This topic describes the scenarios and policies for the following service-linked roles of Resource Orchestration Service (ROS): AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember. This topic also describes the operations that you can perform on the service-linked roles.

Scenarios

When you use a stack group that has service-managed permissions, ROS must be able to read the accounts in the resource directory from your administrator account and deploy stacks into those accounts. This requires permissions on specific Alibaba Cloud services, which you grant by creating the following service-linked roles of ROS as RAM roles: AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember.

For more information about service-linked roles, see Service-linked roles.

Policies

  • Service-linked role: AliyunServiceRoleForROSStackGroupsRDAdmin

    Policy: AliyunServiceRolePolicyForROSStackGroupsRDAdmin.

    Description: ROS uses the service-linked role to obtain information about the accounts in the resource directory.

    {
      "Statement": [
        {
          "Action": [
            "resourcemanager:ListAccountsForParent",
            "resourcemanager:ListFoldersForParent",
            "resourcemanager:ListAncestors"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"
            }
          }
        }
      ],
      "Version": "1"
    }

  • Service-linked role: AliyunServiceRoleForROSStackGroupsRDMember

    Policy: AliyunServiceRolePolicyForROSStackGroupsRDMember.

    Description: ROS uses the service-linked role to create RAM roles whose names are prefixed with stackgroups-exec- and uses those RAM roles to deploy stacks.

    {
      "Statement": [
        {
          "Action": [
            "ram:CreateRole",
            "ram:GetRole",
            "ram:DeleteRole"
          ],
          "Effect": "Allow",
          "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
        },
        {
          "Action": [
            "ram:AttachPolicyToRole",
            "ram:DetachPolicyFromRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:ram:*:*:role/stackgroups-exec-*",
            "acs:ram:*:system:policy/AdministratorAccess"
          ]
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"
            }
          }
        }
      ],
      "Version": "1"
    }

Create service-linked roles

When you use the administrator account to create stack instances in a service-managed stack group, you must create the AliyunServiceRoleForROSStackGroupsRDAdmin service-linked role within the administrator account. The administrator account then assumes this service-linked role to obtain information about the accounts in the resource directory. You must also create the AliyunServiceRoleForROSStackGroupsRDMember service-linked role within every member account that you obtain from the resource directory. ROS uses these service-linked roles to create RAM roles whose names are prefixed with stackgroups-exec-, and the member accounts assume those RAM roles to deploy stacks. The RAM roles whose names are prefixed with stackgroups-exec- are deleted when you delete the stack instances.
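The value of these two policies is in how narrowly they are scoped: the administrator role may assume only roles whose names match stackgroups-exec-*, and the member role may create, delete and attach policies to only those roles. The following added example, which is not part of this page or of Alibaba Cloud's own tooling, is a small evaluator covering just the subset of RAM policy semantics the two documents use (Allow statements, `*` wildcards in Action and Resource, and a StringEquals condition). It embeds both policies from this page and lets you confirm which requests each role can and cannot make before you rely on them in a review. It is a simplification: it checks one resource per request and does not model Deny statements, because neither policy contains any.

```python
"""Evaluate the two ROS service-linked-role policies against sample requests.

Added example, not Alibaba Cloud code. Implements only the policy features the
documents on this page use: Effect=Allow, '*' wildcards in Action and Resource,
and a StringEquals Condition. No Deny handling, one resource per request.
"""
import re

# Policy documents copied from the page (the RDAdmin document's Version line and
# closing brace are completed to match the RDMember document).
ADMIN_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["resourcemanager:ListAccountsForParent",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAncestors"]},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "acs:ram:*:*:role/stackgroups-exec-*"},
        {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {
             "ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"}}},
    ],
}

MEMBER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ram:CreateRole", "ram:GetRole", "ram:DeleteRole"],
         "Resource": "acs:ram:*:*:role/stackgroups-exec-*"},
        {"Effect": "Allow",
         "Action": ["ram:AttachPolicyToRole", "ram:DetachPolicyFromRole"],
         "Resource": ["acs:ram:*:*:role/stackgroups-exec-*",
                      "acs:ram:*:system:policy/AdministratorAccess"]},
        {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {
             "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"}}},
    ],
}


def _wild(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal (assumed case-sensitive)."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context) -> bool:
    """Every StringEquals key must be present in the request context with the exact value."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action: str, resource: str, context=None) -> bool:
    """True if at least one Allow statement matches the action, resource and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wild(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition"), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample ARNs; the account id is a placeholder.
    exec_role = "acs:ram::1234567890123456:role/stackgroups-exec-demo"
    other_role = "acs:ram::1234567890123456:role/ops-admin"
    print("admin may assume exec role:", is_allowed(ADMIN_POLICY, "sts:AssumeRole", exec_role))
    print("admin may assume other role:", is_allowed(ADMIN_POLICY, "sts:AssumeRole", other_role))
    print("member may create exec role:", is_allowed(MEMBER_POLICY, "ram:CreateRole", exec_role))
    print("member may create other role:", is_allowed(MEMBER_POLICY, "ram:CreateRole", other_role))
    print("admin SLR deletable by member service name:",
          is_allowed(ADMIN_POLICY, "ram:DeleteServiceLinkedRole", "*",
                     {"ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"}))
```

A useful review habit is to run the evaluator with the role names your own deployments actually use: if a request against anything other than a stackgroups-exec-* role comes back allowed, the policy attached in that account is not the one documented here.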

For more information, see Step 3: Create a stack group.

Delete service-linked roles