A trusted Alibaba Cloud service can assume a Resource Access Management (RAM) role to access other Alibaba Cloud services. The RAM roles that a trusted Alibaba Cloud service can assume are classified into two types: normal service roles and service-linked roles. This topic describes service-linked roles.

Background information

An Alibaba Cloud service may need to access other services to implement a feature. In this case, the Alibaba Cloud service must be authorized to access those services. For example, to retrieve resource lists and log data from Elastic Compute Service (ECS) and ApsaraDB RDS, Cloud Config requires access permissions on ECS and ApsaraDB RDS. Alibaba Cloud provides service-linked roles to simplify the process of authorizing a service to access other services.

A service-linked role is a RAM role that only the linked service can assume. In most cases, the service automatically creates or deletes its service-linked role when needed. A service-linked role simplifies the process of authorizing a service to access other services and reduces the risk of mistakes made during manual authorization.

The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.

If a service does not support service-linked roles, you can use a normal service role to authorize the service.

Create a service-linked role

Some Alibaba Cloud services automatically create service-linked roles when you perform operations. For example, when you create a cloud resource or enable a feature, a service-linked role may be automatically created. You can view the created service-linked roles on the RAM Roles page of the RAM console. You can also retrieve the list of created service-linked roles by using the API or a CLI to call the ListRoles operation.

You can also manually create service-linked roles. For more information, see Create a service-linked role.

Note
  • The number of service-linked roles that you can create is based on the limit of the number of RAM roles that you can create within your Alibaba Cloud account. If the limit is exceeded, you can still create service-linked roles. However, you can no longer create other types of RAM roles.
  • For more information about how an Alibaba Cloud service creates a service-linked role, see the documentation of the service.

Delete a service-linked role

Some Alibaba Cloud services automatically delete service-linked roles when you perform operations. For example, when you delete a cloud resource or disable a feature, a service-linked role may be automatically deleted. You can also manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.

If you attempt to delete a service-linked role, RAM checks whether the role is being assumed by the linked service.

  • If the role is not being assumed, the role can be deleted.
  • If the role is being assumed, the role cannot be deleted. However, you can view the cloud resources of the linked service that assume the service-linked role. If you no longer need those cloud resources, find and remove them. Then, delete the service-linked role.

Note For more information about the conditions that allow you to delete a service-linked role, see the documentation of the linked service.

Permissions required to create and delete a service-linked role

RAM identities must be granted the required permissions before they can create or delete a service-linked role. The same permissions are required when a service creates its service-linked role automatically.

Note The permissions to create a service-linked role are included in the administrative policy of the linked service. For Auto Scaling (ESS), the administrative policy is AliyunESSFullAccess. If you attach the administrative policy of a service to a RAM identity, the RAM identity can create the service-linked role for that service.

The following sample policy allows authorized RAM identities to create and delete the service-linked role for Resource Management:

{
    "Action": [
        "ram:CreateServiceLinkedRole",
        "ram:DeleteServiceLinkedRole"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "resourcemanager.aliyuncs.com"
        }
    }
}
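The Condition element is what scopes the statement above to a single service: a RAM identity holding this policy can create or delete the service-linked role for Resource Management, but not for any other service, and cannot create ordinary RAM roles. The following is an added example, not code from the Alibaba Cloud documentation, that wraps the page's statement in a full policy document and runs a simplified evaluator over it. The evaluator implements only the pieces the statement needs (case-insensitive action matching with a trailing wildcard, the StringEquals operator, explicit Deny over Allow, implicit deny otherwise) and is an illustration of how the condition narrows the grant, not a reimplementation of the RAM policy engine.

```python
import json

# The statement from the page, wrapped in a full policy document (Statement list plus Version)
# so that it can be evaluated as a policy.
RESOURCE_MANAGER_SLR_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole",
                "ram:DeleteServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "resourcemanager.aliyuncs.com"
                }
            }
        }
    ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Case-insensitive action match; a trailing '*' in the pattern is a prefix wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context keys.

    Only the StringEquals operator is implemented (the one the page's policy uses);
    a statement without a Condition always matches.
    """
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, context):
    """Simplified decision: explicit Deny wins, a matching Allow grants, anything else is implicitly denied."""
    decision = "Deny"
    for statement in _as_list(policy["Statement"]):
        if not any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if not _condition_matches(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # ram:ServiceName is the service passed to CreateServiceLinkedRole; only the
    # Resource Management service name satisfies the condition.
    for service in ("resourcemanager.aliyuncs.com", "config.aliyuncs.com"):
        print(service, evaluate(RESOURCE_MANAGER_SLR_POLICY,
                                "ram:CreateServiceLinkedRole",
                                {"ram:ServiceName": service}))
```

Running the block prints Allow for resourcemanager.aliyuncs.com and Deny for config.aliyuncs.com. A request that omits ram:ServiceName altogether is also denied, which is the behaviour you want from a scoped grant: the condition key must be present and equal, not merely absent.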

Assume a service-linked role

A service-linked role can be assumed only by the linked service. The role cannot be assumed by identities such as RAM users or other RAM roles.

You can view the service that can assume a service-linked role in the Service parameter on the Trust Policy Management tab of the role details page.
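Two things on this page are worth automating when you audit an account: listing the service-linked roles that exist (the ListRoles operation mentioned under "Create a service-linked role") and confirming, from each role's trust policy, that only the linked service can assume it (the Service parameter described above). The following is an added example, not code from the Alibaba Cloud documentation. It works on a constructed ListRoles response and constructed trust policies so that it runs offline; the Roles.Role[] shape with RoleName and Arn follows the RAM API, the account ID and role set are made up, and identifying service-linked roles by the AliyunServiceRoleFor name prefix is a heuristic taken from the table on this page rather than an API guarantee.

```python
import json

SLR_NAME_PREFIX = "AliyunServiceRoleFor"  # every role in the table on this page uses this prefix

# Constructed sample of a ListRoles response. The Roles.Role[] shape with RoleName and Arn
# follows the RAM API; the account ID and the roles themselves are made up for this example.
LIST_ROLES_RESPONSE = json.loads("""
{
  "RequestId": "00000000-0000-0000-0000-000000000000",
  "IsTruncated": false,
  "Roles": {
    "Role": [
      {"RoleName": "AliyunServiceRoleForResourceDirectory",
       "Arn": "acs:ram::123456789012****:role/aliyunserviceroleforresourcedirectory"},
      {"RoleName": "AliyunServiceRoleForConfig",
       "Arn": "acs:ram::123456789012****:role/aliyunserviceroleforconfig"},
      {"RoleName": "ecs-ops-role",
       "Arn": "acs:ram::123456789012****:role/ecs-ops-role"}
    ]
  }
}
""")

# Constructed trust policies keyed by role name (the document shown on the Trust Policy
# Management tab). The two service-linked roles trust exactly one service principal;
# the ordinary role trusts a RAM account principal instead.
TRUST_POLICIES = {
    "AliyunServiceRoleForResourceDirectory": {
        "Version": "1",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": {"Service": ["resourcemanager.aliyuncs.com"]}}],
    },
    "AliyunServiceRoleForConfig": {
        "Version": "1",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": {"Service": ["config.aliyuncs.com"]}}],
    },
    "ecs-ops-role": {
        "Version": "1",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": {"RAM": ["acs:ram::123456789012****:root"]}}],
    },
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals that an Allow statement lets assume the role (the console's Service parameter)."""
    services = []
    for statement in _as_list(trust_policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        services.extend(_as_list(principal.get("Service", [])))
    return services


def assumable_only_by_services(trust_policy):
    """True when every Allow statement names only Service principals (no RAM users or accounts)."""
    for statement in _as_list(trust_policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if set(principal) != {"Service"} or not principal["Service"]:
            return False
    return True


def service_linked_roles(list_roles_response, trust_policies):
    """Map each role that looks service-linked (by name prefix) to the services allowed to assume it."""
    result = {}
    for role in list_roles_response["Roles"]["Role"]:
        name = role["RoleName"]
        if name.startswith(SLR_NAME_PREFIX):
            result[name] = trusted_services(trust_policies.get(name, {}))
    return result


if __name__ == "__main__":
    for name, services in service_linked_roles(LIST_ROLES_RESPONSE, TRUST_POLICIES).items():
        ok = assumable_only_by_services(TRUST_POLICIES[name])
        print(f"{name}: linked service(s) {services}, service-only trust: {ok}")
```

In a real audit the two inputs would come from the ListRoles and GetRole operations (the trust policy is the AssumeRolePolicyDocument field of GetRole); the check that matters is assumable_only_by_services, since a role named like a service-linked role whose trust policy names anything other than a Service principal is not behaving as this page describes and deserves a closer look.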

Alibaba Cloud services that support service-linked roles

| Alibaba Cloud service | Service name | Service-linked role | References |
| --- | --- | --- | --- |
| Resource Management | resourcemanager.aliyuncs.com | AliyunServiceRoleForResourceDirectory | Service-linked role for Resource Directory |
| Cloud Config | config.aliyuncs.com | AliyunServiceRoleForConfig | Manage the service-linked role for Cloud Config |
| Cloud Config | remediation.config.aliyuncs.com | AliyunServiceRoleForConfigRemediation | |
| PolarDB | polardb.aliyuncs.com | AliyunServiceRoleForPolarDB | RAM role linked to Apsara PolarDB |
| Hybrid Backup Recovery (HBR) | dr.hbr.aliyuncs.com | AliyunServiceRoleForHbrDr | Service linked role for ECS disaster recovery |
| Hybrid Backup Recovery (HBR) | ecsbackup.hbr.aliyuncs.com | AliyunServiceRoleForHbrEcsBackup | Service-linked roles for HBR |
| Hybrid Backup Recovery (HBR) | ossbackup.hbr.aliyuncs.com | AliyunServiceRoleForHbrOssBackup | |
| Hybrid Backup Recovery (HBR) | nasbackup.hbr.aliyuncs.com | AliyunServiceRoleForHbrNasBackup | |
| Hybrid Backup Recovery (HBR) | csgbackup.hbr.aliyuncs.com | AliyunServiceRoleForHbrCsgBackup | |
| Hybrid Backup Recovery (HBR) | vaultencryption.hbr.aliyuncs.com | AliyunServiceRoleForHbrVaultEncryption | |
| Hybrid Backup Recovery (HBR) | otsbackup.hbr.aliyuncs.com | AliyunServiceRoleForHbrOtsBackup | |
| Operation Orchestration Service (OOS) | bandwidthscheduler.oos.aliyuncs.com | AliyunServiceRoleForOOSBandwidthScheduler | OOS linked roles |
| Operation Orchestration Service (OOS) | instancescheduler.oos.aliyuncs.com | AliyunServiceRoleForOOSInstanceScheduler | |
| Operation Orchestration Service (OOS) | executiondelivery.oos.aliyuncs.com | AliyunServiceRoleForOOSExecutionDelivery | |
| Auto Scaling (ESS) | ess.aliyuncs.com | AliyunServiceRoleForAutoScaling | Grant permissions to Auto Scaling |
| Time Series Database (TSDB) | hitsdb.aliyuncs.com | AliyunServiceRoleForTSDB | None |
| CloudMonitor | cloudmonitor.aliyuncs.com | AliyunServiceRoleForCloudMonitor | Manage the service-linked role for CloudMonitor |
| Blockchain as a Service (BaaS) | baas.aliyuncs.com | AliyunServiceRoleForBaaS | None |
| Global Traffic Manager (GTM) | gtm.aliyuncs.com | AliyunServiceRoleForGTM | Service-linked role for Global Traffic Manager |
| DNS | alidns.aliyuncs.com | AliyunServiceRoleForDNS | None |
| Data Security Center (DSC) | sddp.aliyuncs.com | AliyunServiceRoleForSDDP | Authorize DSC to access Alibaba Cloud resources |
| CDN | cdn-ddos.cdn.aliyuncs.com | AliyunServiceRoleForCDNAccessingDDoS | Configure Anti-DDoS |
| CDN | cdn-waf.cdn.aliyuncs.com | AliyunServiceRoleForCDNAccessingWAF | None |
| CDN | logdelivery.cdn.aliyuncs.com | AliyunServiceRoleForCDNLogDelivery | Manage the SLR for log storage |
| Application Real-Time Monitoring Service (ARMS) | arms.aliyuncs.com | AliyunServiceRoleForARMS | Service-linked role for ARMS |
| Application Real-Time Monitoring Service (ARMS) | security.arms.aliyuncs.com | AliyunServiceRoleForARMSSecurity | Application security service-linked role |
| EventBridge | sendevent-fc.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToFC | Service-linked roles for EventBridge |
| EventBridge | sendevent-mns.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToMNS | |
| EventBridge | sendevent-sms.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToSMS | |
| EventBridge | sendevent-directmail.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToDirectMail | |
| EventBridge | source-rocketmq.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceRocketMQ | |
| EventBridge | connect-vpc.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeConnectVPC | |
| EventBridge | source-actiontrail.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceActionTrail | |
| EventBridge | source-rabbitmq.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSourceRabbitMQ | |
| EventBridge | sendevent-rabbitmq.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToRabbitMQ | |
| EventBridge | sendevent-rocketmq.eventbridge.aliyuncs.com | AliyunServiceRoleForEventBridgeSendToRocketMQ | |
| DataWorks | di.dataworks.aliyuncs.com | AliyunServiceRoleForDataWorksDI | Service linked role of DataWorks Data Integration |
| Elastic High Performance Computing (E-HPC) | ehpc.aliyuncs.com | AliyunServiceRoleForEHPC | Service-linked role for E-HPC |
| Server Migration Center (SMC) | smc.aliyuncs.com | AliyunServiceRoleForSMC | Service linked roles for SMC |
| Message Queue for Apache Kafka | connector.alikafka.aliyuncs.com | AliyunServiceRoleForAlikafkaConnector | Service-linked roles for Message Queue for Apache Kafka |
| Message Queue for Apache Kafka | instanceencryption.alikafka.aliyuncs.com | AliyunServiceRoleForAlikafkaInstanceEncryption | |
| Message Queue for Apache Kafka | alikafka.aliyuncs.com | AliyunServiceRoleForAlikafka | |
| Message Queue for Apache Kafka | etl.alikafka.aliyuncs.com | AliyunServiceRoleForAlikafkaETL | |
| Tracing Analysis | xtrace.aliyuncs.com | AliyunServiceRoleForXtrace | Service-linked role for Tracing Analysis |
| NAT Gateway (NAT) | nat.aliyuncs.com | AliyunServiceRoleForNatgw | Service-linked role for NAT Gateway |
| Alibaba Cloud DNS PrivateZone | pvtz.aliyuncs.com | AliyunServiceRoleForPvtz | Service-linked role for Alibaba Cloud DNS PrivateZone |
| ActionTrail | actiontrail.aliyuncs.com | AliyunServiceRoleForActionTrail | Manage the service-linked role |
| Cloud Storage Gateway (CSG) | hcs-sgw.aliyuncs.com | AliyunServiceRoleForHCSSGW | Service-linked roles for CSG |
| Cloud Storage Gateway (CSG) | logmonitor.hcs-sgw.aliyuncs.com | AliyunServiceRoleForHCSSGWLogMonitor | |
| Data Lake Analytics (DLA) | openanalytics.aliyuncs.com | AliyunServiceRoleForOpenAnalytics | AliyunServiceRoleForOpenAnalytics |
| API Gateway | apigateway.aliyuncs.com | AliyunServiceRoleForApiGateway | None |
| API Gateway | monitor.apigateway.aliyuncs.com | AliyunServiceRoleForApiGatewayMonitoring | None |
| Elasticsearch | ops.elasticsearch.aliyuncs.com | AliyunServiceRoleForElasticsearchOps | None |
| Elasticsearch | collector.elasticsearch.aliyuncs.com | AliyunServiceRoleForElasticsearchCollector | |
| Bastionhost | bastionhost.aliyuncs.com | AliyunServiceRoleForBastionhost | Service-linked role for Bastionhost |
| Global Accelerator (GA) | vpcendpoint.ga.aliyuncs.com | AliyunServiceRoleForGaVpcEndpoint | AliyunServiceRoleForGaVpcEndpoint |
| Global Accelerator (GA) | ddos.ga.aliyuncs.com | AliyunServiceRoleForGaAntiDdos | None |
| Message Queue for Apache RocketMQ | ons.aliyuncs.com | AliyunServiceRoleForOns | Service-linked role for Message Queue for Apache RocketMQ |
| AnalyticDB for PostgreSQL | adbpg.aliyuncs.com | AliyunServiceRoleForADBPG | Service-linked role for AnalyticDB for PostgreSQL |
| Key Management Service (KMS) | secretsmanager-rds.kms.aliyuncs.com | AliyunServiceRoleForKMSSecretsManagerForRDS | Manage the service-linked role for dynamic ApsaraDB RDS secrets |
| Key Management Service (KMS) | keystore.kms.aliyuncs.com | AliyunServiceRoleForKMSKeyStore | Service-linked role for dedicated KMS |
| ApsaraDB for MongoDB | mongodb.aliyuncs.com | AliyunServiceRoleForMongoDB | ApsaraDB for MongoDB service-linked roles |
| ApsaraDB RDS | pgsql-onecs.rds.aliyuncs.com | AliyunServiceRoleForRdsPgsqlOnEcs | Service-linked role for ApsaraDB RDS |
| PrivateLink | privatelink.aliyuncs.com | AliyunServiceRoleForPrivatelink | Service-linked role for PrivateLink |
| AnalyticDB for MySQL | ads.aliyuncs.com | AliyunServiceRoleForAnalyticDBForMySQL | Manage the service-linked role |
| ApsaraDB for ClickHouse | clickhouse.aliyuncs.com | AliyunServiceRoleForClickHouse | ApsaraDB for ClickHouse service-linked role |
| Real-Time Communication | rtc.aliyuncs.com | AliyunServiceRoleForRTC | Service-linked role for RTC |
| Application Load Balancer (ALB) | alb.aliyuncs.com | AliyunServiceRoleForAlb | Service-linked roles for ALB |
| Application Load Balancer (ALB) | logdelivery.alb.aliyuncs.com | AliyunServiceRoleForAlbLogDelivery | |
| Dynamic Route for CDN (DCDN) | logdelivery.dcdn.aliyuncs.com | AliyunServiceRoleForDCDNLogDelivery | SLR for log delivery |
| Server Load Balancer (SLB) | logdelivery.slb.aliyuncs.com | AliyunServiceRoleForSlbLogDelivery | Service-linked role for SLB |
| Cloud Enterprise Network | cen.aliyuncs.com | AliyunServiceRoleForCEN | AliyunServiceRoleForCEN |
| Elastic Container Instance | eci.aliyuncs.com | AliyunServiceRoleForECI | Elastic Container Instance service-linked role |
| Elastic Container Instance | vnode.eci.aliyuncs.com | AliyunServiceRoleForECIVnode | Service-linked role for virtual nodes |
| Database Backup (DBS) | dbs.aliyuncs.com | AliyunServiceRoleForDBS | How do I activate DBS? |
| Cloud Governance Center | governance.aliyuncs.com | AliyunServiceRoleForGovernance | Service-linked roles in Cloud Governance Center |
| CloudSSO | cloudsso.aliyuncs.com | AliyunServiceRoleForCloudSSO | Use the service-linked role for CloudSSO |
| Resource Sharing | resourcesharing.aliyuncs.com | AliyunServiceRoleForResourceSharing | Service-linked role for Resource Sharing |
| ApsaraDB for Redis | r-kvstore.aliyuncs.com | AliyunServiceRoleForKvstore | Service linked roles in ApsaraDB for Redis |
| Database Autonomy Service (DAS) | hdm.aliyuncs.com | AliyunServiceRoleForDAS | AliyunServiceRoleForDAS role |
| ECS | archiving.ecs.aliyuncs.com | AliyunServiceRoleForECSArchiving | Manage the service-linked role for Operation Content and Result Delivery |
| VPN Gateway | vpn.aliyuncs.com | AliyunServiceRoleForVpn | Service-linked role for VPN Gateway |
| IoT Platform | device-file-upload.iot.aliyuncs.com | AliyunServiceRoleForIoTDeviceFileUpload | None |
| Alibaba Cloud Distributed Cloud Container Platform (ACK One) | adcp.aliyuncs.com | AliyunServiceRoleForAdcp | Manage the service-linked role for ACK One |