This topic introduces the service linked role AliyunServiceRoleForPrivatelink for PrivateLink. You can delete the service linked role if you no longer need it.
Service linked role
Service linked roles are Resource Access Management (RAM) roles that can be assumed by linked Alibaba Cloud services. An Alibaba Cloud service may need to access other services to perform a specific function. Before a service can access another service, it must be authorized to do so. Service linked roles simplify this authorization and avoid the risks caused by user errors. For more information, see Service-linked roles.
Create the service linked role for PrivateLink
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}
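The following is an added example, not part of the original documentation or any Alibaba Cloud tooling: a Python check that compares a policy document exported for the role against the policy shown above and reports extra actions, missing actions, or a changed resource/condition scope. The OBSERVED sample and the action name vpc:ExampleExtraAction are constructed for illustration.

```python
import json

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def grants(policy):
    """Map each allowed action to its set of (resource, condition) scopes."""
    out = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in as_list(stmt["Action"]):
            for res in as_list(stmt["Resource"]):
                out.setdefault(action, set()).add((res, cond))
    return out

def drift(baseline, observed):
    """List differences between the observed policy and the baseline."""
    base, obs = grants(baseline), grants(observed)
    findings = [("extra_action", a) for a in sorted(obs.keys() - base.keys())]
    findings += [("missing_action", a) for a in sorted(base.keys() - obs.keys())]
    findings += [("scope_changed", a) for a in sorted(base.keys() & obs.keys())
                 if base[a] != obs[a]]
    return findings

# Baseline: the policy shown on this page.
BASELINE = {"Version": "1", "Statement": [
    {"Action": ["vpc:DescribeVSwitchAttributes"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}},
]}

# Constructed sample (not real account data): condition dropped, one action added.
OBSERVED = json.loads(json.dumps(BASELINE))
del OBSERVED["Statement"][2]["Condition"]
OBSERVED["Statement"][0]["Action"].append("vpc:ExampleExtraAction")  # hypothetical name

if __name__ == "__main__":
    for kind, action in drift(BASELINE, OBSERVED):
        print(kind, action)
```

A scope_changed finding on ram:DeleteServiceLinkedRole means the ram:ServiceName condition no longer limits that action to privatelink.aliyuncs.com.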
Delete the service linked role for PrivateLink
Before you delete the service linked role for PrivateLink (AliyunServiceRoleForPrivatelink), you must delete the endpoint to which the service linked role is assigned. For more information, see Delete an endpoint.