A service-linked role for Cloud-native API Gateway is a predefined Resource Access Management (RAM) role that is designed for specific features. This topic describes the scenarios and management of service-linked roles for Cloud-native API Gateway.
Use cases
AliyunServiceRoleForNativeApiGw: When Cloud-native API Gateway needs to access the resources of other Alibaba Cloud services, such as Virtual Private Cloud (VPC), Container Service for Kubernetes (ACK), Function Compute (FC), Enterprise Distributed Application Service (EDAS), Microservices Engine (MSE), Server Load Balancer (SLB), Network Load Balancer (NLB), Elastic Compute Service (ECS), and Application Real-Time Monitoring Service (ARMS), it automatically creates the AliyunServiceRoleForNativeApiGw service-linked role to obtain the required access permissions.
AliyunServiceRoleForNativeApiGwInvokeFC: When Cloud-native API Gateway needs to call the FC service, it automatically creates the AliyunServiceRoleForNativeApiGwInvokeFC service-linked role to obtain the required access permissions.
AliyunServiceRoleForNativeApiGwInvokeCloudFlow: When Cloud-native API Gateway needs to call the CloudFlow service, it automatically creates the AliyunServiceRoleForNativeApiGwInvokeCloudFlow service-linked role to obtain the required access permissions.
AliyunServiceRoleForNativeApiGwInvokeKMS: When Cloud-native API Gateway needs to call Key Management Service (KMS), it automatically creates the AliyunServiceRoleForNativeApiGwInvokeKMS service-linked role to obtain the required access permissions.
Permissions required for a RAM user to use a service-linked role
If you use a RAM user to create or delete a service-linked role, you must ask an administrator to grant the RAM user administrator permissions (AliyunNativeApiGwFullAccess) or add the following permissions to the Action statement of a custom policy:
Create a service-linked role:
ram:CreateServiceLinkedRole
Delete a service-linked role:
ram:DeleteServiceLinkedRole
For more information about how to grant permissions, see Permissions required to create and delete a service-linked role.
Permission details
AliyunServiceRoleForNativeApiGw
The AliyunServiceRoleForNativeApiGw service-linked role has the following access permissions:
Virtual Private Cloud (VPC)
{
"Effect": "Allow",
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:ModifyEipAddressAttribute",
"vpc:ModifyBypassToaAttribute",
"vpc:AddCommonBandwidthPackageIp",
"vpc:RemoveCommonBandwidthPackageIp",
"vpc:TagResources",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcs",
"vpc:CreateVSwitch",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVRouters",
"vpc:DescribeRouteTables",
"vpc:DescribeRouteEntryList"
],
"Resource": "*"
}
Container Service for Kubernetes (ACK)
{
"Effect": "Allow",
"Action": [
"cs:DescribeClusterDetail",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:GetUserConfig",
"cs:DescribeClusterUserKubeconfig",
"cs:GetClusterById",
"cs:GetClustersByUid",
"cs:DescribeClustersV1",
"cs:ListClusters",
"cs:GetClusters",
"cs:DescribeClusterNodePools"
],
"Resource": "*"
}
Function Compute (FC)
{
"Effect": "Allow",
"Action": [
"fc:ListAliases",
"fc:ListServices",
"fc:ListServiceVersions",
"fc:ListFunctions",
"fc:ListFunctionVersions",
"fc:ListTriggers"
],
"Resource": "*"
}
Enterprise Distributed Application Service (EDAS)
{
"Effect": "Allow",
"Action": [
"edas:ReadNamespace",
"edas:ReadService",
"edas:ListUserDefineRegion"
],
"Resource": "*"
}
Microservices Engine (MSE)
{
"Effect": "Allow",
"Action": [
"mse:ListAnsServices",
"mse:ListEngineNamespaces",
"mse:ListClusters",
"mse:QueryConfig"
],
"Resource": "*"
}
Server Load Balancer (SLB)
{
"Effect": "Allow",
"Action": [
"slb:SetLoadBalancerName",
"slb:CreateLoadBalancer",
"slb:AddBackendServers",
"slb:SetBackendServers",
"slb:RemoveBackendServers",
"slb:CreateLoadBalancerTCPListener",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateLoadBalancerHTTPListener",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:CreateLoadBalancerHTTPSListener",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DeleteLoadBalancerListener",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeHealthStatus",
"slb:CreateLoadBalancerForCloudService",
"slb:DeleteLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveTags",
"slb:AddTags",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:CreateLoadBalancerUDPListener",
"slb:CreateVServerGroup",
"slb:DeleteVServerGroup",
"slb:SetVServerGroupAttribute",
"slb:ModifyVServerGroupBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveVServerGroupBackendServers",
"slb:SetLoadBalancerModificationProtection",
"slb:SetLoadBalancerDeleteProtection",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeTags",
"slb:DescribeVServerGroups",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeLoadBalancerListeners",
"slb:ListTagResources",
"slb:TagResources",
"slb:UntagResources"
],
"Resource": "*"
}
Network Load Balancer (NLB)
{
"Effect": "Allow",
"Action": [
"nlb:TagResources",
"nlb:UnTagResources",
"nlb:ListTagResources",
"nlb:CreateLoadBalancer",
"nlb:DeleteLoadBalancer",
"nlb:GetLoadBalancerAttribute",
"nlb:ListLoadBalancers",
"nlb:UpdateLoadBalancerAttribute",
"nlb:UpdateLoadBalancerAddressTypeConfig",
"nlb:UpdateLoadBalancerZones",
"nlb:CreateListener",
"nlb:DeleteListener",
"nlb:ListListeners",
"nlb:UpdateListenerAttribute",
"nlb:StopListener",
"nlb:StartListener",
"nlb:GetListenerAttribute",
"nlb:GetListenerHealthStatus",
"nlb:CreateServerGroup",
"nlb:DeleteServerGroup",
"nlb:UpdateServerGroupAttribute",
"nlb:AddServersToServerGroup",
"nlb:RemoveServersFromServerGroup",
"nlb:UpdateServerGroupServersAttribute",
"nlb:ListServerGroups",
"nlb:ListServerGroupServers",
"nlb:LoadBalancerLeaveSecurityGroup",
"nlb:LoadBalancerJoinSecurityGroup",
"nlb:GetJobStatus",
"nlb:UpdateLoadBalancerProtection"
],
"Resource": "*"
}
Elastic Compute Service (ECS)
{
"Effect": "Allow",
"Action": [
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:DeleteSecurityGroup",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:DescribeInstances",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AddTags",
"ecs:DescribeEipAddresses",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AssignPrivateIpAddresses",
"ecs:UnassignPrivateIpAddresses",
"ecs:AssignIpv6Addresses",
"ecs:UnassignIpv6Addresses",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ListTagResources"
],
"Resource": "*"
}
Application Real-Time Monitoring Service (ARMS)
{
"Effect": "Allow",
"Action": [
"arms:OpenArmsService",
"arms:GetAlertRules",
"arms:ReportCustomIncidents",
"arms:AddPrometheusInstance",
"arms:GetAuthToken",
"arms:GetClusterAllUrl",
"arms:OpenArmsServiceSecondVersion",
"arms:CheckServiceStatus",
"arms:OpenVCluster",
"arms:GetPrometheusApiToken",
"arms:ListDashboards",
"arms:GetExploreUrl",
"arms:CreateDefaultCloudProductPrometheusAlertRule",
"arms:ListNotificationPolicies",
"arms:ListDispatchRule",
"arms:CreateDispatchRule",
"arms:CreateOrUpdateNotificationPolicy",
"arms:DescribeContactGroups",
"arms:SearchContactGroup",
"arms:CreatePrometheusAlertRule"
],
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeFC
The AliyunServiceRoleForNativeApiGwInvokeFC service-linked role has the following access permissions:
{
"Effect": "Allow",
"Action": "fc:InvokeFunction",
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeCloudFlow
The AliyunServiceRoleForNativeApiGwInvokeCloudFlow service-linked role has the following access permissions:
{
"Effect": "Allow",
"Action": [
"fnf:StartExecution",
"fnf:StartSyncExecution"
],
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeKMS
The AliyunServiceRoleForNativeApiGwInvokeKMS service-linked role has the following access permissions:
{
"Effect": "Allow",
"Action": [
"kms:ListKmsInstances",
"kms:ListKeys",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:CreateSecret",
"kms:DeleteSecret",
"kms:UpdateSecret",
"kms:DescribeSecret",
"kms:GetSecretValue",
"kms:PutSecretValue",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": "*"
}
View a service-linked role
After a service-linked role is created, you can go to the Roles page of the RAM console and search for the service-linked role, such as AliyunServiceRoleForNativeApiGw, to view the following information:
Basic information
On the role details page, in the Basic Information section, you can view the basic information about the role. This includes the role name, creation time, role ARN, and remarks.
Access policy
On the role details page, on the Permissions tab, you can click the access policy name to view the policy document and the cloud resources that the role can access.
Trust policy
On the role details page, on the Trust Policy tab, you can view the trust policy document. A trust policy is a policy that describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is an Alibaba Cloud service. You can view the trusted entity in the Service field of the trust policy.
For more information about how to view a RAM role, see View a RAM role.
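The policy document you open from the Permissions tab is long, and every statement above carries "Resource": "*", so the practical review question is which actions change state or return credential material. The script below is an added example, not part of this page or of the Cloud-native API Gateway product: it walks a RAM policy document and, per Allow statement, separates read-only actions from write actions and from actions that hand out secrets or kubeconfigs. The sample policy embedded in it abridges the ECS statement of AliyunServiceRoleForNativeApiGw, the AliyunServiceRoleForNativeApiGwInvokeKMS statement and the AliyunServiceRoleForNativeApiGwInvokeFC statement from this page; the SLB statement is constructed to show that an action string with stray whitespace is flagged (such a string never matches a real API call). The verb list and the set of sensitive actions are the example's own judgment, not a classification published by Alibaba Cloud.

```python
import json

# Sample policy for this example: the ECS and KMS statements are abridged
# copies from this page, the FC statement is the InvokeFC role's policy, and
# the SLB statement is constructed to exercise the whitespace check.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeInstances",
                "ecs:DeleteSecurityGroup",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:Decrypt",
                "kms:DescribeSecret",
                "kms:GetSecretValue",
                "kms:DeleteSecret",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "fc:InvokeFunction", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["slb:DescribeLoadBalancers", "slb:DeleteLoadBalancer "],
            "Resource": "*",
        },
    ],
}

# Operation names starting with one of these verbs are treated as read-only.
READ_VERBS = ("Describe", "List", "Get", "Query", "Check")

# Actions that return key or credential material whatever their verb says.
# This set is the example's own judgment, not a classification from the page.
SENSITIVE_ACTIONS = {
    "kms:GetSecretValue",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "cs:DescribeClusterUserKubeconfig",
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:GetUserConfig",
}


def classify(action):
    """Return 'sensitive', 'read' or 'write' for one 'service:Operation' string."""
    if action in SENSITIVE_ACTIONS:
        return "sensitive"
    _, _, operation = action.partition(":")
    return "read" if operation.startswith(READ_VERBS) else "write"


def audit_policy(policy):
    """Summarize every Allow statement of a RAM policy document.

    Each entry lists the services touched, the write and sensitive actions
    granted, the number of read actions, whether Resource is '*', and any
    action string with surrounding whitespace (a dead grant that matches
    no real API call).
    """
    report = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        entry = {"services": set(), "write": [], "sensitive": [],
                 "read_count": 0, "malformed": [],
                 "wildcard_resource": "*" in resources}
        for action in actions:
            if action != action.strip():
                entry["malformed"].append(action)
                continue
            entry["services"].add(action.partition(":")[0])
            kind = classify(action)
            if kind == "read":
                entry["read_count"] += 1
            else:
                entry[kind].append(action)
        entry["services"] = sorted(entry["services"])
        report.append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

To run it against the real role, export the policy document from the Permissions tab, load it with json.load, and pass it to audit_policy in place of SAMPLE_POLICY; the verb heuristic is deliberately conservative, so extend SENSITIVE_ACTIONS with any read-shaped action your own review considers credential-bearing.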
Delete a service-linked role
If you no longer use Cloud-native API Gateway, you can manually delete the service-linked role in the RAM console.
Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, choose .
On the Roles page, enter the name of the role that you want to delete, such as AliyunServiceRoleForNativeApiGw, in the search box.
Find the role in the search results and click Delete Role in the Actions column.
In the dialog box that appears, enter the role name to confirm the deletion, and then click Delete Role.
After you delete the service-linked role for Cloud-native API Gateway, features that depend on the role will not work correctly. Proceed with caution.
FAQ
Why can't my RAM user automatically create the AliyunServiceRoleForNativeApiGw service-linked role?
A RAM user must have the required permissions to automatically create or delete the AliyunServiceRoleForNativeApiGw service-linked role. If a RAM user cannot automatically create the role, add the following access policy for that RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace Alibaba Cloud account ID with your actual Alibaba Cloud account ID.
Why can't my RAM user automatically create the AliyunServiceRoleForNativeApiGwInvokeFC service-linked role?
A RAM user must have the required permissions to automatically create or delete the AliyunServiceRoleForNativeApiGwInvokeFC service-linked role. If a RAM user cannot automatically create the role, add the following access policy for that RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"invokefc.nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace Alibaba Cloud account ID with your actual Alibaba Cloud account ID.
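The two FAQ policies differ only in the ram:ServiceName condition, and that condition is what keeps the grant narrow: the RAM user may create service-linked roles for exactly one service, not every service-linked role in the account. The following added example (not from this page or from Alibaba Cloud) makes that visible with a small policy evaluator that covers the features the FAQ policies use. It is a simplified model of RAM evaluation, an assumption of this example rather than the RAM engine itself: no matching statement means Deny, an explicit Deny wins over Allow, "*" in Action and Resource patterns matches any run of characters, and StringEquals with a list matches when any listed value equals the request context value. The account ID is a constructed placeholder, and the role ARN shape acs:ram::<account>:role/<name> used for the request is the standard RAM role ARN. The same check applies to the custom-policy route described under "Permissions required for a RAM user to use a service-linked role".

```python
import re

ACCOUNT_ID = "123456789012345678"  # constructed placeholder, not a real account

# The first FAQ policy from this page with the account ID placeholder filled in.
NATIVEAPIGW_SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {"ram:ServiceName": ["nativeapigw.aliyuncs.com"]}
            },
        }
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern, value):
    """Match a RAM pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Evaluate StringEquals conditions; other operators are out of scope here."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request under the simplified model."""
    decision = "Deny"  # default deny when nothing matches
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins immediately
        decision = "Allow"
    return decision


def faq_cases():
    """Decisions for the requests a reviewer would want to see side by side."""
    create = "ram:CreateServiceLinkedRole"
    role = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForNativeApiGw"
    fc_role = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForNativeApiGwInvokeFC"
    return {
        # the request the FAQ policy is written for
        "gateway_service": evaluate(
            NATIVEAPIGW_SLR_POLICY, create, role,
            {"ram:ServiceName": "nativeapigw.aliyuncs.com"}),
        # the InvokeFC role uses a different service name, hence the second FAQ policy
        "invokefc_service": evaluate(
            NATIVEAPIGW_SLR_POLICY, create, fc_role,
            {"ram:ServiceName": "invokefc.nativeapigw.aliyuncs.com"}),
        # the policy grants creation only, not deletion
        "delete_role": evaluate(
            NATIVEAPIGW_SLR_POLICY, "ram:DeleteServiceLinkedRole", role,
            {"ram:ServiceName": "nativeapigw.aliyuncs.com"}),
        # a role under another account falls outside the Resource pattern
        "other_account": evaluate(
            NATIVEAPIGW_SLR_POLICY, create,
            "acs:ram::999999999999999999:role/AliyunServiceRoleForNativeApiGw",
            {"ram:ServiceName": "nativeapigw.aliyuncs.com"}),
    }


if __name__ == "__main__":
    for name, decision in faq_cases().items():
        print(f"{name}: {decision}")
```

The "invokefc_service" case is the reason the page carries two separate FAQ policies: a single statement scoped to nativeapigw.aliyuncs.com does not let the user create the InvokeFC role, and widening it by dropping the Condition would let the user create service-linked roles for any service, which is more than the gateway needs.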
References
For more information about service-linked roles, see Service-linked roles.