
API Gateway: Service-linked role for microservices integration - AliyunServiceRoleForApiGatewayIntegrateWithMicroservices

Last Updated: Jul 05, 2024

This topic describes the service-linked role AliyunServiceRoleForApiGatewayIntegrateWithMicroservices that is used by the Resource Access Management (RAM) role ApiGateway - IntegrateWithMicroservices to access your resources in other Alibaba Cloud services.

Background

ApiGateway - IntegrateWithMicroservices is a RAM role that is used by API Gateway to access your resources in Enterprise Distributed Application Service (EDAS) and Microservices Engine (MSE). For more information about service-linked roles, see Service-linked roles.

Scenarios

When you create a backend service of the EDAS type, import backend services of the EDAS type, or import APIs from EDAS, API Gateway prompts you that the system will create a service-linked role. After you approve the request, the system automatically creates a service-linked role named AliyunServiceRoleForApiGatewayIntegrateWithMicroservices and attaches a policy named AliyunServiceRolePolicyForApiGatewayIntegrateWithMicroservices to the role. This gives API Gateway permission to access resources in other cloud services.

AliyunServiceRoleForApiGatewayIntegrateWithMicroservices description

Role name: AliyunServiceRoleForApiGatewayIntegrateWithMicroservices

Role policy: AliyunServiceRolePolicyForApiGatewayIntegrateWithMicroservices

Policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "edas:ReadApplication",
        "edas:ReadNamespace",
        "edas:ReadService"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mse:ListAnsServices",
        "mse:ListAnsInstances",
        "mse:ListClusters",
        "mse:QueryInstancesInfo",
        "mse:QueryClusterInfo"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"
        }
      }
    }
  ]
}
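
An added example (not Alibaba Cloud code): a small audit of the policy content above, confirming that every EDAS and MSE action is read-only and that the one RAM action is restricted by the ram:ServiceName condition. The function names and the rule that the Read, List and Query prefixes mean read-only are assumptions of this example.

```python
import json

# Policy content copied from this page (layout compacted).
ROLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["edas:ReadApplication", "edas:ReadNamespace", "edas:ReadService"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["mse:ListAnsServices", "mse:ListAnsInstances", "mse:ListClusters",
              "mse:QueryInstancesInfo", "mse:QueryClusterInfo"]},
  {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
   "Condition": {"StringEquals":
     {"ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"}}}
]}
""")

# Assumption: these verb prefixes (the ones in the policy above) mean read-only.
READ_ONLY_VERBS = ("Read", "List", "Query")
EXPECTED_SERVICE = "microservice-integration.apigateway.aliyuncs.com"


def as_list(value):
    """Action and condition values may be a bare string or a list."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy, expected_service=EXPECTED_SERVICE):
    """Return (statement index, action, reason) for each over-broad grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = as_list(cond.get("ram:ServiceName", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
            elif verb.startswith(READ_ONLY_VERBS):
                continue  # read-only call
            elif pinned != [expected_service]:
                findings.append((idx, action, "not pinned to service"))
    return findings


if __name__ == "__main__":
    for finding in audit(ROLE_POLICY):
        print(finding)
    print("findings:", len(audit(ROLE_POLICY)))
```

The same check applies to the ram:CreateServiceLinkedRole policy in the FAQ, which uses the same ram:ServiceName condition.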

Delete AliyunServiceRoleForApiGatewayIntegrateWithMicroservices

If you want to delete the service-linked role AliyunServiceRoleForApiGatewayIntegrateWithMicroservices, you must first delete the backend services that depend on this role. Procedure:

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > Backend Services.

  2. On the Backend Services page, select EDAS from the Type drop-down list to show only backend services of the EDAS type. Then, find the service that you want to delete and click Delete in the Actions column.

  3. Go to the RAM console. In the left-side navigation pane, choose Identities > Roles. Find the role AliyunServiceRoleForApiGatewayIntegrateWithMicroservices and click Delete Role in the Actions column.

FAQ

Why is AliyunServiceRoleForApiGatewayIntegrateWithMicroservices not automatically created for me as a RAM user?

You do not have the required permissions. Ask the owner of the Alibaba Cloud account to which your RAM account belongs to attach the following policy to you.

{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "microservice-integration.apigateway.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}