This topic describes the scenarios of the service-linked role AliyunServiceRoleForSelectDB for ApsaraDB for SelectDB. This topic also describes how to create and delete the service-linked role.
Background information
The service-linked role for ApsaraDB for SelectDB is a Resource Access Management (RAM) role that is used to access other Alibaba Cloud services to implement specific features of ApsaraDB for SelectDB. For more information, see Service-linked roles.
Scenarios
The service-linked role AliyunServiceRoleForSelectDB is applicable to, but not limited to, the following scenarios:
Access Elastic Compute Service (ECS): You must access ECS to obtain the required computing resources managed by ECS before you can create an ApsaraDB for SelectDB instance.
Access Virtual Private Cloud (VPC): You must access VPC to obtain the required network environment managed by VPC before you can deploy and run an ApsaraDB for SelectDB instance.
Access Server Load Balancer (SLB): You must access SLB to use the load balancing service for your ApsaraDB for SelectDB instances.
Access Application Real-Time Monitoring Service (ARMS): You must access ARMS to monitor your ApsaraDB for SelectDB instances and configure alerting.
Role description
Role name: AliyunServiceRoleForSelectDB
Policy attached to the role: AliyunServiceRolePolicyForSelectDB
Permissions:
{
  "Statement": [
    {
      "Action": [
        "log:GetProject", "log:ListProject", "log:GetCursor", "log:GetCursorTime", "log:GetLogs",
        "log:GetHistograms", "log:GetContextLogs", "log:PullLogs", "log:GetLogStoreLogs",
        "log:GetLogStoreHistogram", "log:GetLogStore", "log:ListLogStores", "log:GetCursorOrData",
        "log:ListShards", "log:GetConfig", "log:ListConfig", "log:GetShipperStatus", "log:GetCheckPoint",
        "log:HeartBeat", "log:UpdateCheckPoint", "log:PostLogStoreLogs", "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup", "log:DeleteConsumerGroup", "log:ListConsumerGroup",
        "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat", "log:GetConsumerGroupCheckPoint",
        "log:CreateExport", "log:GetExport", "log:ListExport", "log:UpdateExport", "log:DeleteExport",
        "log:CreateJob", "log:GetJob", "log:ListJobs", "log:UpdateJob", "log:DeleteJob",
        "ecs:AttachNetworkInterface", "ecs:AuthorizeSecurityGroup", "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission", "ecs:CreateRouteEntry", "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface", "ecs:DeleteNetworkInterfacePermission", "ecs:DeleteRouteEntry",
        "ecs:DeleteSecurityGroup", "ecs:DescribeInstanceAttribute", "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes", "ecs:DescribeInstances",
        "ecs:DescribeInstancesFullStatus", "ecs:DescribeNetworkInterfaceAttribute", "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeRegions", "ecs:DescribeSecurityGroupAttribute", "ecs:DescribeSecurityGroups",
        "ecs:DescribeZones", "ecs:DetachNetworkInterface", "ecs:ListTagResources",
        "ecs:ModifyNetworkInterfaceAttribute", "ecs:RevokeSecurityGroup", "ecs:TagResources", "ecs:UntagResources",
        "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:DescribeRegions", "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches", "vpc:DescribeVpcAttribute", "vpc:DescribeVpcs", "vpc:DescribeZones",
        "vpc:ListTagResources", "vpc:ModifyBypassToaAttribute", "vpc:TagResources", "vpc:UntagResources",
        "selectdb:DescribeSecurityIPList", "selectdb:ModifySecurityIPList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "selectdb.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags", "kms:DescribeKey",
        "kms:UntagResource", "kms:TagResource", "kms:DescribeAccountKmsStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:selectdb:instance-encryption": "true"
        }
      }
    },
    {
      "Action": [
        "rds:ModifySecurityIps", "rds:DescribeDBInstanceNetInfo", "rds:DescribeDBInstanceIPArrayList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:CheckServiceStatus", "arms:OpenArmsService", "arms:GetPrometheusApiToken",
        "arms:OpenVCluster", "arms:ListDashboards"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:AddBackendServers", "slb:AddTags", "slb:AddVServerGroupBackendServers", "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerForCloudService", "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerHTTPSListener", "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener", "slb:CreateVServerGroup", "slb:DeleteLoadBalancer",
        "slb:DeleteLoadBalancerListener", "slb:DeleteVServerGroup", "slb:DescribeTags", "slb:DescribeVServerGroups",
        "slb:DescribeLoadBalancers", "slb:DescribeVServerGroupAttribute", "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute", "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerListeners", "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute", "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec", "slb:ModifyVServerGroupBackendServers", "slb:RemoveBackendServers",
        "slb:RemoveTags", "slb:DescribeAccessControlLists", "slb:RemoveVServerGroupBackendServers",
        "slb:SetLoadBalancerHTTPListenerAttribute", "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute", "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:SetLoadBalancerModificationProtection", "slb:SetLoadBalancerDeleteProtection",
        "slb:SetVServerGroupAttribute", "slb:ServiceManagedControl", "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener", "slb:DeleteAccessControlList", "slb:CreateAccessControlList",
        "slb:DescribeAccessControlListAttribute", "slb:AddAccessControlListEntry", "slb:RemoveAccessControlListEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeUserServiceStatus", "pvtz:DescribeZones"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bssapi:QueryAvailableInstances"
      ],
      "Resource": "*"
    },
    {
      "Action": "bss:DescribeAcccount",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "bssapi:CreateInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bssapi:ProductCode": "pvtz",
          "bssapi:ProductType": [
            "pvtzpost"
          ]
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eipaccess.slb.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
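The policy above is what the service principal can do in your account, so the question a security reviewer asks is which of those grants are scoped by a Condition and which are mutating actions allowed on every resource with no scoping at all. The following Python script is an added example, not part of this Alibaba Cloud topic or of the product; it parses a RAM policy document in the same format and produces that breakdown. The embedded document is a constructed excerpt of four statements copied from the policy above, so the script runs offline; point it at the full policy (for example, saved from the RAM console) to review the real role. The read-only verb list is an assumption of this example, not a RAM convention.

```python
"""Least-privilege review of a RAM policy document (added example).

Splits an Allow policy into three views a reviewer cares about:
  * which services the role can reach at all,
  * mutating actions granted on Resource "*" with no Condition,
  * actions whose use is scoped by a Condition, and by which keys.
"""
import json
import sys

# Constructed excerpt: four statements taken from AliyunServiceRolePolicyForSelectDB
# as shown on the page. The full policy has the same shape.
POLICY_EXCERPT = json.loads(r'''
{
  "Statement": [
    {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup",
                "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "selectdb.aliyuncs.com"}}},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:selectdb:instance-encryption": "true"}}},
    {"Action": ["kms:DescribeKey", "kms:TagResource"], "Resource": "*", "Effect": "Allow"}
  ],
  "Version": "1"
}
''')

# Assumption of this example: verbs with these prefixes only read state.
# Anything else (Create, Delete, Modify, Set, Tag, Authorize, ...) is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Query", "Check", "Pull")


def as_list(value):
    """RAM allows "Action"/"Resource" to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True if the verb part of "service:Verb" looks like a read-only call."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_PREFIXES)


def services_used(policy):
    """Sorted set of service prefixes (ecs, kms, ...) the policy grants actions on."""
    return sorted({a.split(":", 1)[0]
                   for s in policy["Statement"] for a in as_list(s["Action"])})


def unconditional_wildcard_writes(policy):
    """Mutating actions allowed on Resource "*" with no Condition attached."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in as_list(stmt["Resource"]):
            continue
        found.extend(a for a in as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)


def conditioned_actions(policy):
    """Map each action that sits behind a Condition to the condition keys scoping it."""
    scoped = {}
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition")
        if not cond:
            continue
        keys = sorted(k for operator in cond.values() for k in operator)
        for action in as_list(stmt["Action"]):
            scoped[action] = keys
    return scoped


def report(policy):
    """Render the three views as text for a review note."""
    lines = ["Services reachable: " + ", ".join(services_used(policy)),
             "Unconditional mutating grants on Resource \"*\":"]
    lines += ["  " + a for a in unconditional_wildcard_writes(policy)]
    lines.append("Condition-scoped grants:")
    lines += ["  %s  <- %s" % (a, ", ".join(k))
              for a, k in sorted(conditioned_actions(policy).items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python review_policy.py [policy.json]; no argument reviews the excerpt.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else POLICY_EXCERPT
    print(report(doc))
```

Run against the excerpt, the report shows that kms:Encrypt, kms:Decrypt and kms:GenerateDataKey are usable only on keys carrying the acs:selectdb:instance-encryption tag, while kms:TagResource, which sets such tags, is granted without a Condition; the tag-based scoping therefore rests on the service's own behaviour, which is the kind of dependency a review of a service-linked role should record.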
Create the AliyunServiceRoleForSelectDB role
If the service-linked role AliyunServiceRoleForSelectDB is not created, you are prompted to activate ApsaraDB for SelectDB every time you log on to the ApsaraDB for SelectDB console. After you activate ApsaraDB for SelectDB, the system automatically creates the service-linked role AliyunServiceRoleForSelectDB.
If the service-linked role AliyunServiceRoleForSelectDB is not created, you cannot use ApsaraDB for SelectDB.
Delete the AliyunServiceRoleForSelectDB role
You can delete the AliyunServiceRoleForSelectDB role in the RAM console. For more information, see Delete a RAM role.
After you delete the service-linked role AliyunServiceRoleForSelectDB, you cannot use ApsaraDB for SelectDB. Proceed with caution.