This topic describes the RAM roles that are automatically created within the management account and members of a resource directory.

Overview

The following table lists the RAM roles that are automatically created within the management account and members of a resource directory.

Object              RAM role name                            RAM role type
Management account  AliyunServiceRoleForResourceDirectory    Service-linked role
Member              AliyunServiceRoleForResourceDirectory    Service-linked role
                    ResourceDirectoryAccountAccessRole       RAM role whose trusted entity is an Alibaba Cloud account
                    AliyunServiceRoleFor***                  Service-linked role

AliyunServiceRoleForResourceDirectory

Use scenario

The AliyunServiceRoleForResourceDirectory role provides an access channel for trusted services in a resource directory. Resource Directory can assume this role to create service-linked roles for these trusted services. This way, the trusted services can assume the created service-linked roles to access other cloud services. For more information, see Service-linked roles.

Permission policy

Policy name: AliyunServiceRolePolicyForResourceDirectory

Policy document:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}
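Note the asymmetry in this policy: the ram:CreateServiceLinkedRole statement carries no condition, so Resource Directory can create a service-linked role for any trusted service, while ram:DeleteServiceLinkedRole is scoped by the ram:ServiceName condition key to roles owned by resourcemanager.aliyuncs.com. The following added example (not code from this topic or from Alibaba Cloud) is a deliberately simplified RAM policy evaluator that implements only the elements this policy uses (Action and Resource wildcards, Allow/Deny, and the StringEquals operator); the request context values and the role ARNs it is called with are constructed for the demonstration.

```python
import fnmatch
import json

# Policy document AliyunServiceRolePolicyForResourceDirectory, as shown in this topic.
POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "resourcemanager.aliyuncs.com"}}}
    ]
}
""")


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # RAM Action/Resource elements support '*' wildcards; fnmatch is enough here.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    # Simplified: only StringEquals is implemented, which is all this policy needs.
    # A condition key that is absent from the request context makes the condition false.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not supported by this demo")
        for key, expected in pairs.items():
            if key not in ctx or ctx[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """Simplified RAM decision: an explicit Deny wins, otherwise any matching Allow
    grants access, otherwise the request is denied by default."""
    ctx = ctx or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if "Condition" in statement and not _condition_holds(statement["Condition"], ctx):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed role ARNs; the account ID is a placeholder.
    config_role = "acs:ram::123456789012****:role/AliyunServiceRoleForConfig"
    rd_role = "acs:ram::123456789012****:role/AliyunServiceRoleForResourceDirectory"
    print("create for Cloud Config:", is_allowed(POLICY, "ram:CreateServiceLinkedRole", config_role))
    print("delete own role:", is_allowed(POLICY, "ram:DeleteServiceLinkedRole", rd_role,
                                         {"ram:ServiceName": "resourcemanager.aliyuncs.com"}))
    print("delete Cloud Config role:", is_allowed(POLICY, "ram:DeleteServiceLinkedRole", config_role,
                                                  {"ram:ServiceName": "config.aliyuncs.com"}))
```

The third call is the one that matters operationally: even though the Resource element is "*", the role cannot delete service-linked roles that belong to other trusted services, so cleanup of those roles stays with the owning service (see the AliyunServiceRoleFor*** section below).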

Trust policy

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "resourcemanager.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

Create the role

The system creates the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • Within the management account of a resource directory, after the resource directory is enabled.
  • Within a member of a resource directory, after the member is created in the resource directory.
  • Within an invited account, after the account joins a resource directory.

Delete the role

Warning After the role is deleted, the features that depend on the role cannot be used. Proceed with caution.

The system attempts to delete the AliyunServiceRoleForResourceDirectory role in the following scenarios:

  • Within the management account of a resource directory, when the resource directory is disabled.
  • Within a member of a resource directory, when the member is deleted from the resource directory.

If the role is not used by cloud resources, you can manually delete the role. For more information, see Delete a RAM role.

ResourceDirectoryAccountAccessRole

Use scenario

The ResourceDirectoryAccountAccessRole role is used by the administrator of a resource directory to log on to a member and perform management operations. The trusted entity of this role is the management account of the resource directory. Because the role carries AdministratorAccess and trusts the management account as a whole (acs:ram::<management account ID>:root), any RAM user or RAM role in the management account that is granted sts:AssumeRole permission on this role obtains full administrative access to the member. Grant that permission only to the identities that actually administer the resource directory, and monitor the trust policy of this role in each member for changes.

Permission policy

Policy name: AdministratorAccess

Policy document:

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "1"
}

Trust policy

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::151266687691****:root"  // 151266687691**** is the ID of the management account. 
        ]
      }
    }
  ],
  "Version": "1"
}
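Because this role grants full administrative access to a member, the one property worth verifying continuously is that its trust policy names the management account and nothing else: an extra RAM principal, a Service principal, or a wildcard would let another party assume the role. The following added example (not code from this topic or from Alibaba Cloud) checks a trust policy document against the expected management account ID. Both policy documents in it are constructed: the first mirrors the trust policy shown above, the second is a hypothetical tampered version with a fictitious second account and a service principal added. In practice you would feed it the AssumeRolePolicyDocument returned by the RAM GetRole API for ResourceDirectoryAccountAccessRole in each member.

```python
import json

# Management account ID as it appears (masked) in this topic; replace with your own.
MANAGEMENT_ACCOUNT_ID = "151266687691****"

# Constructed sample: the trust policy as Resource Directory creates it.
EXPECTED_TRUST_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {"RAM": ["acs:ram::151266687691****:root"]}
    }
  ],
  "Version": "1"
}
""")

# Constructed sample: the same role after a second (fictitious) account and a
# service principal were added, for example as a persistence mechanism.
TAMPERED_TRUST_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": ["acs:ram::151266687691****:root", "acs:ram::198765432109****:root"],
        "Service": ["ecs.aliyuncs.com"]
      }
    }
  ],
  "Version": "1"
}
""")


def _as_list(value):
    # Principal entries and Action may be a single string or a list.
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, management_account_id):
    """Return a list of findings for a ResourceDirectoryAccountAccessRole trust policy.
    An empty list means the role trusts exactly the management account."""
    expected = f"acs:ram::{management_account_id}:root"
    findings = []
    management_trusted = False
    for statement in trust_policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            findings.append("statement trusts any principal (*)")
            continue
        for kind, entries in principal.items():
            for entry in _as_list(entries):
                if kind == "RAM" and entry == expected:
                    management_trusted = True
                else:
                    findings.append(f"unexpected {kind} principal: {entry}")
    if not management_trusted:
        findings.append(f"management account {expected} is not trusted; "
                        "administrators cannot assume the role")
    return findings


if __name__ == "__main__":
    for name, policy in (("expected", EXPECTED_TRUST_POLICY), ("tampered", TAMPERED_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, MANAGEMENT_ACCOUNT_ID) or ["OK"])
```

Run this against every member on a schedule and alert on any non-empty result; the "not trusted" finding is also useful, since it means the administrator has lost the documented management path into that member.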

Create the role

The system creates the ResourceDirectoryAccountAccessRole role in the following scenarios:

  • Within a member of a resource directory, after the member is created in the resource directory.
  • Within an invited account, after the account joins a resource directory.

Delete the role

Warning After the role is deleted, the features that depend on the role cannot be used. Proceed with caution.

The system deletes the ResourceDirectoryAccountAccessRole role within a member of a resource directory when the member is deleted from the resource directory.

If no permission policies are attached to the role, you can manually delete the role. For more information, see Delete a RAM role.

AliyunServiceRoleFor***

Use scenario

The AliyunServiceRoleFor*** role is used by a trusted service to perform its scheduled tasks within a member, and it gives the trusted service the access it needs to work with the Resource Directory service. For more information, see Service-linked roles.

Note Asterisks (*) in AliyunServiceRoleFor*** indicate a trusted service. For example, AliyunServiceRoleForConfig is a role for the trusted service Cloud Config.

Permission policy

The permission policy of each AliyunServiceRoleFor*** role is defined by the corresponding trusted service. In most cases, the policy contains the following types of permissions:

  • Permissions required by the trusted service to perform scheduled tasks on specific cloud services
  • Permissions required by the trusted service to delete the role

Trust policy

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "***.aliyuncs.com"  // Asterisks (*) indicate a trusted service. Example: config.aliyuncs.com. 
        ]
      }
    }
  ],
  "Version": "1"
}

Create the role

When a trusted service is enabled for a resource directory, the Resource Directory service assumes the AliyunServiceRoleForResourceDirectory role and creates the AliyunServiceRoleFor*** role within each member for which the trusted service is activated in the resource directory.

Delete the role

Warning After the role is deleted, the features that depend on the role cannot be used. Proceed with caution.

When a member is deleted from a resource directory, Resource Directory broadcasts this event to the related trusted services. Each trusted service decides whether to delete its AliyunServiceRoleFor*** role from the member. In most cases the trusted service deletes the role, but it may leave the role in place. If a role is left behind, log on to the member and delete the role manually. For more information, see Delete a RAM role.