
Global Accelerator:AliyunServiceRoleForGaVpcEndpoint

Last Updated: Mar 11, 2024

If your Global Accelerator (GA) instance is not assigned the service-linked role AliyunServiceRoleForGaVpcEndpoint and you specify an Elastic Compute Service instance, elastic network interface (ENI), Classic Load Balancer (CLB) instance, Application Load Balancer (ALB) instance, or Network Load Balancer (NLB) instance as an endpoint of the Global Accelerator instance, the system automatically creates the service-linked role AliyunServiceRoleForGaVpcEndpoint. CLB is formerly known as Server Load Balancer (SLB).

Overview

AliyunServiceRoleForGaVpcEndpoint is a Global Accelerator service-linked role. If you want to specify an Elastic Compute Service instance, ENI, CLB instance, ALB instance, or NLB instance as an endpoint of Global Accelerator, you must assign the service-linked role to Global Accelerator.

Note

A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some cases, to use a feature of a cloud service, you must first acquire the permissions to access other cloud services. Service-linked roles simplify the authorization process and prevent accidental operations. For more information about service-linked roles, see Service-linked roles.

Permissions required to create the service-linked role

By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForGaVpcEndpoint. RAM users must be granted the following permissions to create the service-linked role:

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
    }
  }
}

You can authorize a RAM user to create the service-linked role by using one of the following methods:

  • Attach the AliyunGlobalAccelerationFullAccess administrator policy to the RAM user. For more information, see Grant permissions to a RAM role.

    Note

    In most cases, the permissions to create the Global Accelerator service-linked role AliyunServiceRoleForGaVpcEndpoint are included in the AliyunGlobalAccelerationFullAccess administrator policy. If the RAM user has administrator permissions on Global Accelerator, the RAM user can create the service-linked role AliyunServiceRoleForGaVpcEndpoint for Global Accelerator.

  • Attach a custom policy to the RAM user. The following code block shows the content of the custom policy:

    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
        }
      }
    }

    For more information, see Create a custom policy and Grant permissions to a RAM role.
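As an added example (not from this page or from Alibaba Cloud), the following Python check evaluates whether a RAM policy document, or a bare statement fragment like the ones above, lets a RAM user create the service-linked role for vpcendpoint.ga.aliyuncs.com, and whether that grant is scoped by the ram:ServiceName condition rather than open to every service. The function names and the simplified Action matching are assumptions; it is not the RAM policy engine.

```python
import json

# Service name the Global Accelerator service-linked role is created for (from the page).
GA_VPC_ENDPOINT_SERVICE = "vpcendpoint.ga.aliyuncs.com"
CREATE_SLR_ACTION = "ram:CreateServiceLinkedRole"


def _as_list(value):
    """Action and condition values in a RAM policy may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Simplified (assumed) match of an Action pattern ("*", "ram:*", "ram:Create*")."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _statements(policy):
    """Accept a full policy document or a bare statement fragment, as shown on this page."""
    return _as_list(policy.get("Statement", policy))


def check_create_slr(policy_doc, service_name=GA_VPC_ENDPOINT_SERVICE):
    """Return (allowed, scoped) for ram:CreateServiceLinkedRole on the given service name.

    allowed: an Allow statement covers the action for this service and no Deny overrides it.
    scoped:  every covering Allow statement carries a ram:ServiceName condition, so the RAM
             user cannot create service-linked roles for arbitrary services (least privilege).
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    allowed, denied, scoped = False, False, True
    for stmt in _statements(policy):
        if not any(_action_matches(p, CREATE_SLR_ACTION) for p in _as_list(stmt.get("Action"))):
            continue  # statement does not cover the action at all
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = _as_list(cond.get("ram:ServiceName"))
        if names and service_name not in names:
            continue  # scoped to a different service; irrelevant for this role
        if stmt.get("Effect") == "Deny":
            denied = True  # an explicit Deny always wins
        elif stmt.get("Effect") == "Allow":
            allowed = True
            if not names:
                scoped = False  # unconditional grant: can create SLRs for any service
    return allowed and not denied, scoped
```

A result of (True, False) means the user can create the role but the policy is broader than the custom policy shown above; (False, True) with a ServiceName condition for another service means the statement simply does not apply here.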

Create the service-linked role

When you specify an Elastic Compute Service instance, ENI, CLB instance, ALB instance, or NLB instance as an endpoint of Global Accelerator, the system determines whether Global Accelerator is assigned the service-linked role AliyunServiceRoleForGaVpcEndpoint:

  • If the service-linked role AliyunServiceRoleForGaVpcEndpoint is not assigned to Global Accelerator, the system automatically creates the service-linked role and adds a policy named AliyunServiceRoleForGaVpcEndpoint to the service-linked role. The policy grants Global Accelerator the permissions to access Elastic Compute Service, ENI, CLB, ALB, or NLB. The following code block shows the content of the policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:ModifyNetworkInterfaceAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress",
            "ecs:JoinSecurityGroup",
            "ecs:LeaveSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupRule",
            "vpc:DescribeVSwitches"
          ]
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
            }
          }
        }
      ]
    }

  • If the service-linked role AliyunServiceRoleForGaVpcEndpoint is assigned to Global Accelerator, the system does not re-create the service-linked role.

Delete the service-linked role

The system does not automatically delete the Global Accelerator service-linked role AliyunServiceRoleForGaVpcEndpoint. If you want to delete the service-linked role, you must first delete the Elastic Compute Service instance, ENI, CLB instance, ALB instance, or NLB instance that serves as an endpoint. For more information, see the following topics:

  1. Delete an endpoint

  2. Delete a service-linked role