A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. An Express Connect router (ECR) uses a service-linked role to access your resources in other Alibaba Cloud services.
Background information
A service-linked role is a RAM role that is associated with an Alibaba Cloud service. An Alibaba Cloud service may need to access other services to implement a feature. In this case, the Alibaba Cloud service must be authorized to access other services. Service-linked roles simplify the authorization process and avoid user errors. For more information, see Service-linked roles.
Create the AliyunServiceRoleForECR service-linked role
When you associate a transit router (TR) with an ECR, the system automatically creates a service-linked role named AliyunServiceRoleForECR and attaches the AliyunServiceRoleForECR policy to the role. This policy allows the TR to create resources that the ECR requires. The following code shows the content of the policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cen:CreateTransitRouterEcrAttachment",
        "cen:DeleteTransitRouterEcrAttachment",
        "cen:DescribeGrantRulesToResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ecr.aliyuncs.com"
        }
      }
    }
  ]
}
View the service-linked role
After the service-linked role is created, you can view the information about the role by searching for AliyunServiceRoleForECR on the Roles page in the RAM console.
Basic Information
In the Basic Information section of the role details page, view the role's basic information, such as its name, creation time, ARN, and description.
Policies
On the Permissions tab of the role details page, click the policy name to view the policy content and the cloud resources that the role can access.
Trust Policy
The Trust Policy Management tab displays the trust policy, which defines the trusted entities that can assume the RAM role. For a service-linked role, the trusted entity is a cloud service, specified in the Service field of the policy.
For information about how to view the information about a service-linked role, see View the information about a RAM role.
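The policy and trust policy shown on the role details page can be compared with what this topic documents. The following check is an added example, not Alibaba Cloud code: the function names and both sample documents are constructed for illustration, and the trust policy layout (a Principal object with Service and RAM keys) is assumed to follow the standard RAM format.

```python
EXPECTED_ACTIONS = {          # actions listed in the policy in this topic
    "cen:CreateTransitRouterEcrAttachment",
    "cen:DeleteTransitRouterEcrAttachment",
    "cen:DescribeGrantRulesToResource",
    "ram:DeleteServiceLinkedRole",
}
ECR_SERVICE = "ecr.aliyuncs.com"

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Findings where Allow statements go beyond the documented policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action not in EXPECTED_ACTIONS:
                findings.append(f"unexpected action: {action}")
            elif action == "ram:DeleteServiceLinkedRole":
                cond = stmt.get("Condition", {}).get("StringEquals", {})
                if as_list(cond.get("ram:ServiceName")) != [ECR_SERVICE]:
                    findings.append("DeleteServiceLinkedRole is not limited to " + ECR_SERVICE)
    return findings

def audit_trust(trust_policy):
    """Findings for any trusted entity other than the ECR service."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        for kind, values in stmt.get("Principal", {}).items():
            for entity in as_list(values):
                if (kind, entity) != ("Service", ECR_SERVICE):
                    findings.append(f"unexpected trusted entity: {kind}={entity}")
    return findings

# Constructed inputs: a drifted permission policy and a widened trust policy.
DRIFTED_POLICY = {"Version": "1", "Statement": [
    {"Action": ["cen:CreateTransitRouterEcrAttachment", "cen:*"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
]}
WIDENED_TRUST = {"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": [ECR_SERVICE], "RAM": ["acs:ram::<account-id>:root"]}},
]}

if __name__ == "__main__":
    for finding in audit_policy(DRIFTED_POLICY) + audit_trust(WIDENED_TRUST):
        print(finding)
```

An empty result from both functions means the role still matches the policy and trusted service described in this topic.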
Delete the AliyunServiceRoleForECR service-linked role
The system does not automatically delete the AliyunServiceRoleForECR service-linked role. To delete the AliyunServiceRoleForECR service-linked role, first delete the ECR for which the role was created. For more information, see the following topics:
References
For more information about how to associate a TR with your ECR, see Associate with a TR.