
Microservices Engine: MSE service-linked roles

Last Updated: Dec 03, 2025

Microservices Engine (MSE) service-linked roles are predefined Resource Access Management (RAM) roles, each tied to a specific MSE feature. When such a role is created and granted to MSE, MSE assumes it to obtain the permissions the feature needs, so you do not have to write and maintain the access policies by hand, which is both laborious and error-prone. This topic describes the MSE service-linked roles, the permissions each one carries, and how to delete them.

AliyunServiceRoleForMSE

Scenarios

When MSE needs to access resources from other Alibaba Cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Application Real-Time Monitoring Service (ARMS), Server Load Balancer (SLB), Container Service for Kubernetes (ACK), Enterprise Distributed Application Service (EDAS), and Alibaba Cloud Service Mesh (ASM), it uses the automatically created AliyunServiceRoleForMSE service-linked role to obtain access permissions.

Permission description

The AliyunServiceRoleForMSE role is granted the permissions listed below for the following Alibaba Cloud services. Note that every statement uses "Resource": "*", so each grant applies to all resources of that service in the account, not only to resources that MSE itself created.

Access permissions for ECS

{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups",
    "ecs:CreateSecurityGroup"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
      

Access permissions for VPC

{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs",
    "vpc:CreateVSwitch"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions for ARMS

{
  "Action": [
    "arms:OpenArmsService",
    "arms:OpenArmsServiceSecondVersion",
    "arms:CheckServiceStatus",
    "arms:OpenVCluster",
    "arms:GetPrometheusApiToken",
    "arms:ListDashboards"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions for SLB

{
  "Action": [
    "slb:CreateLoadBalancer",
    "slb:AddBackendServers",
    "slb:SetBackendServers",
    "slb:RemoveBackendServers",
    "slb:CreateLoadBalancerTCPListener",
    "slb:DescribeLoadBalancerTCPListenerAttribute",
    "slb:SetLoadBalancerTCPListenerAttribute",
    "slb:CreateLoadBalancerHTTPListener",
    "slb:DescribeLoadBalancerHTTPListenerAttribute",
    "slb:SetLoadBalancerHTTPListenerAttribute",
    "slb:CreateLoadBalancerHTTPSListener",
    "slb:DescribeLoadBalancerHTTPSListenerAttribute",
    "slb:SetLoadBalancerHTTPSListenerAttribute",
    "slb:StartLoadBalancerListener",
    "slb:StopLoadBalancerListener",
    "slb:DeleteLoadBalancerListener",
    "slb:DescribeLoadBalancers",
    "slb:DescribeLoadBalancerAttribute",
    "slb:DescribeHealthStatus",
    "slb:CreateLoadBalancerForCloudService",
    "slb:DeleteLoadBalancer",
    "slb:ModifyLoadBalancerInternetSpec",
    "slb:RemoveTags",
    "slb:AddTags",
    "slb:SetLoadBalancerUDPListenerAttribute",
    "slb:CreateLoadBalancerUDPListener",
    "slb:CreateVServerGroup",
    "slb:DeleteVServerGroup",
    "slb:SetVServerGroupAttribute",
    "slb:ModifyVServerGroupBackendServers",
    "slb:AddVServerGroupBackendServers",
    "slb:ModifyLoadBalancerInstanceSpec",
    "slb:RemoveVServerGroupBackendServers",
    "slb:SetLoadBalancerModificationProtection",
    "slb:SetLoadBalancerDeleteProtection",
    "slb:DescribeLoadBalancerUDPListenerAttribute",
    "slb:DescribeTags",
    "slb:DescribeVServerGroups",
    "slb:DescribeVServerGroupAttribute",
    "slb:DescribeLoadBalancerListeners"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions for ACK

{
  "Action": [
    "cs:DescribeClusterInnerServiceKubeconfig",
    "cs:RevokeClusterInnerServiceKubeconfig",
    "cs:GetUserConfig",
    "cs:DescribeClusterUserKubeconfig",
    "cs:GetClusterById",
    "cs:GetClustersByUid",
    "cs:GetClusters",
    "cs:ListClusters",
    "cs:DescribeClusterNodes"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions for EDAS

{
  "Action": [
    "edas:ReadApplication",
    "edas:ReadCluster",
    "edas:ReadNamespace",
    "edas:ReadService",
    "edas:ListUserDefineRegion",
    "edas:GetSecureToken"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Access permissions for ASM

{
  "Action": [
    "servicemesh:CreateServiceMesh",
    "servicemesh:DeleteServiceMesh",
    "servicemesh:DescribeServiceMeshDetail",
    "servicemesh:DescribeServiceMeshKubeconfig",
    "servicemesh:AddClusterIntoServiceMesh",
    "servicemesh:RemoveClusterFromServiceMesh",
    "servicemesh:InitializeASMRole",
    "servicemesh:InvokeApiServer"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
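Reviewing a role with this many statements by eye is where mistakes hide, so the following added example (not code from the MSE documentation or from Alibaba Cloud) lints a RAM policy document the way a reviewer would: it flags duplicate actions, action names with stray whitespace, and Allow statements that combine state-changing actions with "Resource": "*" and no Condition, and it summarizes the grant per service as read versus write. The write-verb list is a constructed heuristic, and the sample policy is a constructed excerpt in the shape of the statements above, with one duplicate and one whitespace defect seeded so the checks have something to report.

```python
"""Lint a RAM policy document for the signals a reviewer checks first.

Added example; not code from the MSE documentation or from Alibaba Cloud.
The write-verb list is a constructed heuristic, and SAMPLE_POLICY is a
constructed excerpt in the shape of the AliyunServiceRoleForMSE statements
with a duplicate action and a trailing-space action seeded on purpose.
"""
import json
from typing import Dict, List

# Verb prefixes treated as state-changing (constructed heuristic, not an
# Alibaba Cloud classification); everything else counts as read-only.
WRITE_VERBS = ("Create", "Delete", "Set", "Modify", "Add", "Remove",
               "Revoke", "Start", "Stop", "Open", "Initialize", "Invoke")

# Constructed excerpt; the real role carries many more statements.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
                 "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["slb:CreateLoadBalancer", "slb:ModifyLoadBalancerInternetSpec",
                 "slb:ModifyLoadBalancerInternetSpec", "slb:DescribeLoadBalancers",
                 "slb:DescribeLoadBalancerUDPListenerAttribute  "],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "engine-service.mse.aliyuncs.com"}}
    }
  ]
}
""")


def as_list(value) -> List[str]:
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def statements(policy: dict) -> List[dict]:
    """Statement may likewise be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def is_write(action: str) -> bool:
    """Classify 'service:Verb...' by the verb's prefix."""
    return action.split(":", 1)[-1].strip().startswith(WRITE_VERBS)


def lint_policy(policy: dict) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    seen = set()
    for idx, stmt in enumerate(statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        for action in actions:
            if action != action.strip():
                findings.append(f"statement {idx}: action {action!r} has surrounding "
                                "whitespace; almost certainly a typo for the API name")
            name = action.strip()
            if name in seen:
                findings.append(f"statement {idx}: duplicate action {name!r}")
            seen.add(name)
        writes = [a for a in actions if is_write(a)]
        if writes and "*" in as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(f"statement {idx}: {len(writes)} write action(s) on "
                            "Resource '*' with no Condition (account-wide grant)")
    return findings


def blast_radius(policy: dict) -> Dict[str, Dict[str, List[str]]]:
    """Group allowed actions by service and by read/write for the review summary."""
    summary: Dict[str, Dict[str, List[str]]] = {}
    for stmt in statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            name = action.strip()
            service = name.split(":", 1)[0]
            bucket = summary.setdefault(service, {"read": [], "write": []})
            kind = "write" if is_write(name) else "read"
            if name not in bucket[kind]:
                bucket[kind].append(name)
    return summary


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
    for service, kinds in blast_radius(SAMPLE_POLICY).items():
        print(f"{service}: {len(kinds['write'])} write, {len(kinds['read'])} read")
```

Run against the full policy exported from the RAM console, the summary makes the point from the permission description concrete: the write side of the ECS, VPC, SLB and ASM grants applies to every instance in the account, because nothing in the statements narrows the resource.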

AliyunServiceRolePolicyForMSEEngineService

Scenarios

To integrate the Nacos engine with other cloud products, such as Security Guardrail, MSE uses a separate service-linked role that carries the AliyunServiceRolePolicyForMSEEngineService policy shown below.

Permission description

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "yundun-greenweb:MultiModalGuard",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "engine-service.mse.aliyuncs.com"
        }
      }
    }
  ]
}

The first statement grants only the single yundun-greenweb:MultiModalGuard call that the Security Guardrail integration needs. The second statement is the usual self-cleanup grant of a service-linked role: the StringEquals condition on ram:ServiceName restricts ram:DeleteServiceLinkedRole to the role linked to engine-service.mse.aliyuncs.com, so this role cannot delete service-linked roles that belong to other services.

Delete a service-linked role

Important

Deleting an MSE service-linked role prevents you from using the features that depend on it. This action may affect your business. Evaluate the impact and proceed with caution.

  1. Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account. In the navigation pane on the left, click Identities > Roles.

  2. On the Roles page, enter the role name, such as AliyunServiceRoleForMSE, in the search box to find the role.

  3. In the search results, find the role and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the role name and click Delete Role.

FAQ

Why can't my RAM user automatically create the AliyunServiceRoleForMSE service-linked role?

Automatic creation of AliyunServiceRoleForMSE requires the ram:CreateServiceLinkedRole permission on the identity that triggers it. An Alibaba Cloud account has this permission; a RAM user that lacks it cannot trigger the creation. In that case, attach the following policy to the RAM user. The condition on ram:ServiceName limits the grant to the MSE service, so the user does not gain the ability to create service-linked roles for other services.

Note

Replace Alibaba Cloud account ID with your Alibaba Cloud account ID.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "mse.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
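To see exactly what this grant permits, the following added example (not code from the MSE documentation or from the RAM service) fills in the placeholder account ID and runs a few requests through a small evaluator for the policy-language subset the policy uses: Allow statements, Action and Resource strings or lists with "*" globbing, and StringEquals conditions. The 16-digit account ID, the role ARN in the constructed request, and the evaluator itself are this example's own assumptions, not RAM's decision engine. One consequence worth checking is that with "mse.aliyuncs.com" as the only ram:ServiceName value, the grant covers AliyunServiceRoleForMSE but not the role linked to engine-service.mse.aliyuncs.com from the previous section; a RAM user that must also trigger that role's creation needs that service name in the list as well.

```python
"""Build the CreateServiceLinkedRole grant from the FAQ and check what it allows.

Added example; not code from the MSE documentation or from the RAM service.
The evaluator models only the policy-language subset this page uses (Allow
statements, Action/Resource strings or lists with '*' globbing, StringEquals
conditions). It is a reviewer's model of the grant, not the RAM decision
engine, and the account ID and request ARN below are made up.
"""
import fnmatch
import re
from typing import Dict, List

ACCOUNT_ID = "1234567890123456"  # made-up; Alibaba Cloud account IDs are 16 digits


def build_create_slr_policy(account_id: str, service_names: List[str]) -> dict:
    """Return the FAQ policy with the placeholder account ID filled in."""
    if not re.fullmatch(r"\d{16}", account_id):
        # Also catches the literal placeholder "Alibaba Cloud account ID" left in place.
        raise ValueError("account_id must be the 16-digit Alibaba Cloud account ID")
    return {
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": list(service_names)}},
        }],
        "Version": "1",
    }


def as_list(value) -> List[str]:
    """RAM accepts a string or a list in Action, Resource and condition values."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def condition_holds(condition: dict, context: Dict[str, str]) -> bool:
    """Evaluate StringEquals clauses; a key absent from the request context fails."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, wanted in clauses.items():
            if context.get(key) not in as_list(wanted):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """True if some Allow statement matches the action, the resource and the context."""
    stmts = policy.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in as_list(stmt.get("Resource"))):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_create_slr_policy(ACCOUNT_ID, ["mse.aliyuncs.com"])
    # Constructed request: the ARN of the role RAM would create in this account.
    role_arn = f"acs:ram::{ACCOUNT_ID}:role/aliyunserviceroleformse"
    for service in ("mse.aliyuncs.com", "engine-service.mse.aliyuncs.com"):
        ok = is_allowed(policy, "ram:CreateServiceLinkedRole", role_arn,
                        {"ram:ServiceName": service})
        print(f"create service-linked role for {service}: {'allowed' if ok else 'denied'}")
```

Because the condition is StringEquals on ram:ServiceName, a request that carries no service name in its context is denied as well, so the grant cannot be widened into a general ram:CreateServiceLinkedRole permission by leaving the key out; only adding a service name to the list widens it.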