Cloud Governance Center provides the following service-linked roles: AliyunServiceRoleForGovernance, AliyunServiceRoleForGovernanceSetup, AliyunServiceRoleForGovernanceNetworkBlueprint, and AliyunServiceRoleForGovernanceCloudNativeBlueprint. This topic describes how to create, view, or delete the service-linked roles.
Overview
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Service-linked roles can implement authorized access across services. The following table describes the service-linked roles that are provided by Cloud Governance Center.
Service-linked role | Service identifier | Policy
AliyunServiceRoleForGovernance | governance.aliyuncs.com | AliyunServiceRolePolicyForGovernance
AliyunServiceRoleForGovernanceSetup | setup.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceSetup
AliyunServiceRoleForGovernanceNetworkBlueprint | blueprint-network.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceNetworkBlueprint
AliyunServiceRoleForGovernanceCloudNativeBlueprint | blueprint-cloud-native.governance.aliyuncs.com | AliyunServiceRolePolicyForGovernanceCloudNativeBlueprint
For more information, see Service-linked roles.
AliyunServiceRoleForGovernance
Scenarios
This service-linked role is created for the management account of a resource directory. This role is suitable for the following scenarios:
When you initialize the resource structure of an enterprise, Cloud Governance Center must use this service-linked role to perform the relevant operations, such as enabling a resource directory, creating folders, creating members, and querying the trusteeship of the management account.
When Cloud Governance Center displays and manages the resource directory of your enterprise, it must use this service-linked role to obtain real-time information about the resource directory and perform the relevant operations, such as deleting folders and moving members.
Create the service-linked role
When you activate Cloud Governance Center, you must create this service-linked role. For more information, see Activate Cloud Governance Center.
View the service-linked role
After the AliyunServiceRoleForGovernance service-linked role is created, you can log on to the Resource Access Management (RAM) console by using the management account, and search for AliyunServiceRoleForGovernance on the Roles page. You can view the following information about the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view a service-linked role, see View the information about a RAM role.
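The trust policy check described above, combined with the service identifiers from the overview table, can be scripted as a periodic audit: each of the four Cloud Governance Center service-linked roles should trust exactly its own service identifier and nothing else. The following is an added example (not Alibaba Cloud's own code); it assumes the trust policy document is available as the JSON string shown in the RAM console, and the sample document is constructed for illustration.

```python
import json

# Expected trusted service per Cloud Governance Center service-linked role
# (from the overview table on this page).
EXPECTED_TRUSTED_SERVICE = {
    "AliyunServiceRoleForGovernance": "governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceSetup": "setup.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceNetworkBlueprint": "blueprint-network.governance.aliyuncs.com",
    "AliyunServiceRoleForGovernanceCloudNativeBlueprint": "blueprint-cloud-native.governance.aliyuncs.com",
}
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    # RAM policy fields may be a single string or a list; normalize to a list.
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def audit_trust_policy(role_name, trust_policy_json):
    """Return findings for a role's trust policy; an empty list means the role
    trusts exactly the service identifier expected for that service-linked role."""
    expected = EXPECTED_TRUSTED_SERVICE[role_name]
    doc = json.loads(trust_policy_json)
    services, others = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        # Only Allow statements that grant sts:AssumeRole decide who can assume the role.
        if stmt.get("Effect") != "Allow" or not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            if ptype == "Service":
                services.update(_as_list(values))
            else:  # e.g. a RAM user or account, which no service-linked role should trust
                others.update(f"{ptype}:{v}" for v in _as_list(values))
    findings = []
    if expected not in services:
        findings.append(f"missing expected trusted service {expected}")
    findings += [f"unexpected trusted service {s}" for s in sorted(services - {expected})]
    findings += [f"non-service principal can assume role: {p}" for p in sorted(others)]
    return findings


# Constructed sample in the RAM trust policy document format (not copied from a console).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": ["setup.governance.aliyuncs.com"]}}],
})
```

Running audit_trust_policy("AliyunServiceRoleForGovernanceSetup", SAMPLE_TRUST_POLICY) returns an empty list; any extra service or non-service principal shows up as a finding to investigate.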
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.
If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceSetup
Scenarios
This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:
The role is required when you configure a feature for a member of your resource directory. For example, if you want to configure the log delivery auditing feature, Cloud Governance Center must use the role to create a RAM role that has the required permissions. The RAM role is used to perform operations that are specific to the feature.
When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.
Create the service-linked role
When Cloud Governance Center builds a landing zone, the system automatically creates this service-linked role for the required member.
View the service-linked role
After the AliyunServiceRoleForGovernanceSetup service-linked role is created, you can log on to the RAM console by using the member, and search for AliyunServiceRoleForGovernanceSetup on the Roles page. You can view the following information about the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.
Before you delete the service-linked role from the member, you must delete the member from the resource directory.
If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceNetworkBlueprint
Scenarios
This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:
The role is required when you configure network settings for a member of your resource directory. For example, if you want to configure a Cloud Enterprise Network (CEN) instance for a shared service account, Cloud Governance Center must use the role to activate CEN, create a CEN instance, and configure routing rules.
When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.
Create the service-linked role
When you initialize network settings, Cloud Governance Center automatically creates the service-linked role within the required member.
View the service-linked role
After the AliyunServiceRoleForGovernanceNetworkBlueprint service-linked role is created, you can log on to the RAM console by using the member, and search for AliyunServiceRoleForGovernanceNetworkBlueprint on the Roles page. You can view the following information about the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.
Before you delete the service-linked role from the member, you must delete the member from the resource directory.
If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
AliyunServiceRoleForGovernanceCloudNativeBlueprint
Scenarios
This service-linked role is created for a member of a resource directory. This role is suitable for the following scenarios:
The role is required when you configure cloud-native settings for a member of your resource directory. For example, if you want to configure a Kubernetes cluster for a shared service account, Cloud Governance Center must use the role to activate Container Service for Kubernetes (ACK) and create a Kubernetes cluster.
When you want to delete the service-linked role, Cloud Governance Center uses the service-linked role to query the resource directory to which the member belongs and determines whether the service-linked role can be deleted.
Create the service-linked role
When you initialize cloud-native settings, Cloud Governance Center automatically creates the service-linked role within the required member.
View the service-linked role
After the AliyunServiceRoleForGovernanceCloudNativeBlueprint service-linked role is created, you can log on to the RAM console by using the member, and search for AliyunServiceRoleForGovernanceCloudNativeBlueprint on the Roles page. You can view the following information about the role:
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab, you can click the policy name to view the policy document.
Note: You cannot view the permission policy that is attached to a service-linked role on the Policies page in the RAM console. You can view the permission policy only on the role details page.
Trust policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy is a policy that contains the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use Cloud Governance Center for an extended period of time or if you want to delete your Alibaba Cloud account, you may need to manually delete the service-linked role.
Before you delete the service-linked role from the member, you must delete the member from the resource directory.
If the service-linked role is not used by cloud resources, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.