You can specify an Elastic Compute Service (ECS) instance or a Classic Load Balancer (CLB) instance (formerly known as an SLB instance) as an endpoint for a Global Accelerator (GA) instance. If your GA instance does not have the service-linked role AliyunServiceRoleForGaVpcEndpoint when you do so, the system automatically creates the service-linked role.
Overview
AliyunServiceRoleForGaVpcEndpoint is a service-linked role of GA. If you want to specify an ECS instance or a CLB instance as an endpoint, make sure that your GA instance has the service-linked role AliyunServiceRoleForGaVpcEndpoint.
Note A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some cases, to use a feature of a cloud service, you must first acquire the permissions to access other cloud services. Service-linked roles simplify the authorization process and avoid user errors. For more information, see Service-linked roles.
Permissions required to create the service-linked role
By default, an Alibaba Cloud account has the permission to create the service-linked role AliyunServiceRoleForGaVpcEndpoint. A RAM user must be granted the following permission before it can create the service-linked role:
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
    }
  }
}
You can authorize a RAM user to create the service-linked role by using one of the following methods:
- Attach the administrator permission policy AliyunGlobalAccelerationFullAccess to the RAM user. For more information, see Grant permissions to a RAM role.
Note The permissions required to create the service-linked role AliyunServiceRoleForGaVpcEndpoint are included in the administrator permission policy AliyunGlobalAccelerationFullAccess, so a RAM user with this policy attached can create the service-linked role. The policy also grants every other GA permission; if the RAM user only needs to create the service-linked role, prefer the custom permission policy described in the next method.
- Attach a custom permission policy to a RAM user. The following code block shows the content of the custom permission policy:
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
    }
  }
}
For more information, see Create a custom policy and Grant permissions to a RAM role.
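To see what the ram:ServiceName condition actually buys you, the following Python script (an added example; it is not part of this page and not Alibaba Cloud SDK code) evaluates the custom policy above against a simplified model of RAM policy evaluation and compares it with a constructed variant that drops the condition. The policy JSON is copied from the page; the evaluator, its helper names and the second service name other.aliyuncs.com are assumptions used only for illustration.

```python
import json

# Custom policy from the page: the RAM user may create a service-linked role
# only when the request's ram:ServiceName is the GA VPC endpoint service.
CONDITIONED_POLICY = json.loads("""
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
    }
  }
}
""")

# Constructed over-broad variant (NOT from the page): same action, no
# condition, so it covers the service-linked role of every service.
UNCONDITIONED_POLICY = {
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(statement, action, request_context):
    """Simplified model (assumption) of how RAM evaluates one Allow statement.

    Supports Action as a string or list, a "*" Resource and StringEquals
    conditions. Real RAM evaluation also has Deny statements, wildcards in
    action names and further condition operators, which are omitted here.
    """
    if statement.get("Effect") != "Allow":
        return False
    if action not in _as_list(statement.get("Action", [])):
        return False
    if "*" not in _as_list(statement.get("Resource", [])):
        return False
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, expected in string_equals.items():
        actual = request_context.get(key)
        # A missing context key or a mismatch fails the condition.
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def can_create_slr(policy, service_name):
    """Would this policy let the caller create the linked role of service_name?"""
    request_context = {"ram:ServiceName": service_name}
    statements = policy["Statement"] if "Statement" in policy else [policy]
    return any(
        statement_allows(stmt, "ram:CreateServiceLinkedRole", request_context)
        for stmt in statements
    )


if __name__ == "__main__":
    # other.aliyuncs.com is a constructed placeholder for any other service.
    for service in ("vpcendpoint.ga.aliyuncs.com", "other.aliyuncs.com"):
        print(
            f"{service}: conditioned={can_create_slr(CONDITIONED_POLICY, service)} "
            f"unconditioned={can_create_slr(UNCONDITIONED_POLICY, service)}"
        )
```

The conditioned policy answers True only for vpcendpoint.ga.aliyuncs.com, while the unconditioned variant answers True for any service name: that is the difference between delegating "create the GA endpoint role" and delegating "create any service-linked role in this account".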
Create the service-linked role
When you specify an ECS instance or a CLB instance as an endpoint for a GA instance, the system checks whether the GA instance has the service-linked role AliyunServiceRoleForGaVpcEndpoint and proceeds as follows:
- If the GA instance does not have the service-linked role AliyunServiceRoleForGaVpcEndpoint, the system automatically creates the service-linked role and attaches the permission policy AliyunServiceRoleForGaVpcEndpoint to it. The policy allows GA to create and manage elastic network interfaces (ENIs) and security groups and to query vSwitches in your VPC, which is how GA reaches the ECS or CLB endpoints. Note that the first statement uses Resource "*" with no condition, so the role can act on any ENI or security group in the account, not only those that belong to the GA endpoint; the role's trust policy, which allows only the GA service (vpcendpoint.ga.aliyuncs.com) to assume the role, is what limits who can use these permissions. The following code block shows the content of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "vpc:DescribeVSwitches"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
        }
      }
    }
  ]
}
- If the GA instance has the service-linked role AliyunServiceRoleForGaVpcEndpoint, the system does not create the service-linked role again.
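Before letting a service create this role in an account you manage, it is worth knowing exactly what the attached policy permits. The following Python script is an added example (not from this page and not Alibaba Cloud code): it parses the policy above, groups actions by service, separates read-only Describe calls from calls that change state, and flags statements with a wildcard resource, write statements that carry no condition, whether ram:DeleteServiceLinkedRole is scoped to the GA service, and any action name that appears twice. The read/write split by API-name prefix and the function names are assumptions for illustration.

```python
import json

# Policy attached to AliyunServiceRoleForGaVpcEndpoint, copied from the page
# (the repeated ecs:DescribeSecurityGroups entry is in the original).
ROLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces", "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress",
        "ecs:JoinSecurityGroup", "ecs:LeaveSecurityGroup",
        "ecs:DeleteSecurityGroup", "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupAttribute", "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy", "ecs:ModifySecurityGroupRule",
        "vpc:DescribeVSwitches"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"}}
    }
  ]
}
""")

GA_SERVICE = "vpcendpoint.ga.aliyuncs.com"
# Heuristic (assumption): APIs with these name prefixes only read state.
READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    _service, _, api = action.partition(":")
    return api.startswith(READ_PREFIXES)


def audit_policy(policy):
    """Summarise what a RAM policy document grants, by service and by kind."""
    per_service = {}
    report = {
        "per_service": per_service,
        "wildcard_resource_statements": 0,
        "unconditioned_write_statements": 0,
        "duplicate_actions": [],
        "slr_delete_scoped": False,
    }
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        seen = set()
        for action in actions:
            if action in seen:
                report["duplicate_actions"].append(action)
            seen.add(action)
            service = action.split(":", 1)[0]
            bucket = per_service.setdefault(service, {"read": set(), "write": set()})
            bucket["read" if is_read_only(action) else "write"].add(action)
        if "*" in _as_list(stmt.get("Resource", [])):
            report["wildcard_resource_statements"] += 1
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "ram:DeleteServiceLinkedRole" in actions:
            # The role may delete itself, but only the GA service's own role.
            report["slr_delete_scoped"] = conditions.get("ram:ServiceName") == GA_SERVICE
        if any(not is_read_only(a) for a in actions) and not conditions:
            report["unconditioned_write_statements"] += 1
    for bucket in per_service.values():
        bucket["read"] = sorted(bucket["read"])
        bucket["write"] = sorted(bucket["write"])
    return report


if __name__ == "__main__":
    result = audit_policy(ROLE_POLICY)
    for service, bucket in sorted(result["per_service"].items()):
        print(f"{service}: {len(bucket['read'])} read, {len(bucket['write'])} write actions")
    print("statements with Resource '*':", result["wildcard_resource_statements"])
    print("unconditioned write statements:", result["unconditioned_write_statements"])
    print("ram:DeleteServiceLinkedRole scoped to GA:", result["slr_delete_scoped"])
    print("duplicated actions:", result["duplicate_actions"])
```

Run against the policy on this page, the script reports 15 distinct ECS write actions (ENI and security-group lifecycle and rule changes) against 4 ECS read actions, one VPC read action, both statements on Resource "*", one write statement with no condition, a correctly scoped self-deletion permission, and ecs:DescribeSecurityGroups listed twice. The same script can be pointed at any other service-linked role policy you are asked to approve.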
Delete the service-linked role
The system does not automatically delete the service-linked role AliyunServiceRoleForGaVpcEndpoint. Before you delete the service-linked role, you must first remove every ECS instance and CLB instance that is configured as an endpoint of a GA instance; while the role is still in use by an endpoint, the deletion fails. For more information, see the following topics: