
Global Accelerator: AliyunServiceRoleForGaCdt

Last Updated: Mar 11, 2024

If you set the billing method for network usage of a Global Accelerator (GA) instance to pay-by-data-transfer, your Alibaba Cloud account must have the service-linked role AliyunServiceRoleForGaCdt. If your Alibaba Cloud account does not have the service-linked role, the system creates the role for your account. Cloud Data Transfer (CDT) charges you for data transferred by the GA instance.

AliyunServiceRoleForGaCdt

AliyunServiceRoleForGaCdt is a service-linked role of GA. If you want to configure the billing method for network usage of a GA instance to pay-by-data-transfer, make sure that GA assumes the service-linked role AliyunServiceRoleForGaCdt.
Note: A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some cases, to use a feature of a cloud service, you must first acquire permissions to access other cloud services. Service-linked roles simplify the authorization process and prevent accidental operations. For more information about service-linked roles, see Service-linked roles.

Permissions required to create the service-linked role AliyunServiceRoleForGaCdt

By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForGaCdt. If a RAM user wants to create the service-linked role, you must first use the Alibaba Cloud account to grant the following permissions to the RAM user:
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "cdt.ga.aliyuncs.com"
    }
  }
}
You can grant the RAM user the required permissions by using one of the following methods:
  • Attach the administrator permission policy AliyunGlobalAccelerationFullAccess to the RAM user. For more information, see Grant permissions to a RAM role.
    Note: The permissions required to create the service-linked role AliyunServiceRoleForGaCdt are included in the administrator permission policy AliyunGlobalAccelerationFullAccess. After you attach the administrator permission policy to a RAM user, the RAM user can create the service-linked role AliyunServiceRoleForGaCdt.
  • Attach a custom permission policy to a RAM user. The following code block shows the content of the custom permission policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "cdt.ga.aliyuncs.com"
            }
          }
        }
      ]
    }

    For more information, see Create custom policies and Grant permissions to a RAM role.
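
The Condition block in the statement above is what limits ram:CreateServiceLinkedRole to the cdt.ga.aliyuncs.com service. The following script is an added example, not part of the original documentation or of any Alibaba Cloud tool: it checks a policy document for Allow statements that grant this action without that scope. The sample policies and the service name example.aliyuncs.com are constructed for illustration, and only the StringEquals operator is inspected, so a statement scoped by any other operator is reported as unscoped.

```python
import fnmatch

SERVICE = "cdt.ga.aliyuncs.com"        # service name used in the policy on this page
ACTION = "ram:CreateServiceLinkedRole"

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def grants_action(stmt):
    """True if an Action pattern covers ACTION ('*' wildcards; compared
    case-insensitively so the audit errs on the side of flagging)."""
    return any(fnmatch.fnmatchcase(ACTION.lower(), p.lower())
               for p in as_list(stmt.get("Action", [])))

def audit(policy):
    """Return (statement index, message) for each Allow statement that lets the
    holder create service-linked roles for services other than SERVICE."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not grants_action(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = set(as_list(cond.get("ram:ServiceName", [])))
        if not services:
            findings.append((i, "no ram:ServiceName condition"))
        elif services != {SERVICE}:
            extra = sorted(services - {SERVICE})
            findings.append((i, "other services allowed: " + ", ".join(extra)))
    return findings

def wrap(*statements):
    """Wrap statements in the Version/Statement envelope used by RAM policies."""
    return {"Version": "1", "Statement": list(statements)}

# Constructed sample statements (PAGE_STMT mirrors the statement on this page).
PAGE_STMT = {"Action": ACTION, "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}}
UNSCOPED = {"Action": "ram:*", "Resource": "*", "Effect": "Allow"}
TOO_WIDE = {"Action": [ACTION], "Resource": "*", "Effect": "Allow",
            "Condition": {"StringEquals": {
                "ram:ServiceName": [SERVICE, "example.aliyuncs.com"]}}}

if __name__ == "__main__":
    for name, doc in [("page policy", wrap(PAGE_STMT)),
                      ("mixed", wrap(PAGE_STMT, UNSCOPED, TOO_WIDE))]:
        print(name, audit(doc))
```
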

Create the service-linked role AliyunServiceRoleForGaCdt

When you set the billing method for network usage of a GA instance to pay-by-data-transfer, the system determines whether GA assumes the service-linked role AliyunServiceRoleForGaCdt.
  • If GA does not assume the service-linked role AliyunServiceRoleForGaCdt, the system creates the service-linked role and attaches the AliyunServiceRoleForGaCdt policy to the service-linked role. Then, GA obtains the permissions to access CDT by assuming the service-linked role. The following code block shows the content of the permission policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cdt:GetCdtCbServiceStatus",
            "cdt:GetCdtInternetServiceStatus",
            "cdt:GetCdtServiceStatus",
            "cdt:OpenCdtCbService",
            "cdt:OpenCdtInternetService",
            "cdt:OpenCdtService"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "cdt.ga.aliyuncs.com"
            }
          }
        }
      ]
    }
  • If your Alibaba Cloud account already has the service-linked role AliyunServiceRoleForGaCdt, the system does not create the service-linked role again.

Delete the service-linked role AliyunServiceRoleForGaCdt

The system does not delete the service-linked role AliyunServiceRoleForGaCdt. To delete the service-linked role, you must first delete the GA instance whose billing method for network usage is pay-by-data-transfer. Then, you can delete the service-linked role AliyunServiceRoleForGaCdt. For more information, see Delete a service-linked role.