
Server Load Balancer:Use service-linked roles

Last Updated:Nov 10, 2023

To allow Application Load Balancer (ALB), Network Load Balancer (NLB), or Classic Load Balancer (CLB) to access other services, you must create a service-linked role, which can be assumed by ALB, NLB, or CLB. This topic describes the service-linked roles for ALB, NLB, and CLB.

In most cases, service-linked roles for services can be automatically created and deleted. A service-linked role simplifies the process of authorizing a service to access other services and reduces the risks caused by accidental operations.

Important

Service-linked roles consume the quota on Resource Access Management (RAM) roles. If the quota on RAM roles is exhausted, you can still create service-linked roles. However, you can no longer create other types of RAM roles. For more information, see Limits.

Sub-service | Service-linked role | Description
--- | --- | ---
ALB | AliyunServiceRoleForAlb | Allows ALB to access elastic network interfaces (ENIs), security groups, elastic IP addresses (EIPs), and Internet Shared Bandwidth instances.
ALB | AliyunServiceRoleForAlbLogDelivery | Allows ALB to access Simple Log Service.
ALB | AliyunServiceRoleForAlbClone | Allows ALB migrated from CLB to access the resources of other Alibaba Cloud services.
NLB | AliyunServiceRoleForNlb | Allows NLB to access the resources of other Alibaba Cloud services, such as Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), ENIs, EIPs, and Internet Shared Bandwidth instances.
CLB | AliyunServiceRoleForSlbLogDelivery | Allows CLB to access Simple Log Service and Object Storage Service (OSS).
CLB | AliyunServiceRoleForSlbHealthDiagnose | Allows CLB to access ECS.

Service-linked roles for ALB

AliyunServiceRoleForAlb

Role name: AliyunServiceRoleForAlb

Policy name: AliyunServiceRolePolicyForAlb

Permission description: Allows ALB to access ENIs, security groups, EIPs, and Internet Shared Bandwidth instances. ALB assumes this role to create and delete ALB instances and to change the configurations of ALB instances by managing ECS and VPC resources.

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec",
                "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:ModifyEipAddressAttribute",
                "vpc:DeleteIpv6InternetBandwidth",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:MoveResourceGroup",
                "vpc:TagResources",
                "cas:DescribeCACertificate",
                "yundun-waf:DescribeInstanceCompatible",
                "yundun-waf:CreateInstance",
                "eipanycast:AllocateAnycastEipAddress",
                "eipanycast:ModifyAnycastEipAddressAttribute",
                "eipanycast:ReleaseAnycastEipAddress",
                "eipanycast:AssociateAnycastEipAddress",
                "eipanycast:UnassociateAnycastEipAddress",
                "eipanycast:DescribeAnycastEipAddress",
                "eipanycast:ListAnycastEipAddresses"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "alb.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:PutBucket",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetObjectVersion",
                "oss:PutBucketCors"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:oss:*:*:alb-res-backup-*",
                "acs:oss:*:*:alb-res-backup-*/*"
            ]
        }
    ]
}

Prerequisites for deleting the service-linked role

If you no longer use the service-linked role AliyunServiceRoleForAlb, you can delete it. Then, ALB can no longer assume this role to create or manage resources. All ALB instances must be released before you can delete the service-linked role AliyunServiceRoleForAlb.

  • For more information about how to release ALB instances, see the Release an ALB instance section of the "Manage ALB instances" topic.

  • For more information about how to delete a service-linked role, see Delete a RAM role.
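To review any of the policy documents on this page for least-privilege red flags, here is an added Python example (not Alibaba Cloud's own tooling). It parses a RAM policy, lists the actions that can change state, flags those granted on Resource "*" with no Condition, and checks that ram:DeleteServiceLinkedRole is bound to the expected ram:ServiceName the way every policy above does. The embedded policy is a constructed, trimmed copy of the AliyunServiceRolePolicyForAlb shape; the full JSON of any role on this page can be passed in its place.

```python
import json
import re

# Constructed sample (trimmed, not the full document): the three-statement shape of
# AliyunServiceRolePolicyForAlb with a few actions from each statement.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
                    "vpc:AllocateEipAddress", "vpc:DescribeEipAddresses"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "alb.aliyuncs.com"}}},
        {"Action": ["oss:PutObject", "oss:GetObject"], "Effect": "Allow",
         "Resource": ["acs:oss:*:*:alb-res-backup-*", "acs:oss:*:*:alb-res-backup-*/*"]},
    ],
})

# Alibaba Cloud read-only API names start with Describe, List or Get.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)")

def _as_list(value):
    """Action and Resource may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def mutating_actions(policy: dict) -> list:
    """Every allowed action that can change state (not Describe/List/Get)."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            found.update(a for a in _as_list(st["Action"]) if not READ_ONLY.match(a))
    return sorted(found)

def unscoped_mutations(policy: dict) -> list:
    """Mutating actions granted on Resource "*" with no Condition (the widest grants)."""
    found = set()
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow" and "Condition" not in st
                and "*" in _as_list(st.get("Resource", []))):
            found.update(a for a in _as_list(st["Action"]) if not READ_ONLY.match(a))
    return sorted(found)

def slr_deletion_scoped(policy: dict, service_name: str) -> bool:
    """True if every ram:DeleteServiceLinkedRole grant is bound to service_name
    by a StringEquals condition on ram:ServiceName, as every policy on this page is."""
    for st in policy["Statement"]:
        if "ram:DeleteServiceLinkedRole" in _as_list(st.get("Action", [])):
            cond = st.get("Condition", {}).get("StringEquals", {})
            if cond.get("ram:ServiceName") != service_name:
                return False
    return True

def review(policy_json: str, service_name: str) -> dict:
    """Parse a policy document and return the findings of the three checks."""
    policy = json.loads(policy_json)
    return {"mutating": mutating_actions(policy),
            "unscoped_mutations": unscoped_mutations(policy),
            "slr_deletion_scoped": slr_deletion_scoped(policy, service_name)}
```

Run `review(SAMPLE_POLICY, "alb.aliyuncs.com")` to see the findings; on the full ALB policy the unscoped list is the set of write actions a reviewer would inspect first.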

AliyunServiceRoleForAlbLogDelivery

Role name: AliyunServiceRoleForAlbLogDelivery

Policy name: AliyunServiceRolePolicyForAlbLogDelivery

Permission description: Allows ALB to access Simple Log Service. After the access log feature is enabled for an ALB instance, the ALB instance delivers the collected log data to a Simple Log Service Logstore.

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.alb.aliyuncs.com"
        }
      }
    }
  ]
}

Prerequisites for deleting the service-linked role

Disable the access log feature of the ALB instance before you delete the service-linked role AliyunServiceRoleForAlbLogDelivery. For more information, see DisableLoadBalancerAccessLog.

AliyunServiceRoleForAlbClone

Role name: AliyunServiceRoleForAlbClone

Policy name: AliyunServiceRolePolicyForAlbClone

Permission description: The service-linked role for ALB instances migrated from CLB. Allows ALB-CloneCLB to access the resources of other Alibaba Cloud services.

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ros:CreateTemplateScratch",
                "ros:GetTemplateScratch",
                "ros:GenerateTemplateByScratch",
                "ros:DeleteTemplateScratch",
                "ros:PreviewStack",
                "ros:CreateStack",
                "ros:DeleteStack",
                "ros:GetStack",
                "ros:ListStacks",
                "ros:ListStackResources",
                "ros:GetStackResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "alb:CreateLoadBalancer",
                "alb:DeleteLoadBalancer",
                "alb:UpdateLoadBalancerAttribute",
                "alb:GetLoadBalancerAttribute",
                "alb:AttachCommonBandwidthPackageToLoadBalancer",
                "alb:DetachCommonBandwidthPackageFromLoadBalancer",
                "alb:EnableLoadBalancerAccessLog",
                "alb:DisableLoadBalancerAccessLog",
                "alb:EnableLoadBalancerIpv6Internet",
                "alb:DisableLoadBalancerIpv6Internet",
                "alb:DisableDeletionProtection",
                "alb:EnableDeletionProtection",
                "alb:CreateListener",
                "alb:DeleteListener",
                "alb:GetListenerAttribute",
                "alb:UpdateListenerAttribute",
                "alb:StartListener",
                "alb:StopListener",
                "alb:ListListenerCertificates",
                "alb:AssociateAclsWithListener",
                "alb:DissociateAclsFromListener",
                "alb:AssociateAdditionalCertificatesWithListener",
                "alb:DissociateAdditionalCertificatesFromListener",
                "alb:CreateRule",
                "alb:CreateRules",
                "alb:DeleteRules",
                "alb:DeleteRule",
                "alb:UpdateRuleAttribute",
                "alb:UpdateRulesAttribute",
                "alb:ListRules",
                "alb:DeleteAcl",
                "alb:CreateAcl",
                "alb:ListAcls",
                "alb:AddEntriesToAcl",
                "alb:RemoveEntriesFromAcl",
                "alb:ListAclEntries",
                "alb:ListAclRelations",
                "alb:ListServerGroupServers",
                "alb:ListServerGroups",
                "alb:CreateServerGroup",
                "alb:DeleteServerGroup",
                "alb:UpdateServerGroupAttribute",
                "alb:UpdateServerGroupServersAttribute",
                "alb:AddServersToServerGroup",
                "alb:RemoveServersFromServerGroup",
                "alb:CreateHealthCheckTemplate",
                "alb:DeleteHealthCheckTemplates",
                "alb:UpdateHealthCheckTemplateAttribute",
                "alb:GetHealthCheckTemplateAttribute",
                "alb:ListTagResources",
                "alb:UnTagResources",
                "alb:TagResources",
                "alb:DescribeZones",
                "alb:ListAsynJobs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:Describe*",
                "slb:ListTagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "clone.alb.aliyuncs.com"
                }
            }
        }
    ]
}

Prerequisites for deleting the service-linked role

If you no longer need to migrate CLB instances to ALB instances, you can delete the service-linked role AliyunServiceRoleForAlbClone. For more information about how to delete a service-linked role, see Delete a RAM role.

Service-linked roles for NLB

AliyunServiceRoleForNlb

Role name: AliyunServiceRoleForNlb

Policy name: AliyunServiceRolePolicyForNlb

Permission description: Allows NLB to access the resources of other Alibaba Cloud services, such as ECS instances, VPCs, ENIs, EIPs, and Internet Shared Bandwidth instances.

Scenarios:

  • NLB assumes this role to access other cloud services.

  • NLB assumes this role to create and delete NLB instances and to change the configurations of NLB instances by managing ECS and VPC resources.

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterfacePermissions",
                "ecs:DetachNetworkInterfacePermissions",
                "ecs:AssignPrivateIpAddresses",
                "ecs:UnassignPrivateIpAddresses",
                "ecs:DescribeNetworkInterfaceAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroup",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:AuthorizeSecurityGroupPermission",
                "ecs:RevokeSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:JoinSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:LeaveSecurityGroupPermission",
                "ecs:DescribeSecurityGroupPermissions",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:DeleteCommonBandwidthPackage",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:DescribeCommonBandwidthPackages",
                "vpc:ModifyCommonBandwidthPackageSpec",
                "vpc:ModifyCommonBandwidthPackageChargeType",
                "vpc:ReleaseEipAddress",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:ModifyEipAddressAttribute",
                "vpc:DeleteIpv6InternetBandwidth",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:DescribeVSwitchAttributes",
                "vpc:MoveResourceGroup",
                "vpc:TagResources",
                "cas:DescribeCACertificate",
                "eipanycast:AllocateAnycastEipAddress",
                "eipanycast:ListAnycastEipAddresses",
                "eipanycast:AssociateAnycastEipAddress",
                "eipanycast:UnassociateAnycastEipAddress",
                "eipanycast:ReleaseAnycastEipAddress"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "nlb.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "oss:GetBucketInfo",
                "oss:PutObject",
                "oss:GetObject",
                "oss:PutBucket",
                "oss:PutBucketVersioning",
                "oss:GetBucketVersioning",
                "oss:GetObjectVersion",
                "oss:PutBucketCors"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:oss:*:*:nlb-res-backup-*",
                "acs:oss:*:*:nlb-res-backup-*/*"
            ]
        }
    ]
}

Prerequisites for deleting the service-linked role

If you no longer use the service-linked role AliyunServiceRoleForNlb, you can delete it. Then, NLB can no longer assume this role to create or manage NLB resources. All NLB instances must be released before you can delete the service-linked role AliyunServiceRoleForNlb.

  • For more information about how to release NLB instances, see the Release an NLB instance section of the "Create and manage an NLB instance" topic.

  • For more information about how to delete a service-linked role, see Delete a RAM role.

Service-linked roles for CLB

AliyunServiceRoleForSlbLogDelivery

Role name: AliyunServiceRoleForSlbLogDelivery (service name: logdelivery.slb.aliyuncs.com)

Policy name: AliyunServiceRolePolicyForSlbLogDelivery

Permission description: Allows CLB to access Simple Log Service and OSS.

Scenario: After the log delivery feature is enabled for a CLB instance, the CLB instance delivers log data to Simple Log Service or OSS.

Creation methods:

  • The service-linked role is created when you enable one of the following features: health check log, access log, or fine-grained monitoring.

  • The service-linked role is created when you call the SetLogsDownloadAttribute or SetAccessLogsDownloadAttribute operation.

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs",
        "oss:PutObject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "logdelivery.slb.aliyuncs.com"
        }
      }
    }
  ]
}

Prerequisites for deleting the service-linked role

If you no longer use the service-linked role AliyunServiceRoleForSlbLogDelivery, you can delete it. Then, CLB can no longer assume the role to access Simple Log Service or OSS. All CLB instances must be released before you can delete the service-linked role AliyunServiceRoleForSlbLogDelivery.

  • For more information about how to release CLB instances, see the Release a CLB instance section of the "Create and manage a CLB instance" topic.

  • For more information about how to delete a service-linked role, see Delete a RAM role.

AliyunServiceRoleForSlbHealthDiagnose

Role name: AliyunServiceRoleForSlbHealthDiagnose (service name: healthdiagnose.slb.aliyuncs.com)

Policy name: AliyunServiceRolePolicyForSlbHealthDiagnose

Permission description: Allows CLB to access ECS.

Scenario: CLB performs health checks based on the health check configurations of its listeners. CLB uses ECS Cloud Assistant to run scripts on the backend ECS instances to diagnose health check failures and generates health check reports that include the causes of errors and troubleshooting solutions.

Creation methods:

  • The service-linked role is created when you use the instance health check feature in the console.

  • The service-linked role is created when you call the DiagnoseHealthCheckStatus or DetectHealthCheckStatus operation.

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "healthdiagnose.slb.aliyuncs.com"
        }
      }
    }
  ]
}

Prerequisites for deleting the service-linked role

If you no longer use the service-linked role AliyunServiceRoleForSlbHealthDiagnose, you can delete it. Then, CLB can no longer assume this role to access ECS. All CLB instances must be released before you can delete the service-linked role AliyunServiceRoleForSlbHealthDiagnose.

  • For more information about how to release CLB instances, see the Release a CLB instance section of the "Create and manage a CLB instance" topic.

  • For more information about how to delete a service-linked role, see Delete a RAM role.