Anti-DDoS Origin needs access to other Alibaba Cloud services and resources to protect your infrastructure. A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service — not a user. Anti-DDoS Origin assumes this role automatically, so you don't need to create or configure the permissions manually.
This topic describes how to create, view, and delete the Anti-DDoS Origin service-linked role.
How it works
The first time you use Anti-DDoS Origin, it automatically creates a service-linked role named AliyunServiceRoleForDDoSBgp and attaches the system policy AliyunServiceRolePolicyForDDoSBgp to it. Anti-DDoS Origin then assumes this role to access the cloud services and resources it needs.
To review the specific actions granted by this policy, click the policy name on the Roles page of the RAM console.
Grant RAM users permission to manage the service-linked role
To allow a RAM user to create or delete a service-linked role, grant the RAM user one of the following:
Full access (recommended): Ask your administrator to grant the RAM user the
AliyunYundunAntiDDoSBagFullAccesspolicy.Minimum permissions: Add the following actions to the
Actionstatement of a custom policy:Action Purpose ram:CreateServiceLinkedRoleCreate the service-linked role ram:DeleteServiceLinkedRoleDelete the service-linked role
For more information, see Permissions required to create and delete a service-linked role.
Create the service-linked role
Anti-DDoS Origin creates AliyunServiceRoleForDDoSBgp automatically the first time you use the service. To trigger this:
Log on to the Traffic Security console.
In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Instance Management.
In the Service-linked role for Anti-DDoS Origin message, click OK.
If AliyunServiceRoleForDDoSBgp already exists, the message does not appear.
Alibaba Cloud creates the AliyunServiceRoleForDDoSBgp service-linked role.
View the service-linked role
After AliyunServiceRoleForDDoSBgp is created, find it on the Roles page of the RAM console. On the role details page, you can review the following information:
| Section | What you can view |
|---|---|
| Basic information | Role name, creation time, Alibaba Cloud Resource Name (ARN), and description |
| Permissions tab | Click a policy name to see the policy content and the cloud resources the role can access |
| Trust policy tab | The trust policy content; the Service field identifies the trusted entity (a cloud service) |
For details on navigating the role details page, see View the information about a RAM role.
Delete the service-linked role
Deleting the service-linked role disables all Anti-DDoS Origin features that depend on it. Proceed only if you no longer use Anti-DDoS Origin.
If you no longer use Anti-DDoS Origin, you can manually delete the AliyunServiceRoleForDDoSBgp service-linked role in the RAM console.
For step-by-step instructions, see Delete a RAM role.