
API Gateway: Service-linked role for ApiGateway - IntegrateWithMicroservices

Last Updated: Nov 17, 2023

This topic describes the service-linked role AliyunServiceRoleForApiGatewayIntegrateWithMicroservices that is used by the Resource Access Management (RAM) role ApiGateway - IntegrateWithMicroservices to access your resources in other Alibaba Cloud services.

Background information

ApiGateway - IntegrateWithMicroservices is a RAM role that is used by API Gateway to access your resources in Enterprise Distributed Application Service (EDAS) and Microservices Engine (MSE). For more information, see Service-linked roles.

Scenarios

When you create a backend service of the EDAS type, import backend services of the EDAS type, or import APIs from EDAS, API Gateway prompts you that the system will create a service-linked role. After you approve the request, the system automatically creates a service-linked role named AliyunServiceRoleForApiGatewayIntegrateWithMicroservices and adds a policy named AliyunServiceRolePolicyForApiGatewayIntegrateWithMicroservices to the role. This way, API Gateway has the permissions to access resources in other cloud services.

AliyunServiceRoleForApiGatewayIntegrateWithMicroservices description

Role name: AliyunServiceRoleForApiGatewayIntegrateWithMicroservices

Role policy: AliyunServiceRolePolicyForApiGatewayIntegrateWithMicroservices

Permission description:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadApplication",
        "edas:ReadNamespace",
        "edas:ReadService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:ListAnsServices",
        "mse:ListAnsInstances",
        "mse:ListClusters",
        "mse:QueryInstancesInfo",
        "mse:QueryClusterInfo"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the service-linked role

If you want to delete the service-linked role AliyunServiceRoleForApiGatewayIntegrateWithMicroservices, you must first delete the backend services that depend on this role. Procedure:

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Open API > Backend Services.

  2. Set the search condition to Service Type and enter EDAS in the search box to search for the backend services that depend on the service-linked role. Then, click Delete in the Actions column of the service that you want to delete. Repeat the delete operation until all dependent services are deleted.

  3. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. Find AliyunServiceRoleForApiGatewayIntegrateWithMicroservices on the Roles page. Then, click Delete in the Actions column.

FAQ

Why is AliyunServiceRoleForApiGatewayIntegrateWithMicroservices not automatically created for me as a RAM user?

You do not have the required permissions. Ask the owner of the Alibaba Cloud account to which your RAM account belongs to attach the following policy to you.

{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
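
The following check is an added example, not Alibaba Cloud's own code. It audits a RAM policy document such as the role policy in the description section or the FAQ policy above, and flags any Allow on a non-read action and any ram: action that is not pinned to this integration by the ram:ServiceName condition. The function name audit_policy, the read-only prefix list, and the drifted sample policy are assumptions constructed for illustration.

```python
import json

# Service name taken from the Condition blocks of both policies on this page.
SERVICE = "microservice-integration.apigateway.aliyuncs.com"
# Verb prefixes of the EDAS/MSE actions in the role policy; treated as read-only (assumption).
READ_PREFIXES = ("Read", "List", "Query")

def as_list(value):
    """Action and condition values may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy, service=SERVICE):
    """Return (statement index, action, reason) for each Allow that is too broad."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = as_list(cond.get("ram:ServiceName")) == [service]
        for action in as_list(stmt.get("Action")):
            product, _, verb = action.partition(":")
            if product == "ram":
                # RAM actions must stay limited to this integration's service name.
                if not pinned:
                    findings.append((i, action, "not pinned to ram:ServiceName"))
            elif not verb.startswith(READ_PREFIXES):
                findings.append((i, action, "not a read-only action"))
    return findings

# The FAQ policy from this page, as published.
FAQ_POLICY = json.loads("""{"Version": "1", "Statement": [{
  "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"}}}]}""")

# Constructed sample: a drifted copy with a wildcard EDAS grant and the Condition dropped.
DRIFTED_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["edas:ReadService", "edas:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, doc in (("faq", FAQ_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_policy(doc) or "ok")
```

An empty result means every Allow is either a read-style action or a RAM action limited to the service name shown on this page.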