Elastic Compute Service: Manage the service-linked role for Auto Provisioning

Last Updated: Mar 18, 2024

AliyunServiceRoleForAutoProvisioning is a service-linked role provided by Resource Access Management (RAM) for Auto Provisioning. Auto Provisioning can assume the role to obtain access to the associated Alibaba Cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, and CloudMonitor. Before you create an auto provisioning group, make sure that your Alibaba Cloud account has the AliyunServiceRoleForAutoProvisioning service-linked role. This topic describes how to create and delete the service-linked role for Auto Provisioning.

For more information, see Service-linked roles.

Prerequisites

If you are a RAM user, make sure that an administrator has granted you the permissions to perform operations on auto provisioning groups. For more information, see Grant permissions to a RAM role.

The following policy is attached to the RAM user to grant the permissions to operate auto provisioning groups. It allows the ram:CreateServiceLinkedRole action only when the ram:ServiceName condition key equals autoprovisioning.ecs.aliyuncs.com.

Important

Replace <account ID> in the policy with the ID of your Alibaba Cloud account.

Policy

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "autoprovisioning.ecs.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
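
The following linter is an added example, not part of the Alibaba Cloud documentation: it checks whether a RAM policy grants ram:CreateServiceLinkedRole only under the ram:ServiceName condition shown in the policy above. The function names and both sample policies are constructed for illustration, and treating wildcard actions as a match is an assumption chosen so that the check errs toward flagging.

```python
import fnmatch
import json

TARGET_ACTION = "ram:CreateServiceLinkedRole"
EXPECTED_SERVICE = "autoprovisioning.ecs.aliyuncs.com"  # value from the policy above

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_slr_policy(policy_text, expected_service=EXPECTED_SERVICE):
    """Return (statement index, reason) for each Allow statement that grants
    ram:CreateServiceLinkedRole without pinning it to expected_service."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: wildcard actions such as "ram:*" or "*" cover the target.
        # Matching is case-insensitive so the check errs toward flagging.
        if not any(fnmatch.fnmatchcase(TARGET_ACTION.lower(), str(a).lower())
                   for a in _as_list(stmt.get("Action"))):
            continue
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        services = _as_list(equals.get("ram:ServiceName"))
        if not services:
            findings.append((idx, "no StringEquals condition on ram:ServiceName"))
        extra = sorted(s for s in services if s != expected_service)
        if extra:
            findings.append((idx, "also allows: " + ", ".join(extra)))
    return findings

# Constructed sample: the page's policy with the account ID left as a placeholder.
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:<account ID>:role/*",
    "Condition": {"StringEquals": {
        "ram:ServiceName": ["autoprovisioning.ecs.aliyuncs.com"]}}}]})

# Constructed sample: the same grant through a wildcard action, with no condition.
UNSCOPED_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ram:*",
    "Resource": "acs:ram:*:<account ID>:role/*"}]})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, audit_slr_policy(doc) or "OK")
```

An empty result means every statement that allows the action is pinned to the Auto Provisioning service name.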

Create AliyunServiceRoleForAutoProvisioning

When you create an auto provisioning group, the system checks whether your Alibaba Cloud account has the AliyunServiceRoleForAutoProvisioning service-linked role. If your account does not have the role, you are prompted to create the role. After you confirm the prompt, the role is automatically created. You can also manually create the role. For more information, see Create a service-linked role.

Important

The permissions of service-linked roles are defined and used by cloud services. You cannot add permissions to, remove permissions from, or modify permissions for service-linked roles. You can view the permissions of the role on the role details page. For more information, see View the information about a RAM role.

Delete AliyunServiceRoleForAutoProvisioning

If you no longer require AliyunServiceRoleForAutoProvisioning, you can delete it. For more information, see Delete a RAM role.

Important
  • Before you can delete AliyunServiceRoleForAutoProvisioning, you must delete the auto provisioning groups in all regions in your account. Otherwise, the role cannot be deleted. For more information, see Delete auto provisioning groups.

  • After AliyunServiceRoleForAutoProvisioning is deleted, you cannot use Auto Provisioning to create or manage resources.

References

For information about how to create an auto provisioning group, see Create an auto provisioning group.