This topic describes the service-linked role AliyunServiceRoleForVpn. A VPN gateway can assume this role to access other cloud resources.

Background information

A service-linked role is a Resource Access Management (RAM) role that can be assumed by the linked service. A service can assume the service-linked role to access other cloud resources. Service-linked roles simplify the authorization process and prevent user errors. For more information, see Service-linked roles.

Create the service-linked role AliyunServiceRoleForVpn

When you create a VPN gateway, the system automatically creates the service-linked role AliyunServiceRoleForVpn. This role contains a policy named AliyunServiceRolePolicyForVpn, which allows a VPN gateway to access other cloud resources. The policy contains the following content:

Note If the service-linked role AliyunServiceRoleForVpn already exists, the system does not create it again. 
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the service-linked role AliyunServiceRoleForVpn

You can delete the service-linked role AliyunServiceRoleForVpn only when no VPN gateway exists within your Alibaba Cloud account. For more information, see the following topics:
  1. Delete a VPN gateway
  2. Delete a service-linked role

FAQ

Why am I unable to create the service-linked role AliyunServiceRoleForVpn by using a RAM user?

By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForVpn. If a RAM user wants to create the service-linked role, you must first use the Alibaba Cloud account to grant the required permissions to the RAM user.

You must create the following policy and attach it to the RAM user. Then, the RAM user can create the service-linked role AliyunServiceRoleForVpn. For more information, see Create a custom policy and Grant permissions to a RAM role. 

{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "vpn.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}

References

Create and manage a VPN gateway