VPN Gateway:AliyunServiceRoleForVpn

Last Updated:May 20, 2024

This topic describes the service-linked role AliyunServiceRoleForVpn of VPN Gateway. When you create a VPN gateway or an IPsec-VPN connection associated with a transit router for the first time, the system automatically creates the service-linked role AliyunServiceRoleForVpn. This service-linked role allows a VPN gateway to access other cloud resources such as elastic network interfaces (ENIs) and security groups. This helps you create a VPN gateway or an IPsec-VPN connection.

Background information

An Alibaba Cloud service may need to access other services to implement a feature, and must be authorized to do so. For example, to retrieve resource lists and log data from Elastic Compute Service (ECS) and ApsaraDB RDS, Cloud Config requires access permissions on ECS and ApsaraDB RDS. Alibaba Cloud provides service-linked roles to simplify the process of authorizing one service to access others.

A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service, so only that linked service can assume it. It is used to authorize access across Alibaba Cloud services. In most cases, the linked service creates or deletes the service-linked role automatically when needed. This simplifies cross-service authorization and reduces the risk of mistakes made during manual authorization.

The policy that is attached to a service-linked role is predefined by the linked service. You cannot modify or delete the policy. You cannot attach policies to or detach policies from a service-linked role.

For more information, see Service-linked roles.

Create the service-linked role AliyunServiceRoleForVpn

When you create a VPN gateway or an IPsec-VPN connection associated with a transit router for the first time, the system automatically creates the service-linked role AliyunServiceRoleForVpn. This service-linked role helps you create a VPN gateway or an IPsec-VPN connection. If the service-linked role AliyunServiceRoleForVpn already exists, the system does not create it again.

A policy named AliyunServiceRolePolicyForVpn is attached to the service-linked role AliyunServiceRoleForVpn. This policy allows a VPN gateway to perform the VPC, ECS, and RAM operations listed below. Note that the only RAM permission it grants, ram:DeleteServiceLinkedRole, is restricted by a condition to the vpn.aliyuncs.com service. The policy contains the following permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:TagResources",
        "vpc:DescribeRouteTableList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpn.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the service-linked role AliyunServiceRoleForVpn

You can delete the service-linked role AliyunServiceRoleForVpn only if no VPN gateway or IPsec-VPN connection exists within your Alibaba Cloud account. For more information, see the following sections of related topics:

  1. Delete a VPN gateway section of the "Create and manage a VPN gateway" topic

  2. Delete an IPsec-VPN connection section of the "Create and manage IPsec-VPN connections in single-tunnel mode" topic

  3. Delete a service-linked role section of the "Service-linked roles" topic

FAQ

Why am I unable to create the service-linked role AliyunServiceRoleForVpn by using a Resource Access Management (RAM) user?

By default, an Alibaba Cloud account is authorized to create the service-linked role AliyunServiceRoleForVpn. If a RAM user wants to create the service-linked role, you must first use the Alibaba Cloud account to grant the required permissions to the RAM user.

You must create a custom policy and attach it to the RAM user. Then, the RAM user can create the service-linked role AliyunServiceRoleForVpn. The following code provides an example. For more information, see Create custom policies and Grant permissions to a RAM role.

{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "vpn.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
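The custom policy above and the role's own policy both scope their ram:*ServiceLinkedRole action to vpn.aliyuncs.com through a StringEquals condition on ram:ServiceName. The following Python check is an added example, not part of the Alibaba Cloud documentation: it flags a policy that grants ram:CreateServiceLinkedRole without that condition. The FAQ policy JSON is copied from this page, the over-broad variant is constructed for comparison, and the function names are my own.

```python
import json
from fnmatch import fnmatchcase

# Custom policy copied from the FAQ above (grants the RAM user the right to
# create the service-linked role, scoped to the VPN service only).
FAQ_POLICY = json.loads("""{
  "Statement": [{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": "vpn.aliyuncs.com"}}
  }],
  "Version": "1"
}""")

# Constructed counter-example: same action, but no Condition block, so the RAM
# user could create a service-linked role for any Alibaba Cloud service.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [{"Action": ["ram:CreateServiceLinkedRole"],
                   "Resource": "*", "Effect": "Allow"}],
}

def _as_list(value):
    # RAM policies allow a single string or a list in Action/Condition values.
    return value if isinstance(value, list) else [value]

def allowed_service_names(policy, action):
    """Return the set of ram:ServiceName values under which `action` is allowed.
    A "*" entry means at least one Allow statement grants the action with no
    StringEquals condition on ram:ServiceName. Deny statements are ignored."""
    names = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Wildcard actions such as "ram:*" also grant the action.
        if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        names.update(["*"] if cond is None else _as_list(cond))
    return names

def check_slr_scope(policy, action, expected_service="vpn.aliyuncs.com"):
    """Least-privilege verdict: 'missing', 'scoped' (only expected_service), or 'overbroad'."""
    names = allowed_service_names(policy, action)
    if not names:
        return "missing"
    return "scoped" if names == {expected_service} else "overbroad"
```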