You can create, view, and delete the service-linked role for the Tag service to enable cross-service authorized access.
Overview
A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. It enables authorized access across services. The following table describes the service-linked role for the Tag service.
| Service-linked role for Tag | Service identifier | Permission policy |
| --- | --- | --- |
| AliyunServiceRoleForTag | tag.aliyuncs.com | AliyunServiceRolePolicyForTag |
For more information, see Service-linked roles.
Scenarios
- The Tag service assumes the service-linked role to access resource creation events in ActionTrail, obtain the creator information of resources, and then add createdby tags to the resources.
- The Tag service assumes the service-linked role to access operation records and resources in ActionTrail and Cloud Config, monitor resource changes in real time, and then check the compliance of resource configurations, such as tags.
Create the service-linked role
The Tag service automatically creates the service-linked role when you perform the following operations:
- Enable createdby tags. For more information, see Overview.
- Enable the Tag Policy feature. For more information, see Enable the Tag Policy feature.
- Enable tag configuration for associated resources. For more information, see Tag configuration for associated resources.
View information about the service-linked role
After the service-linked role is created, you can view its details on the role details page. To access this page, log on to the RAM console, go to the Roles page, find the role, and then click its name.
- Basic information
  On the role details page, the Basic Information section displays the role's name, creation time, ARN, and description.
- Permission policy
  On the role details page, on the Permissions tab, click the policy name to view the policy content.
  Note: You can view the permission policy of a service-linked role only from the role's details page. You cannot view the policy directly from the Permission Policy page in the RAM console.
- Trust policy
  On the Trust Policy tab, you can view the trust policy attached to the role. A trust policy specifies the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. For a service-linked role, the trusted entity is a cloud service. Check the Service field in the trust policy to identify the trusted entity.
For more information, see View a RAM role.
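The Service field check described under Trust policy can be scripted for audits. The following Python is an added example, not Alibaba Cloud's own code: it takes a trust policy document copied from the Trust Policy tab and reports every trusted entity other than tag.aliyuncs.com. The Statement/Principal JSON layout is assumed to match what the tab displays, and both sample documents (including the account ID) are constructed for illustration.

```python
import json

EXPECTED_SERVICE = "tag.aliyuncs.com"  # service identifier from the table on this page

def _as_list(value):
    """Policy fields may hold a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document, expected_service=EXPECTED_SERVICE):
    """Return a list of findings. An empty list means the expected cloud
    service is the only entity allowed to assume the role."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    trusted_services = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant the ability to assume the role
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is {principal!r}, expected an object")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == expected_service:
                    trusted_services.add(value)
                else:
                    findings.append(f"statement {i}: unexpected trusted entity {kind}={value}")
    if expected_service not in trusted_services:
        findings.append(f"{expected_service} is not trusted by any Allow statement")
    return findings

# Constructed sample documents (assumed layout, not copied from a real account).
SAMPLE_OK = """{"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
  "Effect": "Allow", "Principal": {"Service": ["tag.aliyuncs.com"]}}]}"""
SAMPLE_BAD = """{"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
  "Effect": "Allow", "Principal": {"Service": "tag.aliyuncs.com",
  "RAM": ["acs:ram::1234567890123456:root"]}}]}"""

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_trust_policy(doc) or "only tag.aliyuncs.com is trusted")
```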
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use the Tag service for a long period of time or you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.
To delete the service-linked role, you can submit a ticket.