AliyunServiceRoleForSelectDB is a Resource Access Management (RAM) service-linked role that ApsaraDB for SelectDB uses to access other Alibaba Cloud services on your behalf. The role is created automatically when you activate ApsaraDB for SelectDB — no manual setup is required. For background on service-linked roles, see Service-linked roles.
Role details
| Field | Value |
|---|---|
| Role name | AliyunServiceRoleForSelectDB |
| Attached policy | AliyunServiceRolePolicyForSelectDB |
Services accessed by the role
ApsaraDB for SelectDB uses AliyunServiceRoleForSelectDB to access the following services:
| Service | Purpose |
|---|---|
| Elastic Compute Service (ECS) | Provisions the compute resources required to create an ApsaraDB for SelectDB instance |
| Virtual Private Cloud (VPC) | Sets up the network environment required to deploy and run an ApsaraDB for SelectDB instance |
| Server Load Balancer (SLB) | Provides load balancing for ApsaraDB for SelectDB instances |
| Application Real-Time Monitoring Service (ARMS) | Enables monitoring and alerting for ApsaraDB for SelectDB instances |
| Key Management Service (KMS) | Manages encryption keys for ApsaraDB for SelectDB instances |
| ApsaraDB RDS | Manages security IP allowlists for integration with RDS instances |
| Simple Log Service (Log) | Enables log collection and management for ApsaraDB for SelectDB |
| PrivateZone (PVTZ) | Provides private DNS resolution for ApsaraDB for SelectDB instances |
| BSS API | Manages subscription and billing for dependent services |
Permissions granted to the role
The AliyunServiceRolePolicyForSelectDB policy grants the following permissions. Every statement has Effect: Allow and Resource: "*"; where the Condition column is not None, the listed actions are allowed only when that condition key matches.
| Service | Actions | Condition |
|---|---|---|
| Log | GetProject, ListProject, GetCursor, GetCursorTime, GetLogs, GetHistograms, GetContextLogs, PullLogs, GetLogStoreLogs, GetLogStoreHistogram, GetLogStore, ListLogStores, GetCursorOrData, ListShards, GetConfig, ListConfig, GetShipperStatus, GetCheckPoint, HeartBeat, UpdateCheckPoint, PostLogStoreLogs, CreateConsumerGroup, UpdateConsumerGroup, DeleteConsumerGroup, ListConsumerGroup, ConsumerGroupUpdateCheckPoint, ConsumerGroupHeartBeat, GetConsumerGroupCheckPoint, CreateExport, GetExport, ListExport, UpdateExport, DeleteExport, CreateJob, GetJob, ListJobs, UpdateJob, DeleteJob | None |
| ECS | AttachNetworkInterface, AuthorizeSecurityGroup, CreateNetworkInterface, CreateNetworkInterfacePermission, CreateRouteEntry, CreateSecurityGroup, DeleteNetworkInterface, DeleteNetworkInterfacePermission, DeleteRouteEntry, DeleteSecurityGroup, DescribeInstanceAttribute, DescribeInstanceStatus, DescribeInstanceTypeFamilies, DescribeInstanceTypes, DescribeInstances, DescribeInstancesFullStatus, DescribeNetworkInterfaceAttribute, DescribeNetworkInterfaces, DescribeRegions, DescribeSecurityGroupAttribute, DescribeSecurityGroups, DescribeZones, DetachNetworkInterface, ListTagResources, ModifyNetworkInterfaceAttribute, RevokeSecurityGroup, TagResources, UntagResources | None |
| VPC | CreateRouteEntry, DeleteRouteEntry, DescribeRegions, DescribeVSwitchAttributes, DescribeVSwitches, DescribeVpcAttribute, DescribeVpcs, DescribeZones, ListTagResources, ModifyBypassToaAttribute, TagResources, UntagResources | None |
| SelectDB | DescribeSecurityIPList, ModifySecurityIPList | None |
| RAM | DeleteServiceLinkedRole | ram:ServiceName = selectdb.aliyuncs.com |
| KMS | Listkeys, Listaliases, ListResourceTags, DescribeKey, UntagResource, TagResource, DescribeAccountKmsStatus | None |
| KMS | Encrypt, Decrypt, GenerateDataKey | kms:tag/acs:selectdb:instance-encryption = true |
| RDS | ModifySecurityIps, DescribeDBInstanceNetInfo, DescribeDBInstanceIPArrayList | None |
| ARMS | CheckServiceStatus, OpenArmsService, GetPrometheusApiToken, OpenVCluster, ListDashboards | None |
| SLB | AddBackendServers, AddTags, AddVServerGroupBackendServers, CreateLoadBalancer, CreateLoadBalancerForCloudService, CreateLoadBalancerHTTPListener, CreateLoadBalancerHTTPSListener, CreateLoadBalancerTCPListener, CreateLoadBalancerUDPListener, CreateVServerGroup, DeleteLoadBalancer, DeleteLoadBalancerListener, DeleteVServerGroup, DescribeTags, DescribeVServerGroups, DescribeLoadBalancers, DescribeVServerGroupAttribute, DescribeLoadBalancerAttribute, DescribeLoadBalancerHTTPSListenerAttribute, DescribeLoadBalancerHTTPListenerAttribute, DescribeLoadBalancerListeners, DescribeLoadBalancerTCPListenerAttribute, DescribeLoadBalancerUDPListenerAttribute, ModifyLoadBalancerInstanceSpec, ModifyLoadBalancerInternetSpec, ModifyVServerGroupBackendServers, RemoveBackendServers, RemoveTags, DescribeAccessControlLists, RemoveVServerGroupBackendServers, SetLoadBalancerHTTPListenerAttribute, SetLoadBalancerHTTPSListenerAttribute, SetLoadBalancerTCPListenerAttribute, SetLoadBalancerUDPListenerAttribute, SetLoadBalancerModificationProtection, SetLoadBalancerDeleteProtection, SetVServerGroupAttribute, ServiceManagedControl, StartLoadBalancerListener, StopLoadBalancerListener, DeleteAccessControlList, CreateAccessControlList, DescribeAccessControlListAttribute, AddAccessControlListEntry, RemoveAccessControlListEntry | None |
| PVTZ | DescribeUserServiceStatus, DescribeZones | None |
| BSS API | QueryAvailableInstances | None |
| BSS API | CreateInstance | bssapi:ProductCode = pvtz and bssapi:ProductType = pvtzpost |
| BSS | DescribeAcccount | None |
| RAM | CreateServiceLinkedRole | ram:ServiceName = eipaccess.slb.aliyuncs.com |
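As an added example (not from the original page or from Alibaba Cloud), the following Python script loads a trimmed copy of the policy statements listed above and separates the mutating actions granted without a Condition from those gated by one (the KMS data-key operations gated by the acs:selectdb:instance-encryption tag, and the RAM role deletion gated by ram:ServiceName). The subset of statements and the read-only verb-prefix list are assumptions made for the example.

```python
import json

# Trimmed copy of AliyunServiceRolePolicyForSelectDB statements from this page
# (a constructed subset for the example, not the full policy document).
POLICY_JSON = """
{
  "Statement": [
    {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups", "vpc:DescribeVpcs"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "selectdb.aliyuncs.com"}}},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEqualsIgnoreCase":
                   {"kms:tag/acs:selectdb:instance-encryption": "true"}}}
  ],
  "Version": "1"
}
"""

# Verb prefixes treated as non-mutating (a heuristic, not a RAM-defined list).
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query", "Check")

def _actions(statement):
    """RAM allows Action to be a string or a list; normalise to a list."""
    action = statement["Action"]
    return [action] if isinstance(action, str) else list(action)

def is_read_only(action):
    """True for Describe*/List*/Get*-style actions such as ecs:DescribeVpcs."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def audit_policy(policy_json):
    """Return (sorted mutating actions with no Condition,
    dict of conditioned action -> its Condition block) for Allow statements."""
    policy = json.loads(policy_json)
    unconditioned_writes, conditioned = [], {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition")
        for action in _actions(stmt):
            if cond:
                conditioned[action] = cond  # allowed only when cond matches
            elif not is_read_only(action):
                unconditioned_writes.append(action)  # review these first
    return sorted(unconditioned_writes), conditioned
```

Running `audit_policy` over the full policy document on this page lists every unconditioned mutating action the role holds on Resource "*", which is the set to compare against what your SelectDB deployment actually needs.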
The full policy document of AliyunServiceRolePolicyForSelectDB:

```json
{
  "Statement": [
    {
      "Action": [
        "log:GetProject",
        "log:ListProject",
        "log:GetCursor",
        "log:GetCursorTime",
        "log:GetLogs",
        "log:GetHistograms",
        "log:GetContextLogs",
        "log:PullLogs",
        "log:GetLogStoreLogs",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetCursorOrData",
        "log:ListShards",
        "log:GetConfig",
        "log:ListConfig",
        "log:GetShipperStatus",
        "log:GetCheckPoint",
        "log:HeartBeat",
        "log:UpdateCheckPoint",
        "log:PostLogStoreLogs",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ConsumerGroupHeartBeat",
        "log:GetConsumerGroupCheckPoint",
        "log:CreateExport",
        "log:GetExport",
        "log:ListExport",
        "log:UpdateExport",
        "log:DeleteExport",
        "log:CreateJob",
        "log:GetJob",
        "log:ListJobs",
        "log:UpdateJob",
        "log:DeleteJob",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateRouteEntry",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DeleteRouteEntry",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstances",
        "ecs:DescribeInstancesFullStatus",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeRegions",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeZones",
        "ecs:DetachNetworkInterface",
        "ecs:ListTagResources",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:RevokeSecurityGroup",
        "ecs:TagResources",
        "ecs:UntagResources",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:DescribeRegions",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVpcs",
        "vpc:DescribeZones",
        "vpc:ListTagResources",
        "vpc:ModifyBypassToaAttribute",
        "vpc:TagResources",
        "vpc:UntagResources",
        "selectdb:DescribeSecurityIPList",
        "selectdb:ModifySecurityIPList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "selectdb.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "kms:Listkeys",
        "kms:Listaliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:UntagResource",
        "kms:TagResource",
        "kms:DescribeAccountKmsStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:selectdb:instance-encryption": "true"
        }
      }
    },
    {
      "Action": [
        "rds:ModifySecurityIps",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceIPArrayList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:CheckServiceStatus",
        "arms:OpenArmsService",
        "arms:GetPrometheusApiToken",
        "arms:OpenVCluster",
        "arms:ListDashboards"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:AddBackendServers",
        "slb:AddTags",
        "slb:AddVServerGroupBackendServers",
        "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerForCloudService",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:CreateVServerGroup",
        "slb:DeleteLoadBalancer",
        "slb:DeleteLoadBalancerListener",
        "slb:DeleteVServerGroup",
        "slb:DescribeTags",
        "slb:DescribeVServerGroups",
        "slb:DescribeLoadBalancers",
        "slb:DescribeVServerGroupAttribute",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerListeners",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:ModifyVServerGroupBackendServers",
        "slb:RemoveBackendServers",
        "slb:RemoveTags",
        "slb:DescribeAccessControlLists",
        "slb:RemoveVServerGroupBackendServers",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:SetLoadBalancerModificationProtection",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:SetVServerGroupAttribute",
        "slb:ServiceManagedControl",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:DeleteAccessControlList",
        "slb:CreateAccessControlList",
        "slb:DescribeAccessControlListAttribute",
        "slb:AddAccessControlListEntry",
        "slb:RemoveAccessControlListEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeUserServiceStatus",
        "pvtz:DescribeZones"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bssapi:QueryAvailableInstances"
      ],
      "Resource": "*"
    },
    {
      "Action": "bss:DescribeAcccount",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bssapi:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bssapi:ProductCode": "pvtz",
          "bssapi:ProductType": [
            "pvtzpost"
          ]
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eipaccess.slb.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
```

Create the AliyunServiceRoleForSelectDB role
The role is created automatically when you activate ApsaraDB for SelectDB. No manual steps are required.
If AliyunServiceRoleForSelectDB does not exist, you are prompted to activate ApsaraDB for SelectDB every time you log on to the ApsaraDB for SelectDB console. Activating the service triggers automatic role creation.
ApsaraDB for SelectDB cannot function without AliyunServiceRoleForSelectDB. Do not skip the activation step.
Delete the AliyunServiceRoleForSelectDB role
After you delete the service-linked role AliyunServiceRoleForSelectDB, you cannot use ApsaraDB for SelectDB. Proceed with caution.
To delete the role, follow the steps in Delete a RAM role.