Agentic Cloud Governance Center uses five service-linked roles (SLRs) for authorized cross-service access. Each SLR serves specific governance scenarios and can be viewed or deleted in the RAM console.
Overview
A service-linked role (SLR) is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. SLRs enable authorized cross-service access. The following table lists the SLRs provided by Agentic Cloud Governance Center.
| Service-linked role | Service identifier | Policy |
| --- | --- | --- |
| AliyunServiceRoleForGovernance | governance.aliyuncs.com | AliyunServiceRolePolicyForGovernance |
| AliyunServiceRoleForGovernanceSetup | setup.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceSetup |
| AliyunServiceRoleForGovernanceNetworkBlueprint | blueprint-network.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceNetworkBlueprint |
| AliyunServiceRoleForGovernanceCloudNativeBlueprint | blueprint-cloud-native.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceCloudNativeBlueprint |
| AliyunServiceRoleForGovernanceHealthReport | health-report.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceHealthReport |
For more information, see Service-linked roles.
AliyunServiceRoleForGovernance
Scenarios
This SLR is created for the management account of a resource directory. It applies to the following scenarios:
- During enterprise resource structure initialization, Agentic Cloud Governance Center uses this SLR to enable resource directories, create folders and members, and query the management account trusteeship.
- When managing your enterprise resource directory, Agentic Cloud Governance Center uses this SLR to retrieve real-time directory information, delete folders, and move members.
Create the service-linked role
When you activate Agentic Cloud Governance Center, you must create this SLR. For more information, see Activate Agentic Cloud Governance Center.
View the service-linked role
After this SLR is created, log on to the RAM console with the management account and search for AliyunServiceRoleForGovernance on the Roles page. You can view:
- Basic information: The Basic Information section shows the role name, creation time, ARN, and description.
- Permission policy: On the Permissions tab, click the policy name to view the policy document.
  Note: The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.
- Trust policy: On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.
For more information about how to view a service-linked role, see View a RAM role.
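The following check ties the service identifiers in the table above to the Service field of each SLR's trust policy: it reads a trust policy document (the JSON shown on the Trust Policy tab) and reports any principal other than the one service the SLR is meant to trust. This is an added example written for this page, not code from Agentic Cloud Governance Center or the RAM console; the sample trust policy document is constructed here, and the RAM principal value in the usage note is a placeholder.

```python
import json

# Trusted service identifier for each SLR, taken from the table on this page.
EXPECTED_SERVICE = {
    "AliyunServiceRoleForGovernance": "governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceSetup": "setup.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceNetworkBlueprint": "blueprint-network.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceCloudNativeBlueprint": "blueprint-cloud-native.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceHealthReport": "health-report.governance.aliyuncs.com",
}


def _as_list(value):
    # A RAM policy field may hold one string or a list of strings.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_slr_trust_policy(role_name, trust_policy_json):
    """Return findings for an SLR trust policy; an empty list means it is as expected.
    Every Allow statement for sts:AssumeRole must name only the expected Service principal."""
    expected = EXPECTED_SERVICE.get(role_name)
    if expected is None:
        return [f"{role_name} is not an Agentic Cloud Governance Center SLR"]
    findings = []
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # e.g. "*": any caller could assume the role
            findings.append(f"wildcard principal {principal!r}")
            continue
        for key, value in principal.items():
            if key != "Service":  # RAM users/accounts or federated identities do not belong here
                findings.append(f"unexpected principal type {key!r}: {value}")
        for svc in _as_list(principal.get("Service")):
            if svc != expected:
                findings.append(f"trusted service {svc!r}, expected {expected!r}")
    return findings


# Constructed sample in the RAM trust policy document format (not copied from any account).
SAMPLE_TRUST_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["governance.aliyuncs.com"]}}],
    "Version": "1",
})
```

Run `check_slr_trust_policy("AliyunServiceRoleForGovernance", SAMPLE_TRUST_POLICY)` to get an empty list; a document whose Principal also lists a RAM entry such as `{"RAM": ["acs:ram::<account-id>:root"]}` (placeholder) is reported as an unexpected principal type.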
Delete the service-linked role
Deleting this SLR disables all features that depend on it. Proceed with caution.
You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.
If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceSetup
Scenarios
This SLR is created for members of a resource directory. It applies to the following scenarios:
- When you configure a feature (such as log delivery auditing) for a member, Agentic Cloud Governance Center uses this SLR to create a RAM role with the required permissions for that feature.
- When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.
Create the service-linked role
Agentic Cloud Governance Center automatically creates this SLR for the required member when building a landing zone.
View the service-linked role
After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceSetup on the Roles page. You can view:
- Basic information: The Basic Information section shows the role name, creation time, ARN, and description.
- Permission policy: On the Permissions tab, click the policy name to view the policy document.
  Note: The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.
- Trust policy: On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.
Delete the service-linked role
Deleting this SLR disables all features that depend on it. Proceed with caution.
You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.
Before deleting this SLR, remove the member from the resource directory.
If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceNetworkBlueprint
Scenarios
This SLR is created for members of a resource directory. It applies to the following scenarios:
- When you configure network settings for a member (such as setting up a Cloud Enterprise Network (CEN) instance for a shared service account), Agentic Cloud Governance Center uses this SLR to activate CEN, create instances, and configure routing rules.
- When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.
Create the service-linked role
Agentic Cloud Governance Center automatically creates this SLR within the required member when you initialize network settings.
View the service-linked role
After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceNetworkBlueprint on the Roles page. You can view:
- Basic information: The Basic Information section shows the role name, creation time, ARN, and description.
- Permission policy: On the Permissions tab, click the policy name to view the policy document.
  Note: The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.
- Trust policy: On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.
Delete the service-linked role
Deleting this SLR disables all features that depend on it. Proceed with caution.
You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.
Before deleting this SLR, remove the member from the resource directory.
If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceCloudNativeBlueprint
Scenarios
This SLR is created for members of a resource directory. It applies to the following scenarios:
- When you configure cloud-native settings for a member (such as setting up a Kubernetes cluster for a shared service account), Agentic Cloud Governance Center uses this SLR to activate Container Service for Kubernetes (ACK) and create the cluster.
- When you delete this SLR, Agentic Cloud Governance Center uses it to query the member's resource directory and determine whether the SLR can be deleted.
Create the service-linked role
Agentic Cloud Governance Center automatically creates this SLR within the required member when you initialize cloud-native settings.
View the service-linked role
After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceCloudNativeBlueprint on the Roles page. You can view:
- Basic information: The Basic Information section shows the role name, creation time, ARN, and description.
- Permission policy: On the Permissions tab, click the policy name to view the policy document.
  Note: The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.
- Trust policy: On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.
Delete the service-linked role
Deleting this SLR disables all features that depend on it. Proceed with caution.
You may need to delete this SLR if you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account.
Before deleting this SLR, remove the member from the resource directory.
If no cloud resources use this SLR, delete it in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceHealthReport
Scenarios
The cloud health check service uses this SLR to enable Agentic Cloud Governance Center and access the Security Center's Cloud Security Posture Management service for cloud health assessments.
Create the service-linked role
This SLR is automatically created in your account when you initiate a checkup in the cloud health check service.
View the service-linked role
After this SLR is created, log on to the RAM console with the member account and search for AliyunServiceRoleForGovernanceHealthReport on the Roles page. You can view:
- Basic information: The Basic Information section shows the role name, creation time, ARN, and description.
- Permission policy: On the Permissions tab, click the policy name to view the policy document.
  Note: The permission policy attached to an SLR is not visible on the Policies page. View it on the role details page instead.
- Trust policy: On the Trust Policy tab, view the trust policy document. The trust policy defines which entity can assume the role. For an SLR, the trusted entity is a cloud service, identified by the Service field.
Delete the service-linked role
Deleting this SLR disables all features that depend on it. Proceed with caution.
If you no longer use Agentic Cloud Governance Center or want to delete your Alibaba Cloud account, you may need to delete this SLR in the RAM console. For more information, see Delete a RAM role.