
Cloud Governance Center: Service-linked roles in Cloud Governance Center

Last Updated: Dec 26, 2025

Cloud Governance Center provides the following service-linked roles: AliyunServiceRoleForGovernance, AliyunServiceRoleForGovernanceSetup, AliyunServiceRoleForGovernanceNetworkBlueprint, AliyunServiceRoleForGovernanceCloudNativeBlueprint, and AliyunServiceRoleForGovernanceHealthReport. This topic describes how to create, view, and delete these service-linked roles.

Overview

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Service-linked roles can implement authorized access across services. The following table describes the service-linked roles that are provided by Cloud Governance Center.

| Service-linked role | Service identifier | Access policy name |
| --- | --- | --- |
| AliyunServiceRoleForGovernance | governance.aliyuncs.com | AliyunServiceRolePolicyForGovernance |
| AliyunServiceRoleForGovernanceSetup | setup.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceSetup |
| AliyunServiceRoleForGovernanceNetworkBlueprint | blueprint-network.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceNetworkBlueprint |
| AliyunServiceRoleForGovernanceCloudNativeBlueprint | blueprint-cloud-native.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceCloudNativeBlueprint |
| AliyunServiceRoleForGovernanceHealthReport | health-report.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceHealthReport |

For more information, see Service-linked roles.

AliyunServiceRoleForGovernance

Scenarios

This service-linked role is created for the management account of a resource directory. This role is suitable for the following scenarios:

  • When you initialize the resource structure of an enterprise, Cloud Governance Center must use this service-linked role to perform the relevant operations, such as enabling a resource directory, creating folders, creating members, and querying the trusteeship of the management account.

  • When Cloud Governance Center displays and manages the resource directory of your enterprise, it must use this service-linked role to obtain real-time information about the resource directory and to perform the relevant operations, such as deleting folders and moving members.

Create the service-linked role

When you activate Cloud Governance Center, you must create this service-linked role. For more information, see Activate Cloud Governance Center.

View the service-linked role

After the AliyunServiceRoleForGovernance service-linked role is created, you can log on to the Resource Access Management (RAM) console using the management account, and search for AliyunServiceRoleForGovernance on the Roles page. You can view the following information about the role:

  • Basic information

    On the role details page, the Basic Information section displays basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the role details page, click the Permission Management tab. Click the access policy name to view the policy document.

    Note

    You can view the access policy of a service-linked role on the role details page, but not on the Policies page in the RAM console.

  • Trust policy

    On the role details page, click the Trust Policy tab to view the trust policy document. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

For more information about how to view a service-linked role, see View the information about a RAM role.
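
The following check is an added example, not part of the original documentation and not Alibaba Cloud's own code. It compares the Service field of a role's trust policy with the service identifier listed for that role in the Overview table, and covers all five roles rather than only AliyunServiceRoleForGovernance. The sample policy documents are constructed and assume the usual RAM trust policy layout (Statement, Effect, Principal), because the page does not show a policy document.

```python
import json

# Role name -> service identifier, copied from the Overview table on this page.
EXPECTED_SERVICE = {
    "AliyunServiceRoleForGovernance": "governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceSetup": "setup.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceNetworkBlueprint": "blueprint-network.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceCloudNativeBlueprint": "blueprint-cloud-native.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceHealthReport": "health-report.governance.aliyuncs.com",
}

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(role_name, policy_json):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    expected = EXPECTED_SERVICE.get(role_name)
    if expected is None:
        return [f"{role_name}: not a Cloud Governance Center service-linked role"]
    try:
        stmts = json.loads(policy_json)["Statement"]
    except (ValueError, KeyError, TypeError):
        return [f"{role_name}: trust policy is not a JSON document with a Statement field"]
    findings, trusted = [], set()
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        for kind in principal:
            if kind != "Service":  # a service-linked role should trust only a service
                findings.append(f"{role_name}: non-service principal type {kind!r} is trusted")
        trusted.update(as_list(principal.get("Service")))
    if expected not in trusted:
        findings.append(f"{role_name}: expected service {expected} is not trusted")
    for svc in sorted(trusted - {expected}):
        findings.append(f"{role_name}: unexpected trusted service {svc}")
    return findings

# Constructed sample documents (assumed layout; <account-id> is a placeholder).
GOOD = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["setup.governance.aliyuncs.com"]}}]})
BAD = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": "governance.aliyuncs.com", "RAM": ["acs:ram::<account-id>:root"]}}]})

if __name__ == "__main__":
    for doc in (GOOD, BAD):
        print(audit_trust_policy("AliyunServiceRoleForGovernanceSetup", doc) or "OK")
```

To audit a real role, pass the document shown on the Trust Policy tab as `policy_json`.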

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceSetup

Scenarios

This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure a feature for a member of your resource directory. For example, if you want to configure the log delivery auditing feature, Cloud Governance Center must use the role to create a RAM role that has the required permissions. The RAM role is used to perform operations that are specific to the feature.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When Cloud Governance Center builds a landing zone, the system automatically creates this service-linked role for the required member.

View the service-linked role

After the AliyunServiceRoleForGovernanceSetup service-linked role is created, you can log on to the RAM console as the member and search for AliyunServiceRoleForGovernanceSetup on the Roles page. You can view the following information about the role:

  • Basic information

    On the role details page, the Basic Information section displays basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the role details page, click the Permission Management tab. Click the access policy name to view the policy document.

    Note

    You can view the access policy of a service-linked role on the role details page, but not on the Policies page in the RAM console.

  • Trust policy

    On the role details page, click the Trust Policy tab to view the trust policy document. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

To delete the service-linked role from a member, you must first remove the member from the resource directory.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceNetworkBlueprint

Scenarios

This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure network settings for a member of your resource directory. For example, if you want to configure a Cloud Enterprise Network (CEN) instance for a shared service account, Cloud Governance Center must use the role to activate CEN, create a CEN instance, and configure routing rules.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When you initialize network settings, Cloud Governance Center automatically creates the service-linked role within the required member.

View the service-linked role

After the AliyunServiceRoleForGovernanceNetworkBlueprint service-linked role is created, you can log on to the RAM console as the member and search for AliyunServiceRoleForGovernanceNetworkBlueprint on the Roles page. You can view the following information about the role:

  • Basic information

    On the role details page, the Basic Information section displays basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the role details page, click the Permission Management tab. Click the access policy name to view the policy document.

    Note

    You can view the access policy of a service-linked role on the role details page, but not on the Policies page in the RAM console.

  • Trust policy

    On the role details page, click the Trust Policy tab to view the trust policy document. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

Before you can delete a service-linked role, you must remove the member from the resource directory.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceCloudNativeBlueprint

Scenarios

This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:

  • The role is required when you configure cloud-native settings for a member of your resource directory. For example, if you want to configure a Kubernetes cluster for a shared service account, Cloud Governance Center must use the role to activate Container Service for Kubernetes (ACK) and create a Kubernetes cluster.

  • When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.

Create the service-linked role

When you initialize cloud-native settings, Cloud Governance Center automatically creates the service-linked role within the required member.

View the service-linked role

After the AliyunServiceRoleForGovernanceCloudNativeBlueprint service-linked role is created, you can log on to the RAM console as the member and search for AliyunServiceRoleForGovernanceCloudNativeBlueprint on the Roles page. You can view the following information about the role:

  • Basic information

    On the role details page, the Basic Information section displays basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the role details page, click the Permission Management tab. Click the access policy name to view the policy document.

    Note

    You can view the access policy of a service-linked role on the role details page, but not on the Policies page in the RAM console.

  • Trust policy

    On the role details page, click the Trust Policy tab to view the trust policy document. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

Delete the service-linked role

Important

After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.

You must remove the member from the resource directory before deleting its service-linked role.

If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceHealthReport

Scenarios

During cloud health diagnostics, this service-linked role is required to activate Cloud Governance Center and access Cloud Security Posture Management (CSPM) in Security Center to assess your cloud health status.

Create the service-linked role

When you start diagnostics, this service-linked role is created in the current account.

View the service-linked role

After the service-linked role is created, log on to the account. In the RAM console, go to the Roles page and search for AliyunServiceRoleForGovernanceHealthReport to view the following information about the role:

  • Basic information

    On the role details page, the Basic Information section displays basic information about the role, such as the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Access policy

    On the role details page, click the Permission Management tab. Click the access policy name to view the policy document.

    Note

    You can view the access policy of a service-linked role on the role details page, but not on the Policies page in the RAM console.

  • Trust policy

    On the role details page, click the Trust Policy tab to view the trust policy document. A trust policy defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service, which is specified in the Service field of the trust policy.

Delete the service-linked role

Important

After you delete the service-linked role, features that depend on the role no longer work. Proceed with caution.

If you no longer use cloud health diagnostics or want to unregister your Alibaba Cloud account, you may need to manually delete the service-linked role.

You can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.