
Service-linked role

Last Updated: Nov 17, 2023

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. ApsaraDB for Redis assumes a service-linked role to access other cloud services or resources.

Scenarios

The AliyunServiceRoleForKvstore service-linked role is a RAM role that allows ApsaraDB for Redis to access other cloud services.

When you work with ApsaraDB for Redis, you may need access to other cloud services to use a feature of Redis. For example, to use the log management feature of Redis, you must obtain the permissions to access the relevant resources in Simple Log Service by means of AliyunServiceRoleForKvstore.

Permissions that are required by a RAM user to create a service-linked role

The permissions to create a service-linked role are included in the administrative policy of the linked service. The administrative policy of ApsaraDB for Redis is AliyunKvstoreFullAccess. If you attach the administrative policy of the service to a RAM identity, the RAM identity can create the service-linked role for the service.

If your RAM user has insufficient permissions, grant the following permissions to the RAM user before you associate the service-linked role with it. For information about how to grant permissions, see Create a custom policy and Grant permissions to RAM users. You can also associate the service-linked role with your Alibaba Cloud account.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "r-kvstore.aliyuncs.com"
                }
            }
        }
    ]
}

Create a service-linked role

A service-linked role is a RAM role that is linked directly to a cloud service. When you use specific features of the service, the service automatically creates or deletes the service-linked role as needed. You do not need to manually create or delete the service-linked role. A service-linked role simplifies the process of authorizing a service to access other services and reduces the risks caused by misoperations. For more information, see Service-linked roles.

Note

The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.

View information about the service-linked role

After the system creates the service-linked role, you can view the following details of the role by searching for AliyunServiceRoleForKvstore on the Roles page in the RAM console:

  • Basic information

    In the Basic Information section of the details page of the AliyunServiceRoleForKvstore role, you can view basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab of the details page of the AliyunServiceRoleForKvstore role, you can click the name of a policy to view the content of the policy and the cloud resources that can be accessed by the role.

  • Trust policy

    On the Trust Policy Management tab of the details page of the AliyunServiceRoleForKvstore role, you can view the content of the trust policy that is attached to the role. A trust policy is a policy that describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

For more information about how to view information about a service-linked role, see View the information about a RAM role.
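As an added example (not Alibaba Cloud's own code), the following Python checks the two policy properties described above: whether a custom policy grants ram:CreateServiceLinkedRole only under a ram:ServiceName condition, and which services a trust policy names as trusted entities in its Service field. Both policy documents are constructed samples; the Principal.Service layout of the trust policy is an assumption about the RAM format.

```python
import fnmatch
import json

# Constructed sample: the statement shown on this page, wrapped in the
# Version/Statement envelope that a RAM custom policy document uses.
CUSTOM_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "r-kvstore.aliyuncs.com"}},
    }],
})
# Constructed sample trust policy for a service-linked role; the
# Principal.Service layout is an assumption about the RAM format.
TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["r-kvstore.aliyuncs.com"]},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def slr_grants(policy_json):
    """For each Allow that covers ram:CreateServiceLinkedRole, return the
    ram:ServiceName it is scoped to, or None when it is unscoped (the
    identity could then create the linked role of any service)."""
    results = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("ram:createservicelinkedrole", a) for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        results.append(cond.get("ram:ServiceName"))
    return results

def trusted_services(trust_json):
    """List the Service principals allowed to assume the role (its trusted entities)."""
    services = []
    for stmt in _as_list(json.loads(trust_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            services.extend(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services
```

A `None` in the result of `slr_grants` flags a statement that is broader than the scoped grant shown on this page.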

Delete the service-linked role

If you want to delete the AliyunServiceRoleForKvstore role, release the Redis instance that depends on the service-linked role. For more information, see Release pay-as-you-go instances and Service-linked roles.