
Service-linked roles for ACVS

Last Updated: Aug 23, 2023

AliyunServiceRoleForACVS and AliyunServiceRoleForACVSCenResourceConfiguration are the service-linked roles for Alibaba Cloud VMware Service (ACVS). This topic describes the application scenarios of the service-linked roles for ACVS and how to delete the service-linked roles.

Background information

A service-linked role is a Resource Access Management (RAM) role that can be assumed by the linked service. ACVS may need to access other cloud services to implement features. Alibaba Cloud provides the roles AliyunServiceRoleForACVS and AliyunServiceRoleForACVSCenResourceConfiguration that allow ACVS to access other cloud services. For more information, see Service-linked roles.

Scenarios

1. AliyunServiceRoleForACVS role: When you create a dedicated VMware environment, ACVS needs to access resources in Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Cloud Enterprise Network (CEN), and Resource Orchestration Service (ROS). ACVS assumes the AliyunServiceRoleForACVS role to obtain these permissions. Note that the attached policy (shown below) additionally grants read access to NAS file systems (nas:DescribeFileSystems) and the billing action bssapi:CreateInstance, and that every statement in it applies to "Resource": "*", so the grant is account-wide rather than scoped to resources that ACVS created.

2. AliyunServiceRoleForACVSCenResourceConfiguration role: ACVS assumes this role when it needs to manage CEN on your behalf: query your CEN instance information; create a route table and add routes on a transit router; query, create, or delete the network instance connections between VPCs or virtual border routers (VBRs) and your CEN instance; or create an associated forwarding correlation, learn routes, and add routes for network instance connections. The attached policy (shown below) also grants ROS stack operations (ros:CreateStack, ros:DeleteStack, and the related read actions) and ram:PassRole, the latter restricted by a Condition to the ROS service (ros.aliyuncs.com).

AliyunServiceRoleForACVS

Role name: AliyunServiceRoleForACVS

Role policy: AliyunServiceRolePolicyForACVS

Permission description (every statement below uses "Resource": "*"; the two ram: statements are narrowed only by their Condition blocks — ram:PassRole may pass roles only to ros.aliyuncs.com, and ram:DeleteServiceLinkedRole applies only when ram:ServiceName is acvs.aliyuncs.com):

