All Products
Search
Document Center

Cloud Config:Manage the AliyunServiceRoleForConfig service-linked role

Last Updated:Sep 26, 2024

The AliyunServiceRoleForConfig service-linked role is a RAM role that authorizes Cloud Config to access other Alibaba Cloud services in specific scenarios.

Note

For more information about service-linked roles, see Service-linked roles.

Scenarios

  • Cloud Config can retrieve resource configurations of other Alibaba Cloud services by assuming the AliyunServiceRoleForConfig role to call the API operations of these Alibaba Cloud services. The AliyunServiceRoleForConfig role allows Cloud Config to read the resource configurations.

  • You can specify an Object Storage Service (OSS) bucket to receive resource snapshots. The AliyunServiceRoleForConfig role allows Cloud Config to write snapshots to the specified bucket.

  • You can specify a Simple Log Service Logstore to receive resource change logs. The AliyunServiceRoleForConfig role allows Cloud Config to write logs to the specified Logstore.

  • You can specify a Simple Message Queue (formerly MNS) topic to receive notifications of resource events. The AliyunServiceRoleForConfig role allows Cloud Config to send notifications of resource events to the specified topic.

Role description

The following list describes the details of the AliyunServiceRoleForConfig service-linked role:

  • Role name: AliyunServiceRoleForConfig.

  • Policy attached to the role: AliyunServiceRolePolicyForConfig.

  • Policy description: This policy grants Cloud Config the permissions to read resource configurations of other Alibaba Cloud services, write resource snapshots to OSS buckets, write resource change logs to Simple Log Service Logstores, and send notifications of resource events to SMQ topics.

    Note

    For more information about the policy, see AliyunServiceRolePolicyForConfig.

Create the AliyunServiceRoleForConfig service-linked role

You can create the AliyunServiceRoleForConfig service-linked role in the Cloud Config console.

  • Single-account mode

    When you activate Cloud Config, the AliyunServiceRoleForConfig service-linked role is automatically created. For more information, see Activate Cloud Config.

  • Multi-account mode

    When you add all or some members in your resource directory to an account group, Cloud Config automatically creates the AliyunServiceRoleForConfig role for all members in the account group. For more information about account groups, see Overview.

Delete the AliyunServiceRoleForConfig service-linked role

Before you delete an account, you must delete the AliyunServiceRoleForConfig service-linked role of Cloud Config. You cannot directly delete the service-linked role. To delete the service-linked role, perform the following steps:

  1. Log on to the Cloud Config console and deactivate Cloud Config.

    For more information, see Deactivate Cloud Config.

  2. Log on to the RAM console and delete the AliyunServiceRoleForConfig role.

    For more information, see Delete a RAM role.

For more information about how to delete the AliyunServiceRoleForConfig service-linked role by using different accounts, see How do I delete the AliyunServiceRoleForConfig service-linked role?