All Products
Search
Document Center

Agentic Cloud Governance Center:Service-linked roles in Agentic Cloud Governance Center

Last Updated:Jun 26, 2026

Agentic Cloud Governance Center uses five service-linked roles (SLRs) for authorized cross-service access. Each SLR serves specific governance scenarios and can be viewed or deleted in the RAM console.

Overview

A service-linked role (SLR) is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. SLRs enable authorized cross-service access. The following table lists the SLRs provided by Agentic Cloud Governance Center.

Service-linked role

Service identifier

Policy

AliyunServiceRoleForGovernance

governance.aliyuncs.com

AliyunServiceRolePolicyForGovernance

AliyunServiceRoleForGovernanceSetup

setup.governance.aliyuncs.com

AliyunServiceRolePolicyForGovernanceSetup

AliyunServiceRoleForGovernanceNetworkBlueprint

blueprint-network.governance.aliyuncs.com

AliyunServiceRolePolicyForGovernanceNetworkBlueprint

AliyunServiceRoleForGovernanceCloudNativeBlueprint

blueprint-cloud-native.governance.aliyuncs.com

AliyunServiceRolePolicyForGovernanceCloudNativeBlueprint

AliyunServiceRoleForGovernanceHealthReport

health-report.governance.aliyuncs.com

AliyunServiceRolePolicyForGovernanceHealthReport

For more information, see Service-linked roles.

AliyunServiceRoleForGovernance

Scenarios

This SLR is created for the management account of a resource directory. It applies to the following scenarios:

  • During enterprise resource structure initialization, Agentic Cloud Governance Center uses this SLR to enable resource directories, create folders and members, and query the management account trusteeship.

  • When managing your enterprise resource directory, Agentic Cloud Governance Center uses this SLR to retrieve real-time directory information, delete folders, and move members.

Create the service-linked role

When you activate Agentic Cloud Governance Center, you must create this SLR. For more information, see Activate Agentic Cloud Governance Center.

View the service-linked role

After this SLR is created, log on to the RAM console with the management account and search for AliyunServiceRoleForGovernance on the Roles page. You can view:

  • Basic information

    The Basic Information section shows the role name, creation time, ARN, and description.

  • Permission policy

    On the Permissions tab, click the policy name to view the policy document.

    Note

    The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.

  • Trust policy

    On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.

For more information about how to view a service-linked role, see View a RAM role.

Delete the service-linked role

Important

Deleting this SLR disables all features that depend on it. Proceed with caution.

You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.

If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceSetup

Scenarios

This SLR is created for members of a resource directory. It applies to the following scenarios:

  • When you configure a feature (such as log delivery auditing) for a member, Agentic Cloud Governance Center uses this SLR to create a RAM role with the required permissions for that feature.

  • When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.

Create the service-linked role

Agentic Cloud Governance Center automatically creates this SLR for the required member when building a landing zone.

View the service-linked role

After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceSetup on the Roles page. You can view:

  • Basic information

    The Basic Information section shows the role name, creation time, ARN, and description.

  • Permission policy

    On the Permissions tab, click the policy name to view the policy document.

    Note

    The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.

  • Trust policy

    On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.

Delete the service-linked role

Important

Deleting this SLR disables all features that depend on it. Proceed with caution.

You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.

Before deleting this SLR, remove the member from the resource directory.

If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceNetworkBlueprint

Scenarios

This SLR is created for members of a resource directory. It applies to the following scenarios:

  • When you configure network settings for a member (such as setting up a Cloud Enterprise Network (CEN) instance for a shared service account), Agentic Cloud Governance Center uses this SLR to activate CEN, create instances, and configure routing rules.

  • When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.

Create the service-linked role

Agentic Cloud Governance Center automatically creates this SLR within the required member when you initialize network settings.

View the service-linked role

After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceNetworkBlueprint on the Roles page. You can view:

  • Basic information

    The Basic Information section shows the role name, creation time, ARN, and description.

  • Permission policy

    On the Permissions tab, click the policy name to view the policy document.

    Note

    The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.

  • Trust policy

    On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.

Delete the service-linked role

Important

Deleting this SLR disables all features that depend on it. Proceed with caution.

You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.

Before deleting this SLR, remove the member from the resource directory.

If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceCloudNativeBlueprint

Scenarios

This SLR is created for members of a resource directory. It applies to the following scenarios:

  • When you configure cloud-native settings for a member (such as setting up a Kubernetes cluster for a shared service account), Agentic Cloud Governance Center uses this SLR to activate Container Service for Kubernetes (ACK) and create the cluster.

  • When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.

Create the service-linked role

Agentic Cloud Governance Center automatically creates this SLR within the required member when you initialize cloud-native settings.

View the service-linked role

After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceCloudNativeBlueprint on the Roles page. You can view:

  • Basic information

    The Basic Information section shows the role name, creation time, ARN, and description.

  • Permission policy

    On the Permissions tab, click the policy name to view the policy document.

    Note

    The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.

  • Trust policy

    On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.

Delete the service-linked role

Important

Deleting this SLR disables all features that depend on it. Proceed with caution.

You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.

Before deleting this SLR, remove the member from the resource directory.

If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceHealthReport

Scenarios

The cloud health check service uses this SLR to enable Agentic Cloud Governance Center and access the Security Center's Cloud Security Posture Management service for cloud health assessments.

Create the service-linked role

This SLR is automatically created in your account when you initiate a checkup in the cloud health check service.

View the service-linked role

After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceHealthReport on the Roles page. You can view:

  • Basic information

    The Basic Information section shows the role name, creation time, ARN, and description.

  • Permission policy

    On the Permissions tab, click the policy name to view the policy document.

    Note

    The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.

  • Trust policy

    On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.

Delete the service-linked role

Important

Deleting this SLR disables all features that depend on it. Proceed with caution.

If you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account, you may need to delete this SLR in the RAM console. For more information, see Delete a RAM role.