This topic describes the use scenarios, permission policies, creation, and deletion of the service-linked role for the Resource Directory service. This role is named AliyunServiceRoleForResourceDirectory.

Scenarios

The AliyunServiceRoleForResourceDirectory role provides a trusted access channel for services that are integrated with Resource Directory. Resource Directory can assume this role and create service-linked roles for these integrated services. This way, Resource Directory can access cloud services that are associated with the integrated services.

For more information, see Service-linked roles.

Role description

Role name: AliyunServiceRoleForResourceDirectory.

Permission policy: AliyunServiceRolePolicyForResourceDirectory.

Permissions: This role can be used to create or delete service-linked roles for services that are integrated with Resource Directory.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}
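The two statements above are deliberately asymmetric: the role may create a service-linked role for any integrated service, but may delete one only when the request's ram:ServiceName is resourcemanager.aliyuncs.com. The following is an added example, not part of the Alibaba Cloud documentation, that evaluates this policy document against a few hypothetical requests with a deliberately minimal evaluator (Allow/Deny plus the StringEquals operator only; real RAM evaluation has more operators and rules, which this code does not model):

```python
import json

# The AliyunServiceRolePolicyForResourceDirectory document, copied from the page.
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "resourcemanager.aliyuncs.com"}}}
    ]
}
""")


def _as_list(value):
    # Policy fields such as Action may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Simplified evaluator: only StringEquals, the one operator this policy uses.
    # Every condition key must be present in the request context and equal one
    # of the listed values; a missing key means the condition is not satisfied.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, context=None):
    """Return True if the action is permitted for the given request context.

    Default is deny; an Allow statement whose conditions hold grants access,
    and an explicit Deny whose conditions hold overrides any Allow.
    Exact action names only (no wildcard matching), which suffices for this policy.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running it shows that deleting a service-linked role for any service other than resourcemanager.aliyuncs.com, or with no ram:ServiceName in the request context at all, is denied, while creation is allowed regardless of the service name (the example service names below are constructed).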

Create the service-linked role for Resource Directory

The system automatically creates the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • In the management account of a resource directory, after the resource directory is enabled.
  • In a member of a resource directory, after the member is created in the resource directory.
  • In an invited account, after the invited account joins a resource directory.

Delete the service-linked role for Resource Directory

The system attempts to automatically delete the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • In the management account of a resource directory, when the resource directory is disabled.
  • In a member of a resource directory, when the member is deleted from the resource directory.

If the role is not used by cloud resources, you can manually delete the role. For more information, see Delete a RAM role.