A service-linked role (SLR) is a RAM role that an Alibaba Cloud service can assume. CloudBox uses SLRs to access other Alibaba Cloud services and resources. This topic describes the service-linked roles for CloudBox.
Resource Access Management (RAM) provides a system policy for each service-linked role. This policy cannot be modified. You can view the details of the system policy on the details page of the specific service-linked role. For more information, see System policy reference.
Permissions required for a RAM user to use service-linked roles
To create or delete a service-linked role as a RAM user, contact an administrator to grant administrative permissions (AliyunXXXFullAccess) to the RAM user, or add the following permissions for the RAM user in the Action statement of a custom policy:
Create a service-linked role:
ram:CreateServiceLinkedRoleDelete a service-linked role:
ram:DeleteServiceLinkedRole
For more information about granting permissions, see Permissions required to manage a service-linked role.
Create a service-linked role
The system automatically creates a service-linked role in the following scenario:
When you query the distribution of ECS instances on the CloudBox product page, the AliyunServiceRoleForCloudBoxEcsResource service-linked role is automatically created to allow CloudBox to access resources in other cloud products. For more information, see View compute resources.
View a service-linked role
After the service-linked role is created, you can go to the Roles page of the RAM console. Search for AliyunServiceRoleForCloudBoxEcsResource to view the following information about the role:
Basic information
On the details page of the AliyunServiceRoleForCloudBoxEcsResource role, in the Basic Information section, you can view the basic information about the role. This includes the role name, creation time, ARN, and description.
Access policy
On the Permission Management tab of the AliyunServiceRoleForCloudBoxEcsResource role details page, click the policy name to view the policy document and the cloud resources that the role can access.
Trust policy
On the details page of the AliyunServiceRoleForCloudBoxEcsResource role, you can view the trust policy on the Trust Policy tab. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity for a service-linked role is an Alibaba Cloud service, which is specified in the
Servicefield of the trust policy.
For more information about viewing a service-linked role, see View a RAM role.
Delete a service-linked role
After you delete a service-linked role, features that depend on the role will no longer work. Delete the role with caution.
If you no longer use CloudBox for an extended period, you can manually delete the service-linked role in the RAM console.
For more information, see Delete a RAM role.