A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. AnalyticDB for PostgreSQL uses a service-linked role to access your resources in other cloud services.
Scenarios
When you work with AnalyticDB for PostgreSQL, you may need to access other cloud services by means of the AliyunServiceRoleForADBPG role to use a feature of AnalyticDB for PostgreSQL. For more information, see Service-linked roles.
Required permissions for a RAM user to use a service-linked role
If you want to create or delete a service-linked role as a RAM user, you must ask the administrator to grant the RAM user the AliyunGPDBFullAccess permission. Alternatively, you can set the Action parameter of a custom policy to the following permissions:
Create a service-linked role:
ram:CreateServiceLinkedRole
Delete a service-linked role:
ram:DeleteServiceLinkedRole
For more information, see the "Permissions required to create and delete a service-linked role" section of the Service-linked roles topic.
Create a service-linked role
A service-linked role is a RAM role that is linked directly to a cloud service. When you use specific features of the service, the service automatically creates or deletes the service-linked role as needed. You do not need to manually create or delete the service-linked role. A service-linked role simplifies the process of authorizing a service to access other services and reduces the risks caused by misoperations.
The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.
View information about the service-linked role
After the system creates the service-linked role, you can view the following details of the role by searching for AliyunServiceRoleForADBPG on the Roles page in the RAM console:
Basic information
In the Basic Information section of the details page of the AliyunServiceRoleForADBPG role, you can view basic information about the role, such as the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policy
On the Permissions tab of the details page of the AliyunServiceRoleForADBPG role, you can click the name of a policy to view the content of the policy and the cloud resources that can be accessed by the role.
Trust policy
On the Trust Policy Management tab of the details page of the AliyunServiceRoleForADBPG role, you can view the content of the trust policy that is attached to the role. A trust policy is a policy that describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For information about how to view information about a service-linked role, see View the information about a RAM role.
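The following is an added example, not code from this page or from Alibaba Cloud: a Python check that reads the Service field of a trust policy and reports whether a custom policy's ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole grants are limited by a ram:ServiceName condition. The policy documents are constructed samples, example-service.aliyuncs.com is a placeholder rather than the real service name, and the helper names are hypothetical.

```python
from fnmatch import fnmatchcase

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

def _as_list(value):
    """RAM policy fields hold either one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Return the Service principals that Allow statements let assume the role."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            found.update(_as_list(principal.get("Service")))
    return sorted(found)

def slr_grants(policy):
    """List (action, services) for every Allow that covers an SLR action.

    services is the StringEquals ram:ServiceName list, or None when the
    statement is not limited to a service. Simplification: other condition
    operators and Deny statements are not evaluated.
    """
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = _as_list(cond.get("ram:ServiceName")) or None
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action in SLR_ACTIONS:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                grants.append((action, services))
    return grants

# Constructed samples; SERVICE is a placeholder service name (assumption).
SERVICE = "example-service.aliyuncs.com"
TRUST_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": [SERVICE]}}]}
SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": list(SLR_ACTIONS), "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}}]}
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(trusted_services(TRUST_POLICY), slr_grants(SCOPED_POLICY), slr_grants(BROAD_POLICY))
```

A grant reported with None lets the RAM user create or delete service-linked roles for any service, which is broader than what managing the AliyunServiceRoleForADBPG role requires.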
Delete the service-linked role
If you want to delete the AliyunServiceRoleForADBPG role, you must first release all instances that depend on the service-linked role.
For information about how to release AnalyticDB for PostgreSQL instances, see Release an instance.
For information about how to delete the service-linked role, see the "Delete a service-linked role" section of the Service-linked roles topic.