This topic describes the service-linked role AliyunServiceRoleForVpn. A VPN gateway can assume this role to access other cloud resources.
Background information
A service-linked role is a Resource Access Management (RAM) role that can be assumed by the linked service. A service can assume the service-linked role to access other cloud resources. Service-linked roles simplify the authorization process and prevent user errors. For more information, see Service-linked roles.
Create the service-linked role AliyunServiceRoleForVpn
When you create a VPN gateway, the system automatically creates the service-linked role AliyunServiceRoleForVpn. This role contains a policy named AliyunServiceRolePolicyForVpn, which allows a VPN gateway to access other cloud resources. The policy contains the following content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ]
}
Delete the service-linked role AliyunServiceRoleForVpn
FAQ
Why am I unable to create the service-linked role AliyunServiceRoleForVpn by using a RAM user?
By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForVpn. If a RAM user wants to create the service-linked role, you must first use the Alibaba Cloud account to grant the required permissions to the RAM user.
You must create the following policy and attach it to the RAM user. Then, the RAM user can create the service-linked role AliyunServiceRoleForVpn. For more information, see Create a custom policy and Grant permissions to a RAM role.
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}