This topic describes the scenarios of service-linked roles for Application Load Balancer (ALB) and how to delete service-linked roles.

What is a service-linked role?

A service-linked role is a Resource Access Management (RAM) role that can be assumed only by the linked service. An Alibaba Cloud service may need to access other services to provide a specific feature, and it must be authorized to do so before it can access them. Service-linked roles simplify this authorization and avoid the risks caused by user errors in manually granted permissions. For more information, see Service-linked roles.

AliyunServiceRoleForAlb

Item                 Description
Service-linked role  AliyunServiceRoleForAlb
Policy               AliyunServiceRolePolicyForAlb
Permissions          Allows Application Load Balancer to access your services such as elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), and EIP bandwidth plans.

To create, delete, or change the specifications of Application Load Balancer instances, Application Load Balancer must use Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) resources, which is why the policy above grants the ECS and VPC actions listed below.

Policy syntax
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroup",
        "vpc:RemoveCommonBandwidthPackageIp",
        "vpc:AddCommonBandwidthPackageIp",
        "vpc:DeleteCommonBandwidthPackage",
        "vpc:CreateCommonBandwidthPackage",
        "vpc:DescribeCommonBandwidthPackages",
        "vpc:ModifyCommonBandwidthPackageSpec",
        "vpc:ModifyCommonBandwidthPackageChargeType",
        "vpc:ReleaseEipAddress",
        "vpc:AllocateEipAddress",
        "vpc:AssociateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:ModifyEipAddressAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "alb.aliyuncs.com"
        }
      }
    }
  ]
}

Prerequisites for deleting the service-linked role

If you want to delete the service-linked role AliyunServiceRoleForAlb for Application Load Balancer, make sure that no Application Load Balancer instance exists in the current region. For more information, see Release an ALB instance.

AliyunServiceRoleForAlbLogDelivery

Item                 Description
Service-linked role  AliyunServiceRoleForAlbLogDelivery
Policy               AliyunServiceRolePolicyForAlbLogDelivery
Permissions          Allows Application Load Balancer to access your Log Service.

After you enable the access log feature, Application Load Balancer automatically delivers log files to the specified Logstore.

Policy syntax
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.alb.aliyuncs.com"
        }
      }
    }
  ]
}

Prerequisites for deleting the service-linked role

If you want to delete the service-linked role AliyunServiceRoleForAlbLogDelivery for Application Load Balancer, disable the access log feature for the ALB instance first. For more information, see DisableLoadBalancerAccessLog.
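The two policy documents on this page share one security-relevant shape: a first statement that grants service actions on every resource, and a second statement that lets the role delete itself, constrained by a ram:ServiceName condition so that it cannot delete the service-linked roles of other services. The following Python script is an added example (not Alibaba Cloud tooling or code from this documentation) that reads both policy documents, copied from this page, and audits them the way a reviewer of a service-linked role would: it groups Allow actions by service, lists statements that grant Resource "*" without any Condition, and checks that ram:DeleteServiceLinkedRole is scoped to the expected service name. The UNSCOPED_POLICY variant is constructed for the example to show what the check flags when that condition is missing.

```python
import copy
import json
from collections import defaultdict

# Policy documents copied from the page. Everything else in this block is an
# added audit example, not Alibaba Cloud tooling.
ALB_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces",
                "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup", "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp", "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage", "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec", "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress", "vpc:AllocateEipAddress", "vpc:AssociateEipAddress",
                "vpc:DescribeEipAddresses", "vpc:ModifyEipAddressAttribute"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "alb.aliyuncs.com"}}}
  ]
}""")

LOG_DELIVERY_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "logdelivery.alb.aliyuncs.com"}}}
  ]
}""")

# Constructed negative case (not from the page): the same policy with the
# ram:ServiceName condition dropped, so the role could delete any service's role.
UNSCOPED_POLICY = copy.deepcopy(LOG_DELIVERY_POLICY)
del UNSCOPED_POLICY["Statement"][1]["Condition"]


def _listify(value):
    """RAM policy fields such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions_by_service(policy):
    """Group every Allow action by its service prefix ('ecs', 'vpc', 'ram', ...)."""
    grouped = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt["Action"]):
            grouped[action.split(":", 1)[0]].add(action)
    return {service: sorted(actions) for service, actions in grouped.items()}


def delete_role_scope(policy):
    """Sorted ram:ServiceName values that constrain ram:DeleteServiceLinkedRole,
    or None if any Allow statement grants that action without the condition."""
    scopes = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "ram:DeleteServiceLinkedRole" not in _listify(stmt["Action"]):
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            return None  # self-deletion granted without a service-name restriction
        scopes.update(_listify(names))
    return sorted(scopes)


def audit(policy, expected_service):
    """Findings a reviewer of a service-linked role policy would want to see."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if (stmt.get("Effect") == "Allow" and "*" in _listify(stmt["Resource"])
                and "Condition" not in stmt):
            count = len(_listify(stmt["Action"]))
            findings.append(f"statement {index}: {count} action(s) on Resource '*' with no Condition")
    scope = delete_role_scope(policy)
    if scope is None:
        findings.append("ram:DeleteServiceLinkedRole is not constrained by ram:ServiceName")
    elif scope != [expected_service]:
        findings.append(f"ram:DeleteServiceLinkedRole is scoped to {scope}, expected ['{expected_service}']")
    return findings


if __name__ == "__main__":
    cases = [("AliyunServiceRolePolicyForAlb", ALB_POLICY, "alb.aliyuncs.com"),
             ("AliyunServiceRolePolicyForAlbLogDelivery", LOG_DELIVERY_POLICY, "logdelivery.alb.aliyuncs.com"),
             ("constructed unscoped variant", UNSCOPED_POLICY, "logdelivery.alb.aliyuncs.com")]
    for name, policy, service in cases:
        print(name, {svc: len(acts) for svc, acts in allowed_actions_by_service(policy).items()})
        for finding in audit(policy, service):
            print("  finding:", finding)
```

Run as a script, the audit reports the wildcard-resource statement in each of the page's policies (informational for a service-linked role, since the linked service must reach resources it does not create itself) and confirms that self-deletion is scoped to alb.aliyuncs.com and logdelivery.alb.aliyuncs.com respectively; only the constructed variant produces the "not constrained" finding. The same functions can be pointed at any RAM policy document retrieved from your account to check that a role's self-deletion grant is still restricted to its own service.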