This topic describes the scenarios, permission policies, creation, and deletion of the service linked role for the Resource Directory feature. This role is named AliyunServiceRoleForResourceDirectory.

Scenarios

The AliyunServiceRoleForResourceDirectory role provides a trusted access channel for services that are integrated into Resource Directory. Resource Directory can assume this role and then create service linked roles for these integrated services. This allows the related accounts to access cloud services that are associated with the integrated services.

For more information, see Service linked roles.

Permissions

Role name: AliyunServiceRoleForResourceDirectory.

Permission policy: AliyunServiceRolePolicyForResourceDirectory.

Permissions: This role can be used to create or delete service linked roles for services that are integrated into Resource Directory.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}
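As an added illustration that is not part of the original documentation, the following Python snippet runs requests through a simplified RAM policy evaluator loaded with the policy above. The evaluator, its wildcard matching, and the sample role ARN are constructed for this example and are not Alibaba Cloud's own implementation. It shows the practical effect of the two statements: ram:CreateServiceLinkedRole is allowed on any resource, while ram:DeleteServiceLinkedRole is allowed only when the request carries a ram:ServiceName condition key equal to resourcemanager.aliyuncs.com, and is denied when that key is absent or has another value.

```python
import json

# The policy document from the page (AliyunServiceRolePolicyForResourceDirectory).
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "resourcemanager.aliyuncs.com"}}}
    ]
}
""")

# Constructed sample ARN for a service linked role; the account ID is a placeholder.
SAMPLE_ROLE_ARN = "acs:ram::123456789012****:role/aliyunserviceroleforresourcedirectory"


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplified wildcard matching: a bare "*" or a trailing "*" (e.g. "ram:*").
    # This covers the policy on the page; it is not the full RAM matcher.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(condition, context):
    # Only StringEquals is implemented, the one operator this policy uses.
    # Each listed key must be present in the request context and equal one of
    # the expected values; a missing key makes the condition fail (deny by default).
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if some Allow statement matches the request and its
    Condition holds. An explicit Deny that matches wins over any Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_samples():
    """Evaluate a few representative requests against the page's policy."""
    return {
        "create_any": is_allowed(POLICY, "ram:CreateServiceLinkedRole", SAMPLE_ROLE_ARN),
        "delete_rd_service": is_allowed(POLICY, "ram:DeleteServiceLinkedRole", SAMPLE_ROLE_ARN,
                                        {"ram:ServiceName": "resourcemanager.aliyuncs.com"}),
        "delete_other_service": is_allowed(POLICY, "ram:DeleteServiceLinkedRole", SAMPLE_ROLE_ARN,
                                           {"ram:ServiceName": "ecs.aliyuncs.com"}),
        "delete_no_context": is_allowed(POLICY, "ram:DeleteServiceLinkedRole", SAMPLE_ROLE_ARN),
        "delete_regular_role": is_allowed(POLICY, "ram:DeleteRole", SAMPLE_ROLE_ARN),
    }


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name}: {'Allow' if decision else 'Deny'}")
```

The asymmetry is the point worth noticing when reviewing this role: creation is unscoped, so the policy relies on the RAM service itself to restrict which service linked roles can be created, while deletion is fenced by the ram:ServiceName condition key so the role cannot remove service linked roles that belong to other services.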

Create the service linked role for Resource Directory

The system automatically creates the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • The role is created under the master account after a resource directory is enabled.
  • The role is created under a member account after the member account is created.
  • The role is created under an invited account after the invited account joins a resource directory.

Delete the service linked role for Resource Directory

The system automatically attempts to delete the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • The role is deleted under the master account when a resource directory is disabled.
  • The role is deleted under a member account when the member account is deleted from a resource directory.

If the role is not used by any cloud resources, you can manually delete the role. For more information, see Delete a RAM role.