This topic describes what a service-linked role is and how to create, delete, and monitor one.
Overview
A service-linked role (SLR) is a type of RAM role predefined by Alibaba Cloud to enable cross-service access. It has the following features:
-
Linked to a specific cloud service: An SLR is a special type of RAM role that is linked to a specific Alibaba Cloud service.
-
Assumed only by the linked service: An SLR can be assumed only by the Alibaba Cloud service to which it is linked. No other identity can use it.
-
Predefined by Alibaba Cloud: The role, its permissions, and its trust policy (which specifies the cloud service that can assume the role) are all predefined by the associated cloud service.
-
Maintenance-free: You do not need to manually configure or maintain an SLR.
For a list of cloud services that support service-linked roles, see Cloud services that support service-linked roles. You can click the links in the Related Documents section to view the SLR documentation for each cloud service.
Benefits
Without service-linked roles, you would need to manually create RAM roles and configure complex permission and trust policies whenever a cloud service needs to access another. This process is tedious and prone to misconfiguration, which can lead to service failures or security risks. Service-linked roles solve these problems:
-
Simplifies cross-service authorization on Alibaba Cloud. For example, Cloud Config needs permission to read your cloud resource information, such as resource lists and configurations, to generate compliance reports. This requires access to other cloud services like ECS and RDS. By creating and assuming a service-linked role, Cloud Config obtains the required permissions to operate.
-
Reduces configuration complexity and operational risk. The permission policy of a service-linked role is predefined by the associated cloud service, ensuring that the service receives only the minimum permissions required to complete its tasks. This eliminates the need for manual permission configuration, which enhances security and ensures operational stability.
How it works
The following example using Cloud Config explains how service-linked roles work:
-
Alibaba Cloud predefines the service-linked role: Alibaba Cloud predefines a service-linked role for Cloud Config, named
AliyunServiceRoleForConfig. This role includes:-
A trust policy that allows only
config.aliyuncs.comto assume the role, ensuring that only the Cloud Config service can use it. -
A permission policy that grants permissions to read resource information from cloud services such as ECS and RDS.
-
-
Cloud Config assumes the role: When Cloud Config needs to read your cloud resource information to generate a compliance report, it assumes its service-linked role to obtain temporary security credentials.
-
Cloud Config accesses other cloud services: Cloud Config uses the identity and permissions of the service-linked role to securely access other cloud services like ECS and RDS to read resource lists and configurations.
-
Completes the task: After obtaining the required cloud resource information, Cloud Config generates the compliance report.
This way, Cloud Config can securely and conveniently access other services without requiring you to manually configure complex permission policies.
Service-linked roles vs. service roles
Similar to service roles, service-linked roles are assumed by a cloud service and grant the service the necessary permissions. However, they are fundamentally different in how they are used:
|
Item |
Service-linked role (SLR) |
Service role |
|
Creation method |
Usually created automatically by an Alibaba Cloud service. |
Usually created manually by an administrator. |
|
Maintenance method |
Usually maintained automatically by an Alibaba Cloud service. You cannot modify an SLR. |
Usually maintained manually by an administrator. You can modify a service role. |
|
Deletion condition |
You can delete the SLR only after ensuring it is not used by any cloud resources. |
An administrator can delete the role at any time. |
|
Permission policy |
Predefined. It cannot be modified, and you cannot attach or detach permission policies. |
Customized by an administrator. You can attach or detach permission policies. |
|
Trust policy |
Predefined. It cannot be modified. It trusts only its specific linked Alibaba Cloud service. |
Customized by an administrator. The trust policy can be modified. |
Required permissions
Managing a service-linked role is limited to creating or deleting it. You cannot modify an SLR or its associated permission and trust policies.
A RAM user needs specific permissions to create or delete a service-linked role. These permissions are typically included in the administrator permission policy for the corresponding cloud service, such as AliyunResourceDirectoryFullAccess. If a RAM user has administrator permissions for a cloud service, they can usually create an SLR for that service.
