When you enable the disk encryption feature for a cloud computer, the Elastic Desktop Service system automatically creates a service-linked role AliyunServiceRoleForGwsDiskEncryption. This topic describes the scenarios, policies, and operations of the service-linked role specific to Elastic Desktop Service.
Background information
A service-linked role is a Resource Access Management (RAM) role that can be assumed only by the linked service. In most cases, a service automatically creates or deletes the service-linked role based on business requirements. A service-linked role streamlines the process of authorizing a service to access other services and reduces the risk of misoperations. For more information about service-linked roles, see Service-linked roles.
Scenario
During disk encryption, Elastic Desktop Service can use the AliyunServiceRoleForGwsDiskEncryption role to access Key Management Service (KMS) resources.
Permissions
The first time you enable the disk encryption feature for a cloud computer in Elastic Desktop Service, the system automatically creates a service-linked role and grants permissions to the role. The following section describes the details:
Role: AliyunServiceRoleForGwsDiskEncryption
Policy: AliyunServiceRolePolicyForGwsDiskEncryption
Permission description: This role is used only by Elastic Desktop Service to access KMS resources.
This policy contains the following permissions on cloud service access:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:eds:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "disk-encryption.gws.aliyuncs.com"
        }
      }
    }
  ]
}
Delete a service-linked role
If you want to delete the service-linked role AliyunServiceRoleForGwsDiskEncryption that is specific to Elastic Desktop Service, first delete the Elastic Desktop Service resources that were created based on the role, by using the EDS console or by calling API operations. That is, you must delete the cloud computers that have encrypted disks before you delete the role. For more information, see Delete a RAM role.
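The conditions in the AliyunServiceRolePolicyForGwsDiskEncryption policy in the Permissions section are easier to reason about when evaluated on concrete requests. The following Python script is an added example, not code from the Elastic Desktop Service documentation: it embeds that policy as a dict and a minimal evaluator that implements only the operators the policy uses (StringEquals, StringEqualsIgnoreCase and wildcard matching) as a teaching model, not Alibaba Cloud's RAM engine; the key ARN and request contexts used with it are constructed samples.

```python
import fnmatch

# The AliyunServiceRolePolicyForGwsDiskEncryption policy from this topic, as a Python dict.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": ["acs:kms:*:*:*"],
     "Action": ["kms:ListKeys", "kms:ListAliases", "kms:ListResourceTags",
                "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"]},
    {"Effect": "Allow", "Resource": ["acs:kms:*:*:*"],
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:eds:instance-encryption": "true"}}},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": "disk-encryption.gws.aliyuncs.com"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Evaluate only the operators this policy uses; any other operator fails closed."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)  # a missing context key never satisfies a condition
            if actual is None:
                return False
            if operator == "StringEquals":
                matched = actual in _as_list(wanted)
            elif operator == "StringEqualsIgnoreCase":
                matched = actual.lower() in [w.lower() for w in _as_list(wanted)]
            else:
                return False
            if not matched:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified RAM evaluation: default deny, any matching Allow grants, explicit Deny wins.
    '*' in Action and Resource is a wildcard; matching is case-sensitive."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run against this policy, kms:Decrypt on a key is denied unless the request context carries the tag kms:tag/acs:eds:instance-encryption with value true in any letter case, while kms:ListKeys needs no tag and ram:DeleteServiceLinkedRole succeeds only for the disk-encryption.gws.aliyuncs.com service.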
Troubleshooting
Why is the service-linked role AliyunServiceRoleForGwsDiskEncryption not created when I enable disk encryption for a cloud computer in Elastic Desktop Service as a RAM user?
The system automatically creates the service-linked role AliyunServiceRoleForGwsDiskEncryption on behalf of a RAM user only if the RAM user has the ram:CreateServiceLinkedRole permission. If the system does not create the service-linked role for a RAM user, attach a custom policy such as the following to the RAM user to grant the permission.
Replace <Alibaba Cloud account ID> with the ID of your Alibaba Cloud account. The ram:ServiceName condition limits the permission to the disk-encryption.gws.aliyuncs.com service, so the RAM user can create only this service-linked role.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:<Alibaba Cloud account ID>:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "disk-encryption.gws.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}