
Key Management Service:Service-linked roles

Last Updated:Jul 29, 2024

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Key Management Service (KMS) assumes a service-linked role to access other cloud services or resources. In most cases, a service-linked role is automatically created when you perform an operation. If a service-linked role fails to be automatically created, you must manually create the service-linked role.

Scenarios

KMS automatically creates service-linked roles and grants permissions to the service-linked roles in the following scenarios:

  • Scenario 1: You enable a KMS instance

    KMS automatically creates a service-linked role named AliyunServiceRoleForKMSKeyStore to allow KMS to access services such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Simple Log Service. The AliyunServiceRolePolicyForKMSKeyStore policy is automatically attached to the service-linked role.

  • Scenario 2: You create an ECS secret

    KMS automatically creates a service-linked role named AliyunServiceRoleForKMSSecretsManagerForECS to allow KMS to access ECS to manage and rotate the ECS secret. The AliyunServiceRolePolicyForKMSSecretsManagerForECS policy is automatically attached to the service-linked role.

  • Scenario 3: You create an ApsaraDB RDS secret

    KMS automatically creates a service-linked role named AliyunServiceRoleForKMSSecretsManagerForRDS to allow KMS to access ApsaraDB RDS to manage and rotate the ApsaraDB RDS secret. The AliyunServiceRolePolicyForKMSSecretsManagerForRDS policy is automatically attached to the service-linked role.

  • Scenario 4: You create an ApsaraDB for Redis secret

    KMS automatically creates a service-linked role named AliyunServiceRoleForKMSSecretsManagerForRedis to allow KMS to access ApsaraDB for Redis to manage and rotate the ApsaraDB for Redis secret. The AliyunServiceRolePolicyForKMSSecretsManagerForRedis policy is automatically attached to the service-linked role.

Required permissions for a RAM user to use a service-linked role

If a RAM user is used to create or delete a service-linked role, the RAM user needs the corresponding ram: permissions. Ask the Alibaba Cloud account administrator to attach the AliyunKMSFullAccess system policy to the RAM user, or to create a custom policy that includes the following permissions in its Action element. The ram:ServiceName condition in the example policy restricts the grant to the four KMS service-linked roles, so the RAM user cannot create or delete service-linked roles that belong to other cloud services; keep the condition when you write your own policy.

  • Permission required to create a service-linked role: ram:CreateServiceLinkedRole

  • Permission required to delete a service-linked role: ram:DeleteServiceLinkedRole

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole",
                "ram:DeleteServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "keystore.kms.aliyuncs.com",
                        "secretsmanager-ecs.kms.aliyuncs.com",
                        "secretsmanager-rds.kms.aliyuncs.com",
                        "secretsmanager-redis.kms.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

For more information, see Service-linked roles and Grant permissions to a RAM user.
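The following script is an added example and is not part of the KMS documentation or of any Alibaba Cloud SDK. It audits a RAM custom policy document of the shape shown above and reports every Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole without a StringEquals condition on ram:ServiceName, or with a condition that extends beyond the four KMS service names listed on this page. The two sample policies are constructed: the first is the scoped policy from this page, the second is the same grant with the condition dropped.

```python
"""Audit a RAM custom policy for least-privilege service-linked-role grants.

Added example, not code from the KMS documentation or the Alibaba Cloud SDK.
Policy documents may be passed as a JSON string or an already-parsed dict.
"""
import json

# Service names taken from the ram:ServiceName condition on this page.
KMS_SERVICE_NAMES = {
    "keystore.kms.aliyuncs.com",
    "secretsmanager-ecs.kms.aliyuncs.com",
    "secretsmanager-rds.kms.aliyuncs.com",
    "secretsmanager-redis.kms.aliyuncs.com",
}

SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def _as_list(value):
    """RAM accepts either a string or a list in Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_slr_action(statement):
    """True if an Allow statement covers a service-linked-role action,
    including wildcard forms such as ram:* or ram:Create*."""
    if statement.get("Effect") != "Allow":
        return False
    for action in _as_list(statement.get("Action")):
        if action in SLR_ACTIONS or action in ("ram:*", "*"):
            return True
        if action.endswith("*") and any(a.startswith(action[:-1]) for a in SLR_ACTIONS):
            return True
    return False


def audit_slr_policy(policy, allowed_services=KMS_SERVICE_NAMES):
    """Return a list of findings; an empty list means every
    service-linked-role grant is scoped to the allowed services."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if not _grants_slr_action(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = set(_as_list(cond.get("ram:ServiceName")))
        if not services:
            findings.append(
                f"statement {idx}: service-linked-role grant has no "
                f"ram:ServiceName condition (applies to any cloud service)"
            )
            continue
        extra = services - set(allowed_services)
        if extra:
            findings.append(
                f"statement {idx}: grant extends to non-KMS services: {sorted(extra)}"
            )
    return findings


# Constructed sample: the scoped policy from this page.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": sorted(KMS_SERVICE_NAMES)}},
    }],
}

# Constructed sample: the same grant with the condition dropped, which lets
# the RAM user create service-linked roles for any cloud service.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
    }],
}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, audit_slr_policy(doc) or ["ok"])
```

Feed the function the policy document returned by the RAM GetPolicyVersion API, or the JSON you are about to paste into the console, before attaching it to the RAM user.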

Create a service-linked role

The system automatically creates a service-linked role when you perform the following operations:

  • AliyunServiceRoleForKMSKeyStore: The system automatically creates the service-linked role when you enable a KMS instance.

  • AliyunServiceRoleForKMSSecretsManagerForECS: The system automatically creates the service-linked role when you create an ECS secret.

  • AliyunServiceRoleForKMSSecretsManagerForRDS: The system automatically creates the service-linked role when you create an ApsaraDB RDS secret.

  • AliyunServiceRoleForKMSSecretsManagerForRedis: The system automatically creates the service-linked role when you create an ApsaraDB for Redis secret.

Important

After a service-linked role is created, the trusted cloud service can assume the service-linked role to access the required cloud resources. You may be charged for creating KMS instances and using Simple Log Service.

View a service-linked role

After a service-linked role is created, you can search for it by name, for example AliyunServiceRoleForKMSKeyStore, on the Roles page of the RAM console to view the following information about the service-linked role:

  • Basic information

    In the Basic Information section of the details page of the AliyunServiceRoleForKMSKeyStore role, view the basic information about the role, including the role name, creation time, role ARN, and description.

  • Permission policy

    On the Permissions tab of the details page of the AliyunServiceRoleForKMSKeyStore role, click the policy name to view the policy content and the cloud resources that the role can access.

  • Trust policy

    On the Trust Policy tab of the details page of the AliyunServiceRoleForKMSKeyStore role, view the content of the trust policy. A trust policy is a policy that describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.

For information about how to view information about a service-linked role, see View the information about a RAM role.
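The check described above, automated, as an added example that is not code from the KMS documentation or the Alibaba Cloud SDK: it takes the trust policy document of a service-linked role (the JSON shown on the Trust Policy tab, or the AssumeRolePolicyDocument returned by the RAM GetRole API) and confirms that the only principal allowed to call sts:AssumeRole is the KMS service expected for that role. The mapping from role name to trusted service is inferred from the role and service names on this page and is an assumption; the sample trust policies, including the placeholder account ID, are constructed.

```python
"""Verify the trusted entity in a KMS service-linked role's trust policy.

Added example, not code from the KMS documentation or the Alibaba Cloud SDK.
"""
import json

# Expected trusted entity per service-linked role. Inferred from the role
# and service names on this page (assumption).
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForKMSKeyStore": "keystore.kms.aliyuncs.com",
    "AliyunServiceRoleForKMSSecretsManagerForECS": "secretsmanager-ecs.kms.aliyuncs.com",
    "AliyunServiceRoleForKMSSecretsManagerForRDS": "secretsmanager-rds.kms.aliyuncs.com",
    "AliyunServiceRoleForKMSSecretsManagerForRedis": "secretsmanager-redis.kms.aliyuncs.com",
}


def _as_list(value):
    """RAM accepts either a string or a list in Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(trust_policy):
    """Collect every principal that an Allow statement lets assume the role.

    Returns (principal_type, value) tuples, e.g. ("Service", "keystore.kms.aliyuncs.com")
    or ("RAM", "acs:ram::<account-id>:root").
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    found = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            for value in _as_list(values):
                found.append((ptype, value))
    return found


def check_trust_policy(role_name, trust_policy):
    """Return a list of findings; an empty list means the role trusts
    exactly the KMS service it is supposed to trust and nothing else."""
    expected = EXPECTED_TRUSTED_SERVICE.get(role_name)
    if expected is None:
        return [f"{role_name} is not a KMS service-linked role known to this check"]
    found = principals(trust_policy)
    findings = []
    for ptype, value in found:
        if ptype != "Service":
            findings.append(f"non-service principal can assume {role_name}: {ptype}={value}")
        elif value != expected:
            findings.append(f"unexpected service trusted by {role_name}: {value}")
    if ("Service", expected) not in found:
        findings.append(f"{role_name} does not trust {expected}")
    return findings


# Constructed sample: a trust policy whose only trusted entity is the KMS
# key store service, as expected for AliyunServiceRoleForKMSKeyStore.
GOOD_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": ["keystore.kms.aliyuncs.com"]},
    }],
}

# Constructed sample: the same policy with an additional statement that lets
# a RAM account (placeholder ID) assume the role and inherit its permissions.
TAMPERED_TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["keystore.kms.aliyuncs.com"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::123456789012****:root"]}},
    ],
}

if __name__ == "__main__":
    role = "AliyunServiceRoleForKMSKeyStore"
    print("good:", check_trust_policy(role, GOOD_TRUST_POLICY) or ["ok"])
    print("tampered:", check_trust_policy(role, TAMPERED_TRUST_POLICY) or ["ok"])
```

Running the check over every role whose name starts with AliyunServiceRoleForKMS gives a quick inventory of which cloud service may assume each role, which is the value of the Service field the text above tells you to look for.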

Delete a service-linked role

Important

After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

When your account has no KMS resources, the system automatically deletes service-linked roles.

If you do not use KMS for a long period of time, you can manually delete service-linked roles for KMS in the RAM console.

Before you delete service-linked roles, make sure that all KMS instances within your account are released.

For more information, see Delete a RAM role.