A trusted Alibaba Cloud service can assume a Resource Access Management (RAM) role to access other Alibaba Cloud services. RAM roles that a trusted Alibaba Cloud service can assume are classified into two types: normal service role and service-linked role. This topic describes service-linked roles.
Background information
An Alibaba Cloud service may need to access other services to implement a feature. In this case, the Alibaba Cloud service must be authorized to access other services. For example, to retrieve resource lists and log data from Elastic Compute Service (ECS) and ApsaraDB RDS, Cloud Config requires the access permissions on ECS and ApsaraDB RDS. Alibaba Cloud provides service-linked roles to simplify the process to authorize a service to access other services.
A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service. A service-linked role is used to authorize access across Alibaba Cloud services. A service-linked role is a RAM role that only the linked service can assume. In most cases, a service automatically creates or deletes the service-linked role if needed. A service-linked role simplifies the process to authorize a service to access other services and reduces the risks caused by misoperations.
The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.
Create a service-linked role
Some Alibaba Cloud services automatically create service-linked roles when you perform operations. For example, when you create a cloud resource or enable a feature, a service-linked role may be automatically created. You can view the created service-linked roles on the RAM Roles page of the RAM console. You can also retrieve the list of created service-linked roles by using the API or a CLI to call the ListRoles operation.
You can also manually create service-linked roles. For more information, see Create a service-linked role.
The number of service-linked roles that you can create is based on the limit of the number of RAM roles that you can create within your Alibaba Cloud account. If the limit is exceeded, you can still create service-linked roles. However, you can no longer create other types of RAM roles.
For more information about how a service-linked role is automatically created, see the documentation of each service.
Delete a service-linked role
Some Alibaba Cloud services automatically delete service-linked roles when you perform operations. For example, when you delete a cloud resource or disable a feature, a service-linked role may be automatically deleted. You can also manually delete service-linked roles in the RAM console. For more information, see Delete a RAM role.
If you attempt to delete a service-linked role, RAM checks whether the role is being assumed by the linked service.
If the role is not being assumed, the role can be deleted.
If the role is being assumed, the role cannot be deleted. However, you can view the cloud resources of the linked service that assumes the service-linked role in the error message. If you no longer need the cloud resources of the linked service, find and remove the resources of the linked service. Then, delete the service-linked role.
For more information about the conditions that allow you to delete a service-linked role, see the documentation of the linked service.
Permissions required to create and delete a service-linked role
RAM identities must be granted the required permissions before the RAM identities can create or delete a service-linked role. The permissions are also required when service-linked roles are automatically created.
The following sample policy allows authorized RAM identities to create and delete the service-linked role for Resource Management. You can view the value of ram:ServiceName
in the Service identifier column of Services that work with service-linked roles.
{
"Action": [
"ram:CreateServiceLinkedRole",
"ram:DeleteServiceLinkedRole"
],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "resourcemanager.aliyuncs.com"
}
}
}
The permissions to create a service-linked role are included in the administrative policy of the linked service. For ECS, the administrative policy is AliyunESSFullAccess. If you attach the administrative policy of a service to a RAM identity, the RAM identity can create the service-linked role for the service.
Assume a service-linked role
A service-linked role can be assumed only by the linked service. The role cannot be assumed by identities such as RAM users or other RAM roles.
You can view the service that can assume a service-linked role in the Service
parameter on the Trust Policy Management tab of the role details page.
Alibaba Cloud services that support service-linked roles
For more information, see Services that work with service-linked roles.
If a service does not support service-linked roles, you can use a normal service role to authorize the service.