos:Get*",
                "adb:Describe*",
                "edas:Read*",
                "drds:Describe*",
                "gpdb:Describe*",
                "log:ListProject",
                "log:GetProject",
                "log:ListLogStores",
                "log:GetLogStore",
                "eventbridge:Get*",
                "eventbridge:List*",
                "*:ListTagResources",
                "emr:List*",
                "emr:Describe*",
                "iot:List*",
                "iot:Get*",
                "iot:Query*",
                "smartag:Describe*",
                "smartag:List*",
                "alb:List*",
                "alb:Get*",
                "opensearch:List*",
                "opensearch:Describe*",
                "oceanbase:Describe*",
                "oceanbase:List*",
                "bpstudio:Get*",
                "bpstudio:List*",
                "cr:List*",
                "cr:GetInstance",
                "cr:GetNamespace",
                "cr:GetRepository",
                "alikafka:List*",
                "alikafka:Get*",
                "dts:Describe*",
                "arms:Get*",
                "arms:List*",
                "arms:Describe*",
                "polardbx:Describe*",
                "hbr:Describe*",
                "live:Describe*",
                "vod:Describe*",
                "vod:List*",
                "vod:Get*",
                "lindorm:Get*",
                "ga:List*",
                "ga:Get*",
                "ga:Describe*",
                "searchengine:Get*",
                "searchengine:List*",
                "smc:Describe*",
                "dysms:QuerySmsTemplate*",
                "dysms:ListTagResources",
                "ddi:List*",
                "ddi:Describe*",
                "cloudsso:List*",
                "cloudsso:Get*",
                "baas:DescribeFabricOrganizations",
                "baas:DescribeFabricOrganization",
                "baas:DescribeFabricConsortiums",
                "cloudphone:List*",
                "scdn:Describe*",
                "config:List*",
                "config:Get*",
                "composer:List*",
                "composer:Get*",
                "dm:QueryTemplate*",
                "dm:DescTemplate*",
                "dm:QueryDomain*",
                "dm:DescDomain*",
                "resourcesharing:List*",
                "domain:Query*",
                "dyvms:List",
                "fnf:List*",
                "fnf:Describe*",
                "ebs:Describe*",
                "rocketmq:List*",
                "rocketmq:Get*",
                "dbs:Describe*",
                "clickhouse:Describe*",
                "dhs:List*",
                "dhs:Get*",
                "gdb:Describe*",
                "eipanycast:List*",
                "eipanycast:Describe*",
                "eais:Describe*",
                "odps:List*",
                "odps:Get*",
                "dataworks:List*",
                "dataworks:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rmc.resourcemanager.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "rmc.resourcemanager.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "arms:GetPrometheusApiToken"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

Create the service-linked role AliyunServiceRoleForResourceMetaCenter

Before you can use resource metadata, such as resource names, IP addresses, or tags, to query the desired resources, you must activate the RMC service. When you activate the RMC service, the system automatically creates the service-linked role AliyunServiceRoleForResourceMetaCenter for RMC. For more information, see Search for resources in a resource group or Query resources that belong to different resource groups.

Delete the service-linked role AliyunServiceRoleForResourceMetaCenter

If you no longer need to use resource metadata to query resources, you can delete the service-linked role AliyunServiceRoleForResourceMetaCenter in the Resource Access Management (RAM) console. For more information, see Delete a RAM role.