This topic describes the use cases and management of Cloud-native API Gateway service-linked roles.
Use cases
AliyunServiceRoleForNativeApiGw: When Cloud-native API Gateway needs to access resources of other cloud services, such as Virtual Private Cloud (VPC), Container Service for Kubernetes (ACK), Function Compute (FC), Enterprise Distributed Application Service (EDAS), Microservices Engine (MSE), Server Load Balancer (SLB), Network Load Balancer (NLB), Elastic Compute Service (ECS), and Application Real-Time Monitoring Service (ARMS), it assumes the automatically created AliyunServiceRoleForNativeApiGw service-linked role to get the necessary permissions.
AliyunServiceRoleForNativeApiGwInvokeFC: When Cloud-native API Gateway needs to call the FC service, it assumes the automatically created AliyunServiceRoleForNativeApiGwInvokeFC service-linked role to get the necessary permissions.
AliyunServiceRoleForNativeApiGwInvokeCloudFlow: When Cloud-native API Gateway needs to call the CloudFlow service, it assumes the automatically created AliyunServiceRoleForNativeApiGwInvokeCloudFlow service-linked role to get the necessary permissions.
AliyunServiceRoleForNativeApiGwInvokeKMS: When Cloud-native API Gateway needs to call the Key Management Service (KMS), it assumes the automatically created AliyunServiceRoleForNativeApiGwInvokeKMS service-linked role to get the necessary permissions.
RAM user permissions
To allow a RAM user to create or delete a service-linked role, an administrator must grant them either administrator permissions (AliyunNativeApiGwFullAccess) or the following permissions within the Action statement of a custom permission policy:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For more information about how to grant permissions, see Permissions required to manage service-linked roles.
Permissions
AliyunServiceRoleForNativeApiGw
The AliyunServiceRoleForNativeApiGw service-linked role has the following permissions:
VPC
{
"Effect": "Allow",
"Action": [
"vpc:AllocateEipAddress",
"vpc:AllocateEipAddressPro",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:UnassociateEipAddress",
"vpc:ReleaseEipAddress",
"vpc:ModifyEipAddressAttribute",
"vpc:ModifyBypassToaAttribute",
"vpc:AddCommonBandwidthPackageIp",
"vpc:RemoveCommonBandwidthPackageIp",
"vpc:TagResources",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcs",
"vpc:CreateVSwitch",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVRouters",
"vpc:DescribeRouteTables",
"vpc:DescribeRouteEntryList"
],
"Resource": "*"
}
ACK
{
"Effect": "Allow",
"Action": [
"cs:DescribeClusterDetail",
"cs:DescribeClusterInnerServiceKubeconfig",
"cs:RevokeClusterInnerServiceKubeconfig",
"cs:GetUserConfig",
"cs:DescribeClusterUserKubeconfig",
"cs:GetClusterById",
"cs:GetClustersByUid",
"cs:DescribeClustersV1",
"cs:ListClusters",
"cs:GetClusters",
"cs:DescribeClusterNodePools"
],
"Resource": "*"
}
FC
{
"Effect": "Allow",
"Action": [
"fc:ListAliases",
"fc:ListServices",
"fc:ListServiceVersions",
"fc:ListFunctions",
"fc:ListFunctionVersions",
"fc:ListTriggers"
],
"Resource": "*"
}
EDAS
{
"Effect": "Allow",
"Action": [
"edas:ReadNamespace",
"edas:ReadService",
"edas:ListUserDefineRegion"
],
"Resource": "*"
}
MSE
{
"Effect": "Allow",
"Action": [
"mse:ListAnsServices",
"mse:ListEngineNamespaces",
"mse:ListClusters",
"mse:QueryConfig"
],
"Resource": "*"
}
SLB
{
"Effect": "Allow",
"Action": [
"slb:SetLoadBalancerName",
"slb:CreateLoadBalancer",
"slb:AddBackendServers",
"slb:SetBackendServers",
"slb:RemoveBackendServers",
"slb:CreateLoadBalancerTCPListener",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:CreateLoadBalancerHTTPListener",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:CreateLoadBalancerHTTPSListener",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:DeleteLoadBalancerListener",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeHealthStatus",
"slb:CreateLoadBalancerForCloudService",
"slb:DeleteLoadBalancer",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveTags",
"slb:AddTags",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:CreateLoadBalancerUDPListener",
"slb:CreateVServerGroup",
"slb:DeleteVServerGroup",
"slb:SetVServerGroupAttribute",
"slb:ModifyVServerGroupBackendServers",
"slb:AddVServerGroupBackendServers",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:RemoveVServerGroupBackendServers",
"slb:SetLoadBalancerModificationProtection",
"slb:SetLoadBalancerDeleteProtection",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeTags",
"slb:DescribeVServerGroups",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeLoadBalancerListeners",
"slb:ListTagResources",
"slb:TagResources",
"slb:UntagResources"
],
"Resource": "*"
}
NLB
{
"Effect": "Allow",
"Action": [
"nlb:TagResources",
"nlb:UnTagResources",
"nlb:ListTagResources",
"nlb:CreateLoadBalancer",
"nlb:DeleteLoadBalancer",
"nlb:GetLoadBalancerAttribute",
"nlb:ListLoadBalancers",
"nlb:UpdateLoadBalancerAttribute",
"nlb:UpdateLoadBalancerAddressTypeConfig",
"nlb:UpdateLoadBalancerZones",
"nlb:CreateListener",
"nlb:DeleteListener",
"nlb:ListListeners",
"nlb:UpdateListenerAttribute",
"nlb:StopListener",
"nlb:StartListener",
"nlb:GetListenerAttribute",
"nlb:GetListenerHealthStatus",
"nlb:CreateServerGroup",
"nlb:DeleteServerGroup",
"nlb:UpdateServerGroupAttribute",
"nlb:AddServersToServerGroup",
"nlb:RemoveServersFromServerGroup",
"nlb:UpdateServerGroupServersAttribute",
"nlb:ListServerGroups",
"nlb:ListServerGroupServers",
"nlb:LoadBalancerLeaveSecurityGroup",
"nlb:LoadBalancerJoinSecurityGroup",
"nlb:GetJobStatus",
"nlb:UpdateLoadBalancerProtection"
],
"Resource": "*"
}
ECS
{
"Effect": "Allow",
"Action": [
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:DeleteSecurityGroup",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:DescribeInstances",
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AddTags",
"ecs:DescribeEipAddresses",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:AssignPrivateIpAddresses",
"ecs:UnassignPrivateIpAddresses",
"ecs:AssignIpv6Addresses",
"ecs:UnassignIpv6Addresses",
"ecs:AttachNetworkInterface",
"ecs:DetachNetworkInterface",
"ecs:ListTagResources"
],
"Resource": "*"
}
ARMS
{
"Effect": "Allow",
"Action": [
"arms:OpenArmsService",
"arms:GetAlertRules",
"arms:ReportCustomIncidents",
"arms:AddPrometheusInstance",
"arms:GetAuthToken",
"arms:GetClusterAllUrl",
"arms:OpenArmsServiceSecondVersion",
"arms:CheckServiceStatus",
"arms:OpenVCluster",
"arms:GetPrometheusApiToken",
"arms:ListDashboards",
"arms:GetExploreUrl",
"arms:CreateDefaultCloudProductPrometheusAlertRule",
"arms:ListNotificationPolicies",
"arms:ListDispatchRule",
"arms:CreateDispatchRule",
"arms:CreateOrUpdateNotificationPolicy",
"arms:DescribeContactGroups",
"arms:SearchContactGroup",
"arms:CreatePrometheusAlertRule"
],
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeFC
The AliyunServiceRoleForNativeApiGwInvokeFC service-linked role has the following permissions:
{
"Effect": "Allow",
"Action": "fc:InvokeFunction",
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeCloudFlow
The AliyunServiceRoleForNativeApiGwInvokeCloudFlow service-linked role has the following permissions:
{
"Effect": "Allow",
"Action": [
"fnf:StartExecution",
"fnf:StartSyncExecution"
],
"Resource": "*"
}
AliyunServiceRoleForNativeApiGwInvokeKMS
The AliyunServiceRoleForNativeApiGwInvokeKMS service-linked role has the following permissions:
{
"Effect": "Allow",
"Action": [
"kms:ListKmsInstances",
"kms:ListKeys",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:CreateSecret",
"kms:DeleteSecret",
"kms:UpdateSecret",
"kms:DescribeSecret",
"kms:GetSecretValue",
"kms:PutSecretValue",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": "*"
}
View a service-linked role
After a service-linked role is created, you can go to the Roles page of the RAM console and search for the role name, such as AliyunServiceRoleForNativeApiGw, to view the following information about the role:
Basic Information
In the Basic Information section, you can find the role's name, creation time, ARN, and description.
Permission Policy
On the Permissions tab, click a permission policy name to view its content and the resources the role can access.
Trust Policy
On the Trust Policy Management tab of the role details page, view the content of the trust policy. A trust policy defines the trusted entities that can assume a RAM role. The Service field in the trust policy identifies the trusted cloud service.
For more information about how to view a service-linked role, see View a RAM role.
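The permission policies listed above all use "Resource": "*", so the practical review question is which of the granted actions are read-only, which mutate infrastructure (security groups, EIPs, load balancers), and which expose key material or secret values, plus whether the trust policy's Service field names only the expected service. The following script is an added example, not code from the original page or from Alibaba Cloud: it takes policy documents in the RAM JSON shape shown on this page, classifies every Allow action, lists the non-read actions that are unscoped, and checks the trust policy's Service principals against an allow list. The sample policies are constructed abbreviations of the documented ones (a handful of representative actions per role), the trust policy is a constructed document in the shape RAM uses, and the prefix heuristic and the SENSITIVE_ACTIONS list are the reviewer's own assumptions.

```python
import json
from typing import Dict, List

# Constructed sample: abbreviated copies of the statements documented for
# AliyunServiceRoleForNativeApiGw and AliyunServiceRoleForNativeApiGwInvokeKMS.
# Only a few representative actions per policy are kept.
SAMPLE_PERMISSION_POLICIES: Dict[str, dict] = {
    "AliyunServiceRoleForNativeApiGw-sample": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["vpc:DescribeVpcs", "vpc:AllocateEipAddress", "vpc:ReleaseEipAddress"]},
            {"Effect": "Allow", "Resource": "*",
             "Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                        "ecs:AuthorizeSecurityGroup", "ecs:DeleteSecurityGroup"]},
        ],
    },
    "AliyunServiceRoleForNativeApiGwInvokeKMS-sample": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["kms:ListKeys", "kms:Decrypt", "kms:GetSecretValue", "kms:DeleteSecret"]},
        ],
    },
}

# Constructed sample trust policy in the shape RAM uses: the Service field under
# Principal names the cloud service allowed to assume the role.
SAMPLE_TRUST_POLICY = {
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["nativeapigw.aliyuncs.com"]}},
    ],
    "Version": "1",
}

# Heuristic (assumption): actions whose name starts with one of these verbs only read state.
READ_PREFIXES = ("Describe", "List", "Get", "Query", "Read", "Check", "Search")
# Reviewer's own list (assumption) of actions that return key material, secrets or credentials.
SENSITIVE_ACTIONS = {
    "kms:Decrypt", "kms:GetSecretValue", "kms:GenerateDataKey",
    "cs:DescribeClusterUserKubeconfig", "cs:DescribeClusterInnerServiceKubeconfig",
}


def _as_list(value) -> list:
    """RAM allows a single string or a list for Action/Resource/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_action(action: str) -> str:
    """Return 'sensitive', 'read' or 'write' for an action name such as 'ecs:DescribeInstances'."""
    if action in SENSITIVE_ACTIONS:
        return "sensitive"
    _, _, name = action.partition(":")
    return "read" if name.startswith(READ_PREFIXES) else "write"


def summarize_policies(policies: Dict[str, dict]) -> Dict[str, dict]:
    """Per policy: counts per class and the sorted non-read actions granted on Resource '*'."""
    summary = {}
    for name, doc in policies.items():
        counts = {"read": 0, "write": 0, "sensitive": 0}
        flagged: List[str] = []
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            unscoped = "*" in _as_list(stmt.get("Resource"))
            for action in _as_list(stmt.get("Action")):
                cls = classify_action(action)
                counts[cls] += 1
                if unscoped and cls != "read":
                    flagged.append(action)
        summary[name] = {"counts": counts, "unscoped_non_read": sorted(flagged)}
    return summary


def trust_policy_services(trust_policy: dict) -> List[str]:
    """Collect every Service principal allowed to call sts:AssumeRole on the role."""
    services: List[str] = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            services.extend(_as_list(stmt.get("Principal", {}).get("Service")))
    return services


def check_trust_policy(trust_policy: dict, expected_services) -> bool:
    """True when no service outside the expected set can assume the role."""
    return set(trust_policy_services(trust_policy)) <= set(expected_services)


if __name__ == "__main__":
    print(json.dumps(summarize_policies(SAMPLE_PERMISSION_POLICIES), indent=2))
    print("trust policy ok:", check_trust_policy(SAMPLE_TRUST_POLICY, ["nativeapigw.aliyuncs.com"]))
```

Run it against the JSON you copy from the Permissions and Trust Policy Management tabs of the role details page; a service principal that is not in your expected set, or a sensitive action you did not expect for the role, is what to investigate before relying on the role. The prefix heuristic is deliberately conservative: anything not recognised as read-only is reported as write.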
Delete a service-linked role
If you no longer use Cloud-native API Gateway, you can manually delete its service-linked roles in the RAM console.
Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click .
On the Roles page, enter the name of the role that you want to delete in the search box, for example, AliyunServiceRoleForNativeApiGw.
Find the role in the search results and click Delete Role in the Actions column.
In the confirmation dialog box, enter the role name for verification and click Delete Role.
After you delete a service-linked role for Cloud-native API Gateway, features that depend on the role will no longer function. Proceed with caution.
FAQ
Failure to automatically create the AliyunServiceRoleForNativeApiGw role
A RAM user must have specific permissions to automatically create or delete the AliyunServiceRoleForNativeApiGw service-linked role. If a RAM user fails to automatically create the role, an administrator must attach the following permission policy to the RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace Alibaba Cloud account ID with your Alibaba Cloud account ID.
Failure to automatically create the AliyunServiceRoleForNativeApiGwInvokeFC role
A RAM user must have specific permissions to automatically create or delete the AliyunServiceRoleForNativeApiGwInvokeFC service-linked role. If a RAM user fails to automatically create the role, an administrator must attach the following permission policy to the RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"invokefc.nativeapigw.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace Alibaba Cloud account ID with your Alibaba Cloud account ID.
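Both FAQ policies above follow the same least-privilege pattern: ram:CreateServiceLinkedRole is granted on the account's roles only under a StringEquals condition on ram:ServiceName, so the RAM user can create service-linked roles for the named gateway service principals and nothing else. The script below is an added example, not code from the original page or from Alibaba Cloud. It builds that policy for a given account ID and set of service names (refusing the literal placeholder text), and separately lints an existing policy for CreateServiceLinkedRole grants that lack the ram:ServiceName scope. The service principal names come from the two FAQ policies; the account ID used in the usage line is a constructed sample value.

```python
import json
import re
from fnmatch import fnmatch
from typing import Iterable, List

# Service principals the page documents for the two FAQ policies.
KNOWN_SERVICE_NAMES = {
    "AliyunServiceRoleForNativeApiGw": "nativeapigw.aliyuncs.com",
    "AliyunServiceRoleForNativeApiGwInvokeFC": "invokefc.nativeapigw.aliyuncs.com",
}


def build_create_slr_policy(account_id: str, service_names: Iterable[str]) -> dict:
    """Policy letting a RAM user create service-linked roles only for the listed service principals."""
    # The page's template carries the placeholder text "Alibaba Cloud account ID"; a real
    # account ID is numeric, so anything else is rejected rather than emitted into the ARN.
    if not re.fullmatch(r"\d+", account_id):
        raise ValueError("account_id must be the numeric Alibaba Cloud account ID, not a placeholder")
    names = sorted(set(service_names))
    if not names:
        raise ValueError("at least one ram:ServiceName value is required to scope the grant")
    return {
        "Statement": [
            {
                "Action": ["ram:CreateServiceLinkedRole"],
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": names}},
            }
        ],
        "Version": "1",
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_create_slr(actions: List[str]) -> bool:
    """True if any action pattern (including wildcards such as 'ram:*') covers CreateServiceLinkedRole."""
    return any(fnmatch("ram:CreateServiceLinkedRole", pattern) for pattern in actions)


def find_unscoped_slr_grants(policy: dict) -> List[dict]:
    """Return Allow statements that grant ram:CreateServiceLinkedRole without a ram:ServiceName condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_create_slr(_as_list(stmt.get("Action"))):
            continue
        condition = stmt.get("Condition", {}) or {}
        # Any operator block (StringEquals, StringLike, ...) that keys on ram:ServiceName scopes the grant.
        scoped = any("ram:ServiceName" in block for block in condition.values() if isinstance(block, dict))
        if not scoped:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    sample_account_id = "1234567890123456"  # constructed sample value, not a real account
    policy = build_create_slr_policy(sample_account_id, KNOWN_SERVICE_NAMES.values())
    print(json.dumps(policy, indent=2))
    print("unscoped grants in generated policy:", len(find_unscoped_slr_grants(policy)))
```

A single scoped statement listing both service names replaces the two separate FAQ policies when one RAM user needs to trigger creation of both roles. The linter is the check to run over any custom policy that already grants ram:* or ram:CreateServiceLinkedRole: without the ram:ServiceName condition such a grant lets the user create service-linked roles for every service, which is more than the gateway needs.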
References
For more information about service-linked roles, see Service-linked roles.