
Alibaba Cloud DNS PrivateZone:Service linked role for PrivateZone

Last Updated:Jul 11, 2022

The service linked role AliyunServiceRoleForPvtz is a Resource Access Management (RAM) role that only Alibaba Cloud Domain Name System (DNS) PrivateZone can assume to access other Alibaba Cloud services. This topic describes the scenarios that the service linked role is applicable to and how to delete the role.

Background information

PrivateZone may need to access other Alibaba Cloud services to implement a specific feature. To meet this requirement, Alibaba Cloud provides the AliyunServiceRoleForPvtz role that allows PrivateZone to access other Alibaba Cloud services. For more information about service linked roles, see Service linked roles.

Scenarios

If you use the Resolver feature of PrivateZone to create an outbound endpoint, PrivateZone assumes the AliyunServiceRoleForPvtz role to access your Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) resources. You do not need to manually create the service linked role. If the role does not exist, PrivateZone automatically creates the role when you create an outbound endpoint.

Role description

  • Role name: AliyunServiceRoleForPvtz
  • Policy name: AliyunServiceRolePolicyForPvtz
  • This permission policy grants PrivateZone the permission to access the ECS and VPC resources of the current account.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeSecurityGroups",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DescribeNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeInstances",
                "vpc:DescribeVSwitches",
                "vpc:DescribeZones"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Delete the AliyunServiceRoleForPvtz role

Before you delete the AliyunServiceRoleForPvtz role, you must delete all outbound endpoints that you created. Otherwise, the deletion fails because the endpoints still depend on the role.

  • For more information about how to delete a service linked role, see the “Delete a service linked role” section of the Service linked roles topic.