AliyunServiceRoleForServiceMesh is a service-linked role that is provided by Resource Access Management (RAM) to grant Service Mesh (ASM) the access permissions on other Alibaba Cloud resources. This topic describes how to create and delete the service-linked role for ASM.
Background information
Service-linked roles are RAM roles that only the linked Alibaba Cloud services can assume. AliyunServiceRoleForServiceMesh is the service-linked role that is used to grant ASM the access permissions on other Alibaba Cloud services, such as Container Service for Kubernetes (ACK), Virtual Private Cloud (VPC), Classic Load Balancer (CLB), Simple Log Service (SLS), Managed Service for OpenTelemetry, Application Real-Time Monitoring Service (ARMS), and Cloud Enterprise Network (CEN). For more information, see Service-linked roles.
Precautions
By default, Alibaba Cloud accounts have the permissions to create the service-linked role for ASM. To create the service-linked role for ASM as a RAM user, you must attach the CreateServiceLinkedRole policy to the RAM user. For more information, see Grant permissions to the RAM user.
{
"Statement": [
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "servicemesh.aliyuncs.com"
}
}
}
],
"Version": "1"
}Create the service-linked role for ASM
When you use ASM, the system checks whether the AliyunServiceRoleForServiceMesh service-linked role is created for your ASM service. If the service-linked role is not created for your ASM service, the system instructs you to create the service-linked role. You can click Create on the Service-linked Role for ASM page to create the service-linked role.
System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles. You can view the policies that are attached to a service-linked role on the details page of the service-linked role. For more information, see View the information about a RAM role.
Delete the service-linked role for ASM
If you do not need to use ASM or create ASM instances for a short period of time, you can delete the AliyunServiceRoleForServiceMesh service-linked role.
Before you can delete the AliyunServiceRoleForServiceMesh service-linked role, you must delete the ASM instances in all regions in the current account. Otherwise, the delete operation will fail. Each Alibaba Cloud account has only one AliyunServiceRoleForSerivceMesh service-linked role. After the AliyunServiceRoleForServiceMesh service-linked role is deleted from an Alibaba Cloud account, the Alibaba Cloud account and its RAM users can no longer use ASM or create ASM instances.
Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
On the Roles page, enter AliyunServiceRoleForServiceMesh in the search box. Then, find the AliyunServiceRoleForServiceMesh service-linked role and click Delete Role in the Actions column.
In the Delete Role dialog box , click Delete Role.
NoteWhen you delete the service-linked role, Deleting appears in the Actions column. The delete operation takes a few seconds to complete. After the role is deleted, a success message appears. If the service-linked role fails to be deleted, click View Details in the error message and troubleshoot the error.