The first time you use Secure Access Service Edge (SASE), you must create a service-linked role so that SASE can access resources in other Alibaba Cloud services. This is a one-time setup — Alibaba Cloud creates the role automatically when you log on to the SASE console for the first time.
Prerequisites
Before you begin, make sure that:
- SASE is activated
- Your Alibaba Cloud account or RAM user has permission to create and delete service-linked roles
If you are using a RAM user, the user must have the ram:CreateServiceLinkedRole permission scoped to csas.aliyuncs.com. Attach the following policy to the RAM user before proceeding:
```json
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "csas.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
```

Replace ID of your Alibaba Cloud account with your actual Alibaba Cloud account ID. For instructions on attaching policies, see Grant permissions to a RAM role.
How it works
SASE uses a service-linked role named AliyunServiceRoleForCsas to interact with other Alibaba Cloud services on your behalf. When you log on to the SASE console for the first time, the console prompts you to create this role. After the role is created, SASE can access services such as Identity as a Service (IDaaS) and Smart Access Gateway (SAG).
The role is backed by a system policy named AliyunServiceRolePolicyForCsas. You cannot rename or modify this policy.
For background on service-linked roles, see Service-linked roles.
Create the service-linked role
1. Log on to the SASE console.
2. In the Welcome to Secure Access Service Edge (SASE) dialog box, click Create.
3. Alibaba Cloud creates the AliyunServiceRoleForCsas service-linked role. To verify, go to the Roles page of the RAM console and search for AliyunServiceRoleForCsas.
Service-linked role permissions
The AliyunServiceRolePolicyForCsas policy grants SASE the following permissions:
| Service | Actions | Scope |
|---|---|---|
| ECS | Describe, create, delete, and modify security groups and network interfaces | All resources |
| RDS | Describe and modify security group configuration and IP whitelists | All resources |
| ApsaraDB for Redis (Tair) | Describe and modify security IPs and security group configuration | All resources |
| ApsaraDB for MongoDB | Describe and modify security IPs and security group configuration | All resources |
| PolarDB | Describe DB clusters and manage access whitelists | All resources |
| VPC | Describe and manage VPCs, vSwitches, VPN Gateways, customer gateways, VPN connections, Virtual Border Routers (VBRs), physical connections, and route tables | All resources |
| Cloud Enterprise Network (CEN) | Describe CENs and manage child instance attachments and grants | All resources |
| Smart Access Gateway (SAG) | Manage SAG traffic services, Cloud Connect Networks (CCNs), and SAG software instances | All resources |
| Simple Log Service (SLS) | Manage Projects, Logstores, indexes, dashboards, and saved searches | Projects prefixed with csas-project- |
| PrivateZone | Describe private zones and zone records | All resources |
| RAM | Delete the AliyunServiceRoleForCsas service-linked role | Scoped to csas.aliyuncs.com |
<details>
<summary>View the full policy JSON</summary>

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:RevokeSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:ModifySecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeGlobalDistributeCache",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeSecurityGroupConfiguration",
        "kvstore:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps",
        "dds:DescribeSecurityGroupConfiguration",
        "dds:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:DescribePhysicalConnections",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeVpnGateway",
        "vpc:DescribeCustomerGateways",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteEntryList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:GrantInstanceToCen",
        "cen:RevokeInstanceFromCen"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "smartag:CreateSmartAGTrafficService",
        "smartag:UpdateSmartAGTrafficService",
        "smartag:DeleteSmartAGTrafficSerivce",
        "smartag:ListSmartAGTrafficService",
        "smartag:DescribeSmartAccessGateways",
        "smartag:DescribeCloudConnectNetworks",
        "smartag:CreateCloudConnectNetwork",
        "smartag:ModifyCloudConnectNetwork",
        "smartag:DeleteCloudConnectNetwork",
        "smartag:CreateSmartAccessGatewaySoftware",
        "smartag:UpgradeSmartAccessGatewaySoftware",
        "smartag:DowngradeSmartAccessGatewaySoftware",
        "smartag:BindSmartAccessGateway",
        "smartag:UnbindSmartAccessGateway"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard"
      ],
      "Resource": "acs:log:*:*:project/csas-project-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZoneRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "csas.aliyuncs.com"
        }
      }
    }
  ]
}
```

</details>
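When reviewing what a service-linked role such as AliyunServiceRoleForCsas is allowed to do, it helps to summarize the policy per service and call out write-capable actions that apply to all resources without a condition, as opposed to the scoped SLS statement and the conditioned RAM statement above. The following auditor is an added example, not Alibaba Cloud's code; the list of write verbs is an assumption about Alibaba Cloud action naming, and the embedded policy is an abridged, constructed copy of the statements on this page.

```python
import json
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the AliyunServiceRolePolicyForCsas
# statements shown on this page (not the complete policy).
POLICY_JSON = """{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:ListProject", "log:CreateProject", "log:DeleteLogStore"],
     "Resource": "acs:log:*:*:project/csas-project-*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "csas.aliyuncs.com"}}}
  ]
}"""

# Assumption: action names starting with these verbs change state.
WRITE_VERBS = re.compile(r"^(Create|Delete|Modify|Update|Attach|Detach|Authorize|"
                         r"Revoke|Grant|Bind|Unbind|Upgrade|Downgrade|Clear|Post)")


def as_list(value):
    """RAM policies allow a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Group Allow actions by service; flag unconditioned writes on Resource "*"."""
    report = defaultdict(lambda: {"read": 0, "write": 0, "unscoped_writes": []})
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        conditioned = bool(stmt.get("Condition"))
        for action in as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            entry = report[service]
            if WRITE_VERBS.match(name):
                entry["write"] += 1
                if wildcard and not conditioned:
                    entry["unscoped_writes"].append(action)
            else:
                entry["read"] += 1
    return dict(report)


def audit_sample():
    return audit_policy(json.loads(POLICY_JSON))
```

Running `audit_sample()` reports the ECS security-group writes as unscoped, while the SLS writes (limited to csas-project-* projects) and the conditioned RAM delete are not flagged.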
Delete the service-linked role
If you no longer need to use SASE, you can delete the AliyunServiceRoleForCsas service-linked role. Before you delete the role, you must release SASE. After you release SASE, follow these steps to delete the service-linked role in the RAM console:
1. Log on to the RAM console.
2. In the left-side navigation pane, choose Identities > Roles.
3. Search for AliyunServiceRoleForCsas and click Delete Role in the Actions column.
4. In the Delete Role dialog box, enter the role name and click Delete Role.