A trusted Alibaba Cloud service can assume a Resource Access Management (RAM) role to access resources in other cloud services. It can assume two types of RAM roles: a normal service role or a service-linked role. This topic focuses on service-linked roles.
What is a service-linked role
An Alibaba Cloud service may need to access other services to implement a feature. In this case, the service must be authorized to access those services. For example, Cloud Config needs access to services like Elastic Compute Service (ECS) and ApsaraDB RDS to read your cloud resource information, such as resource lists and log data. To meet these requirements, Alibaba Cloud provides service-linked roles.
A service-linked role is a RAM role that is predefined by, and linked to, a single Alibaba Cloud service. In most cases the linked service creates the role automatically when you first use a feature that needs it, and deletes it when that feature is disabled or the dependent resource is removed. Because the role's permissions and trust relationship are fixed by the service, cross-service authorization needs no manual policy authoring, which reduces the risk of over- or under-granting permissions.
The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy, nor can you attach policies to or detach policies from a service-linked role.
Create a service-linked role
Some Alibaba Cloud services automatically create service-linked roles when you perform a specific operation, such as creating a cloud resource or enabling a feature. You can view the created service-linked roles on the RAM Roles page of the RAM console, or in the response from an API or CLI call to ListRoles.
You can also manually create service-linked roles. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Service-linked roles count toward your account's RAM role quota. Reaching the quota does not block the creation of service-linked roles, but it does block the creation of all other types of RAM roles.
For more information about how a service-linked role is automatically created, see the documentation for the corresponding cloud service.
Delete a service-linked role
Some Alibaba Cloud services automatically delete service-linked roles when you perform a specific operation, such as deleting a cloud resource or disabling a feature. However, you can also manually delete the role in the RAM console. For more information, see Delete a RAM role.
When you attempt to delete a service-linked role, RAM first checks whether any cloud resource still uses the role:
If the role is not in use, the deletion succeeds.
If the role is still in use, the deletion fails and the error message names the resources that still depend on the role. Delete those resources first, then retry the deletion.
For more information about the conditions that allow you to delete a service-linked role, see the documentation for the corresponding cloud service.
Permissions required to create and delete service-linked roles
A RAM user needs the ram:CreateServiceLinkedRole permission to create a service-linked role and the ram:DeleteServiceLinkedRole permission to delete one. The create permission is also required when a service creates its service-linked role automatically: the RAM user who performs the operation that triggers the automatic creation must hold it.
The following sample policy grants a RAM user the permissions to create and delete the service-linked role for Resource Management. You can view the value of ram:ServiceName in the Service identifier column of Services that work with service-linked roles.
    {
      "Statement": [
        {
          "Action": [
            "ram:CreateServiceLinkedRole",
            "ram:DeleteServiceLinkedRole"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "resourcemanager.aliyuncs.com"
            }
          }
        }
      ],
      "Version": "1"
    }

The ram:ServiceName condition scopes the grant to one service: the same RAM user is not allowed to create or delete the service-linked role of any other service unless a separate statement grants it.

The administrative policy for a cloud service, such as AliyunResourceDirectoryFullAccess, typically includes the permission to create that service's service-linked role. Therefore, a RAM user with administrator permissions for a service can also create the service-linked role for that service.
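To make the effect of the ram:ServiceName condition concrete, the following is an added example (not part of the page or of Alibaba Cloud's own tooling): a minimal evaluator for the RAM permission-policy subset used above. It implements the rules a practitioner relies on when reasoning about such a grant: wildcard matching on Action and Resource, a StringEquals condition that fails when the request context lacks the key, implicit deny when no statement matches, and an explicit Deny that overrides any Allow. The policy document and request contexts are constructed inline; the function names are this example's own.

```python
import fnmatch
import json

# Constructed sample: the permission policy from the section above, wrapped in
# the Statement/Version envelope that RAM policies use.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {"ram:ServiceName": "resourcemanager.aliyuncs.com"}
      }
    }
  ],
  "Version": "1"
}
""")


def _as_list(value):
    """RAM allows a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """Case-sensitive wildcard match, so 'ram:*' covers 'ram:CreateServiceLinkedRole'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    Only StringEquals is modelled here (assumption of this example). A condition
    key that is absent from the request context makes the statement not apply,
    which is the conservative reading a reviewer should assume.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator!r} not supported by this example")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request.

    Decision logic: implicit deny unless a statement matches; an explicit Deny
    statement wins over any Allow regardless of order.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_service_linked_role_grants(policy):
    """Probe which services the policy lets the caller create a service-linked role for.

    Returns a dict of ram:ServiceName -> decision for a few constructed services,
    plus the decision for a request that carries no ram:ServiceName at all.
    """
    services = ["resourcemanager.aliyuncs.com", "config.aliyuncs.com"]
    result = {
        svc: evaluate(policy, "ram:CreateServiceLinkedRole", "*", {"ram:ServiceName": svc})
        for svc in services
    }
    result["<no ram:ServiceName in context>"] = evaluate(
        policy, "ram:CreateServiceLinkedRole", "*", {}
    )
    return result


if __name__ == "__main__":
    for key, decision in check_service_linked_role_grants(SAMPLE_POLICY).items():
        print(f"{key}: {decision}")
```

Run as a script it prints one decision per probed service; reuse evaluate() against your own exported policies to confirm that a grant meant for one service cannot be used to create another service's service-linked role.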
Assume a service-linked role
A service-linked role can be assumed only by the linked service. It cannot be assumed by other identities such as RAM users, RAM roles, or other Alibaba Cloud accounts, and because its trust policy is fixed you cannot widen it.
You can view the service that is allowed to assume a service-linked role in the Service parameter of the Principal element on the Trust Policy tab of the role details page.
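When reviewing the roles in an account (the ListRoles output mentioned under "Create a service-linked role", or the trust policy shown on the role details page), it helps to classify each role by who may assume it. The following is an added example, not code from the page or from Alibaba Cloud: it parses trust policies in the Principal/Service and Principal/RAM form that RAM uses, classifies each role, and flags roles whose name follows the service-linked convention but whose trust policy does not trust exactly one service. The role records and trust policies are constructed samples; the IsServiceLinkedRole attribute and the AliyunServiceRoleFor name prefix are assumptions of this example.

```python
import json

# Constructed sample role records (assumed shape modelled on GetRole output; not a real capture).
SAMPLE_ROLES = [
    {
        "RoleName": "AliyunServiceRoleForResourceDirectory",
        "IsServiceLinkedRole": True,
        "AssumeRolePolicyDocument": json.dumps({
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": ["resourcemanager.aliyuncs.com"]}}],
            "Version": "1"}),
    },
    {
        "RoleName": "ecs-log-shipper",
        "IsServiceLinkedRole": False,
        "AssumeRolePolicyDocument": json.dumps({
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": ["ecs.aliyuncs.com"]}}],
            "Version": "1"}),
    },
    {
        "RoleName": "cross-account-audit",
        "IsServiceLinkedRole": False,
        "AssumeRolePolicyDocument": json.dumps({
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}],
            "Version": "1"}),
    },
    {
        # Constructed anomaly: named like a service-linked role but trusts a RAM account too.
        "RoleName": "AliyunServiceRoleForExample",
        "IsServiceLinkedRole": False,
        "AssumeRolePolicyDocument": json.dumps({
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": ["example.aliyuncs.com"],
                                         "RAM": ["acs:ram::1234567890123456:root"]}}],
            "Version": "1"}),
    },
]

SLR_NAME_PREFIX = "AliyunServiceRoleFor"  # naming convention assumed by this example


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Return (services, ram_principals) permitted to call sts:AssumeRole.

    Only Allow statements on sts:AssumeRole contribute; a Deny statement or an
    unrelated action is ignored for the purpose of listing who is trusted.
    """
    services, ram_principals = set(), set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services.update(_as_list(principal.get("Service", [])))
        ram_principals.update(_as_list(principal.get("RAM", [])))
    return sorted(services), sorted(ram_principals)


def classify_role(role):
    """Label a role by its assumable principals: service-linked, service, ram, or mixed."""
    services, rams = trusted_principals(json.loads(role["AssumeRolePolicyDocument"]))
    if services and rams:
        return "mixed"
    if role.get("IsServiceLinkedRole") and len(services) == 1:
        return "service-linked"
    if services:
        return "service"
    return "ram"


def audit_roles(roles):
    """Return findings for roles that look service-linked but are not trusted by exactly one service."""
    findings = []
    for role in roles:
        kind = classify_role(role)
        looks_linked = role["RoleName"].startswith(SLR_NAME_PREFIX)
        if looks_linked and kind != "service-linked":
            findings.append(f"{role['RoleName']}: named like a service-linked role but classified as {kind}")
    return findings


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f"{role['RoleName']}: {classify_role(role)}")
    for finding in audit_roles(SAMPLE_ROLES):
        print("FINDING:", finding)
```

A genuine service-linked role always classifies as service-linked because its trust policy names exactly one service and cannot be edited; the audit exists for the case where a normal role has been given a look-alike name, which is worth a second look during an access review.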
Services that support service-linked roles
For a list of cloud services that support service-linked roles, see Services that work with service-linked roles.
For cloud services that do not support service-linked roles, you can use a normal service role to authorize them.