Service-linked roles
This topic describes the service-linked role for 5G Cloud Connector (CC5G), AliyunServiceRoleForCCIoT, and how to delete it.
Background information
A service-linked role is a Resource Access Management (RAM) role that is bound to a specific Alibaba Cloud service. Some services must call other Alibaba Cloud services on your behalf to do their work. A service-linked role carries the permissions that service needs and can be assumed only by that service, so you do not have to write the authorization yourself, and an over-broad or mistyped grant is avoided. For more information, see Service-linked roles.
Create a service-linked role
When you create a CC5G instance, the system automatically creates a service-linked role named AliyunServiceRoleForCCIoT if the role does not already exist, and attaches the AliyunServiceRolePolicyForCCIoT policy to it. This policy lets CC5G manage the VPC, NAT gateway, EIP, route table, security group and elastic network interface resources that an instance needs. Note that every statement uses Resource "*": the policy restricts which API operations the role may call, not which VPCs, ENIs or security groups it may touch. The policy is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:CreateVpc",
        "vpc:DescribeVpcs",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DescribeVSwitches",
        "vpc:DeleteVSwitch",
        "vpc:DescribeRegions",
        "vpc:AllocateEipAddress",
        "vpc:ModifyEipAddressAttribute",
        "vpc:ReleaseEipAddress",
        "vpc:CreateNatGateway",
        "vpc:DescribeNatGateways",
        "vpc:DescribeSnatTableEntries",
        "vpc:DeleteSnatEntry",
        "vpc:DescribeForwardTableEntries",
        "vpc:DeleteForwardEntry",
        "vpc:DeleteNatGateway",
        "vpc:CreateSnatEntry",
        "vpc:DeleteNatGateway",
        "vpc:ModifySnatEntry",
        "vpc:AssociateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:UnassociateEipAddress",
        "vpc:CreateCommonBandwidthPackage",
        "vpc:AddCommonBandwidthPackageIp",
        "vpc:RemoveCommonBandwidthPackageIp",
        "vpc:CreateRouteTable",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteTableList",
        "vpc:DeleteRouteTable",
        "vpc:CreateRouteEntry",
        "vpc:DescribeRouteEntryList",
        "vpc:DeleteRouteEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:CreateNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "uisplus.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cciot.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the service-linked role
The AliyunServiceRoleForCCIoT service-linked role cannot be deleted while any CC5G instance still depends on it. Delete all CC5G instances first, then delete the role in the RAM console. For more information, see:
FAQ
Why can't a RAM user automatically create the AliyunServiceRoleForCCIoT service-linked role?
When a RAM user creates a CC5G instance, the service-linked role is created on that user's behalf, so the user needs the ram:CreateServiceLinkedRole permission for the cciot.aliyuncs.com service (and, correspondingly, ram:DeleteServiceLinkedRole to delete the role). If the role is not created automatically, attach the following policy to the RAM user. The Condition pins the grant to the CC5G service, so the user cannot create service-linked roles for any other service:
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cciot.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
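Before attaching either policy on this page (the AliyunServiceRolePolicyForCCIoT policy in the section above or the RAM-user policy in this FAQ), a reviewer typically wants to confirm two things: that any ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole grant is pinned to one service through the ram:ServiceName condition, and which actions are allowed on Resource "*". The following Python script is an added example written for this page; it is not part of the CC5G documentation or of any Alibaba Cloud tool. It parses policy JSON in the shape shown above and runs those checks. The three sample policies in it are constructed for the example: the FAQ policy as written, the same grant with its Condition dropped, and a short excerpt of the CC5G policy that keeps the twice-listed vpc:DeleteNatGateway entry from the full policy.

```python
"""Least-privilege checks for RAM policy documents (added example).

Answers the questions a reviewer asks before attaching a policy:
  1. Does it let the principal call ram:CreateServiceLinkedRole, and is that
     grant pinned to one service through the ram:ServiceName condition?
  2. Which actions are granted on Resource "*", and is any action listed twice?
The sample policies below are constructed for this example.
"""
import json
from collections import Counter
from fnmatch import fnmatchcase

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

# Constructed: the RAM-user policy from the FAQ, pinned to cciot.aliyuncs.com.
SCOPED_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": "cciot.aliyuncs.com"}}
  }]
}"""

# Constructed: the same grant with the Condition dropped. The user could then
# create the service-linked role of every service, not just CC5G's.
UNSCOPED_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow"
  }]
}"""

# Constructed excerpt of AliyunServiceRolePolicyForCCIoT: wildcard resource,
# and vpc:DeleteNatGateway listed twice, as in the full policy on this page.
CC5G_EXCERPT = """{
  "Version": "1",
  "Statement": [{
    "Action": ["vpc:CreateVpc", "vpc:DeleteNatGateway", "vpc:CreateSnatEntry",
               "vpc:DeleteNatGateway"],
    "Resource": "*",
    "Effect": "Allow"
  }]
}"""


def _as_list(value):
    """RAM accepts Action, Resource and condition values as a string or a list."""
    return value if isinstance(value, list) else [value]


def statements(policy_json):
    """Parse a policy document and return its Statement array."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        raise ValueError('RAM policy documents use "Version": "1"')
    return _as_list(policy["Statement"])


def _grants(stmt, action):
    """True if an Allow statement's Action list covers `action` (wildcards such as ram:* included)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))


def pinned_services(stmt):
    """Services that a StringEquals ram:ServiceName condition pins the statement to; empty if none."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return set(_as_list(cond.get("ram:ServiceName", [])))


def allows_slr_create(policy_json, service):
    """Can a principal holding this policy create the service-linked role of `service`?"""
    return any(
        _grants(s, "ram:CreateServiceLinkedRole")
        and (not pinned_services(s) or service in pinned_services(s))
        for s in statements(policy_json)
    )


def unscoped_slr_grants(policy_json):
    """Indices of statements granting a service-linked-role action for any service at all."""
    return [
        i for i, s in enumerate(statements(policy_json))
        if any(_grants(s, a) for a in SLR_ACTIONS) and not pinned_services(s)
    ]


def wildcard_resource_actions(policy_json):
    """Actions allowed on Resource "*": scoped by API operation only, not by resource."""
    return sorted({
        a for s in statements(policy_json)
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))
        for a in _as_list(s.get("Action", []))
    })


def duplicate_actions(policy_json):
    """Actions listed more than once across the policy, a sign of a hand-edited list."""
    counts = Counter(a for s in statements(policy_json) for a in _as_list(s.get("Action", [])))
    return sorted(a for a, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("FAQ policy allows the CC5G role:", allows_slr_create(SCOPED_POLICY, "cciot.aliyuncs.com"))
    print("FAQ policy allows another service's role:", allows_slr_create(SCOPED_POLICY, "uisplus.aliyuncs.com"))
    print("Unpinned SLR statements in the unscoped policy:", unscoped_slr_grants(UNSCOPED_POLICY))
    print("Duplicate actions in the CC5G excerpt:", duplicate_actions(CC5G_EXCERPT))
```

Run against the two policies on this page, the checks report no unpinned service-linked-role grant in either, a duplicate vpc:DeleteNatGateway entry in AliyunServiceRolePolicyForCCIoT, and every vpc and ecs action granted on Resource "*". The duplicate is harmless to evaluation but worth raising when the policy is copied into your own tooling; the wildcard resources are expected for a service-linked role, since only the service itself can assume it.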