A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Simple Application Server assumes a service-linked role to access other Alibaba Cloud services or cloud resources. In most cases, a service-linked role is automatically created when you perform an operation.
Resource Access Management (RAM) provides a system policy for each service-linked role. You cannot modify the system policy. To view the policy document of a specific service-linked role, go to its details page. For more information, see AliyunSWASFullAccess.
Scenarios
When you first use service interconnection to connect Simple Application Server with other Alibaba Cloud products, such as Elastic Compute Service (ECS) and ApsaraDB, in a virtual private cloud (VPC), Simple Application Server automatically creates the service-linked role AliyunServiceRoleForSwas. This role allows Simple Application Server to access related resources, such as VPCs.
Permissions required for a RAM user to use a service-linked role
To create or delete a service-linked role as a Resource Access Management (RAM) user, ask an administrator to grant the RAM user the AliyunSWASFullAccess permission. Alternatively, an administrator can add the following permissions for the RAM user in the Action statement of a custom policy:
Create a service-linked role:
ram:CreateServiceLinkedRole
Delete a service-linked role:
ram:DeleteServiceLinkedRole
For more information about how to grant permissions, see Permissions required to create and delete a service-linked role.
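The custom-policy option above, as an added example that is not part of the original documentation: a Python check that finds Allow statements granting ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole (directly or through a wildcard) and reports whether each is restricted by RAM's ram:ServiceName condition key, which this page does not mention. The function name, the sample policy and the service name value are constructed; take the real service name from the Service field of the role's trust policy.

```python
import fnmatch
import json

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")
# Placeholder, not the real value: read it from the Service field of the trust policy.
EXPECTED_SERVICE = "swas-service-name.placeholder"

def _as_list(value):
    """RAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_slr_grants(policy_json, expected_service=EXPECTED_SERVICE):
    """Report each Allow statement that grants the service-linked role actions."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        # Wildcards such as "ram:*" or "*" also grant the two actions.
        granted = [a for a in SLR_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if not granted:
            continue
        names = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if not names:
            scope = "unscoped"        # usable for any service's linked role
        elif all(n == expected_service for n in names):
            scope = "scoped"          # limited to the expected service
        else:
            scope = "other-service"   # scoped, but not only to the expected service
        findings.append({"statement": index, "actions": granted, "scope": scope})
    return findings

# Constructed sample policy for the demonstration.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
     "Condition": {"StringEquals": {"ram:ServiceName": EXPECTED_SERVICE}}},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:*"},
    {"Effect": "Allow", "Resource": "*", "Action": "ecs:DescribeInstances"},
]})

if __name__ == "__main__":
    for finding in audit_slr_grants(SAMPLE_POLICY):
        print(finding)
```

Only StringEquals conditions are recognized here, so a statement restricted by another operator is reported as unscoped and should be reviewed by hand.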
Create a service-linked role
The first time you use the service interconnection feature of Simple Application Server, the system checks whether the service-linked role AliyunServiceRoleForSwas exists in your Alibaba Cloud account. If the role does not exist, you must authorize the system to automatically create it. For more information, see Manage service interconnection.
View a service-linked role
After the service-linked role is created, go to the Roles page of the Resource Access Management (RAM) console and search for AliyunServiceRoleForSwas to view the following information about the role:
Basic information
On the details page of the AliyunServiceRoleForSwas role, the Basic Information section displays the role's basic information. This includes the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Access policy
On the details page of the AliyunServiceRoleForSwas role, click the Permission Management tab. Click an access policy name to view the policy document and the cloud resources that the role can access.
Trust policy
On the details page of the AliyunServiceRoleForSwas role, click the Trust Policy tab to view the trust policy. A trust policy describes the trusted entities that can assume a RAM role. For a service-linked role, the trusted entity is an Alibaba Cloud service. You can view this trusted entity in the Service field of the trust policy.
For more information about how to view a service-linked role, see View a RAM role.
Delete a service-linked role
After you delete a service-linked role, features that depend on the role no longer function correctly. Delete the role with caution.