Service-linked roles for ALB - Server Load Balancer - Alibaba Cloud Documentation Center

What is a service-linked role?

A service-linked role is a Resource Access Management (RAM) role that can be assumed by only the linked service. An Alibaba Cloud service may need to access other services to use a specific feature. Before you access a service, make sure that you are authorized to access the service.Service-linked roles simplify the authorization process and avoid risks caused by user errors. For more information, see Service-linked roles.

AliyunServiceRoleForAlb


Item	Description
Service-linked role	AliyunServiceRoleForAlb
Policy	AliyunServiceRolePolicyForAlb
Permissions	Allows Application Load Balancer to access your services such as elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), and EIP bandwidth plans. To create, delete, and change specifications of Application Load Balancer instances, you must use Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).
Policy syntax	{ "Version": "1", "Statement": [ { "Action": [ "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup", "vpc:RemoveCommonBandwidthPackageIp", "vpc:AddCommonBandwidthPackageIp", "vpc:DeleteCommonBandwidthPackage", "vpc:CreateCommonBandwidthPackage", "vpc:DescribeCommonBandwidthPackages", "vpc:ModifyCommonBandwidthPackageSpec", "vpc:ModifyCommonBandwidthPackageChargeType", "vpc:ReleaseEipAddress", "vpc:AllocateEipAddress", "vpc:AssociateEipAddress", "vpc:UnassociateEipAddress", "vpc:DescribeEipAddresses", "vpc:ModifyEipAddressAttribute", "vpc:DeleteIpv6InternetBandwidth", "vpc:AllocateIpv6InternetBandwidth", "vpc:DescribeIpv6Addresses", "vpc:DescribeIpv6Gateways", "vpc:MoveResourceGroup", "vpc:TagResources", "cas:DescribeCACertificate", "yundun-waf:DescribeInstanceCompatible", "yundun-waf:CreateInstance", "eipanycast:AllocateAnycastEipAddress", "eipanycast:ModifyAnycastEipAddressAttribute", "eipanycast:ReleaseAnycastEipAddress", "eipanycast:AssociateAnycastEipAddress", "eipanycast:UnassociateAnycastEipAddress", "eipanycast:DescribeAnycastEipAddress", "eipanycast:ListAnycastEipAddresses" ], "Resource": "", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "alb.aliyuncs.com" } } }, { "Action": [ "oss:GetBucketInfo", "oss:PutObject", "oss:GetObject", "oss:PutBucket", "oss:PutBucketVersioning", "oss:GetBucketVersioning", "oss:GetObjectVersion", "oss:PutBucketCors" ], "Effect": "Allow", "Resource": [ "acs:oss:::alb-res-backup-", "acs:oss:::alb-res-backup-/*" ] } ] }
Prerequisites for deleting the service-linked role	If you want to delete the service-linked role AliyunServiceRoleForAlb for Application Load Balancer, make sure that no Application Load Balancer instance exists in the current region. For more information, see Release an ALB instance.

AliyunServiceRoleForAlbLogDelivery


Item	Description
Service-linked role	AliyunServiceRoleForAlbLogDelivery
Policy	AliyunServiceRolePolicyForAlbLogDelivery
Permissions	Allows Application Load Balancer to access your Log Service. After you enable the access log feature, Application Load Balancer automatically delivers log files to the specified Logstore.
Policy syntax	`{ "Version": "1", "Statement": [ { "Action": [ "log:PostLogStoreLogs" ], "Resource": "", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "logdelivery.alb.aliyuncs.com" } } } ] }`
Prerequisites for deleting the service-linked role	If you want to delete the service-linked role AliyunServiceRoleForAlbLogDelivery for Application Load Balancer, disable the access log feature for the ALB instance first. For more information, see DisableLoadBalancerAccessLog.