The service linked role for Cloud Config, AliyunServiceRoleForConfig, is the Resource Access Management (RAM) role that authorizes Cloud Config to access other Alibaba Cloud services in certain scenarios.

Note: For more information, see Service linked roles.

Scenarios

The AliyunServiceRoleForConfig role is applicable to the following scenarios:
  • When Cloud Config calls the APIs of other Alibaba Cloud services to query the resource configurations of the current account, Cloud Config uses the AliyunServiceRoleForConfig role to obtain permission to read the configuration information of those cloud resources.
  • If you specify an Object Storage Service (OSS) bucket to store snapshots of resource configuration changes, Cloud Config uses the AliyunServiceRoleForConfig role to obtain the permission to write snapshots to the OSS bucket.

Create the AliyunServiceRoleForConfig role

You can create the AliyunServiceRoleForConfig role in the Cloud Config console.
  • Cloud Config for individuals

    You must allow Cloud Config to create the AliyunServiceRoleForConfig role before you can use Cloud Config to manage resource configurations of your Alibaba Cloud account. For more information, see Authorize Cloud Config to access your resources.

  • Cloud Config for Enterprise

    When you use the master account to upgrade Cloud Config to Cloud Config for Enterprise, Cloud Config automatically creates the AliyunServiceRoleForConfig role for all member accounts.

    For more information, see Overview.

Delete the AliyunServiceRoleForConfig role

Currently, Cloud Config does not support deleting the AliyunServiceRoleForConfig role. If you want to delete the role, submit a ticket.

Role description

The details of the AliyunServiceRoleForConfig role are as follows:

  • Name: AliyunServiceRoleForConfig
  • Permission policy attached to the role: AliyunServiceRolePolicyForConfig
  • Policy document: the policy grants Cloud Config the permissions to read the resource configurations of the current account and to write snapshots of resource configuration changes to an OSS bucket. The first statement contains only read-style actions (Describe, Get, List, Query); the second statement contains the write-capable actions. Both statements apply to all resources ("Resource": "*"). The enclosing "Version" and "Statement" fields below are the standard RAM policy envelope around the two statements listed on this page:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:Describe*",
                    "ess:Describe*",
                    "vpc:Describe*",
                    "rds:DescribeDBInstance*",
                    "rds:DescribeRegions",
                    "rds:DescribeBackup*",
                    "slb:Describe*",
                    "*:DescribeTags",
                    "oss:GetService",
                    "oss:GetBucket*",
                    "oss:ListBuckets",
                    "oss:ListObjects",
                    "ram:List*",
                    "ram:Get*",
                    "actiontrail:LookupEvents",
                    "actiontrail:Describe*",
                    "actiontrail:Get*",
                    "ots:BatchGet*",
                    "ots:Describe*",
                    "ots:Get*",
                    "ots:List*",
                    "ocs:Describe*",
                    "cms:Get*",
                    "cms:List*",
                    "cms:Query*",
                    "cms:BatchQuery*",
                    "cms:Describe*",
                    "kvstore:Describe*",
                    "fc:Get*",
                    "fc:List*",
                    "kms:DescribeKey",
                    "kms:DescribeRegions",
                    "kms:ListAliases",
                    "kms:ListAliasesByKeyId",
                    "kms:ListKeys",
                    "cdn:Describe*",
                    "yundun*:Get*",
                    "yundun*:Describe*",
                    "yundun*:Query*",
                    "yundun*:List*",
                    "polardb:Describe*",
                    "dds:Describe*",
                    "cen:Describe*",
                    "mns:ListTopic",
                    "mns:GetTopicAttributes",
                    "resourcemanager:GetAccount",
                    "resourcemanager:ListAccountsForParent",
                    "resourcemanager:ListAccounts",
                    "resourcemanager:GetFolder",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAncestors",
                    "resourcemanager:GetResourceDirectory",
                    "composer:GetFlow",
                    "composer:DescribeFlow"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oss:PutObject",
                    "fc:InvokeFunction",
                    "mns:PublishMessage",
                    "composer:GroupInvokeFlow"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
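When reviewing a service-linked role such as this one, the questions a least-privilege review asks are which actions can change state, which action patterns use a wildcard service prefix, and which statements apply to every resource. The following script is an added example, not Alibaba Cloud's own code; it parses a constructed excerpt of the policy document above and reports those three things. The verb prefixes treated as read-only are an assumption based on the naming convention visible in the policy.

```python
import json

# Constructed excerpt of the AliyunServiceRolePolicyForConfig document shown
# above: one read-only discovery statement and one write-capable statement.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:Describe*", "*:DescribeTags", "oss:GetBucket*",
                "yundun*:Get*", "ram:List*", "kms:DescribeKey"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["oss:PutObject", "fc:InvokeFunction",
                "mns:PublishMessage", "composer:GroupInvokeFlow"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
"""

# Assumed read-only verb prefixes, taken from the naming convention in the
# policy; any other verb is reported as state-changing for closer review.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Query",
                   "BatchGet", "BatchQuery", "Lookup")


def classify_action(action):
    """Split 'service:Verb' and report whether the verb is read-only."""
    service, _, verb = action.partition(":")
    return service, verb, verb.startswith(READ_ONLY_VERBS)


def review_policy(policy_text):
    """Summarise mutating actions, wildcard services and '*' resources."""
    policy = json.loads(policy_text)
    report = {"mutating": [], "wildcard_service": [], "wildcard_resource": 0}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]  # RAM allows a single string here
        if stmt.get("Resource") == "*":
            report["wildcard_resource"] += 1
        for action in actions:
            service, _verb, read_only = classify_action(action)
            if "*" in service:
                report["wildcard_service"].append(action)
            if not read_only:
                report["mutating"].append(action)
    return report


if __name__ == "__main__":
    print(json.dumps(review_policy(POLICY_JSON), indent=2))
```

Run against the full policy document, the same function lists exactly the four actions of the second statement as mutating and flags `*:DescribeTags` and the `yundun*` patterns as wildcard service prefixes.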