Cloud Governance Center may need to access another Alibaba Cloud service to implement a feature. In such scenarios, Cloud Governance Center must assume a specific service-linked role, which is a Resource Access Management (RAM) role, to obtain the permissions to access another Alibaba Cloud service. Cloud Governance Center provides two service-linked roles: AliyunServiceRoleForGovernance and AliyunServiceRoleForGovernanceSetup.

AliyunServiceRoleForGovernance

  • Scenarios

    The service-linked role AliyunServiceRoleForGovernance is created within the management account of a resource directory. This role is applicable to the following scenarios:

    • When you initialize the resource structure of your enterprise, Cloud Governance Center must use this service-linked role to perform the relevant operations, for example, enabling a resource directory, creating folders, creating member accounts, and querying the financial settlement relationship of the management account.
    • When Cloud Governance Center displays and manages the resource directory of your enterprise, it must use this service-linked role to obtain real-time information about the resource directory and perform the relevant operations, for example, deleting folders and moving member accounts.
  • Role description
    • Role name: AliyunServiceRoleForGovernance
    • Policy name: AliyunServiceRolePolicyForGovernance
    • Description: This policy grants Cloud Governance Center the permissions to enable, query, and manage a resource directory, query financial settlement relationships, and delete the service-linked role AliyunServiceRoleForGovernance.
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "resourcemanager:GetResourceDirectory",
              "resourcemanager:InitResourceDirectory",
              "resourcemanager:ListResources",
              "resourcemanager:ListFoldersForParent",
              "resourcemanager:ListAccountsForParent",
              "resourcemanager:ListAccounts",
              "resourcemanager:CreateFolder",
              "resourcemanager:CreateResourceAccount",
              "resourcemanager:GetFolder",
              "resourcemanager:GetAccount",
              "resourcemanager:UpdateFolder",
              "resourcemanager:DeleteFolder",
              "resourcemanager:MoveAccount",
              "resourcemanager:UpdateAccount",
              "resourcemanager:ListHandshakesForResourceDirectory",
              "resourcemanager:GetPayerForAccount"
            ],
            "Resource": "*"
          },
          {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "governance.aliyuncs.com"
              }
            }
          }
        ],
        "Version": "1"
      }
  • Create the service-linked role
    1. Log on to the Cloud Governance Center console.
    2. On the Cloud Governance Center page, click Start Governance.
    3. In the Welcome to Cloud Governance Center message, view the information about the service-linked role AliyunServiceRoleForGovernance and click OK.

      Cloud Governance Center automatically creates the service-linked role.

  • Delete the service-linked role

    Cloud Governance Center cannot automatically delete the service-linked role. You can only manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceSetup

  • Scenarios

    The service-linked role AliyunServiceRoleForGovernanceSetup is created within a member account of a resource directory. This role is applicable to the following scenarios:

    • When you need to configure a feature within a member account in the resource directory of your enterprise, such as the delivery of audit logs within a log archive account, Cloud Governance Center must use the service-linked role AliyunServiceRoleForGovernanceSetup. In this case, Cloud Governance Center uses this service-linked role to create a RAM role dedicated to the required operations and grant the required permissions to the RAM role.
    • When you need to delete the service-linked role AliyunServiceRoleForGovernanceSetup, Cloud Governance Center must use this service-linked role to query the resource directory to which the member account belongs and determine whether the service-linked role can be deleted.
  • Role description
    • Role name: AliyunServiceRoleForGovernanceSetup
    • Policy name: AliyunServiceRolePolicyForGovernanceSetup
    • Description: This policy grants Cloud Governance Center the permissions to create a RAM role and grant permissions to the RAM role, obtain the permissions to access a resource directory, and delete the service-linked role AliyunServiceRoleForGovernanceSetup.
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ram:CreateRole",
              "ram:AttachPolicyToRole"
            ],
            "Resource": [
              "acs:ram:*:*:role/aliyungovernance*",
              "acs:ram:*:system:policy/AliyunGovernance*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "resourcemanager:GetResourceDirectory"
            ],
            "Resource": "*"
          },
          {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "setup.governance.aliyuncs.com"
              }
            }
          }
        ],
        "Version": "1"
      }
  • Create the service-linked role

    When you initialize the resource structure of your enterprise, Cloud Governance Center automatically creates the service-linked role AliyunServiceRoleForGovernanceSetup within the required member account.

  • Delete the service-linked role

    Cloud Governance Center cannot automatically delete the service-linked role. You can only manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
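To make the scope of the two policies above concrete, the following added Python example (not from the Alibaba Cloud documentation or the Cloud Governance Center service) evaluates requests against a copy of the AliyunServiceRolePolicyForGovernanceSetup policy with a minimal RAM policy matcher that handles Action lists, wildcard Resource patterns and the StringEquals condition; the same function can be pointed at the AliyunServiceRolePolicyForGovernance policy. The account ID, role names and policy names used in the checks are constructed, and only the StringEquals condition operator is modelled because that is all these two policies use.

```python
import fnmatch
import json

# Constructed copy of the AliyunServiceRolePolicyForGovernanceSetup policy shown above.
SETUP_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ram:CreateRole", "ram:AttachPolicyToRole"],
     "Resource": ["acs:ram:*:*:role/aliyungovernance*",
                  "acs:ram:*:system:policy/AliyunGovernance*"]},
    {"Effect": "Allow",
     "Action": ["resourcemanager:GetResourceDirectory"],
     "Resource": "*"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "setup.governance.aliyuncs.com"}}}
  ],
  "Version": "1"
}""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only the StringEquals operator is modelled (an assumption of this example):
    # every listed key must be present in the request context with the exact value.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if some Allow statement covers action and resource and its
    condition holds for the request context. Anything not allowed is denied."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Running the checks shows the role can only create roles named aliyungovernance*, attach only AliyunGovernance* system policies, and delete only the service-linked role whose ram:ServiceName is setup.governance.aliyuncs.com.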