
Cloud Governance Center:Service-linked roles in Cloud Governance Center

Last Updated: Sep 22, 2023

Cloud Governance Center provides the following service-linked roles: AliyunServiceRoleForGovernance, AliyunServiceRoleForGovernanceSetup, AliyunServiceRoleForGovernanceNetworkBlueprint, and AliyunServiceRoleForGovernanceCloudNativeBlueprint. This topic describes how to create, view, or delete the service-linked roles.

Overview

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Service-linked roles can implement authorized access across services. The following table describes the service-linked roles that are provided by Cloud Governance Center.

Service-linked role                                  Service identifier                                Policy
AliyunServiceRoleForGovernance                       governance.aliyuncs.com                           AliyunServiceRolePolicyForGovernance
AliyunServiceRoleForGovernanceSetup                  setup.governance.aliyuncs.com                     AliyunServiceRolePolicyForGovernanceSetup
AliyunServiceRoleForGovernanceNetworkBlueprint       blueprint-network.governance.aliyuncs.com         AliyunServiceRolePolicyForGovernanceNetworkBlueprint
AliyunServiceRoleForGovernanceCloudNativeBlueprint   blueprint-cloud-native.governance.aliyuncs.com    AliyunServiceRolePolicyForGovernanceCloudNativeBlueprint

For more information, see Service-linked roles.

AliyunServiceRoleForGovernance

Scenarios

This service-linked role is created for the management account of a resource directory. This role is suitable for the following scenarios:

  • When you initialize the resource structure of an enterprise, Cloud Governance Center must use this service-linked role to perform the relevant operations, such as enabling a resource directory, creating folders, creating members, and querying the trusteeship of the management account.

  • When Cloud Governance Center displays and manages the resource directory of your enterprise, it must use this service-linked role to obtain real-time information about the resource directory and to perform the relevant operations, such as deleting folders and moving members.

Create the service-linked role

When you activate Cloud Governance Center, you must create this service-linked role. For more information, see Activate Cloud Governance Center.

View the service-linked role

After the AliyunServiceRoleForGovernance service-linked role is created, you can log on to the Resource Access Management (RAM) console by using the management account, and search for AliyunServiceRoleForGovernance on the Roles page. You can view the following information about the role:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

For more information about how to view a service-linked role, see View the information about a RAM role.
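The trust policy is the one place where you can confirm that a service-linked role can be assumed only by the service it was created for. The following Python script is an added example, not Alibaba Cloud's own code or tooling: it takes the trust policy document shown on the Trust Policy Management tab and checks that the only principal is the service identifier listed in the table above (the Service field), that no other principal types have been added, and that the only allowed action is sts:AssumeRole. The policy documents embedded in the script are constructed for the example, and their layout (Version "1", a Statement list with Action, Effect and Principal) is assumed to match the RAM trust policy format; the account ID in the tampered document is a placeholder. The same check applies to all four Cloud Governance Center roles, since each expects a different service identifier.

```python
"""Audit the trust policy of a Cloud Governance Center service-linked role.

Added example, not Alibaba Cloud's own code. A trust policy that names
any principal other than the expected service identifier means the role
can be assumed by something other than Cloud Governance Center.
"""
import json

# Expected trusted service per role, taken from the table on this page.
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForGovernance": "governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceSetup": "setup.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceNetworkBlueprint":
        "blueprint-network.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceCloudNativeBlueprint":
        "blueprint-cloud-native.governance.aliyuncs.com",
}

# Constructed sample: what a healthy trust policy is assumed to look like.
GOOD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["governance.aliyuncs.com"]},
    }],
})

# Constructed sample: wrong service plus an added RAM principal
# (placeholder account ID, not a real one).
TAMPERED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "Service": ["governance.aliyuncs.com"],
            "RAM": ["acs:ram::000000000000:root"],
        },
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(role_name, policy_document):
    """Return a list of findings; an empty list means the policy is as expected.

    policy_document is the trust policy as a JSON string or an already-parsed dict.
    """
    expected = EXPECTED_TRUSTED_SERVICE.get(role_name)
    if expected is None:
        return [f"{role_name} is not a Cloud Governance Center service-linked role"]

    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    trusted_services = set()

    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant the ability to assume the role
        actions = _as_list(stmt.get("Action"))
        unexpected_actions = [a for a in actions if a != "sts:AssumeRole"]
        if unexpected_actions:
            findings.append(f"unexpected action(s) in Allow statement: {unexpected_actions}")

        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # A bare "*" or other unstructured principal is never right for this role.
            findings.append(f"unstructured principal in Allow statement: {principal!r}")
            continue
        for kind, who in principal.items():
            if kind != "Service":
                findings.append(f"non-service principal type '{kind}' can assume the role: {who}")
        trusted_services.update(_as_list(principal.get("Service")))

    if expected not in trusted_services:
        findings.append(f"expected trusted service {expected} is missing")
    for extra in sorted(trusted_services - {expected}):
        findings.append(f"unexpected trusted service {extra}")
    return findings


if __name__ == "__main__":
    for role, doc in (("AliyunServiceRoleForGovernance", GOOD_POLICY),
                      ("AliyunServiceRoleForGovernanceSetup", TAMPERED_POLICY)):
        result = audit_trust_policy(role, doc)
        print(role, "OK" if not result else "FINDINGS:")
        for line in result:
            print("  -", line)
```

Paste the document from the role details page into the script (or feed it to audit_trust_policy from a RAM API response) and treat any finding as a change to investigate; a service-linked role whose trust policy names anything other than its own service identifier no longer has the trust boundary the page describes.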

Delete the service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution when you delete a service-linked role.

If you do not use Cloud Governance Center for a long period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceSetup

Scenarios

This service-linked role is created for a member account of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure a feature for a member account of your resource directory. For example, if you want to configure the log delivery auditing feature, Cloud Governance Center must use the role to create a RAM role that has the required permissions. The RAM role is used to perform operations that are specific to the feature.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When Cloud Governance Center builds a landing zone, the system automatically creates this service-linked role for the required member account.

View the service-linked role

After the AliyunServiceRoleForGovernanceSetup service-linked role is created, you can log on to the RAM console by using the member account, and search for AliyunServiceRoleForGovernanceSetup on the Roles page. You can view the following information about the role:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

Delete the service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution when you delete a service-linked role.

If you do not use Cloud Governance Center for a long period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

Before you delete the service-linked role from the member account, you must delete the member account from the resource directory.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceNetworkBlueprint

Scenarios

This service-linked role is created for a member account of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure network settings for a member account of your resource directory. For example, if you want to configure a Cloud Enterprise Network (CEN) instance for a shared service account, Cloud Governance Center must use the role to activate CEN, create a CEN instance, and configure routing rules.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When you initialize network settings, Cloud Governance Center automatically creates the service-linked role within the required member account.

View the service-linked role

After the AliyunServiceRoleForGovernanceNetworkBlueprint service-linked role is created, you can log on to the RAM console by using the member account, and search for AliyunServiceRoleForGovernanceNetworkBlueprint on the Roles page. You can view the following information about the role:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

Delete the service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution when you delete a service-linked role.

If you do not use Cloud Governance Center for a long period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

Before you delete the service-linked role from the member account, you must delete the member account from the resource directory.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceCloudNativeBlueprint

Scenarios

This service-linked role is created for a member account of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure cloud-native settings for a member account of your resource directory. For example, if you want to configure a Kubernetes cluster for a shared service account, Cloud Governance Center must use the role to activate Container Service for Kubernetes (ACK) and create a Kubernetes cluster.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When you initialize cloud-native settings, Cloud Governance Center automatically creates the service-linked role within the required member account.

View the service-linked role

After the AliyunServiceRoleForGovernanceCloudNativeBlueprint service-linked role is created, you can log on to the RAM console by using the member account, and search for AliyunServiceRoleForGovernanceCloudNativeBlueprint on the Roles page. You can view the following information about the role:

  • Basic information

    In the Basic Information section, you can view the basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permissions tab, you can click the policy name to view the policy document.

    Note

    You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.

  • Trust policy

    On the Trust Policy Management tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

Delete the service-linked role

Important

After you delete a service-linked role, the features that depend on the role cannot be used. Proceed with caution when you delete a service-linked role.

If you do not use Cloud Governance Center for a long period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

Before you delete the service-linked role from the member account, you must delete the member account from the resource directory.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.