This topic describes the service-linked role AliyunServiceRoleForVpn of VPN Gateway.
Background information
A service-linked role is a Resource Access Management (RAM) role that can be assumed by the linked service. A service can assume the service-linked role to access other cloud resources. Service-linked roles help you better manage the operation permissions that are required by cloud services and prevent risks caused by accidental operations. For more information, see Service-linked roles.
Create the service-linked role AliyunServiceRoleForVpn
When you create a VPN gateway, the system automatically creates the service-linked role AliyunServiceRoleForVpn. A policy named AliyunServiceRolePolicyForVpn is attached to this role. This policy allows a VPN gateway to access other cloud resources. The policy contains the following permissions:
If the service-linked role AliyunServiceRoleForVpn already exists, the system does not create it again.
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:DescribeVSwitchAttributes",
"vpc:TagResources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:CreateSecurityGroupPermission",
"ecs:AuthorizeSecurityGroupPermission",
"ecs:RevokeSecurityGroupPermission",
"ecs:JoinSecurityGroupPermission",
"ecs:DeleteSecurityGroupPermission",
"ecs:LeaveSecurityGroupPermission",
"ecs:DescribeSecurityGroupPermissions",
"ecs:AttachNetworkInterfacePermissions",
"ecs:DetachNetworkInterfacePermissions",
"ecs:AssignPrivateIpAddresses",
"ecs:UnassignPrivateIpAddresses",
"ecs:DescribeNetworkInterfaceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "vpn.aliyuncs.com"
}
}
}
]
}
Delete the service-linked role AliyunServiceRoleForVpn
You can delete the service-linked role AliyunServiceRoleForVpn only if no VPN gateway exists within your Alibaba Cloud account. For more information, see the following sections of related topics:
Delete a VPN gateway section of the "Create and manage a VPN gateway" topic
Delete a service-linked role section of the "Service-linked roles" topic
FAQ
Why am I unable to create the service-linked role AliyunServiceRoleForVpn by using a RAM user?
By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForVpn. If a RAM user wants to create the service-linked role, you must first use the Alibaba Cloud account to grant the required permissions to the RAM user.
You must create a custom policy and attach it to the RAM user. Then, the RAM user can create the service-linked role AliyunServiceRoleForVpn. The following code provides an example. For more information, see Create custom policies and Grant permissions to a RAM role.
{
"Statement": [
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "vpn.aliyuncs.com"
}
}
}
],
"Version": "1"
}