Auto Scaling: Manage the service-linked role for Auto Scaling

Last Updated: Dec 28, 2023

Before you use Auto Scaling, you must create a service-linked role named AliyunServiceRoleForAutoScaling. The service-linked role allows Auto Scaling to access associated cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC). This topic describes how to manage the service-linked role for Auto Scaling.

Prerequisites

By default, an Alibaba Cloud account has the permissions on Auto Scaling. If you want to use a Resource Access Management (RAM) user to access Auto Scaling, the RAM user must have the permissions on Auto Scaling. For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user. You can attach one of the following policies to a RAM user:

  • System policies: the AliyunESSFullAccess policy that provides the management permissions on Auto Scaling and the AliyunESSReadOnlyAccess policy that provides the read-only permissions on Auto Scaling.

  • Custom policies: policies that you create in the RAM console. The following code provides a sample custom policy:

    Note

    Replace the value of <account ID> with the ID of your Alibaba Cloud account.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ram:CreateServiceLinkedRole"
          ],
          "Resource": "acs:ram:*:<account ID>:role/*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": [
                "ess.aliyuncs.com"
              ]
            }
          }
        }
      ]
    }
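The StringEquals condition on ram:ServiceName is what limits the ram:CreateServiceLinkedRole grant in the sample policy to Auto Scaling. The following Python check is an added example, not part of the original documentation or an Alibaba Cloud tool; it flags Allow statements that grant that action without pinning ram:ServiceName to ess.aliyuncs.com. The function names, the case-insensitive wildcard matching of Action values, and the two counter-example policies are assumptions constructed for illustration.

```python
import fnmatch

SLR_ACTION = "ram:CreateServiceLinkedRole"
ESS_SERVICE = "ess.aliyuncs.com"  # service name used in the page's sample policy

def _as_list(value):
    """Policy fields may hold a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _grants_slr(pattern):
    # Assumption of this example: compare case-insensitively and expand "*".
    return fnmatch.fnmatchcase(SLR_ACTION.lower(), pattern.lower())

def audit_slr_policy(policy, allowed_services=(ESS_SERVICE,)):
    """Return findings for Allow statements that grant CreateServiceLinkedRole
    without restricting ram:ServiceName to the allowed services."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_slr(a) for a in _as_list(stmt.get("Action"))):
            continue
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        services = _as_list(equals.get("ram:ServiceName"))
        if not services:
            findings.append(f"Statement[{i}]: no ram:ServiceName condition")
            continue
        extra = sorted(set(services) - set(allowed_services))
        if extra:
            findings.append(f"Statement[{i}]: extra services {extra}")
    return findings

# The page's sample policy (account ID left as the page's placeholder).
PAGE_POLICY = {"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:<account ID>:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["ess.aliyuncs.com"]}},
}]}
# Constructed counter-examples: a wildcard action with no condition, and a
# condition that also lists a second, made-up service name.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:*", "Resource": "*", "Effect": "Allow"}]}
MIXED_POLICY = {"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"], "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {
        "ram:ServiceName": ["ess.aliyuncs.com", "other.example.com"]}}}]}

if __name__ == "__main__":
    print([audit_slr_policy(p) for p in (PAGE_POLICY, BROAD_POLICY, MIXED_POLICY)])
```

The check inspects only Action and StringEquals; statements that use NotAction or other condition operators need a separate review.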

Background information

  • The AliyunServiceRoleForAutoScaling service-linked role is provided by RAM to allow Auto Scaling to access associated cloud resources in your Alibaba Cloud account.

    For example, the AliyunServiceRoleForAutoScaling service-linked role allows Auto Scaling to access ECS, VPC, ApsaraDB RDS, Server Load Balancer (SLB), CloudOps Orchestration Service (OOS), Message Service (MNS), and CloudMonitor. For more information, see Service-linked roles.

    Note

    If you initially used the AliyunESSDefaultRole role to grant Auto Scaling access to the associated cloud resources, Alibaba Cloud automatically replaces the AliyunESSDefaultRole role with the AliyunServiceRoleForAutoScaling role. For more information, go to the ActionTrail console.

  • The AliyunServiceRoleForAutoScaling service-linked role contains the AliyunServiceRolePolicyForAutoScaling system policy. The policies that a service-linked role provides are determined by the cloud service to which the role is linked. You cannot add, modify, or delete policies within a service-linked role. You can go to the details page of a service-linked role to view its policies. The following figure shows the details page of the AliyunServiceRoleForAutoScaling service-linked role. For more information, see View the information about a RAM role.

    [Figure: details page of the AliyunServiceRoleForAutoScaling service-linked role]

Create the AliyunServiceRoleForAutoScaling service-linked role

When you use Auto Scaling, the system checks whether the AliyunServiceRoleForAutoScaling service-linked role exists in your Alibaba Cloud account. If the role has not been created, the system displays a message that you do not have the required permissions. Perform the following steps to create the AliyunServiceRoleForAutoScaling service-linked role:

  1. Log on to the Auto Scaling console.

  2. Click Create Service-linked Role.

  3. In the Create Service Linked Role dialog box, click OK.

    Auto Scaling automatically creates the AliyunServiceRoleForAutoScaling service-linked role. After the creation is complete, you can use the Auto Scaling service.

Delete the AliyunServiceRoleForAutoScaling service-linked role

If you no longer require the AliyunServiceRoleForAutoScaling service-linked role, you can delete it. For example, if you no longer need to create scaling groups and manage Auto Scaling resources, you can delete the AliyunServiceRoleForAutoScaling service-linked role. For more information, see Delete a RAM role.

Important

Before you delete the AliyunServiceRoleForAutoScaling service-linked role, you must delete the resources of Auto Scaling in all regions within your Alibaba Cloud account, including scaling groups, scheduled tasks, and event-triggered tasks. Otherwise, the AliyunServiceRoleForAutoScaling service-linked role cannot be deleted.

After you delete the AliyunServiceRoleForAutoScaling service-linked role, you cannot use Auto Scaling to create or manage resources.