This topic describes the usage scenarios, policy, creation, and deletion of the service-linked role AliyunServiceRoleForTag for the Tag service.

Scenarios

When you enable createdby tags, the Tag service automatically creates its service-linked role AliyunServiceRoleForTag. The Tag service uses the service-linked role to obtain the access permissions on ActionTrail.

For more information about service-linked roles, see Service-linked roles.

Role description

Role name: AliyunServiceRoleForTag.

Policy name: AliyunServiceRolePolicyForTag.

Permission description: This policy allows the Tag service to create, delete, or list ActionTrail service trails, and to delete its own service-linked role. The Condition element restricts ram:DeleteServiceLinkedRole to roles whose ram:ServiceName is tag.aliyuncs.com, so the role cannot delete service-linked roles that belong to other services.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail",
                "actiontrail:ListServiceTrail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "tag.aliyuncs.com"
                }
            }
        }
    ]
}
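To see why the Condition matters, the following added example (not part of the official Tag documentation) runs a simplified policy check over the policy document above. It assumes only Allow statements and StringEquals conditions, which is all this policy uses; real RAM evaluation also handles Deny statements and other condition operators.

```python
import json

# The AliyunServiceRolePolicyForTag document, copied from the page above.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["actiontrail:CreateServiceTrail",
                "actiontrail:DeleteServiceTrail",
                "actiontrail:ListServiceTrail"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "tag.aliyuncs.com"}}}
  ]
}""")


def _as_list(value):
    # "Action" may be a single string or a list of strings.
    return [value] if isinstance(value, str) else value


def _action_matches(pattern, action):
    # Simplification (assumption): only a trailing "*" wildcard is supported.
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(policy, action, context=None):
    """Return True when some Allow statement covers `action` and every
    StringEquals key in its Condition equals the request context value.
    Anything not explicitly allowed is implicitly denied."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == val for key, val in equals.items()):
            return True
    return False


if __name__ == "__main__":
    # Deleting the Tag service's own role is allowed; another service's role is not.
    print(is_allowed(POLICY, "ram:DeleteServiceLinkedRole", {"ram:ServiceName": "tag.aliyuncs.com"}))
    print(is_allowed(POLICY, "ram:DeleteServiceLinkedRole", {"ram:ServiceName": "ecs.aliyuncs.com"}))
```

The second call returns False because the request context does not satisfy the ram:ServiceName condition, which is exactly the least-privilege boundary the policy draws.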

Create the service-linked role for the Tag service

When you enable createdby tags, the Tag service automatically creates its service-linked role AliyunServiceRoleForTag. For more information about createdby tags, see Overview.

Delete the service-linked role for the Tag service

You can delete the service-linked role AliyunServiceRoleForTag for the Tag service in the Resource Access Management (RAM) console after you disable createdby tags. For more information, see Delete a RAM role.