This topic describes the scenarios for the IDaaS EIAM service-linked role (AliyunServiceRoleForEiam) and how to delete the service-linked role.
Background information
The IDaaS EIAM service-linked role (AliyunServiceRoleForEiam) is a RAM role that IDaaS EIAM uses to access other Alibaba Cloud services for certain features. For more information about service-linked roles, see Service-linked roles.
Scenarios
The dedicated endpoints feature of IDaaS EIAM accesses your ECS and VPC resources so that IDaaS can create and manage the auxiliary elastic network interfaces (ENIs) that a dedicated endpoint uses. With these permissions, IDaaS can reach Active Directory (AD), LDAP, or other applications inside a VPC over PrivateLink without exposing public ports. IDaaS can also access the Internet through a fixed dedicated endpoint IP address, which satisfies the trusted IP requirements of WeCom.
The credential management feature of IDaaS EIAM accesses your KMS resources so that IDaaS can host the credentials it holds in Secrets Manager, which provides their storage and lifecycle management. As the policy below shows, this access is limited to secrets whose names carry the idaas-eiam! prefix.
Introduction to AliyunServiceRoleForEiam
Role name: AliyunServiceRoleForEiam
Access policy: AliyunServiceRolePolicyForEiam
Permissions:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:CreateSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupRule",
        "ecs:DetachNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeInstances",
        "ecs:DescribeImages",
        "ecs:DescribeZones",
        "ecs:DescribeRegions",
        "ecs:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateSecret",
        "kms:DeleteSecret",
        "kms:DescribeSecret",
        "kms:PutSecretValue",
        "kms:UpdateSecret",
        "kms:UpdateSecretVersionStage",
        "kms:ListSecretVersionIds",
        "kms:GetSecretValue"
      ],
      "Resource": [
        "acs:kms:*:*:secret/idaas-eiam!*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListManagedQuotas",
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eiam.aliyuncs.com"
        }
      }
    }
  ]
}
Delete the service-linked role
Before you delete the AliyunServiceRoleForEiam service-linked role, release all IDaaS EIAM instances.
To delete an IDaaS EIAM instance, see Release an instance.
To delete the service-linked role, see Delete a service-linked role.
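The policy above mixes three scoping styles: wildcard resources for ECS and VPC, secrets restricted to the idaas-eiam! name prefix, and a RAM action gated by a ram:ServiceName condition. The following evaluator is an added example, not code from the IDaaS documentation or from Alibaba Cloud; it runs a trimmed copy of that policy (a constructed fixture) through the same Action, Resource and StringEquals matching so you can check what the role can and cannot touch before you rely on it or delete it.

```python
"""Minimal Allow-statement evaluator for a RAM policy document (added example).

Only the constructs used by AliyunServiceRolePolicyForEiam are modelled:
Action/Resource wildcards and a StringEquals condition. The page's policy has
no Deny statements, so explicit-deny precedence is intentionally not modelled.
"""
import fnmatch
import json

# Constructed fixture: a trimmed copy of the policy shown above.
EIAM_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterface"]},
    {"Effect": "Allow", "Action": ["kms:GetSecretValue", "kms:PutSecretValue"],
     "Resource": ["acs:kms:*:*:secret/idaas-eiam!*"]},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "eiam.aliyuncs.com"}}}
  ]
}""")


def _as_list(value):
    # Action, Resource and condition values may be a string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Every StringEquals key must be present in the request context and match.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if some Allow statement covers (action, resource, context)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Run it against the full policy from this page to confirm, for example, that a secret outside the idaas-eiam! prefix is never readable by the role and that the self-deletion right only applies when the caller is the EIAM service itself.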