Identity as a Service: Service-linked role for IDaaS EIAM instances

Last Updated: Apr 17, 2024

AliyunServiceRoleFroEiam is the service-linked role for Identity as a Service (IDaaS) Enterprise Identity Access Management (EIAM). This topic describes the scenarios in which this service-linked role is used, the permissions it grants, and how to delete it.

Background information

AliyunServiceRoleFroEiam is a RAM role that allows IDaaS EIAM instances to access other Alibaba Cloud services to implement specific features. For more information, see Service-linked roles.

Scenarios

To implement the dedicated endpoint feature, IDaaS EIAM instances need to access your cloud resources: Elastic Compute Service (ECS) network resources (elastic network interfaces and security groups) and virtual private clouds (VPCs). In addition, IDaaS EIAM instances need to manage the secondary elastic network interfaces (ENIs) that they create in your VPC.

A dedicated endpoint allows IDaaS EIAM instances to connect to your VPC over a private network. This way, an instance can reach your Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) system or application without that system exposing a public port on the Internet. IDaaS EIAM instances can also access the Internet through an independent, fixed IP address, which meets the trusted IP address requirement of WeCom.

Role description

Role name: AliyunServiceRoleFroEiam

Role policy: AliyunServiceRolePolicyForEiam

Policy description:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:ModifyNetworkInterfaceAttribute",
                "ecs:DescribeNetworkInterfaceAttribute",
                "ecs:CreateSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:ModifySecurityGroupAttribute",
                "ecs:ModifySecurityGroupRule"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:DescribeNatGateways",
                "vpc:DescribeSnatTableEntries"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "eiam.aliyuncs.com"
                }
            }
        }
    ]
}
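Reading the document: the first two statements grant ECS network-interface and security-group actions and VPC read actions on `"Resource": "*"`, so the role may act on any ENI or security group in the account, not only the secondary ENIs it created. Only the third statement is scoped: the `ram:ServiceName` condition lets the role delete service-linked roles that belong to `eiam.aliyuncs.com` and no other service. The following script is an added example, not code from this page or from Alibaba Cloud. It embeds the policy above and answers such scope questions offline: which services the policy touches, which write actions are unconditional and account-wide, and whether a given action is permitted. The evaluator implements only what this document uses (Allow/Deny, `*` wildcards and the `StringEquals` operator) and is an approximation of RAM's evaluation for audit purposes, not RAM itself; the read/write split by action verb is a heuristic.

```python
"""Offline scope audit of AliyunServiceRolePolicyForEiam (added example)."""
from fnmatch import fnmatchcase

# The policy document exactly as shown above, as a Python literal.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateNetworkInterfacePermission", "ecs:DescribeNetworkInterfacePermissions",
            "ecs:DeleteNetworkInterfacePermission", "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface", "ecs:DescribeNetworkInterfaces",
            "ecs:ModifyNetworkInterfaceAttribute", "ecs:DescribeNetworkInterfaceAttribute",
            "ecs:CreateSecurityGroup", "ecs:RevokeSecurityGroup", "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupAttribute",
            "ecs:DescribeSecurityGroupReferences", "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupRule"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
            "vpc:DescribeNatGateways", "vpc:DescribeSnatTableEntries"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": "eiam.aliyuncs.com"}}},
    ],
}

# Heuristic (assumption): action names starting with these verbs only read state.
READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """RAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write(action):
    """True for actions that create, change or delete something."""
    return not action.split(":", 1)[1].startswith(READ_PREFIXES)


def services(policy):
    """Set of service prefixes the policy touches, e.g. {'ecs', 'vpc', 'ram'}."""
    return {a.split(":", 1)[0]
            for st in policy["Statement"] for a in _as_list(st["Action"])}


def condition_matches(condition, context):
    """Evaluate the StringEquals operator, the only one this document uses.
    A key absent from the request context never matches."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants the action, otherwise it is implicitly denied."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not condition_matches(st["Condition"], context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_write_actions(policy):
    """Write actions granted on Resource "*" with no Condition: the broadest
    grants, i.e. what the role can change anywhere in the account."""
    found = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "Condition" in st:
            continue
        if "*" not in _as_list(st["Resource"]):
            continue
        found.extend(a for a in _as_list(st["Action"]) if is_write(a))
    return found


if __name__ == "__main__":
    print("services:", sorted(services(POLICY)))
    print("unconditional account-wide write actions:")
    for action in unscoped_write_actions(POLICY):
        print("  ", action)
    # The SLR-deletion grant applies only to EIAM's own service-linked roles.
    for svc in ("eiam.aliyuncs.com", "ecs.aliyuncs.com"):
        ok = is_allowed(POLICY, "ram:DeleteServiceLinkedRole",
                        context={"ram:ServiceName": svc})
        print(f"delete SLR of {svc}: {'allowed' if ok else 'denied'}")
    # Not in the list: this policy does not let the role add security group rules.
    print("ecs:AuthorizeSecurityGroup:",
          "allowed" if is_allowed(POLICY, "ecs:AuthorizeSecurityGroup") else "denied")
```

Run it as-is to list the ten ECS write actions that apply account-wide without a condition; pass any other RAM policy document in the same shape to `unscoped_write_actions` to compare the blast radius of other service-linked roles. Because the evaluator only looks at this one document, a "denied" answer means "not granted by AliyunServiceRolePolicyForEiam", not that no other policy in the account grants it.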

Delete the service-linked role

Before you delete the service-linked role, you must release all IDaaS EIAM instances. RAM does not delete a service-linked role that is still in use, so a deletion request made while an IDaaS EIAM instance still exists fails.

  • For more information about how to release an IDaaS EIAM instance, see the "Release an IDaaS EIAM instance" section of the Manage IDaaS EIAM instances topic.

  • For more information about how to delete a service-linked role, see the "Delete a service-linked role" section of the Service-linked roles topic.