You can specify an Elastic Compute Service (ECS) instance or a Server Load Balancer (SLB) instance as an origin server in the GA service. In this case, if your GA instance does not assume the service linked role AliyunServiceRoleForGaVpcEndpoint, the system automatically creates the service linked role.

Overview

To specify an ECS instance or an SLB instance as an origin server, your GA instance must assume the service linked role AliyunServiceRoleForGaVpcEndpoint for the GA service.
Note A service linked role is a Resource Access Management (RAM) role. It can be assumed by only the linked service. You can use an Alibaba Cloud service to access other Alibaba Cloud services. To implement a specific feature, you must first authorize the Alibaba Cloud service to access other services. Service linked roles allow you to simplify the authorization and avoid the risks caused by user errors. For more information, see Service linked roles.

Permissions required to create the service linked role

An Alibaba Cloud account is authorized to create the service linked role AliyunServiceRoleForGaVpcEndpoint. RAM users must be granted the following permissions to create the service linked role:
{
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
        }
      }
}
You can authorize a RAM user to create the service linked role by using one of the following methods:
  • Attach the administrator permission policy AliyunGlobalAccelerationFullAccess to the RAM user. For more information, see Grant permissions to a RAM role.
    Note The permissions required to create the service linked role AliyunServiceRoleForGaVpcEndpoint are included in the administrator permission policy AliyunGlobalAccelerationFullAccess, so a RAM user to which this policy is attached can create the service linked role AliyunServiceRoleForGaVpcEndpoint.
  • Add a custom permission policy and attach the permission policy to the RAM user. The following code block shows the content of the custom permission policy:
    {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
            }
          }
    }

    For more information, see Create a custom policy and Grant permissions to a RAM role.
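A RAM user should hold the scoped grant shown above, not an unconditioned ram:CreateServiceLinkedRole that would let it create service linked roles for any service. The following added Python example (not from the Alibaba Cloud documentation) audits a policy document offline for exactly that: it assumes the Version/Statement envelope of a RAM policy document, constructs an over-broad variant for comparison, and understands only the StringEquals condition on ram:ServiceName.

```python
from fnmatch import fnmatchcase

GA_SERVICE = "vpcendpoint.ga.aliyuncs.com"
SLR_ACTION = "ram:CreateServiceLinkedRole"

# Constructed sample: the statement from this page, wrapped in the
# Version/Statement envelope of a RAM policy document (assumed here).
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": GA_SERVICE}},
    }],
}
# Constructed over-broad variant: a wildcard Action and no ram:ServiceName
# condition, so it would allow service linked roles for any service.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ram:*", "Resource": "*", "Effect": "Allow"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action, service):
    """True if the statement's Action and ram:ServiceName condition apply to
    `action` for `service`. Only StringEquals on ram:ServiceName is understood;
    a statement with no such condition applies to every service."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
        return False
    names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
    return names is None or service in _as_list(names)

def audit_slr_grant(policy, service=GA_SERVICE):
    """Return (allowed, scoped): can the principal create the service linked
    role for `service`, and is every granting statement restricted to that
    service by a ram:ServiceName condition? An explicit Deny wins, as in RAM."""
    hits = [s for s in policy["Statement"] if _covers(s, SLR_ACTION, service)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False, False
    allows = [s for s in hits if s.get("Effect") == "Allow"]
    scoped = bool(allows) and all(
        "ram:ServiceName" in s.get("Condition", {}).get("StringEquals", {})
        for s in allows
    )
    return bool(allows), scoped
```

Run audit_slr_grant on the policy documents attached to a RAM user; a result of (True, False) means the user can create the GA service linked role but the grant is not limited to vpcendpoint.ga.aliyuncs.com.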

Create the service linked role

When you specify an ECS instance or an SLB instance as an origin server in the GA service, the system checks whether the GA instance assumes the service linked role AliyunServiceRoleForGaVpcEndpoint. Then, one of the following rules applies to the GA instance:
  • If the GA instance does not assume the service linked role AliyunServiceRoleForGaVpcEndpoint, the system automatically creates the service linked role and attaches the permission policy AliyunServiceRoleForGaVpcEndpoint to the service linked role. This allows GA to access ECS and SLB. The following code block shows the content of the permission policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:ModifyNetworkInterfaceAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress",
            "ecs:JoinSecurityGroup",
            "ecs:LeaveSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupRule",
            "vpc:DescribeVSwitches"
          ]
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
            }
          }
        }
      ]
    }
  • If the GA instance assumes the service linked role AliyunServiceRoleForGaVpcEndpoint, the system does not create the service linked role again.

Delete the service linked role

The system does not automatically delete the service linked role AliyunServiceRoleForGaVpcEndpoint. To delete the service linked role, you must first delete the endpoint of the ECS or SLB instance. For more information, see: