Global Accelerator:AliyunServiceRoleForGaSsl

Last Updated:Mar 11, 2024

If your Alibaba Cloud account is not assigned the service-linked role AliyunServiceRoleForGaSsl and you configure an HTTPS listener for a Global Accelerator (GA) instance, the system automatically creates the service-linked role AliyunServiceRoleForGaSsl.

Introduction to AliyunServiceRoleForGaSsl

AliyunServiceRoleForGaSsl is a service-linked role for Global Accelerator. When you configure an HTTPS listener for a Global Accelerator instance and you want to associate an SSL certificate with the HTTPS listener, Global Accelerator must be assigned the service-linked role.

Note

A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some cases, to use a feature of a cloud service, you must first acquire the permissions to access other cloud services. Service-linked roles simplify the authorization process and prevent accidental operations. For more information about service-linked roles, see Service-linked roles.

Permissions required to create the service-linked role AliyunServiceRoleForGaSsl

By default, an Alibaba Cloud account has the permissions to create the service-linked role AliyunServiceRoleForGaSsl. A RAM user must have the following permissions to create the service-linked role AliyunServiceRoleForGaSsl:

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "ssl.ga.aliyuncs.com"
    }
  }
}

You can use one of the following methods to grant a RAM user the permissions to create the service-linked role AliyunServiceRoleForGaSsl:

  • Attach the AliyunGlobalAccelerationFullAccess administrator policy to the RAM user. For more information, see Grant permissions to a RAM role.

    Note

    In most cases, the permissions to create the service-linked role AliyunServiceRoleForGaSsl are included in the AliyunGlobalAccelerationFullAccess administrator policy. If the administrator policy is attached to the RAM user, the RAM user can create the service-linked role AliyunServiceRoleForGaSsl.

  • Attach a custom policy to the RAM user. The following code block shows the content of the custom policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ssl.ga.aliyuncs.com"
            }
          }
        }
      ]
    }

For more information, see Create a custom policy and Grant permissions to a RAM role.

Create the service-linked role AliyunServiceRoleForGaSsl

When you configure an HTTPS listener for a Global Accelerator instance, the system determines whether Global Accelerator is assigned the service-linked role AliyunServiceRoleForGaSsl:

  • If the service-linked role AliyunServiceRoleForGaSsl is not assigned to Global Accelerator, the system automatically creates the service-linked role and adds a policy named AliyunServiceRoleForGaSsl to the service-linked role to grant Global Accelerator the permissions to access SSL certificates. The following code block shows the content of the policy:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "yundun-cert:GetUserCertificateDetail"
          ],
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ssl.ga.aliyuncs.com"
            }
          }
        }
      ]
    }
  • If the service-linked role AliyunServiceRoleForGaSsl is assigned to Global Accelerator, the service-linked role is not created again.
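The two policy documents on this page are both scoped by the same ram:ServiceName condition, which is what keeps them least-privilege: the RAM user's policy permits creating only this one service-linked role, and the role's own policy permits reading certificate details and deleting only itself. The following added example is not part of this documentation and is not Alibaba Cloud's policy engine; it is a deliberately small Python model of RAM policy evaluation (Allow/Deny, Action and Resource wildcards, the StringEquals condition) that you can run offline against the two policies above to see what each does and does not grant. The contrasting service name and the extra yundun-cert action used for comparison are constructed inputs, not values from this page.

```python
"""Minimal model of RAM policy evaluation, applied to the two policy
documents on this page (the RAM user's policy for creating the
service-linked role, and the policy attached to the role itself).

Added example, not Alibaba Cloud's real policy engine: it models only
Allow/Deny statements, Action/Resource wildcards and StringEquals,
which is all these two documents use.
"""
from fnmatch import fnmatchcase

# Permission a RAM user needs to create the service-linked role
# (statement taken from this page, wrapped in a complete policy document).
CREATE_SLR_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "ssl.ga.aliyuncs.com"}},
    }],
}

# Policy attached to AliyunServiceRoleForGaSsl itself (from this page).
SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["yundun-cert:GetUserCertificateDetail"],
         "Resource": "*"},
        {"Action": "ram:DeleteServiceLinkedRole",
         "Resource": "*",
         "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "ssl.ga.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every StringEquals key must be present in the request and equal."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Return True if `policy` grants `action` on `resource` for this request.

    Modelled semantics: an explicit Deny wins, a matching Allow permits the
    call, and a request that matches no statement is denied.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        action_match = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_match = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_match and resource_match):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_create_slr(service_name):
    """Can a RAM user holding CREATE_SLR_POLICY create the SLR for `service_name`?"""
    return is_allowed(CREATE_SLR_POLICY, "ram:CreateServiceLinkedRole",
                      context={"ram:ServiceName": service_name})


def slr_can(action, service_name="ssl.ga.aliyuncs.com"):
    """Can the service-linked role itself perform `action`?"""
    return is_allowed(SLR_POLICY, action, context={"ram:ServiceName": service_name})


if __name__ == "__main__":
    # The condition scopes the grant to this one service-linked role ...
    print(can_create_slr("ssl.ga.aliyuncs.com"))          # True
    # ... so the same policy does not cover other services' roles
    # (constructed service name, used only for contrast).
    print(can_create_slr("example-other.aliyuncs.com"))   # False
    # The role may read certificate details, but any yundun-cert action
    # not listed in the policy (constructed example below) is denied.
    print(slr_can("yundun-cert:GetUserCertificateDetail"))  # True
    print(slr_can("yundun-cert:DeleteUserCertificate"))     # False
    # It may delete only its own service-linked role, not others'.
    print(slr_can("ram:DeleteServiceLinkedRole"))                                 # True
    print(slr_can("ram:DeleteServiceLinkedRole", "example-other.aliyuncs.com"))   # False
```

When reviewing a policy like the custom one above, the check that matters is that the Condition block is present and names exactly ssl.ga.aliyuncs.com; an Allow on ram:CreateServiceLinkedRole without that condition would let the RAM user create service-linked roles for any service.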

Delete the service-linked role AliyunServiceRoleForGaSsl

The system does not automatically delete the Global Accelerator service-linked role AliyunServiceRoleForGaSsl. To delete the service-linked role, you must first delete the HTTPS listener of the Global Accelerator instance and then delete the service-linked role AliyunServiceRoleForGaSsl. For more information, see the following topics: