All Products
Search

This Product

    Global Accelerator:AliyunServiceRoleForGaFlowlog

    Document Center

    Global Accelerator:AliyunServiceRoleForGaFlowlog

    Last Updated:Mar 11, 2024

    This topic describes the scenarios of the service-linked role AliyunServiceRoleForGaFlowlog and how to create and delete the service-linked role.

    Overview

    AliyunServiceRoleForGaFlowlog is a service-linked role of Global Accelerator (GA). After you create AliyunServiceRoleForGaFlowlog, GA can access your Log Service and deliver logs to Log Service.
    Note A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some scenarios, to use a feature of a cloud service, you must obtain the permissions to access other cloud services. Service-linked roles simplify the authorization process and avoid risks caused by user errors. For more information, see Service-linked roles.

    Permissions required to create AliyunServiceRoleForGaFlowlog

    You can use an Alibaba Cloud account to create AliyunServiceRoleForGaFlowlog. If you want to create AliyunServiceRoleForGaFlowlog as a RAM user, the RAM user must first obtain the following permissions:
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "flowlog.ga.aliyuncs.com"
        }
      }
}
    You can grant the RAM user the required permissions in one of the following ways:
    • Attach the administrator permission policy AliyunGlobalAccelerationFullAccess to the RAM user. For more information, see Grant permissions to a RAM role.
      Note The permission to create a service-linked role is included in AliyunGlobalAccelerationFullAccess. Therefore, you can create a service-linked role as a RAM user after you attach AliyunGlobalAccelerationFullAccess to the RAM user.
    • Create a custom permission policy and attach it to the RAM user. The following code block shows the content of the custom permission policy:
      {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "flowlog.ga.aliyuncs.com"
        }
      }
}

      For more information, see Create custom policies and Grant permissions to a RAM role.

    Create AliyunServiceRoleForGaFlowlog

    After you enable the log delivery feature of flow logs for GA, the system automatically creates the service-linked role AliyunServiceRoleForGaFlowlog, and attaches a permission policy named AliyunServiceRolePolicyForGaFlowlog to it. The permission policy allows GA to access flow logs. The following code block shows the content of the permission policy:
    {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "flowlog.ga.aliyuncs.com"
        }
      }
    }
  ]
}

    Delete AliyunServiceRoleForGaFlowlog

    The system cannot automatically delete the service-linked role AliyunServiceRoleForGaFlowlog of GA. To manually delete AliyunServiceRoleForGaFlowlog, delete all GA instances first. For more information, see Delete a service-linked role.