This topic describes the scenarios and policies for the following service-linked roles of Resource Orchestration Service (ROS): AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember. This topic also describes the operations that you can perform on the service-linked roles.
Scenarios
When you use a stack group that has service-managed permissions to access the accounts of the resource directory from your administrator account and deploy stacks within those accounts, ROS must be granted permissions on specific Alibaba Cloud services. To grant these permissions, you must create the following service-linked roles of ROS as RAM roles: AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember.
For more information about service-linked roles, see Service-linked roles.
Policies
Service-linked role: AliyunServiceRoleForROSStackGroupsRDAdmin
Policy: AliyunServiceRolePolicyForROSStackGroupsRDAdmin.
Description: ROS uses the service-linked role to obtain the information about accounts of the resource directory.
{
  "Statement": [
    {
      "Action": [
        "resourcemanager:ListAccountsForParent",
        "resourcemanager:ListFoldersForParent",
        "resourcemanager:ListAncestors"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
Service-linked role: AliyunServiceRoleForROSStackGroupsRDMember
Policy: AliyunServiceRolePolicyForROSStackGroupsRDMember.
Description: ROS uses the service-linked role to create RAM roles whose names are prefixed by stackgroups-exec- and uses the RAM roles to deploy stacks.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateRole",
        "ram:GetRole",
        "ram:DeleteRole"
      ],
      "Effect": "Allow",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": [
        "ram:AttachPolicyToRole",
        "ram:DetachPolicyFromRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:role/stackgroups-exec-*",
        "acs:ram:*:system:policy/AdministratorAccess"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
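The security-relevant detail in the two policies above is how narrowly they are scoped: the administrator role may only assume roles named stackgroups-exec-*, the member role may only create, delete and attach AdministratorAccess to roles with that same prefix, and each role may delete only its own service-linked role (the ram:ServiceName condition). The following added example, which is not ROS or Alibaba Cloud code, embeds both policy documents exactly as shown on this page and runs a small evaluator over them, so a reviewer can confirm which requests each policy allows and list any action granted on Resource "*" without a condition. The evaluator models only the constructs these two policies use (Allow/Deny, string or list Action and Resource, and the StringEquals condition operator); the account ID in the sample ARNs is a constructed placeholder.

```python
import fnmatch

# Both policy documents are copied from the page; everything else in this
# block (the evaluator and the scoping check) is an added example, not ROS code.
ADMIN_POLICY = {
    "Statement": [
        {"Action": ["resourcemanager:ListAccountsForParent",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAncestors"],
         "Effect": "Allow", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "acs:ram:*:*:role/stackgroups-exec-*"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"}}},
    ],
    "Version": "1",
}

MEMBER_POLICY = {
    "Statement": [
        {"Action": ["ram:CreateRole", "ram:GetRole", "ram:DeleteRole"],
         "Effect": "Allow", "Resource": "acs:ram:*:*:role/stackgroups-exec-*"},
        {"Action": ["ram:AttachPolicyToRole", "ram:DetachPolicyFromRole"],
         "Effect": "Allow",
         "Resource": ["acs:ram:*:*:role/stackgroups-exec-*",
                      "acs:ram:*:system:policy/AdministratorAccess"]},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"}}},
    ],
    "Version": "1",
}


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(condition, context):
    """Evaluate a Condition block against request context keys.

    Only StringEquals is modelled (the one operator these policies use); any
    other operator is treated as not satisfied, which is the safe direction.
    """
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one (action, resource, context) request.

    Implicit deny unless some Allow statement matches on action, resource and
    condition; an explicit Deny always wins. Policy wildcards are matched with
    shell-style globbing, so "acs:ram:*:*:role/stackgroups-exec-*" also matches
    ARNs whose region segment is empty.
    """
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def unscoped_actions(policy):
    """List Allow actions granted on Resource "*" with no Condition at all.

    These deserve a second look in any policy review; for the two ROS policies
    the only hits are the read-only resourcemanager:List* calls.
    """
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _as_list(stmt["Resource"]):
            found.extend(_as_list(stmt["Action"]))
    return found


if __name__ == "__main__":
    # Constructed ARNs; the account ID is a placeholder, not a real account.
    exec_role = "acs:ram::123456789012:role/stackgroups-exec-demo"
    other_role = "acs:ram::123456789012:role/SomeOtherRole"
    print("admin may assume exec role:", evaluate(ADMIN_POLICY, "sts:AssumeRole", exec_role))
    print("admin may assume other role:", evaluate(ADMIN_POLICY, "sts:AssumeRole", other_role))
    print("member may create other role:", evaluate(MEMBER_POLICY, "ram:CreateRole", other_role))
    print("admin unscoped actions:", unscoped_actions(ADMIN_POLICY))
    print("member unscoped actions:", unscoped_actions(MEMBER_POLICY))
```

Because the member policy can attach AdministratorAccess to any stackgroups-exec-* role, the role-name prefix is the effective trust boundary in each member account: a RAM policy elsewhere in the account that lets other principals create or assume roles with that prefix would widen what this service-linked role can reach, which is why the evaluator above is worth running against any additional policies you attach.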
Create service-linked roles
When you use the administrator account to create stack instances in a service-managed stack group, you must create the AliyunServiceRoleForROSStackGroupsRDAdmin service-linked role within the administrator account. The administrator account then assumes this service-linked role to obtain the information about accounts of the resource directory. You must also create the AliyunServiceRoleForROSStackGroupsRDMember service-linked role within each member account that you obtain from the resource directory. ROS then uses these service-linked roles to create RAM roles whose names are prefixed by stackgroups-exec-, and the member accounts assume those RAM roles to deploy stacks. The RAM roles whose names are prefixed by stackgroups-exec- are deleted when you delete the stack instances.
For more information, see Step 3: Create a stack group.
Delete service-linked roles
To delete the AliyunServiceRoleForROSStackGroupsRDAdmin service-linked role within the administrator account, you must first delete all service-managed stack groups within the account. Perform the following steps:
Delete the stack groups. For more information, see Delete a stack group.
Delete the service-linked role. For more information, see Delete a service-linked role.
To delete the AliyunServiceRoleForROSStackGroupsRDMember service-linked role within a member account, you must first delete the stack instances that correspond to that member account. Perform the following steps:
Delete the stack instances. For more information, see Delete a stack instance.
Delete the service-linked roles. For more information, see Delete a service-linked role.