A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. Server Migration Center (SMC) assumes the service-linked role AliyunServiceRoleForSMC to obtain the access permissions on other Alibaba Cloud services or resources.
In most cases, a service-linked role is automatically created when you perform an operation. If the service-linked role AliyunServiceRoleForSMC fails to be automatically created or SMC does not support the automatic creation of the role, you must manually create the role.
RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view information about the system policy of a specific service-linked role, go to the details page of the specified service-linked role. For more information, see AliyunSMCFullAccess.
Scenarios
The service-linked role AliyunServiceRoleForSMC allows SMC to access Elastic Compute Service (ECS) during data migration.
Required permissions for a RAM user to assume a service-linked role
If you want to create or delete a service-linked role as a RAM user, contact the administrator to grant the RAM user the AliyunSWASFullAccess permission. You can also add the following permissions in the Action statement of your custom policy:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For more information, see the Permissions required to create and delete a service-linked role section of the "Service-linked roles" topic.
Create the service-linked role
SMC automatically creates the service-linked role AliyunServiceRoleForSMC when you import the information about a migration source. For more information, see Step 1: Import the information about a migration source.
After the service-linked role is created, SMC can assume the RAM role to access other Alibaba Cloud services. You may be charged for creating snapshots and ECS instances.
View the information about the service-linked role
After the service-linked role is created, you can view the following information about the service-linked role. To view the information, go to the Roles page in the RAM console and search for AliyunServiceRoleForSMC.
Basic information
In the Basic Information section of the details page of the service-linked role AliyunServiceRoleForSMC, view the basic information about the service-linked role. The information includes the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permission policy
On the Permissions tab of the details page of the service-linked role AliyunServiceRoleForSMC, click the name of the permission policy. On the page that appears, view the content of the permission policy and cloud resources that SMC can access by assuming this service-linked role.
Trust policy
On the Trust Policy tab of the details page of the service-linked role AliyunServiceRoleForSMC, view the content of the trust policy. A trust policy is a policy that describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For information about how to view information about a service-linked role, see View the information about a RAM role.
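The custom-policy permissions and the trust policy's Service field described above can be checked against each other. The following is an added example, not code from the SMC documentation: it reads the trusted service from a trust policy and reports any statement in a custom policy that allows creating or deleting service-linked roles without limiting the grant to that service. Both policy documents are constructed samples, and the service name smc.aliyuncs.com and the use of the ram:ServiceName condition key to scope the grant are assumptions; take the real service name from the Service field on the Trust Policy tab.

```python
import fnmatch
import json

# Constructed sample documents, not copied from the RAM console.
# ASSUMPTION: smc.aliyuncs.com stands in for the value of the Service field.
TRUST_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["smc.aliyuncs.com"]}}]}""")
CUSTOM_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
   "Condition": {"StringEquals": {"ram:ServiceName": "smc.aliyuncs.com"}}},
  {"Effect": "Allow", "Action": ["ram:DeleteServiceLinkedRole"], "Resource": "*"}]}""")

# Compared in lower case so that differently cased entries are still flagged.
SLR_ACTIONS = ("ram:createservicelinkedrole", "ram:deleteservicelinkedrole")

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Collect the Service principals from the Allow statements of a trust policy."""
    services = set()
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            services.update(as_list(stmt.get("Principal", {}).get("Service")))
    return services

def grants_slr_action(pattern):
    """True if an Action entry (wildcards included) covers SLR create or delete."""
    return any(fnmatch.fnmatchcase(a, pattern.lower()) for a in SLR_ACTIONS)

def unscoped_slr_grants(policy, allowed_services):
    """List Action entries that allow SLR create/delete beyond allowed_services."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = set(as_list(cond.get("ram:ServiceName")))
        scoped = bool(names) and names <= set(allowed_services)
        if not scoped:
            findings.extend(a for a in as_list(stmt.get("Action")) if grants_slr_action(a))
    return findings

if __name__ == "__main__":
    print(unscoped_slr_grants(CUSTOM_POLICY, trusted_services(TRUST_POLICY)))
```

In the sample, the create statement is scoped to the trusted service and passes, while the delete statement has no condition and is reported.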
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you no longer need to use SMC, you can manually delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
Before you delete the service-linked role for SMC, you can use one of the following methods to delete the migration source that depends on the service-linked role:
Log on to the SMC console. In the left-side navigation pane, click Migration Sources. On the Migration Sources page, find the migration source and delete it.
Call the DeleteSourceServer operation to delete the migration source.