This topic describes the scenarios, policy, creation, and deletion of the service-linked role AliyunServiceRoleForCloudSSO, which CloudSSO assumes to manage RAM resources on your behalf.

Scenarios

CloudSSO assumes the service-linked role AliyunServiceRoleForCloudSSO to manage the Resource Access Management (RAM) roles, policies, and SAML identity providers (IdPs) that CloudSSO needs in the accounts of your resource directory. This lets you configure permissions for the whole resource directory centrally in CloudSSO instead of in each account. As the policy below shows, the role can list roles and policies and create policies and SAML IdPs anywhere in the account, but it can only modify or delete roles, policies, and SAML IdPs whose names start with AliyunReservedSSO (aliyunreservedsso for roles), and it can only delete service-linked roles that belong to cloudsso.aliyuncs.com.

For more information about service-linked roles, see Service-linked roles.

Description

Role name: AliyunServiceRoleForCloudSSO

Policy: AliyunServiceRolePolicyForCloudSSO

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:CreatePolicy",
                "ram:ListRoles",
                "ram:ListPolicies"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:ListPolicyVersions",
                "ram:DeletePolicyVersion",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicy"
            ],
            "Resource": [
                "acs:ram:*:*:policy/AliyunReservedSSO*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:DeleteRole",
                "ram:GetPolicy",
                "ram:AttachPolicyToRole",
                "ram:DetachPolicyFromRole",
                "ram:ListPoliciesForRole"
            ],
            "Resource": [
                "acs:ram:*:*:saml-provider/AliyunReservedSSO*",
                "acs:ram:*:*:role/aliyunreservedsso*",
                "acs:ram:*:*:policy/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:DeleteServiceLinkedRole",
                "ram:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cloudsso.aliyuncs.com"
                }
            }
        }
    ]
}
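The following Python is an added review aid for the policy document above; it is not part of the original page and is not code from CloudSSO or RAM. It transcribes the policy into a dict and answers "can this role perform action X on resource Y?" for constructed RAM resource names (the account ID and resource names used are made-up examples), and it lists the actions granted on Resource "*" with no Condition, which is what a reviewer of a service-linked role looks at first. The evaluator is a deliberate simplification (an assumption, not RAM's real engine): wildcards are matched case-insensitively with fnmatch, only the StringEquals condition operator is modeled, an explicit Deny wins over Allow, and it does not model how RAM maps a given API call to a resource type, so treat its answers as an approximation.

```python
"""Offline check of what AliyunServiceRolePolicyForCloudSSO allows.

Added example for this page; not CloudSSO's or RAM's own code. The evaluator
is a simplification (assumption): case-insensitive wildcard matching, only the
StringEquals condition operator, explicit Deny wins over Allow.
"""
import fnmatch

# The policy document printed above, transcribed as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ram:CreateSAMLProvider", "ram:CreatePolicy",
                    "ram:ListRoles", "ram:ListPolicies"]},
        {"Effect": "Allow", "Resource": ["acs:ram:*:*:policy/AliyunReservedSSO*"],
         "Action": ["ram:ListPolicyVersions", "ram:DeletePolicyVersion",
                    "ram:CreatePolicyVersion", "ram:DeletePolicy"]},
        {"Effect": "Allow",
         "Resource": ["acs:ram:*:*:saml-provider/AliyunReservedSSO*",
                      "acs:ram:*:*:role/aliyunreservedsso*",
                      "acs:ram:*:*:policy/*"],
         "Action": ["ram:GetSAMLProvider", "ram:DeleteSAMLProvider", "ram:GetRole",
                    "ram:CreateRole", "ram:DeleteRole", "ram:GetPolicy",
                    "ram:AttachPolicyToRole", "ram:DetachPolicyFromRole",
                    "ram:ListPoliciesForRole"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ram:DeleteServiceLinkedRole", "ram:GetServiceLinkedRoleDeletionStatus"],
         "Condition": {"StringEquals": {"ram:ServiceName": "cloudsso.aliyuncs.com"}}},
    ],
}


def _matches(patterns, value):
    """Wildcard match of a request value against a policy element.

    The element may be a string or a list; '*' matches any run of characters.
    Matching is case-insensitive here (simplifying assumption).
    """
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block against request context keys.

    Only StringEquals is modeled, which is all the policy above uses.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} not modeled")
        for key, expected in pairs.items():
            allowed = [expected] if isinstance(expected, str) else list(expected)
            if context.get(key) not in allowed:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if the policy permits `action` on `resource`.

    Explicit Deny wins over Allow; no matching statement means deny by default.
    """
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def unscoped_actions(policy):
    """Actions granted on Resource '*' with no Condition, sorted (the broadest grants)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "Condition" in stmt:
            continue
        resources = stmt["Resource"]
        if "*" in ([resources] if isinstance(resources, str) else resources):
            actions = stmt["Action"]
            found.update([actions] if isinstance(actions, str) else actions)
    return sorted(found)


if __name__ == "__main__":
    acct = "1234567890123456"  # constructed account ID for the examples
    slr = f"acs:ram::{acct}:role/aliyunserviceroleforcloudsso"
    checks = [
        ("ram:DeletePolicy", f"acs:ram::{acct}:policy/AliyunReservedSSO-example", {}),
        ("ram:DeletePolicy", f"acs:ram::{acct}:policy/MyCustomPolicy", {}),
        ("ram:DeleteRole", f"acs:ram::{acct}:role/adminrole", {}),
        ("ram:DeleteServiceLinkedRole", slr, {"ram:ServiceName": "cloudsso.aliyuncs.com"}),
        ("ram:DeleteServiceLinkedRole", slr, {}),
    ]
    for action, resource, ctx in checks:
        verdict = "ALLOW" if is_allowed(POLICY, action, resource, ctx) else "DENY"
        print(f"{verdict:5} {action} on {resource} {ctx or ''}")
    print("unscoped:", unscoped_actions(POLICY))
```

Running the module shows the scoping that the prose describes: deleting a policy or role with the reserved prefix is allowed, deleting any other policy or role is denied, and DeleteServiceLinkedRole is allowed only when the request carries ram:ServiceName equal to cloudsso.aliyuncs.com.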

Role creation

The service-linked role AliyunServiceRoleForCloudSSO is created automatically; you do not create it yourself.

  • When you create the CloudSSO directory, the service-linked role is created in the management account of the resource directory.
  • The first time you assign an access configuration to a member account of your resource directory in the CloudSSO console, the service-linked role is created in that member account.

Role deletion

The role is required for as long as the CloudSSO directory exists. After you delete the CloudSSO directory, you can manually delete the service-linked role AliyunServiceRoleForCloudSSO from the management account. For more information, see Delete a RAM role.

If a member account is removed from your resource directory, the service-linked role AliyunServiceRoleForCloudSSO that was created in that member account is deleted automatically.