Cloud Governance Center provides the following service-linked roles: AliyunServiceRoleForGovernance, AliyunServiceRoleForGovernanceSetup, and AliyunServiceRoleForGovernanceNetworkBlueprint. This topic describes how to create, view, or delete the service-linked roles.

Background information

For more information about service-linked roles, see Service-linked roles.

Note: You can use a service-linked role to access Alibaba Cloud resources on which the role has permissions across Alibaba Cloud services. You may be charged when you use a service-linked role to create Alibaba Cloud resources in specific scenarios.

AliyunServiceRoleForGovernance

Scenarios

The service-linked role AliyunServiceRoleForGovernance is created for the management account of a resource directory. This role is suitable for the following scenarios:

  • When you initialize the resource structure of your enterprise, Cloud Governance Center must use this service-linked role to perform relevant operations. For example, enable a resource directory, create folders, create members, and query the financial settlement relationship of the management account.
  • When Cloud Governance Center displays and manages the resource directory of your enterprise, Cloud Governance Center must use this service-linked role to obtain the real-time information about the resource directory and perform relevant operations. For example, delete folders and move members.

Create the service-linked role

  1. Log on to the Cloud Governance Center console.
  2. On the Cloud Governance Center page, click Start Governance.
  3. In the Welcome to Cloud Governance Center message, view the information about the service-linked role AliyunServiceRoleForGovernance and click OK.
    Cloud Governance Center automatically creates the service-linked role.

View the service-linked role

After the service-linked role AliyunServiceRoleForGovernance is created, you can log on to the Resource Access Management (RAM) console with the management account to view the details of the role. The details include the basic information, trust policy, and permission policy named AliyunServiceRolePolicyForGovernance.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the required RAM role.
  4. View the basic information about the RAM role.
    In the Basic Information section, view information such as Role Name, Created, and ARN.
  5. View the trust policy that is attached to the RAM role.
    On the page that appears, click the Trust Policy Management tab and view the trust policy that is attached to the RAM role.
  6. View a policy that is attached to the RAM role.
    1. On the page that appears, click the Permissions tab.
    2. Click the name of the policy that you want to view.
    3. On the Policy Document tab, view the policy document.

Delete the service-linked role

Cloud Governance Center cannot automatically delete the service-linked role. You must manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceSetup

Scenarios

The service-linked role AliyunServiceRoleForGovernanceSetup is created for a member account. This role is suitable for the following scenarios:

  • When you configure a feature for a member account of your resource directory, the role is required. For example, if you want to configure the audit log delivery feature, Cloud Governance Center must use the role to create a RAM role that has the required permissions. The RAM role is used to perform operations that are specific to the feature.
  • If you delete the service-linked role AliyunServiceRoleForGovernanceSetup, Cloud Governance Center uses this service-linked role to query the resource directory to which the member belongs and determine whether the service-linked role can be deleted.

Create the service-linked role

When you build a landing zone in the Cloud Governance Center console, the system automatically creates the service-linked role AliyunServiceRoleForGovernanceSetup for the required member account.

View the service-linked role

After the service-linked role AliyunServiceRoleForGovernanceSetup is created, you can log on to the RAM console with the member account to view the details of the role. The details include the basic information, trust policy, and permission policy named AliyunServiceRolePolicyForGovernanceSetup.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the required RAM role.
  4. View the basic information about the RAM role.
    In the Basic Information section, view information such as Role Name, Created, and ARN.
  5. View the trust policy that is attached to the RAM role.
    On the page that appears, click the Trust Policy Management tab and view the trust policy that is attached to the RAM role.
  6. View a policy that is attached to the RAM role.
    1. On the page that appears, click the Permissions tab.
    2. Click the name of the policy that you want to view.
    3. On the Policy Document tab, view the policy document.

Delete the service-linked role

Before you can delete the service-linked role from the member account, you must delete the member account from the resource directory.

Cloud Governance Center cannot automatically delete the service-linked role. You must manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

AliyunServiceRoleForGovernanceNetworkBlueprint

Scenarios

The service-linked role AliyunServiceRoleForGovernanceNetworkBlueprint is created for a member account. This role is suitable for the following scenarios:

  • When you configure network settings for a member account of your resource directory, the role is required. For example, if you want to configure a Cloud Enterprise Network (CEN) instance for a shared service account, Cloud Governance Center must use the role to activate CEN, create a CEN instance, and configure routing rules.
  • If you delete the service-linked role AliyunServiceRoleForGovernanceSetup, Cloud Governance Center uses this service-linked role to query the resource directory to which the member belongs and determine whether the service-linked role can be deleted.

Create the service-linked role

When Cloud Governance Center initializes network settings, the system automatically creates the service-linked role AliyunServiceRoleForGovernanceSetup for the required member account.

View the service-linked role

After the service-linked role AliyunServiceRoleForGovernanceNetworkBlueprint is created, you can log on to the RAM console with the member account to view the details of the role. The details include the basic information, trust policy, and permission policy named AliyunServiceRolePolicyForGovernanceNetworkBlueprint.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the required RAM role.
  4. View the basic information about the RAM role.
    In the Basic Information section, view information such as Role Name, Created, and ARN.
  5. View the trust policy that is attached to the RAM role.
    On the page that appears, click the Trust Policy Management tab and view the trust policy that is attached to the RAM role.
  6. View a policy that is attached to the RAM role.
    1. On the page that appears, click the Permissions tab.
    2. Click the name of the policy that you want to view.
    3. On the Policy Document tab, view the policy document.
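The three view procedures on this page (for AliyunServiceRoleForGovernance, AliyunServiceRoleForGovernanceSetup, and AliyunServiceRoleForGovernanceNetworkBlueprint) all check the same three things in the console: the role's basic information, its trust policy, and the permission policy attached to it. The following Python script is an added example, not part of this topic and not Alibaba Cloud tooling; it performs the same review on a role description you have exported. The field names RoleName, IsServiceLinkedRole, and AssumeRolePolicyDocument are modeled on the RAM GetRole response but are assumptions here, and the service principal governance.aliyuncs.com and the account IDs in the samples are constructed placeholders, not values from the page. The script flags a trust policy that lets anything other than the single expected service assume the role, a missing or extra permission policy, and a same-named role that is not actually service-linked.

```python
import json

# Service-linked roles named on this page, mapped to the permission policy
# that the page says each one carries.
EXPECTED_ROLES = {
    "AliyunServiceRoleForGovernance": "AliyunServiceRolePolicyForGovernance",
    "AliyunServiceRoleForGovernanceSetup": "AliyunServiceRolePolicyForGovernanceSetup",
    "AliyunServiceRoleForGovernanceNetworkBlueprint": "AliyunServiceRolePolicyForGovernanceNetworkBlueprint",
}


def _as_list(value):
    """RAM policy fields may hold a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_service_linked_role(role, attached_policy_names, expected_service):
    """Return a list of findings for one role; an empty list means it matches expectations.

    role: dict in the shape of a RAM GetRole "Role" object (field names assumed).
    attached_policy_names: names of the policies attached to the role.
    expected_service: the only service principal that should be able to assume
        the role (hypothetical value; take the real one from the trust policy
        shown on the Trust Policy Management tab).
    """
    findings = []
    name = role.get("RoleName", "")
    if name not in EXPECTED_ROLES:
        findings.append(f"{name}: not one of the Cloud Governance Center service-linked roles")
        return findings
    if not role.get("IsServiceLinkedRole", False):
        findings.append(f"{name}: not flagged as service-linked (a same-named ordinary role?)")

    # GetRole returns the trust policy as a JSON string; accept a parsed dict as well.
    trust = role.get("AssumeRolePolicyDocument", {})
    if isinstance(trust, str):
        trust = json.loads(trust)

    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        for svc in _as_list(principal.get("Service")):
            if svc != expected_service:
                findings.append(f"{name}: unexpected service principal {svc}")
        # A service-linked role should trust only its service, never a RAM user,
        # role, account, or federated identity.
        for kind in ("RAM", "Federated"):
            for who in _as_list(principal.get(kind)):
                findings.append(f"{name}: trust policy also lets {kind} principal {who} assume the role")

    expected_policy = EXPECTED_ROLES[name]
    if expected_policy not in attached_policy_names:
        findings.append(f"{name}: expected policy {expected_policy} is not attached")
    for extra in attached_policy_names:
        if extra != expected_policy:
            findings.append(f"{name}: additional policy {extra} is attached")
    return findings


# Constructed sample of a healthy role. The account ID and service principal
# are placeholders, not values from the page.
EXPECTED_SERVICE = "governance.aliyuncs.com"
SAMPLE_ROLE = {
    "RoleName": "AliyunServiceRoleForGovernance",
    "Arn": "acs:ram::<management-account-id>:role/aliyunserviceroleforgovernance",
    "IsServiceLinkedRole": True,
    "AssumeRolePolicyDocument": json.dumps({
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [EXPECTED_SERVICE]},
        }],
        "Version": "1",
    }),
}
SAMPLE_POLICIES = ["AliyunServiceRolePolicyForGovernance"]

# Constructed sample of the same role after tampering: an extra account may
# assume it and an extra policy is attached.
TAMPERED_ROLE = dict(SAMPLE_ROLE)
TAMPERED_ROLE["AssumeRolePolicyDocument"] = json.dumps({
    "Statement": [{
        "Action": ["sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": {"Service": [EXPECTED_SERVICE], "RAM": ["acs:ram::<other-account-id>:root"]},
    }],
    "Version": "1",
})
TAMPERED_POLICIES = ["AliyunServiceRolePolicyForGovernance", "AdministratorAccess"]

if __name__ == "__main__":
    for label, role, policies in (("healthy", SAMPLE_ROLE, SAMPLE_POLICIES),
                                  ("tampered", TAMPERED_ROLE, TAMPERED_POLICIES)):
        result = audit_service_linked_role(role, policies, EXPECTED_SERVICE)
        print(f"{label}: {result or 'no findings'}")
```

Feed the script the role object and policy list you read from the console (or from the RAM API) for each member account; an empty finding list for a role means its trust policy and permission policy are unchanged from what Cloud Governance Center created, which is the state the deletion steps on this page assume.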

Delete the service-linked role

Before you can delete the service-linked role from the member account, you must delete the member account from the resource directory.

Cloud Governance Center cannot automatically delete the service-linked role. You must manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.