
IoT Platform:Create the AliyunServiceRoleForIOTInstanceNetwork service-linked role

Last Updated:May 16, 2023

This topic describes how to create the AliyunServiceRoleForIOTInstanceNetwork service-linked role for an Exclusive Enterprise Edition instance of IoT Platform and delete the role.

Background information

For more information, see Service-linked roles.

Usage notes

Important

You can enable Message Queuing Telemetry Transport (MQTT)-based virtual private cloud (VPC) endpoints and create the AliyunServiceRoleForIOTInstanceNetwork service-linked role only for Exclusive Enterprise Edition instances.

If you want to connect a device to IoT Platform over a VPC by using MQTT, you must grant the device the permissions to access the VPC. IoT Platform supports automatic creation of service-linked roles. If you create a separate MQTT endpoint for an Exclusive Enterprise Edition instance, the system automatically creates the service-linked role after you enable VPC access and grant the permissions on the VPC. For more information, see Create a separate MQTT endpoint for an Exclusive Enterprise Edition instance.

Role description

  • Name: AliyunServiceRoleForIOTInstanceNetwork

  • Policy: AliyunServiceRolePolicyForIOTInstanceNetwork

  • Permissions:

    The service-linked role is used to grant IoT Platform instances the permissions to access the resources of other Alibaba Cloud services.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "privatelink:OpenPrivateLinkService",
                    "privatelink:ListVpcEndpointServices",
                    "privatelink:CreateVpcEndpoint",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:UpdateVpcEndpointAttribute",
                    "privatelink:GetVpcEndpointAttribute",
                    "privatelink:ListVpcEndpointSecurityGroups",
                    "privatelink:AttachSecurityGroupToVpcEndpoint",
                    "privatelink:DetachSecurityGroupFromVpcEndpoint",
                    "privatelink:AddZoneToVpcEndpoint",
                    "privatelink:RemoveZoneFromVpcEndpoint",
                    "privatelink:ListVpcEndpointZones",
                    "privatelink:DeleteVpcEndpoint",
                    "vpc:DescribeVpcs",
                    "ecs:DescribeSecurityGroups",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "iot-instance-network.iot.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "privatelink.aliyuncs.com"
                    }
                }
            }
        ]
    }
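The policy above is broad in one respect (every statement grants on Resource "*") and narrow in another (the two ram: actions are pinned to a single service principal by a StringEquals condition on ram:ServiceName). The following script is an added example, not Alibaba Cloud's code: it parses a copy of the policy document from this topic and reports which services and actions it grants, which actions mutate state, how many statements use a wildcard resource, and whether the role-creation and role-deletion actions are condition-scoped. The read-only verb prefixes (Describe, List, Get) and the choice of ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole as the sensitive actions are the author's assumptions for this review, not definitions from the page.

```python
"""Least-privilege review of AliyunServiceRolePolicyForIOTInstanceNetwork.

Added example (not Alibaba Cloud's code). POLICY is a copy of the policy
document shown in this topic; the classification rules below are assumptions.
"""
import json

# Constructed input: the policy document from this topic, embedded as a string.
POLICY = r'''
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "privatelink:OpenPrivateLinkService",
                "privatelink:ListVpcEndpointServices",
                "privatelink:CreateVpcEndpoint",
                "privatelink:ListVpcEndpoints",
                "privatelink:UpdateVpcEndpointAttribute",
                "privatelink:GetVpcEndpointAttribute",
                "privatelink:ListVpcEndpointSecurityGroups",
                "privatelink:AttachSecurityGroupToVpcEndpoint",
                "privatelink:DetachSecurityGroupFromVpcEndpoint",
                "privatelink:AddZoneToVpcEndpoint",
                "privatelink:RemoveZoneFromVpcEndpoint",
                "privatelink:ListVpcEndpointZones",
                "privatelink:DeleteVpcEndpoint",
                "vpc:DescribeVpcs",
                "ecs:DescribeSecurityGroups",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "iot-instance-network.iot.aliyuncs.com"}}
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}
        }
    ]
}
'''

# Assumption: actions that create or delete RAM roles are acceptable in a
# service-linked role only when a Condition pins them to one service principal.
SENSITIVE_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}

# Assumption: verbs with these prefixes only read state; everything else mutates.
READ_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """RAM policies allow either a string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def load_policy(text=POLICY):
    return json.loads(text)


def actions_by_service(policy):
    """Map service prefix -> sorted list of actions granted by Allow statements."""
    out = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service = action.partition(":")[0]
            out.setdefault(service, set()).add(action)
    return {svc: sorted(acts) for svc, acts in out.items()}


def mutating_actions(policy):
    """Actions whose verb does not start with a read-only prefix."""
    muts = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_PREFIXES):
                muts.append(action)
    return sorted(muts)


def unscoped_sensitive_actions(policy):
    """Sensitive RAM actions that lack a StringEquals ram:ServiceName condition."""
    findings = []
    for stmt in policy["Statement"]:
        actions = set(_as_list(stmt["Action"])) & SENSITIVE_ACTIONS
        if not actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "ram:ServiceName" not in cond:
            findings.extend(sorted(actions))
    return findings


def service_scopes(policy):
    """Map each condition-scoped action to the service principal(s) it is pinned to."""
    scopes = {}
    for stmt in policy["Statement"]:
        name = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if name is None:
            continue
        for action in _as_list(stmt["Action"]):
            scopes.setdefault(action, []).extend(_as_list(name))
    return scopes


def wildcard_resource_statements(policy):
    """Number of statements that grant on Resource "*"."""
    return sum(1 for s in policy["Statement"] if "*" in _as_list(s["Resource"]))


def audit(policy):
    return {
        "services": actions_by_service(policy),
        "mutating": mutating_actions(policy),
        "unscoped_sensitive": unscoped_sensitive_actions(policy),
        "scopes": service_scopes(policy),
        "wildcard_statements": wildcard_resource_statements(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(load_policy()), indent=2))
```

Run against the policy as published, the script reports four services (privatelink, vpc, ecs, ram), ten mutating actions, three wildcard-resource statements and no unscoped sensitive action, because deletion is pinned to iot-instance-network.iot.aliyuncs.com and creation to privatelink.aliyuncs.com. Re-running it after a policy update is a quick way to notice if a newer revision drops the condition or widens the action list.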

Delete the role

If you no longer use the AliyunServiceRoleForIOTInstanceNetwork service-linked role, you can delete the role.

  1. Release the IoT Platform instance to which the role applies.

    Note

    You cannot manually release an instance. An instance is automatically released 15 days after it expires.

  2. For more information, see Delete a service-linked role.