The first time you use an exclusive resource group, DataWorks creates the service-linked role AliyunServiceRoleForDataWorks. You can use the role to access resources in a virtual private cloud (VPC), in an elastic network interface (ENI), and in a security group. This topic describes how to view the details of the service-linked role AliyunServiceRoleForDataWorks and how to create the service-linked role as a RAM user.
Background information
View the policy attached to AliyunServiceRoleForDataWorks
You can log on to the RAM console and perform the operations that are shown in the following figure to go to the details page of the service-linked role AliyunServiceRoleForDataWorks and view the basic information such as the name and creation time of the role.
Note: You can delete the service-linked role AliyunServiceRoleForDataWorks if you do not need to use the role. After you delete the service-linked role, you can no longer associate an exclusive resource group with a VPC. However, existing network connections are not affected.
To view the details of the policy that is attached to the service-linked role AliyunServiceRoleForDataWorks, you can click the name of the policy on the Permissions tab on the details page of the service-linked role. Sample policy details:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:AssignIpv6Addresses",
        "ecs:UnassignIpv6Addresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
Permissions required for you to create AliyunServiceRoleForDataWorks as a RAM user
If you want to create the service-linked role AliyunServiceRoleForDataWorks as a RAM user, make sure that the AliyunDataWorksFullAccess policy or the policy in the following sample code is attached to the RAM user.
Note: For information about how to create a custom policy, see Create a custom policy. For information about how to attach a policy to a RAM user, see Grant permissions to a RAM user.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dataworks:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "dataworks.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
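An added example, not part of the original page or of DataWorks itself: a Python check that flags any Allow statement granting ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole without the ram:ServiceName condition that both policies above use. The names slr_findings and LOOSE_POLICY, the wildcard handling, and the case-insensitive comparison are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

SLR_ACTIONS = ("ram:createservicelinkedrole", "ram:deleteservicelinkedrole")

def as_list(value):
    """The page shows both a bare string and a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def slr_findings(policy, allowed=("dataworks.aliyuncs.com",)):
    """Return (statement index, action, reason) for each Allow statement that grants a
    service-linked-role action without pinning ram:ServiceName to an allowed service."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: compare action names case-insensitively (conservative for an audit).
        patterns = [a.lower() for a in as_list(stmt.get("Action"))]
        # Wildcards such as "ram:*" also cover the service-linked-role actions.
        hit = [t for t in SLR_ACTIONS if any(fnmatchcase(t, p) for p in patterns)]
        if not hit:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = as_list(cond.get("ram:ServiceName"))
        if not services:
            reason = "no ram:ServiceName condition"
        elif set(services) - set(allowed):
            reason = "ram:ServiceName allows other services"
        else:
            continue
        findings.extend((idx, action, reason) for action in hit)
    return findings

# The RAM-user policy from this page (list-form condition value).
PAGE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": ["dataworks.aliyuncs.com"]}}}]}
""")
# Constructed counter-example (hypothetical): the same grant with the condition dropped.
LOOSE_POLICY = {"Version": "1", "Statement": [
    {"Action": ["ram:Create*"], "Resource": "*", "Effect": "Allow"}]}

if __name__ == "__main__":
    print(slr_findings(PAGE_POLICY))
    print(slr_findings(LOOSE_POLICY))
```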