IDaaS EIAM automatically creates the AliyunServiceRoleForEiam RAM (Resource Access Management) role to access other Alibaba Cloud services on your behalf. This page describes which features trigger the role, what permissions it grants, and how to delete it.
For background on service-linked roles, see Service-linked roles.
Scenarios
AliyunServiceRoleForEiam is used by two IDaaS EIAM features:
Dedicated endpoints — IDaaS EIAM accesses your Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) resources to manage the auxiliary elastic network interfaces (ENIs) it creates. With these permissions, IDaaS EIAM can use PrivateLink to connect to Active Directory (AD), LDAP, or other applications inside a VPC without exposing public ports. It can also reach the internet through a dedicated endpoint IP address to satisfy WeCom's trusted IP requirements.
Credential management — IDaaS EIAM accesses your Key Management Service (KMS) resources to store and manage credentials in Secrets Manager. The secret operations in the policy are scoped to the acs:kms:::secret/idaas-eiam! resource, so the role can only touch secrets under that name.
AliyunServiceRoleForEiam details
Role name: AliyunServiceRoleForEiam
Access policy: AliyunServiceRolePolicyForEiam
Permissions:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupRule",
        "ecs:DetachNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeInstances",
        "ecs:DescribeImages",
        "ecs:DescribeZones",
        "ecs:DescribeRegions",
        "ecs:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateSecret",
        "kms:DeleteSecret",
        "kms:DescribeSecret",
        "kms:PutSecretValue",
        "kms:UpdateSecret",
        "kms:UpdateSecretVersionStage",
        "kms:ListSecretVersionIds",
        "kms:GetSecretValue"
      ],
      "Resource": [
        "acs:kms:::secret/idaas-eiam!"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListManagedQuotas",
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eiam.aliyuncs.com"
        }
      }
    }
  ]
}
```

What these permissions allow:
| Permission group | Services | Purpose |
|---|---|---|
| ECS permissions | ECS | Create, attach, detach, and delete the ENIs and security groups that provide dedicated endpoint connectivity, and read instance, image, zone, region, and tag metadata |
| VPC permissions | VPC | Read VPC, vSwitch, NAT gateway, and SNAT table configurations to set up network routing for dedicated endpoints |
| KMS secret permissions (scoped to acs:kms:::secret/idaas-eiam!) | KMS | Create, read, update, and delete secrets in Secrets Manager for credential management |
| KMS key permissions | KMS | Generate data keys and decrypt data used to encrypt credentials, tag and untag KMS resources, and list managed quotas |
| RAM permission | RAM | Delete this service-linked role when IDaaS EIAM instances are released; the Condition limits it to roles whose ram:ServiceName is eiam.aliyuncs.com |
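When reviewing a service-linked role before it lands in an account, the question a practitioner asks is which statements grant write or key-use actions on an unscoped resource. The script below is an added example, not code from the Alibaba Cloud documentation or from IDaaS EIAM: POLICY is the policy document reproduced from this page, while the read/write classification (Describe*, List*, Get* count as reads, everything else as a write or key-use action) and the "unscoped write" rule (write action plus Resource "*" plus no Condition) are this script's own assumptions.

```python
"""Audit AliyunServiceRolePolicyForEiam for resource scope and write actions.

Added example, not code from the Alibaba Cloud documentation or IDaaS EIAM.
POLICY is the policy from the page; the classification rules are assumptions.
"""
from collections import defaultdict

POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions",
            "ecs:DeleteNetworkInterfacePermission", "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces",
            "ecs:ModifyNetworkInterfaceAttribute", "ecs:DescribeNetworkInterfaceAttribute",
            "ecs:CreateSecurityGroup", "ecs:RevokeSecurityGroup", "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupAttribute",
            "ecs:DescribeSecurityGroupReferences", "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupRule", "ecs:DetachNetworkInterface",
            "ecs:AttachNetworkInterface", "ecs:ModifySecurityGroupPolicy",
            "ecs:AuthorizeSecurityGroup", "ecs:DescribeInstances", "ecs:DescribeImages",
            "ecs:DescribeZones", "ecs:DescribeRegions", "ecs:DescribeTags"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "vpc:DescribeNatGateways",
            "vpc:DescribeSnatTableEntries"]},
        {"Effect": "Allow", "Resource": ["acs:kms:::secret/idaas-eiam!"], "Action": [
            "kms:CreateSecret", "kms:DeleteSecret", "kms:DescribeSecret", "kms:PutSecretValue",
            "kms:UpdateSecret", "kms:UpdateSecretVersionStage", "kms:ListSecretVersionIds",
            "kms:GetSecretValue"]},
        {"Effect": "Allow", "Resource": ["*"], "Action": [
            "kms:ListManagedQuotas", "kms:GenerateDataKey", "kms:Decrypt", "kms:TagResource",
            "kms:UntagResource"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": "eiam.aliyuncs.com"}}},
    ],
}

# Assumption: these verb prefixes are read-only; anything else is write or key use.
READ_PREFIXES = ("Describe", "List", "Get")


def as_list(value):
    """RAM allows Action/Resource as a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read(action):
    """True for Describe*/List*/Get* actions, False for everything else."""
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def audit(policy):
    """Classify every Allow statement by service, read/write count and scope."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        writes = sorted(a for a in actions if not is_read(a))
        wildcard = "*" in resources
        conditioned = "Condition" in stmt
        findings.append({
            "index": index,
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "read": len(actions) - len(writes),
            "write": len(writes),
            "wildcard_resource": wildcard,
            "conditioned": conditioned,
            # Writes on Resource "*" with no Condition are the ones to review.
            "unscoped_writes": writes if wildcard and not conditioned else [],
        })
    return findings


def per_service_counts(policy):
    """Read/write totals per service, for comparison with the summary table."""
    totals = defaultdict(lambda: {"read": 0, "write": 0})
    for stmt in policy["Statement"]:
        for action in as_list(stmt["Action"]):
            service = action.split(":", 1)[0]
            totals[service]["read" if is_read(action) else "write"] += 1
    return dict(totals)


if __name__ == "__main__":
    for f in audit(POLICY):
        flag = " <-- unscoped writes" if f["unscoped_writes"] else ""
        print(f"stmt {f['index']} {','.join(f['services'])}: "
              f"{f['read']} read / {f['write']} write, "
              f"wildcard={f['wildcard_resource']} condition={f['conditioned']}{flag}")
    print(per_service_counts(POLICY))
```

Running it shows that the secret statement is scoped and the RAM delete is conditioned, while the ECS statement (14 write actions on ENIs and security groups) and the KMS key statement (GenerateDataKey, Decrypt, tagging) are granted on Resource "*". That is the expected shape for a service-linked role, but it is what to compare against when Alibaba Cloud updates the policy version.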
Delete the service-linked role
Before deleting AliyunServiceRoleForEiam, release all IDaaS EIAM instances. The role cannot be deleted while active instances depend on it.
Step 1: Release all IDaaS EIAM instances
Follow the steps in Release an instance for each active instance.
Step 2: Delete the service-linked role
After all instances are released, follow the steps in Delete a service-linked role.