Elastic Compute Service: Service-linked roles

Last Updated: May 30, 2024

A service-linked role (SLR) is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Elastic Compute Service (ECS) uses service-linked roles to access other cloud services or resources. This topic describes the service-linked roles of ECS.

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view information about the system policy of a specific service-linked role, go to the details page of the service-linked role. For more information, see System Policy Reference.

Create a service-linked role

When you use specific features or services, ECS checks whether corresponding service-linked roles exist in the current account. You can grant ECS the permissions to automatically create service-linked roles. This way, when a required service-linked role does not exist in the account, ECS creates the role.

  • When you use Workbench, ECS automatically creates a service-linked role named AliyunServiceRoleForECSWorkbench. This service-linked role grants Workbench access to Alibaba Cloud services such as ECS and Elastic Container Instance.

    For more information, see Workbench service-linked role.

  • When you use the Operation Content and Result Delivery feature or the Session Record Delivery feature, ECS automatically creates a service-linked role named AliyunServiceRoleForECSArchiving. This service-linked role grants Cloud Assistant access to associated cloud resources. Cloud Assistant can assume the AliyunServiceRoleForECSArchiving role to deliver O&M task execution records and session records to a specific Object Storage Service (OSS) bucket or Simple Log Service project for persistent storage.

    For more information, see Manage the service-linked role for Cloud Assistant.

  • When you use Elastic Block Storage (EBS), ECS automatically creates a service-linked role named AliyunServiceRoleForEBS. This service-linked role grants EBS access to ECS.

    For more information, see Service-linked role for EBS.

  • When you use Image Builder, ECS automatically creates a service-linked role named AliyunServiceRoleForECSImageBuilder. This service-linked role grants Image Builder access to CloudOps Orchestration Service, ECS, and Virtual Private Cloud (VPC).

    For more information, see Manage the service-linked role for Image Builder.

  • When you create an auto provisioning group, ECS automatically creates a service-linked role named AliyunServiceRoleForAutoProvisioning. This service-linked role grants Auto Provisioning access to the associated Alibaba Cloud services, such as ECS, VPC, ApsaraDB RDS, and CloudMonitor.

    For more information, see Manage the service-linked role for Auto Provisioning.

Delete a service-linked role

Important

After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you no longer need a service-linked role, you can delete the service-linked role in the RAM console.

For more information, see the Delete a service-linked role section of the "Service-linked roles" topic.

Required permissions for a RAM user to use a service-linked role

Before you use a RAM user to create or delete a service-linked role, contact the administrator to do one of the following: attach the AliyunECSFullAccess system policy, which grants administrator permissions, to the RAM user, or add the following permissions to the Action element of a custom policy that is attached to the RAM user:

  • Create a service-linked role: ram:CreateServiceLinkedRole

  • Delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see the Permissions required to create and delete a service-linked role section of the "Service-linked roles" topic.
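To review which custom policies actually hand out the two permissions listed above, the following added example (not part of the original Alibaba Cloud documentation) scans a RAM policy document for Allow statements that cover them, including wildcard patterns. It assumes `*` glob matching compared case-insensitively, ignores Resource and NotAction, and uses a constructed sample policy in which the `ram:ServiceName` condition value is a placeholder.

```python
import json
from fnmatch import fnmatchcase

# The two RAM actions this page lists for managing service-linked roles.
SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

# Constructed sample policy; the condition value is a placeholder, not a real service name.
SAMPLE_POLICY = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:Describe*", "ram:CreateServiceLinkedRole"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ram:Delete*", "Resource": "*",
   "Condition": {"StringEquals": {"ram:ServiceName": "service.example.aliyuncs.com"}}},
  {"Effect": "Allow", "Action": "oss:GetObject", "Resource": "*"}
]}
"""

def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _covers(pattern, action):
    # Assumption: case-insensitive glob match, so the audit over-reports rather than misses.
    return fnmatchcase(action.lower(), pattern.lower())

def audit_slr_grants(policy_text):
    """Return (statement_index, action, matched_pattern, has_condition) per grant."""
    statements = _as_list(json.loads(policy_text).get("Statement"))
    # An unconditional Deny overrides any Allow for the same action.
    denied = {
        action
        for stmt in statements
        if stmt.get("Effect") == "Deny" and not stmt.get("Condition")
        for pattern in _as_list(stmt.get("Action"))
        for action in SLR_ACTIONS
        if _covers(pattern, action)
    }
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in SLR_ACTIONS:
                if action not in denied and _covers(pattern, action):
                    findings.append((index, action, pattern, bool(stmt.get("Condition"))))
    return findings

if __name__ == "__main__":
    for finding in audit_slr_grants(SAMPLE_POLICY):
        print(finding)
```

Findings whose last field is False are grants with no Condition element, which are the ones to review first when applying least privilege.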