Resource Orchestration Service:Service-linked roles for ROS

Last Updated:Feb 27, 2026

Resource Orchestration Service (ROS) uses two service-linked roles to manage stack groups with service-managed permissions across accounts in a resource directory: AliyunServiceRoleForROSStackGroupsRDAdmin and AliyunServiceRoleForROSStackGroupsRDMember.

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. ROS uses service-linked roles to access other Alibaba Cloud services and resources on your behalf. The system automatically creates a service-linked role when you perform a qualifying operation. If automatic creation fails or ROS does not support it, create the role manually.

Each service-linked role has a system policy that RAM provides. You cannot modify these policies. To view a system policy, go to the details page of the service-linked role. For more information, see System Policy Reference.

For more information about service-linked roles, see Service-linked roles.

Role comparison

When you use a stack group with service-managed permissions, ROS needs to query member accounts in a resource directory from your administrator account and deploy stacks within those member accounts. This requires two service-linked roles:

Created in
  AliyunServiceRoleForROSStackGroupsRDAdmin: Administrator account
  AliyunServiceRoleForROSStackGroupsRDMember: All member accounts

Purpose
  AliyunServiceRoleForROSStackGroupsRDAdmin: Query member accounts in the resource directory
  AliyunServiceRoleForROSStackGroupsRDMember: Create and assume RAM roles prefixed with stackgroups-exec- to deploy stacks

Policy name
  AliyunServiceRoleForROSStackGroupsRDAdmin: AliyunServiceRolePolicyForROSStackGroupsRDAdmin
  AliyunServiceRoleForROSStackGroupsRDMember: AliyunServiceRolePolicyForROSStackGroupsRDMember

Delete prerequisite
  AliyunServiceRoleForROSStackGroupsRDAdmin: Delete all stack groups with service-managed permissions from the administrator account
  AliyunServiceRoleForROSStackGroupsRDMember: Delete the stack instances associated with the member accounts

Automatic creation

Both roles are created automatically when the administrator account creates stack instances in a stack group that has service-managed permissions. The creation follows this sequence:

  1. The system creates AliyunServiceRoleForROSStackGroupsRDAdmin in the administrator account.

  2. The system creates AliyunServiceRoleForROSStackGroupsRDMember in all member accounts.

  3. The member role creates RAM roles prefixed with stackgroups-exec- in each member account.

  4. ROS assumes the stackgroups-exec-* roles to deploy stacks.

The stackgroups-exec-* roles are deleted when you delete the associated stack instances.

For more information, see Step 3: Create a stack group.

Policies attached to each role

AliyunServiceRoleForROSStackGroupsRDAdmin

Policy name: AliyunServiceRolePolicyForROSStackGroupsRDAdmin

This policy allows ROS to get information about member accounts in a resource directory.

{
  "Statement": [
    {
      "Action": [
        "resourcemanager:ListAccountsForParent",
        "resourcemanager:ListFoldersForParent",
        "resourcemanager:ListAncestors"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-admin.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}

AliyunServiceRoleForROSStackGroupsRDMember

Policy name: AliyunServiceRolePolicyForROSStackGroupsRDMember

This policy allows ROS to create RAM roles prefixed with stackgroups-exec- and assume them to deploy stacks.

{
  "Statement": [
    {
      "Action": [
        "ram:CreateRole",
        "ram:GetRole",
        "ram:DeleteRole"
      ],
      "Effect": "Allow",
      "Resource": "acs:ram:*:*:role/stackgroups-exec-*"
    },
    {
      "Action": [
        "ram:AttachPolicyToRole",
        "ram:DetachPolicyFromRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:role/stackgroups-exec-*",
        "acs:ram:*:system:policy/AdministratorAccess"
      ]
    },
    {
      "Action": [
        "ram:ListPolicyAttachments",
        "ram:DetachPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:*"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
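
As an added audit helper that is not part of this page or of the ROS or RAM services: a small evaluator that answers whether the member role policy above permits a given action on a given resource, so you can confirm its scope (for example, that AttachPolicyToRole is limited to stackgroups-exec-* roles and the AdministratorAccess system policy, and that DeleteServiceLinkedRole only applies to the stackgroups-member service). The embedded policy is a condensed copy of the document above; the request ARNs and account ID used with it are constructed.

```python
"""Audit helper: does a RAM policy document allow a given request?
Added example, not ROS or RAM code; covers only the grammar the two
policies on this page use (Allow/Deny, Action, Resource, StringEquals)."""
from fnmatch import fnmatchcase

# Condensed copy of AliyunServiceRolePolicyForROSStackGroupsRDMember from above
# (the ListPolicyAttachments statement is omitted for brevity).
MEMBER_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["ram:CreateRole", "ram:GetRole", "ram:DeleteRole"],
     "Resource": "acs:ram:*:*:role/stackgroups-exec-*"},
    {"Effect": "Allow",
     "Action": ["ram:AttachPolicyToRole", "ram:DetachPolicyFromRole"],
     "Resource": ["acs:ram:*:*:role/stackgroups-exec-*",
                  "acs:ram:*:system:policy/AdministratorAccess"]},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {
         "ram:ServiceName": "stackgroups-member.ros.aliyuncs.com"}}},
]}


def _matches(value, patterns):
    # Action and Resource may be a string or a list; '*' is a glob wildcard.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringEquals":  # assumption: only StringEquals appears
            raise NotImplementedError(operator)
        if any(context.get(k) != v for k, v in pairs.items()):
            return False
    return True


def allows(policy, action, resource, context=None):
    """True if some Allow statement matches and no Deny statement does."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(action, stmt["Action"])
                and _matches(resource, stmt["Resource"])
                and _condition_met(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The context argument carries condition keys such as ram:ServiceName; without it, the conditional DeleteServiceLinkedRole statement does not match.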

View a service-linked role

After the system creates a service-linked role, go to the Roles page in the RAM console and search for AliyunServiceRoleForROSStackGroupsRDAdmin or AliyunServiceRoleForROSStackGroupsRDMember. Click the role name to view the following details:

  • Basic Information: Role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permissions tab: Click the policy name to view the policy content and the cloud resources it grants access to.

  • Trust Policy tab: View the trust policy content. The Service parameter identifies the trusted entity.

For more information, see View the information about a RAM role.

Delete a service-linked role

Before deleting a service-linked role, remove the associated resources:

  • AliyunServiceRoleForROSStackGroupsRDAdmin -- Delete all stack groups with service-managed permissions from the administrator account.

  • AliyunServiceRoleForROSStackGroupsRDMember -- Delete the stack instances associated with the member accounts.

To delete a service-linked role:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the service-linked role and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the role name and click Delete Role.

Any attached policy is automatically detached when the role is deleted.

If deletion fails, click Role Deletion in the upper-right corner of the role list to view details.