AliyunServiceRoleForServiceMesh is a service-linked role that is provided by Resource Access Management (RAM) to grant Alibaba Cloud Service Mesh (ASM) the access permissions on other Alibaba Cloud resources. This topic describes how to create and delete the service-linked role for ASM.

Background information

Service-linked roles are RAM roles that only the linked Alibaba Cloud services can assume. AliyunServiceRoleForServiceMesh is the service-linked role that is used to grant ASM the access permissions on other Alibaba Cloud services, such as Container Service for Kubernetes (ACK), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Log Service, Tracing Analysis, Application Real-Time Monitoring Service (ARMS), and Cloud Enterprise Network. For more information about service-linked roles, see Service-linked roles.

Precautions

By default, Alibaba Cloud accounts have the permission to create the service-linked role for ASM. To create the service-linked role for ASM as a RAM user, you must attach the CreateServiceLinkedRole policy to the RAM user. This policy grants only the permission to create the service-linked role for ASM, as shown in the following policy document: the Condition element restricts the ram:CreateServiceLinkedRole action to the ASM service (servicemesh.aliyuncs.com), so the RAM user cannot use it to create service-linked roles for other services. For more information, see Grant permissions to a RAM user.
{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "servicemesh.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
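The following script is an added example, not Alibaba Cloud code, and it does not call the RAM API. It models only the subset of RAM policy semantics the policy above relies on (Action and Resource wildcards, Allow/Deny with Deny taking precedence, and the StringEquals condition on ram:ServiceName) and uses it to answer two questions a reviewer would ask before attaching such a policy to a RAM user: does it allow creating the service-linked role for servicemesh.aliyuncs.com, and does it accidentally allow creating service-linked roles for every other service? The unscoped policy variant and the service name example.aliyuncs.com are constructed for the demonstration.

```python
"""Minimal evaluator for RAM policy statements that grant ram:CreateServiceLinkedRole.

Added example; not Alibaba Cloud code and not a full RAM policy engine.
Modelled: Action/Resource wildcards (* and ?), Allow/Deny with Deny winning,
and the StringEquals operator on the ram:ServiceName condition key.
"""
import fnmatch
import json

ACTION = "ram:CreateServiceLinkedRole"
CONDITION_KEY = "ram:ServiceName"

# The policy document from the page: scoped to the ASM service principal.
SCOPED_POLICY = json.loads("""
{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "servicemesh.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
""")

# Constructed variant with the Condition element dropped: it lets the RAM user
# create the service-linked role of ANY Alibaba Cloud service, not just ASM.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"}
    ],
}


def _as_list(value):
    # RAM allows Action/Resource/condition values to be a string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and resource names are compared case-insensitively with wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(statement, service_name):
    cond = statement.get("Condition", {})
    if not cond:
        return True  # no condition: the statement applies to every service name
    for operator, pairs in cond.items():
        if operator != "StringEquals":
            return False  # operator not modelled here: treat the statement as not applicable
        for key, expected in pairs.items():
            if key != CONDITION_KEY:
                return False  # other condition keys are not modelled either
            if service_name not in _as_list(expected):
                return False
    return True


def allows_create_slr(policy, service_name, resource="*"):
    """True if the policy lets the caller create the service-linked role of
    ``service_name``. An applicable Deny statement overrides any Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), ACTION):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt, service_name):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def unscoped_statements(policy):
    """Indices of Allow statements that grant ram:CreateServiceLinkedRole without
    pinning ram:ServiceName, i.e. that cover every linked service."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt.get("Action", []), ACTION):
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if CONDITION_KEY not in keys:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        asm = allows_create_slr(policy, "servicemesh.aliyuncs.com")
        other = allows_create_slr(policy, "example.aliyuncs.com")  # constructed name
        print(f"{name}: ASM={asm} other-service={other} unscoped={unscoped_statements(policy)}")
```

Running the script shows the scoped policy allowing the ASM role only, while the unscoped variant allows any service and is reported by unscoped_statements; the same check can be pointed at any custom policy before it is attached to a RAM user.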

Create the service-linked role for ASM

When you use ASM, the system checks whether the AliyunServiceRoleForServiceMesh service-linked role exists in your account. If it does not exist, the system prompts you to create it: click Create on the Service-linked Role for ASM page.

System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles. You can view the policies that are attached to a service-linked role on the details page of the service-linked role. For more information, see View the basic information of a RAM role.

Delete the service-linked role for ASM

If you do not currently need the AliyunServiceRoleForServiceMesh service-linked role and understand the impact of deleting it, you can delete it. For example, if you no longer need to use ASM or create ASM instances, you can delete the AliyunServiceRoleForServiceMesh service-linked role.
Note Before you can delete the AliyunServiceRoleForServiceMesh service-linked role, you must delete the ASM instances in all regions of the current account. Otherwise, the delete operation fails. Each Alibaba Cloud account has only one AliyunServiceRoleForServiceMesh service-linked role. After the AliyunServiceRoleForServiceMesh service-linked role is deleted from an Alibaba Cloud account, the Alibaba Cloud account and its RAM users can no longer use ASM or create ASM instances.
  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, enter AliyunServiceRoleForServiceMesh in the search box to find the AliyunServiceRoleForServiceMesh service-linked role. Then, click Delete in the Actions column of the AliyunServiceRoleForServiceMesh service-linked role.
  4. In the message that appears, click OK.
    Note After you confirm the deletion, Deleting appears in the Actions column. The delete operation takes a few seconds to complete. After the role is deleted, a success message appears. If the service-linked role fails to be deleted, click View Details in the error message and troubleshoot the error.