Service Catalog: Service-linked role

Last Updated: Aug 29, 2023

This topic describes the scenarios and permissions of the AliyunServiceRoleForServiceCatalog service-linked role that is provided by Service Catalog. This topic also describes how to create and delete the service-linked role.

Scenarios

The AliyunServiceRoleForServiceCatalog service-linked role is a Resource Access Management (RAM) role that is provided by Service Catalog. Service Catalog can assume the service-linked role to access other services to implement a feature. For more information, see Service-linked roles.

When you launch a product as a user in Service Catalog, Service Catalog must assume the AliyunServiceRoleForServiceCatalog role to access the resources of Resource Orchestration Service (ROS).

Permissions

Service-linked role: AliyunServiceRoleForServiceCatalog

Policy that is attached to the service-linked role: AliyunServiceRolePolicyForServiceCatalog

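Description: This policy allows Service Catalog to verify and preview ROS templates, check for risks contained in ROS templates, and query the details, events, and resources of ROS stacks. The second statement allows ram:DeleteServiceLinkedRole only when ram:ServiceName is servicecatalog.aliyuncs.com.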

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ros:ValidateTemplate",
                "ros:PreviewStack",
                "ros:ListStackOperationRisks",
                "ros:GetStack",
                "ros:ListStackEvents",
                "ros:GetStackResource",
                "ros:ListStackResources"
            ],
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "servicecatalog.aliyuncs.com"
                }
            }
        }
    ]
}
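
To audit a copy of this policy exported from an account, the following added example (not part of the original documentation or of Service Catalog) flattens a policy document into individual grants and reports any that differ from the document shown above. The function names and the SAMPLE policy are constructed for illustration; how the observed policy is retrieved is left out.

```python
import json

# Baseline: the policy document shown on this page, compacted.
BASELINE = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "ros:ValidateTemplate", "ros:PreviewStack", "ros:ListStackOperationRisks",
     "ros:GetStack", "ros:ListStackEvents", "ros:GetStackResource",
     "ros:ListStackResources"]},
  {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
   "Condition": {"StringEquals": {"ram:ServiceName": "servicecatalog.aliyuncs.com"}}}
]}
""")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def grants(policy):
    """Flatten a policy into (effect, action, resource, condition) tuples."""
    out = set()
    for stmt in policy.get("Statement", []):
        # Serialize the Condition with sorted keys so equal conditions compare equal.
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                out.add((stmt.get("Effect", ""), action, resource, cond))
    return out

def drift(observed, baseline=BASELINE):
    """Return the grants added to, or removed from, the baseline."""
    obs, base = grants(observed), grants(baseline)
    return {"added": sorted(obs - base), "removed": sorted(base - obs)}

# Constructed sample: an extra action has appeared and the Condition that
# scopes ram:DeleteServiceLinkedRole to Service Catalog has been lost.
SAMPLE = json.loads(json.dumps(BASELINE))
SAMPLE["Statement"][0]["Action"].append("ros:DeleteStack")
del SAMPLE["Statement"][1]["Condition"]

if __name__ == "__main__":
    for kind, items in drift(SAMPLE).items():
        for effect, action, resource, cond in items:
            print(f"{kind:8}{effect} {action} on {resource} when {cond}")
```

A grant whose Condition changes appears once under "added" and once under "removed", so a lost ram:ServiceName restriction is reported even though the action list is unchanged.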

Create a service-linked role

When you activate Service Catalog for the first time, Service Catalog automatically creates a service-linked role named AliyunServiceRoleForServiceCatalog.

Delete the service-linked role

Before you can delete the AliyunServiceRoleForServiceCatalog role, you must terminate the product instances that are associated with the service-linked role. To delete the service-linked role, perform the following steps:

  1. Terminate the associated product instances.

    For more information, see the Terminate a product instance section of the "Manage a product instance" topic.

  2. Delete the service-linked role.

    For more information, see Delete a RAM role.