Serverless App Engine (SAE) assumes the service-linked role AliyunServiceRoleForSAE to obtain access permissions on other Alibaba Cloud resources. This topic describes the scenarios to which the SAE service-linked role is applicable. This topic also describes how to create and delete the service-linked role.
Definition
In some cases, SAE may need to access another Alibaba Cloud service to implement a feature. For example, if you want to obtain information about resources such as virtual private clouds (VPCs) when you create an application, you can use the service-linked AliyunServiceRoleForSAE role to obtain required permissions to access the related services such as VPC. A service-linked role simplifies the process to authorize a service to access other services and reduces the risks caused by human errors. The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role. For more information, see Service-linked roles.
Permissions
Role name: AliyunServiceRoleForSAE
Policy attached to the role: AliyunServiceRolePolicyForSAE
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:RevokeSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:ModifySecurityGroupAttribute",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroupEgress",
"ecs:ModifySecurityGroupRule",
"ecs:DescribeSecurityGroupReferences",
"ecs:ModifySecurityGroupPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:AddTags",
"slb:CreateLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:DeleteLoadBalancer",
"slb:SetLoadBalancerStatus",
"slb:SetLoadBalancerName",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:ModifyLoadBalancerPayType",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerTCPListener",
"slb:CreateLoadBalancerUDPListener",
"slb:DeleteLoadBalancerListener",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:SetListenerAccessControlStatus",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttributes",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeListenerAccessControlAttribute",
"slb:AddListenerWhiteListItem",
"slb:RemoveListenerWhiteListItem",
"slb:AddBackendServers",
"slb:RemoveBackendServers",
"slb:SetBackendServers",
"slb:DescribeHealthStatus",
"slb:UploadServerCertificate",
"slb:DeleteServerCertificate",
"slb:DescribeServerCertificates",
"slb:SetServerCertificateName",
"slb:DescribeRegions",
"slb:CreateVServerGroup",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeVServerGroups",
"slb:AddVServerGroupBackendServers",
"slb:SetVServerGroupAttribute",
"slb:RemoveVServerGroupBackendServers",
"slb:DescribeRules",
"slb:SetRule",
"slb:CreateRules",
"slb:DeleteRules",
"slb:DescribeTags",
"slb:DeleteVServerGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeRegions",
"nas:CreateFileSystem",
"nas:DeleteFileSystem",
"nas:DescribeFileSystems",
"nas:ModifyFileSystem",
"nas:CreateMountTarget",
"nas:DeleteMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:CreateAccessGroup",
"nas:DeleteAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:CreateAccessRule",
"nas:DeleteAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:SetUserVolumeCountLimit"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches",
"vpc:DescribeVpcs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cr:GetUserInfo",
"cr:GetRegionList",
"cr:GetNamespaceList",
"cr:GetRepoListByNamespace",
"cr:GetRepoTags",
"cr:GetRepoList",
"cr:GetRepo",
"cr:GetAuthorizationToken",
"cr:PullRepository",
"cr:CreateRepository",
"cr:DeleteRepositoryTag",
"cr:PushRepository",
"cr:DeleteRepository",
"cr:UpdateRepository"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:GetRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"log:GetLogStore",
"log:ListLogStores",
"log:CreateLogStore",
"log:DeleteLogStore",
"log:UpdateLogStore",
"log:GetCursorOrData",
"log:ListShards",
"log:PostLogStoreLogs",
"log:CreateConfig",
"log:UpdateConfig",
"log:DeleteConfig",
"log:GetConfig",
"log:ListConfig",
"log:CreateMachineGroup",
"log:UpdateMachineGroup",
"log:DeleteMachineGroup",
"log:GetMachineGroup",
"log:ListMachineGroup",
"log:ListMachines",
"log:ApplyConfigToGroup",
"log:RemoveConfigFromGroup",
"log:GetAppliedMachineGroups",
"log:GetAppliedConfigs",
"log:GetLogStoreLogs",
"log:GetLogStoreHistogram",
"log:CreateProject",
"log:GetProject",
"log:GetIndex",
"log:CreateIndex",
"log:DeleteIndex",
"log:UpdateIndex",
"log:GetMachineGroups",
"log:RemoveConfigFromMachineGroup",
"log:DeleteProject"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"yundun-cert:DescribeUserCertificateList",
"yundun-cert:DescribeUserCertificateDetail"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"bss:DescribePrice",
"bss:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:QueryMetric"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oos:ListExecutions",
"oos:StartExecution",
"oos:DeleteExecutions",
"oos:CancelExecution",
"oos:GetTemplate",
"oos:CreateTemplate",
"oos:UpdateTemplate"
],
"Resource": "*",
"Effect": "Allow"
}
]
}Create the service-linked role
SAE automatically creates the service-linked role. If you have not created the service-linked role, the Welcome to Serverless App Engine (SAE) dialog box appears when you log on to the SAE console. Click Confirm to create the service-linked role.
Delete the service-linked role
If you want to delete the service-linked role, you must first delete all applications that are deployed on SAE within the current Alibaba Cloud account.
- After the service-linked role is deleted, you can no longer use SAE. Proceed with caution.
- If you still need to use SAE after you delete the service-linked role, log on to the SAE console to recreate the service-linked role. For more information, see Create the service-linked role.
- For information about how to delete applications, see Delete an application.
- For information about how to delete the service-linked role, see Delete a RAM role.