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:ConfirmPhysicalConnection",
                "vpc:CreateVirtualBorderRouter",
                "vpc:DeleteVirtualBorderRouter",
                "vpc:DescribeVirtualBorderRouters",
                "vpc:CreateBgpGroup",
                "vpc:DeleteBgpGroup",
                "vpc:DescribeBgpGroups",
                "vpc:CreateBgpPeer",
                "vpc:DeleteBgpPeer",
                "vpc:DescribeBgpPeers",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:DescribeRouteTables",
                "vpc:DescribeVRouters",
                "vpc:DescribeRouteEntryList",
                "vpc:AddBgpNetwork",
                "vpc:DeleteBgpNetwork",
                "vpc:DescribeBgpNetworks",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:CreateForwardEntry",
                "vpc:DeleteForwardEntry",
                "vpc:DescribeForwardTableEntries",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:DescribeSnatTableEntries",
                "vpc:DescribeNatGateways",
                "vpc:TerminatePhysicalConnection",
                "vpc:RecoverPhysicalConnection",
                "vpc:DeletePhysicalConnection",
                "vpc:OpenPhysicalConnectionService",
                "vpc:GetPhysicalConnectionServiceStatus",
                "vpc:DescribeGrantRulesToCen",
                "vpc:GrantInstanceToCen",
                "vpc:DescribeRouteTableList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:ResolveAndRouteServiceInCen",
                "cen:DeleteRouteServiceInCen",
                "cen:DescribeRouteServicesInCen",
                "cen:DescribeCenAttachedChildInstances",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:DescribeCens",
                "cen:ListTransitRouters",
                "cen:ListTransitRouterAvailableResource",
                "cen:CreateTransitRouterVpcAttachment",
                "cen:ListTransitRouterVpcAttachments",
                "cen:DeleteTransitRouterVpcAttachment",
                "cen:CreateTransitRouterVbrAttachment",
                "cen:ListTransitRouterVbrAttachments",
                "cen:DeleteTransitRouterVbrAttachment",
                "cen:CreateCenChildInstanceRouteEntryToAttachment",
                "cen:DescribeCenChildInstanceRouteEntries",
                "cen:DeleteCenChildInstanceRouteEntryToAttachment",
                "cen:CreateTransitRouterRouteTable",
                "cen:ListTransitRouterRouteTables",
                "cen:DeleteTransitRouterRouteTable",
                "cen:CreateTransitRouterRouteEntry",
                "cen:ListTransitRouterRouteEntries",
                "cen:DeleteTransitRouterRouteEntry",
                "cen:AssociateTransitRouterAttachmentWithRouteTable",
                "cen:ListTransitRouterRouteTableAssociations",
                "cen:DissociateTransitRouterAttachmentFromRouteTable",
                "cen:EnableTransitRouterRouteTablePropagation",
                "cen:ListTransitRouterRouteTablePropagations",
                "cen:DisableTransitRouterRouteTablePropagation",
                "cen:DescribeGrantRulesToCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "bssapi:CreateInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "nas:DescribeFileSystems"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ros:ListStacks",
                "ros:GetStack",
                "ros:ListStackEvents",
                "ros:ListStackResources",
                "ros:GetStackResource",
                "ros:CreateStack",
                "ros:DeleteStack",
                "ros:PreviewStack"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": [
                        "ros.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "acvs.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunServiceRoleForACVSCenResourceConfiguration

Role name: AliyunServiceRoleForACVSCenResourceConfiguration

Role policy: AliyunServiceRolePolicyForACVSCenResourceConfiguration

Permission description (every statement below uses "Resource": "*"; the two ram: statements are narrowed only by their Condition blocks — ram:PassRole may pass roles only to ros.aliyuncs.com, and ram:DeleteServiceLinkedRole applies only when ram:ServiceName is cen.acvs.aliyuncs.com):

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeGrantRulesToCen",
        "cen:ListTransitRouters",
        "cen:ListTransitRouterAvailableResource",
        "cen:CreateTransitRouterVpcAttachment",
        "cen:ListTransitRouterVpcAttachments",
        "cen:DeleteTransitRouterVpcAttachment",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:ListTransitRouterVbrAttachments",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:CreateCenChildInstanceRouteEntryToAttachment",
        "cen:DescribeCenChildInstanceRouteEntries",
        "cen:DeleteCenChildInstanceRouteEntryToAttachment",
        "cen:CreateTransitRouterRouteTable",
        "cen:ListTransitRouterRouteTables",
        "cen:DeleteTransitRouterRouteTable",
        "cen:CreateTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:ResolveAndRouteServiceInCen",
        "cen:DeleteRouteServiceInCen",
        "cen:DescribeRouteServicesInCen",
        "cen:DescribeCenAttachedChildInstances",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:DescribeCenAttachedChildInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:ListStacks",
        "ros:GetStack",
        "ros:ListStackEvents",
        "ros:ListStackResources",
        "ros:GetStackResource",
        "ros:CreateStack",
        "ros:DeleteStack",
        "ros:PreviewStack"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "ros.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.acvs.aliyuncs.com"
        }
      }
    }
  ]
}

Delete a service-linked role

  • Before you delete the AliyunServiceRoleForACVS role, you must release every dedicated VMware environment that depends on the role.

  • Before you delete the AliyunServiceRoleForACVSCenResourceConfiguration role, you must log on to the ACVS console, select Cross-Account Authorization, and then delete all cross-account authorizations.

  • For more information about how to delete a service-linked role, see the following topic:

    Delete a service-linked role