Service Mesh (ASM) uses a RAM service-linked role named AliyunServiceRoleForServiceMesh to access other Alibaba Cloud services on your behalf. Each Alibaba Cloud account has only one AliyunServiceRoleForServiceMesh role.
Overview
A service-linked role is a Resource Access Management (RAM) role that only the linked Alibaba Cloud service can assume. ASM uses AliyunServiceRoleForServiceMesh to access the following services:
| Service | Abbreviation |
|---|---|
| Container Service for Kubernetes | ACK |
| Virtual Private Cloud | VPC |
| Classic Load Balancer | CLB |
| Simple Log Service | SLS |
| Managed Service for OpenTelemetry | - |
| Application Real-Time Monitoring Service | ARMS |
| Cloud Enterprise Network | CEN |
The system policies attached to service-linked roles are defined by the linked service. You cannot add, modify, or remove these permissions. To view the attached policies, see View the information about a RAM role.
For more information about service-linked roles, see Service-linked roles.
Prerequisites
Alibaba Cloud accounts have permissions to create the service-linked role by default. To grant a RAM user permission to create the role, attach the following custom policy to the RAM user. For details, see Grant permissions to the RAM user.
```json
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "servicemesh.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
```

Create the service-linked role
When you access ASM, the system checks whether AliyunServiceRoleForServiceMesh exists. If the role does not exist, ASM prompts you to create it.
On the Service-linked Role for ASM page, click Create.
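The prerequisite policy in the previous section is scoped by a `ram:ServiceName` condition so that the RAM user can create only the ASM service-linked role. The following Python check, added here as an example and not part of this page or of any Alibaba Cloud tool, parses a policy document in that format and reports whether the `ram:CreateServiceLinkedRole` grant is scoped to `servicemesh.aliyuncs.com` or lets the user create service-linked roles for any service. The sample policies and the `check_asm_policy` function name are constructed for this example; Deny statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

ASM_SERVICE = "servicemesh.aliyuncs.com"

# Constructed samples: the scoped policy from the page, and a variant that
# omits the Condition block and therefore covers every service's linked role.
SCOPED_POLICY = json.dumps({
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": ASM_SERVICE}},
    }],
    "Version": "1",
})
BROAD_POLICY = json.dumps({
    "Statement": [{"Action": "ram:CreateServiceLinkedRole",
                   "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
})


def _as_list(value):
    """RAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def allowed_service_names(policy_text):
    """Return the ram:ServiceName values for which the policy allows
    ram:CreateServiceLinkedRole; '*' means no Condition limits the service."""
    policy = json.loads(policy_text)
    services = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not modelled here (assumption)
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase("ram:CreateServiceLinkedRole", a) for a in actions):
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        services.update(_as_list(names) if names is not None else ["*"])
    return services


def check_asm_policy(policy_text):
    """Classify the grant: 'scoped' (ASM only), 'broad' (other or all services), 'none'."""
    services = allowed_service_names(policy_text)
    if not services:
        return "none"
    if "*" in services or services - {ASM_SERVICE}:
        return "broad"
    return "scoped"
```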
Delete the service-linked role
Delete AliyunServiceRoleForServiceMesh if you no longer need ASM or want to stop using it temporarily.
Before you delete the role, you must delete all ASM instances across every region in the current account. Otherwise, the deletion fails.
Each Alibaba Cloud account has only one AliyunServiceRoleForServiceMesh role. After deletion, the account and all its RAM users lose the ability to use ASM or create ASM instances.
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, enter AliyunServiceRoleForServiceMesh in the search box.
4. Find the AliyunServiceRoleForServiceMesh role and click Delete Role in the Actions column.
5. In the Delete Role dialog box, click Delete Role.
Note: During deletion, Deleting appears in the Actions column. The operation takes a few seconds. After the role is deleted, a success message appears. If the deletion fails, click View Details in the error message to troubleshoot.