This topic describes the scenarios, permission policy, and creation and deletion behavior of the CloudSSO service-linked role (AliyunServiceRoleForCloudSSO).

Scenarios

The service-linked role (AliyunServiceRoleForCloudSSO) has permissions to operate on RAM roles, permission policies, and SAML providers, so that CloudSSO can configure unified permissions across the resource directory (RD).

For more information about service-linked roles, see Service-linked roles.

Permission description

Role name: AliyunServiceRoleForCloudSSO

Permission policy: AliyunServiceRolePolicyForCloudSSO

 {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:CreateSAMLProvider",
                "ram:CreatePolicy",
                "ram:ListRoles",
                "ram:ListPolicies"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:ListPolicyVersions",
                "ram:DeletePolicyVersion",
                "ram:CreatePolicyVersion",
                "ram:DeletePolicy"
            ],
            "Resource": [
                "acs:ram:*:*:policy/AliyunReservedSSO*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetSAMLProvider",
                "ram:DeleteSAMLProvider",
                "ram:GetRole",
                "ram:CreateRole",
                "ram:DeleteRole",
                "ram:GetPolicy",
                "ram:AttachPolicyToRole",
                "ram:DetachPolicyFromRole",
                "ram:ListPoliciesForRole"
            ],
            "Resource": [
                "acs:ram:*:*:saml-provider/AliyunReservedSSO*",
                "acs:ram:*:*:role/aliyunreservedsso*",
                "acs:ram:*:*:policy/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:DeleteServiceLinkedRole",
                "ram:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cloudsso.aliyuncs.com"
                }
            }
        }
    ]
}
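To audit what the policy above actually scopes, the following added example (not part of the original Alibaba Cloud documentation) embeds the policy document and evaluates whether a given RAM action on a given resource ARN is granted, including the ram:ServiceName condition on the last statement. It is a simplified model of RAM evaluation that handles only Allow statements and StringEquals conditions, which is all this policy uses; the account ID and resource names in the usage section are constructed.

```python
import fnmatch

# AliyunServiceRolePolicyForCloudSSO, copied from the documentation above in compact form.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:CreateSAMLProvider", "ram:CreatePolicy", "ram:ListRoles", "ram:ListPolicies"]},
    {"Effect": "Allow", "Resource": ["acs:ram:*:*:policy/AliyunReservedSSO*"],
     "Action": ["ram:ListPolicyVersions", "ram:DeletePolicyVersion", "ram:CreatePolicyVersion", "ram:DeletePolicy"]},
    {"Effect": "Allow",
     "Resource": ["acs:ram:*:*:saml-provider/AliyunReservedSSO*", "acs:ram:*:*:role/aliyunreservedsso*", "acs:ram:*:*:policy/*"],
     "Action": ["ram:GetSAMLProvider", "ram:DeleteSAMLProvider", "ram:GetRole", "ram:CreateRole", "ram:DeleteRole",
                "ram:GetPolicy", "ram:AttachPolicyToRole", "ram:DetachPolicyFromRole", "ram:ListPoliciesForRole"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:DeleteServiceLinkedRole", "ram:GetServiceLinkedRoleDeletionStatus"],
     "Condition": {"StringEquals": {"ram:ServiceName": "cloudsso.aliyuncs.com"}}},
]}


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def granting_statement(action, resource, context=None, policy=POLICY):
    """Return the index of the first Allow statement that grants `action` on `resource`
    under the request `context` (condition keys), or None if nothing grants it.
    Simplified model: case-sensitive '*'/'?' wildcard matching, no Deny statements,
    only the StringEquals condition operator."""
    context = context or {}
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == expected for key, expected in conditions.items()):
            return index
    return None


def is_allowed(action, resource, context=None):
    return granting_statement(action, resource, context) is not None


if __name__ == "__main__":
    # Constructed account ID and names: deletion is scoped to CloudSSO-reserved resources only.
    print(is_allowed("ram:DeletePolicy", "acs:ram::1234567890:policy/AliyunReservedSSO-abc"))   # True
    print(is_allowed("ram:DeletePolicy", "acs:ram::1234567890:policy/AdministratorAccess"))     # False
    print(is_allowed("ram:DeleteServiceLinkedRole", "acs:ram::1234567890:role/x", {"ram:ServiceName": "ecs.aliyuncs.com"}))  # False
```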

Create the service-linked role

The service-linked role (AliyunServiceRoleForCloudSSO) is created automatically, as follows:

  • When you create a directory, the service-linked role is automatically created in the enterprise management account.
  • When you first grant an access configuration to a member account of the resource directory in CloudSSO, the service-linked role is automatically created in that member account.

Delete the service-linked role

After you delete the directory, you can manually delete the service-linked role (AliyunServiceRoleForCloudSSO). For details, see Delete a RAM role.

When a member account leaves the resource directory, the system automatically deletes the service-linked role (AliyunServiceRoleForCloudSSO) from that member account.