A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Auto Scaling can access other Alibaba Cloud services and resources only after it assumes a service-linked role.
In most cases, a service-linked role is automatically created when you perform an operation. If a service-linked role fails to be created or Auto Scaling does not support automatic creation of a service-linked role, you must manually create the service-linked role.
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view information about the system policy of a specified service-linked role, go to the details page of the specified service-linked role. For more information, see AliyunESSFullAccess.
Scenarios
The first time you create a scaling group, you must manually create the AliyunServiceRoleForAutoScaling service-linked role for Auto Scaling. Auto Scaling can access cloud resources such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) only after it assumes the service-linked role.
If the AliyunServiceRoleForAutoScaling service-linked role is deleted, you must recreate it next time you create a scaling group.
Required permissions for a RAM user to use a service-linked role
Before you create or delete a service-linked role such as AliyunServiceRoleForAutoScaling as a RAM user, you must contact the administrator to either grant the RAM user the administrator permissions, or create a custom policy whose Action statement defines the following permissions and attach the custom policy to the RAM user:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For more information, see Permissions required to create and delete a service-linked role.
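The custom-policy option above can be reviewed before it is attached. The following is an added example, not code from the Alibaba Cloud documentation: it checks whether a policy document grants the two actions listed above and whether it grants anything beyond them. The function names and the sample policies are hypothetical and constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The two actions this page lists for managing service-linked roles.
NEEDED = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_slr_policy(policy_json):
    """Return (missing, excess) for a custom policy document.

    missing: needed actions that no Allow statement grants.
    excess:  Allow patterns other than the two needed actions, for example
             wildcards such as "ram:*". Resource, Condition and Deny
             statements are not evaluated in this sketch.
    """
    patterns = [
        action
        for stmt in json.loads(policy_json).get("Statement", [])
        if stmt.get("Effect") == "Allow"
        for action in as_list(stmt.get("Action"))
    ]
    missing = [a for a in NEEDED if not any(fnmatchcase(a, p) for p in patterns)]
    excess = sorted({p for p in patterns if p not in NEEDED})
    return missing, excess

def make_policy(action):
    """Build a constructed sample policy granting `action` on all resources."""
    return json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": "*"}]})

# Constructed sample policies, not taken from any real account.
SCOPED = make_policy(list(NEEDED))
BROAD = make_policy("ram:*")
CREATE_ONLY = make_policy("ram:CreateServiceLinkedRole")

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD),
                      ("create-only", CREATE_ONLY)):
        print(name, audit_slr_policy(doc))
```

A policy that passes with empty `missing` and `excess` lists grants exactly the two actions; a wildcard such as `ram:*` satisfies the requirement but is reported as excess.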
Create a service-linked role
The first time you activate Auto Scaling, the system checks whether your account contains the AliyunServiceRoleForAutoScaling service-linked role. If the service-linked role does not exist, the Auto Scaling console prompts you that you do not have the required permissions. In this case, you must authorize the system to automatically create the service-linked role. For more information, see Create the AliyunServiceRoleForAutoScaling service-linked role.
After a service-linked role is created, a trusted entity or a cloud service can assume the role to access other cloud resources such as ECS instances, VPCs, and ApsaraDB RDS databases. You may need to pay for specific resources when you use them.
You can also manually create the service-linked role by using the RAM console or calling an API operation. For more information, see Create a service-linked role and CreateServiceLinkedRole.
View a service-linked role
After you create the AliyunServiceRoleForAutoScaling service-linked role, you can log on to the RAM console and go to the Roles page to search for and view the role.
The AliyunServiceRoleForAutoScaling service-linked role contains the AliyunServiceRolePolicyForAutoScaling system policy. The policies that a service-linked role provides are determined by the cloud service of the service-linked role. You cannot add, modify, or delete policies within a service-linked role. You can go to the details page of a service-linked role to view its policies. The following figure shows the details page of the AliyunServiceRoleForAutoScaling service-linked role. For more information, see View the information about a RAM role.
Details of the AliyunServiceRoleForAutoScaling service-linked role:
Basic Information
In the Basic Information section of the AliyunServiceRoleForAutoScaling role details page, you can view the basic information of the role, including the role name, creation time, ARN, and description.
Permissions
On the Permissions tab of the AliyunServiceRoleForAutoScaling role details page, you can click the name of a policy to view the policy content and the cloud resources that the role can access.
Trust Policy
On the Trust Policy tab of the AliyunServiceRoleForAutoScaling role details page, you can view the content of the trust policy. A trust policy is a policy that describes the trusted entity of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view a service-linked role, see View the information about a RAM role.
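Reading the Service field, as described for the Trust Policy tab above, can also be done over trust policy JSON copied from that tab when reviewing roles. The following is an added example, not code from the Alibaba Cloud documentation: it lists the trusted entities of a role and reports any principal other than the expected cloud service. The function names, the service name `autoscaling-service.example`, and the account ID are constructed placeholders, not real values.

```python
import json

def as_list(value):
    """Principal fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def trusted_entities(trust_policy_json):
    """Collect principals from Allow statements, grouped by principal type."""
    found = {}
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, names in stmt.get("Principal", {}).items():
            found.setdefault(kind, set()).update(as_list(names))
    return found

def check_service_linked_trust(trust_policy_json, expected_service):
    """Return findings; an empty list means only expected_service is trusted."""
    entities = trusted_entities(trust_policy_json)
    services = entities.pop("Service", set())
    findings = []
    if expected_service not in services:
        findings.append(f"expected service {expected_service} is not trusted")
    for extra in sorted(services - {expected_service}):
        findings.append(f"unexpected service principal: {extra}")
    for kind in sorted(entities):  # any principal type other than Service
        for name in sorted(entities[kind]):
            findings.append(f"non-service principal ({kind}): {name}")
    return findings

# Constructed placeholders: not the real service name or a real account.
SERVICE = "autoscaling-service.example"
ACCOUNT = "acs:ram::0000000000000000:root"

def make_trust(principal):
    """Build a constructed trust policy with the given Principal element."""
    return json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]})

SERVICE_ONLY = make_trust({"Service": [SERVICE]})
MIXED = make_trust({"Service": [SERVICE], "RAM": [ACCOUNT]})

if __name__ == "__main__":
    print(check_service_linked_trust(SERVICE_ONLY, SERVICE))
    print(check_service_linked_trust(MIXED, SERVICE))
```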
Delete a service-linked role
Before you delete the AliyunServiceRoleForAutoScaling service-linked role, you must delete the resources of Auto Scaling in all regions within your Alibaba Cloud account, including scaling groups, scheduled tasks, and event-triggered tasks. Otherwise, the AliyunServiceRoleForAutoScaling service-linked role cannot be deleted.
After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you no longer need the AliyunServiceRoleForAutoScaling service-linked role, you can delete it. For example, if you no longer need to create scaling groups and manage Auto Scaling resources, you can delete the AliyunServiceRoleForAutoScaling service-linked role. For more information, see Delete a RAM role.