This topic describes how to create the service-linked role AliyunServiceRoleForCloudSSO for CloudSSO, view the details of the role, and delete the role.

Scenarios

The service-linked role AliyunServiceRoleForCloudSSO grants CloudSSO the permissions to manage Resource Access Management (RAM) roles, RAM users, policies, and service providers (SPs) on your behalf. CloudSSO assumes this role to apply the permissions that you configure for your resource directory from a single place.

For more information about service-linked roles, see Service-linked roles.

Create the service-linked role

The service-linked role AliyunServiceRoleForCloudSSO is automatically created in the following scenarios:

  • When you create the CloudSSO directory, the service-linked role is automatically created within the management account of your resource directory.
  • The first time you provision an access configuration for a member account of your resource directory in CloudSSO, the service-linked role is automatically created within that member account.
  • The first time you configure RAM user provisioning for a member account of your resource directory in CloudSSO, the service-linked role is automatically created within that member account.

View the details of the service-linked role

After the service-linked role AliyunServiceRoleForCloudSSO is created, you can view the details of the role in the RAM console. The details include the basic information about the role, the trust policy of the role, and the permission policy AliyunServiceRolePolicyForCloudSSO that is attached to the role.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click AliyunServiceRoleForCloudSSO.
  4. View the basic information about the role.
    In the Basic Information section of the details page of the role, view information such as Role Name, Created, and ARN.
  5. View the trust policy of the role.
    On the details page of the role, click the Trust Policy Management tab and view the cloud service that can assume the role in the Service field. Example: "Service": ["cloudsso.aliyuncs.com"]. Only the CloudSSO service should appear here; if any other service, RAM user, or RAM role is listed as a principal, an identity other than CloudSSO can assume the role and inherit its permissions to manage RAM roles, users, policies, and SPs.
  6. View the permission policy AliyunServiceRolePolicyForCloudSSO that is attached to the role.
    1. On the details page of the role, click the Permissions tab.
    2. Click the policy AliyunServiceRolePolicyForCloudSSO.
    3. On the Policy Document tab of the page that appears, view the details of the permission policy.
    Note You cannot directly view the permission policy that is attached to the service-linked role on the Policies page in the RAM console.
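The trust policy check in step 5 can be automated, for example as part of a periodic review of the management account and every member account. The following script is an added example and is not part of the original documentation or of CloudSSO itself. It parses a RAM trust policy document in the JSON format shown in the console (the same document the RAM GetRole API returns in its AssumeRolePolicyDocument field, which is an assumption about how you would obtain it) and reports every principal other than cloudsso.aliyuncs.com that is allowed to assume the role. The two policy documents embedded below are constructed samples, including the masked account ID in the drifted one.

```python
import json

# Service principal that the page shows as the only legitimate one.
EXPECTED_SERVICE = "cloudsso.aliyuncs.com"

# Constructed sample: the trust policy as it should look for the
# service-linked role. Not copied from a live account.
SAMPLE_TRUST_POLICY = json.dumps({
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["cloudsso.aliyuncs.com"]},
        }
    ],
    "Version": "1",
})

# Constructed sample of a drifted policy: a second statement lets a RAM
# identity from another (placeholder, masked) account assume the role.
DRIFTED_TRUST_POLICY = json.dumps({
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["cloudsso.aliyuncs.com"]},
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": ["acs:ram::123456789012****:root"]},
        },
    ],
    "Version": "1",
})

# Constructed sample with no Allow statement at all: CloudSSO itself could
# no longer assume the role.
EMPTY_TRUST_POLICY = json.dumps({"Statement": [], "Version": "1"})


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy_json, expected_service=EXPECTED_SERVICE):
    """Return a list of findings; an empty list means the policy is as expected.

    Every Allow statement that grants sts:AssumeRole (or a wildcard covering it)
    must name only the expected service principal. Any other principal type
    (RAM, Federated, wildcard) or any other service is reported.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    allowed_services = set()
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal can assume the role")
            continue
        for ptype, members in principal.items():
            for member in _as_list(members):
                if ptype == "Service" and member == expected_service:
                    allowed_services.add(member)
                elif ptype == "Service":
                    findings.append(f"statement {i}: unexpected service principal {member}")
                else:
                    findings.append(f"statement {i}: unexpected {ptype} principal {member}")
    if expected_service not in allowed_services:
        findings.append(f"no Allow statement lets {expected_service} assume the role")
    return findings


def trust_policy_is_clean(policy_json, expected_service=EXPECTED_SERVICE):
    """True only when the expected service is the sole principal allowed to assume the role."""
    return not trust_policy_findings(policy_json, expected_service)


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TRUST_POLICY),
                      ("drifted", DRIFTED_TRUST_POLICY),
                      ("empty", EMPTY_TRUST_POLICY)):
        print(f"{name}: {trust_policy_findings(doc) or 'OK'}")
```

Feed the script the AssumeRolePolicyDocument of AliyunServiceRoleForCloudSSO from each account in which the role exists; any non-empty finding list means the trust relationship no longer matches what this page describes and should be investigated before CloudSSO is relied on for permission management in that account.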

Delete the service-linked role

You can delete the service-linked role AliyunServiceRoleForCloudSSO based on your business requirements.

  • Delete the service-linked role that is created within the management account of your resource directory

    Delete the CloudSSO directory first, and then manually delete the service-linked role AliyunServiceRoleForCloudSSO in the RAM console. CloudSSO needs this role for as long as the directory exists. For more information, see Delete a RAM role.

  • Delete the service-linked role that is created within a member of your resource directory

    If a member account is removed from your resource directory, the service-linked role AliyunServiceRoleForCloudSSO that was created within that member account is automatically deleted.