Before you use Auto Scaling, you must create the service-linked role AliyunServiceRoleForAutoScaling. Then, Auto Scaling can use the service-linked role to access cloud resources such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC). This topic describes how to manage the service-linked role AliyunServiceRoleForAutoScaling for Auto Scaling.

Prerequisites

By default, an Alibaba Cloud account has the permissions on Auto Scaling. However, if you use a RAM user, permissions on Auto Scaling are not automatically granted to the RAM user. You must manually grant the permissions to the RAM user. For information about how to grant permissions on Auto Scaling to RAM users, see Grant permissions to a RAM user. The following policies are provided:
  • System policies. The two system policies are AliyunESSFullAccess and AliyunESSReadOnlyAccess. AliyunESSFullAccess provides the management permissions on Auto Scaling. AliyunESSReadOnlyAccess provides the read-only permissions on Auto Scaling.
  • Custom policies. The following code shows a sample custom policy:
    Note Replace the value of <account ID> with the ID of your Alibaba Cloud account.
    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:<account ID>:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "ess.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
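
The following Python check is an added example, not part of the original documentation. It parses a RAM policy document and reports Allow statements that grant ram:CreateServiceLinkedRole without the ram:ServiceName condition limiting it to ess.aliyuncs.com, as the sample policy above does. The function name and both sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

TARGET_ACTION = "ram:CreateServiceLinkedRole"
EXPECTED_SERVICE = "ess.aliyuncs.com"  # service name from the policy on this page


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unscoped_slr_statements(policy_json):
    """Return indexes of Allow statements that grant ram:CreateServiceLinkedRole
    without StringEquals ram:ServiceName set to exactly ess.aliyuncs.com.
    Any other condition operator is flagged too (conservative by design)."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Wildcards such as "ram:*" or "*" also grant the action. Lowercasing
        # both sides is a conservative choice made for this example.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase(TARGET_ACTION.lower(), a) for a in actions):
            continue
        condition = stmt.get("Condition", {})
        services = _as_list(condition.get("StringEquals", {}).get("ram:ServiceName"))
        if services != [EXPECTED_SERVICE]:
            findings.append(index)
    return findings


# Constructed sample input: the page's policy with a placeholder account ID,
# and a variant that uses a wildcard action and has no Condition block.
SCOPED = """{"Version": "1", "Statement": [{
  "Action": ["ram:CreateServiceLinkedRole"],
  "Resource": "acs:ram:*:<account ID>:role/*",
  "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": ["ess.aliyuncs.com"]}}}]}"""
UNSCOPED = """{"Version": "1", "Statement": [{
  "Action": "ram:*",
  "Resource": "acs:ram:*:<account ID>:role/*",
  "Effect": "Allow"}]}"""

if __name__ == "__main__":
    print("scoped policy findings:  ", unscoped_slr_statements(SCOPED))
    print("unscoped policy findings:", unscoped_slr_statements(UNSCOPED))
```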

Background information

AliyunServiceRoleForAutoScaling is a service-linked role that is provided by RAM and allows Auto Scaling to access other Alibaba Cloud resources such as ECS, VPC, ApsaraDB RDS, Server Load Balancer (SLB), Operation Orchestration Service (OOS), Message Service (MNS), and CloudMonitor. For more information about service-linked roles, see Service-linked roles.
Note If you use AliyunESSDefaultRole to allow Auto Scaling to access other cloud resources, AliyunESSDefaultRole is automatically replaced by AliyunServiceRoleForAutoScaling. You can log on to the ActionTrail console to view the details.

The AliyunServiceRolePolicyForAutoScaling system policy is attached to the AliyunServiceRoleForAutoScaling service-linked role. System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or delete permissions for service-linked roles. You can view policies attached to a RAM role in the RAM role details. For more information, see View the basic information about a RAM role.

Create AliyunServiceRoleForAutoScaling

When you use Auto Scaling, the system checks whether the AliyunServiceRoleForAutoScaling service-linked role has been created for your account. If the role has not been created, the system displays a message that you do not have the required permissions. Perform the following steps to create AliyunServiceRoleForAutoScaling:

  1. Log on to the Auto Scaling console.
  2. Click Create Service-linked Role.
  3. In the Create Service Linked Role message, click OK.
    The system creates AliyunServiceRoleForAutoScaling. You can use Auto Scaling after AliyunServiceRoleForAutoScaling is created.

Delete AliyunServiceRoleForAutoScaling

If you do not need the AliyunServiceRoleForAutoScaling service-linked role at the moment, you can delete it. For example, when you do not need scaling groups to create and manage resources or if you understand the impacts of not using the role, you can delete AliyunServiceRoleForAutoScaling. For more information, see Delete a RAM role.
Note Before you delete AliyunServiceRoleForAutoScaling, you must delete the resources of Auto Scaling in all regions within your current account, including scaling groups, scheduled tasks, and event-triggered tasks. Otherwise, AliyunServiceRoleForAutoScaling cannot be deleted.

After you delete AliyunServiceRoleForAutoScaling, you cannot use Auto Scaling to create or manage resources.