This topic describes the following service-linked roles in Resource Orchestration Service (ROS): AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember.
Overview
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. ROS uses a service-linked role to access other Alibaba Cloud services or resources.
In most cases, the system automatically creates a service-linked role when you perform an operation. If a service-linked role fails to be automatically created or ROS does not support the automatic creation of a service-linked role, you must manually create a service-linked role.
For each service-linked role, RAM provides a system policy that cannot be modified. To view the system policy of a service-linked role, go to the details page of the role. For more information, see System Policy Reference.
Scenario
If you want to query members in a resource directory within your administrator account and deploy stacks within the members when you use a stack group that has service-managed permissions, you must obtain permissions on specific Alibaba Cloud services. ROS provides the service-linked roles AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember to help you obtain the permissions.
For more information, see Service-linked roles.
Required policies for RAM users to assume service-linked roles
AliyunServiceRoleForROSStackGroupsRDAdmin
Required policy: AliyunServiceRolePolicyForROSStackGroupsRDAdmin.
Policy description: This policy allows ROS to use the service-linked role to obtain information about members in a resource directory.
{
  "Statement": [
    {
      "Action": [
        "resourcemanager:ListAccountsForParent",
        "resourcemanager:ListFoldersForParent",
        "resourcemanager:ListAncestors"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
AliyunServiceRoleForROSStackGroupsRDMember
Required policy: AliyunServiceRolePolicyForROSStackGroupsRDMember.
Policy description: This policy allows ROS to use the service-linked role to create RAM roles whose names are prefixed with stackgroups-exec-. This policy also allows ROS to assume the created RAM roles to deploy stacks.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateRole",
        "ram:GetRole",
        "ram:DeleteRole"
      ],
      "Effect": "Allow",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": [
        "ram:AttachPolicyToRole",
        "ram:DetachPolicyFromRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:role/stackgroups-exec-*",
        "acs:ram:*:system:policy/AdministratorAccess"
      ]
    },
    {
      "Action": [
        "ram:ListPolicyAttachments",
        "ram:DetachPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:*"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
Create a service-linked role
When you use the administrator account to create stack instances in a stack group that has service-managed permissions, the system automatically creates the service-linked role AliyunServiceRoleForROSStackGroupsRDAdmin within the administrator account to obtain information about members in a resource directory. The system automatically creates the service-linked role AliyunServiceRoleForROSStackGroupsRDMember within all obtained members and uses this service-linked role to create RAM roles whose names are prefixed with stackgroups-exec-. Then, ROS assumes the created RAM roles to deploy stacks. The roles whose names are prefixed with stackgroups-exec- are deleted when you delete the relevant stack instances.
For more information, see Step 3: Create a stack group.
View a service-linked role
After the service-linked role is created, go to the Roles page in the RAM console and enter AliyunServiceRoleForROSStackGroupsRDAdmin or AliyunServiceRoleForROSStackGroupsRDMember in the search box to obtain the desired service-linked role. Then, click the role name to view the following information on the role details page:
Basic information
In the Basic Information section, you can view the basic information about the service-linked role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Policies
On the Permissions tab, you can click the name of a policy to view the policy content and the cloud resources that the service-linked role can access.
Trust policy
On the Trust Policy tab, you can view the content of the trust policy that is attached to the service-linked role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, view the value of the Service parameter in the trust policy.
For more information about how to view the information about a service-linked role, see View the information about a RAM role.
Delete a service-linked role
Before you delete the service-linked role AliyunServiceRoleForROSStackGroupsRDAdmin from the administrator account, you must delete all stack groups that have service-managed permissions from the administrator account.
Before you delete the service-linked role AliyunServiceRoleForROSStackGroupsRDMember from members, you must delete the stack instances that are associated with the members.
Log on to the RAM console.
In the left-side navigation pane, open the Roles page.
On the Roles page, find the service-linked role that you want to delete and click Delete Role in the Actions column.
In the Delete Role dialog box, enter the name of the service-linked role and click Delete Role.
If a policy is attached to the service-linked role, the policy is detached when you delete the role.
If a service-linked role fails to be deleted, you can click Role Deletion in the upper-right corner of the RAM role list to view the details.