Service-linked role


This topic describes the service-linked role AliyunServiceRoleForCCIoT of Cloud Connector (CC) and how to delete the service-linked role.

Background information

A service-linked role is a Resource Access Management (RAM) role that can be assumed only by the linked Alibaba Cloud service. A service may need to access other services to provide a specific feature, and it must be authorized to do so before it can access them. Service-linked roles simplify this authorization and avoid user errors such as over-broad or missing permissions. For more information, see Service-linked roles.

Create AliyunServiceRoleForCCIoT

When you create a CC instance and the service-linked role does not yet exist in your account, the system automatically creates the service-linked role AliyunServiceRoleForCCIoT and attaches the permission policy AliyunServiceRolePolicyForCCIoT to it. This allows CC to access the VPC, ECS and RAM resources it needs on your behalf. The policy document is as follows:

{
    "Version": "1",
    "Statement": [{
            "Action": [
                "vpc:CreateVpc",
                "vpc:DescribeVpcs",
                "vpc:DeleteVpc",
                "vpc:CreateVSwitch",
                "vpc:DescribeVSwitches",
                "vpc:DeleteVSwitch",
                "vpc:DescribeRegions",
                "vpc:AllocateEipAddress",
                "vpc:ModifyEipAddressAttribute",
                "vpc:ReleaseEipAddress",
                "vpc:CreateNatGateway",
                "vpc:DescribeNatGateways",
                "vpc:DescribeSnatTableEntries",
                "vpc:DeleteSnatEntry",
                "vpc:DescribeForwardTableEntries",
                "vpc:DeleteForwardEntry",
                "vpc:DeleteNatGateway",
                "vpc:CreateSnatEntry",
                "vpc:DeleteNatGateway",
                "vpc:ModifySnatEntry",
                "vpc:AssociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:UnassociateEipAddress",
                "vpc:CreateCommonBandwidthPackage",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:CreateRouteTable",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouteTableList",
                "vpc:DeleteRouteTable",
                "vpc:CreateRouteEntry",
                "vpc:DescribeRouteEntryList",
                "vpc:DeleteRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:CreateSecurityGroupPermission",
                "ecs:AuthorizeSecurityGroupPermission",
                "ecs:RevokeSecurityGroupPermission",
                "ecs:JoinSecurityGroupPermission",
                "ecs:DeleteSecurityGroupPermission",
                "ecs:LeaveSecurityGroupPermission",
                "ecs:DescribeSecurityGroupPermissions",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:CreateNetworkInterface",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:AttachNetworkInterfacePermissions",
                "ecs:DetachNetworkInterfacePermissions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "uisplus.aliyuncs.com"
                }
            }
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "cciot.aliyuncs.com"
                }
            }
        }
    ]
}

Delete AliyunServiceRoleForCCIoT

To delete AliyunServiceRoleForCCIoT, you must first delete your CC instance. For more information, see:
  1. Delete the CC instance
  2. Delete a service-linked role

FAQ

Why is the service-linked role AliyunServiceRoleForCCIoT not automatically created for a RAM user?

The service-linked role AliyunServiceRoleForCCIoT is automatically created or deleted only when the RAM user that creates or deletes the CC instance has the required permissions. If the service-linked role AliyunServiceRoleForCCIoT is not automatically created, attach the following policy to the RAM user. The Condition element limits the RAM user to creating service-linked roles for the CC service only (ram:ServiceName equals cciot.aliyuncs.com), not service-linked roles for arbitrary services:

{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cciot.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
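To check what the two policies above actually grant before you attach them, the following added example (not part of this page or of Alibaba Cloud's tooling) models RAM's StringEquals condition evaluation. It takes a constructed excerpt of AliyunServiceRolePolicyForCCIoT (its two ram:* statements) and the FAQ's RAM user policy, answers whether a given action is allowed for a given ram:ServiceName, and lists which service names each *ServiceLinkedRole action is bound to; Resource is not evaluated because every statement on this page uses "*".

```python
import json

# Constructed excerpts in the same JSON shape as the policies on this page.
# Only the StringEquals operator is modelled, since that is all these policies
# use; real RAM policies may also carry wildcards and other condition operators.
ROLE_POLICY_EXCERPT = json.loads("""{"Version": "1", "Statement": [
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "uisplus.aliyuncs.com"}}},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "cciot.aliyuncs.com"}}}]}""")

RAM_USER_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "cciot.aliyuncs.com"}}}]}""")

def _as_list(value):
    """RAM lets Action and condition values be either a string or a list."""
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """Every StringEquals key in the statement must match the request context."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def linked_role_scopes(policy):
    """Audit view: the ram:ServiceName values each *ServiceLinkedRole action is
    bound to. An action mapped to '*' has no condition and deserves review."""
    scopes = {}
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            if action.startswith("ram:") and action.endswith("ServiceLinkedRole"):
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                scopes.setdefault(action, set()).update(_as_list(cond.get("ram:ServiceName", "*")))
    return scopes
```

Running linked_role_scopes against the full policy from this page gives the same two entries as the excerpt, which is the quick way to confirm that neither ram:* action is unconditioned.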