You can also create a custom policy to grant a RAM user permissions to manage SLRs for a specific service. The value for ram:ServiceName can be obtained from the Cloud Service Identifier column in Cloud services that support service-linked roles.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole",
"ram:DeleteServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "resourcemanager.aliyuncs.com"
}
}
}
]
}
Creating a service-linked role
-
Created by a cloud service: In most cases, a cloud service automatically creates a service-linked role when you perform a specific action, such as creating a cloud resource or enabling a feature. Alternatively, the service may prompt an administrator for authorization to create the role. For details about automatic SLR creation, see the documentation for the corresponding cloud service in Cloud services that support service-linked roles.
-
Created manually: You can also create a service-linked role manually. For instructions, see Create a service-linked role.
Service-linked roles consume your RAM role quota. If you reach the quota for RAM roles, you can still create service-linked roles, but you cannot create other types of roles. For more information about quotas, see Usage notes.
Deleting a service-linked role
-
Deleted by a cloud service: A cloud service automatically deletes its associated service-linked role when you perform a specific action, such as deleting all related resources or disabling a feature.
-
Deleted manually: You can also delete a service-linked role manually. For instructions, see Delete a RAM role. Before you manually delete an SLR, Resource Access Management (RAM) checks whether the role is still in use by any cloud resources:
-
If the role is not in use, the deletion is successful.
-
If the role is still in use, the deletion fails. The error message shows which cloud resources are using the role. You must remove these resources before you can delete the role. Deletion conditions for SLRs vary by cloud service. For details, see the documentation for the specific cloud service in Cloud services that support service-linked roles.
-
Incorrectly deleting a service-linked role may cause features in the associated Alibaba Cloud service to fail. Before you delete an SLR, confirm that you no longer use the related features or have removed all dependent resources.
Assuming a service-linked role
A service-linked role can be assumed only by its linked cloud service. Other identities, such as RAM users or other RAM roles, cannot assume the SLR.
Viewing the trusted service
You can find which cloud service can assume a service-linked role by checking the Service field on the Trust Policy tab of the role. For example, the trust policy for the AliyunServiceRoleForConfig role allows only the config.aliyuncs.com service to assume it.
Monitoring service-linked roles
You can use ActionTrail to audit the lifecycle and usage of service-linked roles.
-
Query by event name:
-
CreateServiceLinkedRole: Query for events related to the creation of service-linked roles. -
DeleteServiceLinkedRole: Query for events related to the deletion of service-linked roles. -
AssumeRole: Find events where a cloud service assumed a service-linked role. In the event details, theuserIdentitysection contains the cloud service name, and therequestParameterssection contains the ARN of the assumed SLR. For example:{ ... "requestParameters": { ... "RoleArn": "acs:ram::ACCOUNT_ID:role/aliyunservicerolefortag", "RoleSessionName": "tag_operate", }, ... "userIdentity": { ... "principalId": "tag.aliyuncs.com", "userName": "tag.aliyuncs.com" }, "eventName": "AssumeRole" }
-
-
Query by event type:
Set the event type to AliyunServiceEvent and filter by Operator Name using a specific service-linked role name. This allows you to query the operations performed by that SLR.
FAQ
Broad permissions and security risks
-
The permission policy of a service-linked role is predefined by Alibaba Cloud and follows the principle of least privilege. It is designed to ensure that the linked service can function correctly.
-
The trust policy of a service-linked role strictly limits its use to the corresponding Alibaba Cloud service. No other identity can assume the role, which ensures its security.
-
If you have concerns about the permissions of a specific SLR, you can learn more by:
-
Reviewing the SLR documentation for the corresponding cloud service.
-
Contacting the support team for the corresponding cloud service.
-
Finding an SLR in the RAM console
The name of a service-linked role always starts with the prefix AliyunServiceRoleFor, followed by the cloud service identifier, such as AliyunServiceRoleForConfig. When searching, you must enter the full role name or the prefix (AliyunServiceRoleFor) to find the corresponding service-linked role.
You can find a service-linked role in the RAM console in one of two ways:
-
Go to the
Identities >Roles page, enter the role name in the search box, and check if the SLR exists in therole list . On the role details page, the role type is displayed as Service-linked role, and its permission policy is predefined by the system and cannot be modified. -
Go to the
Permissions >Grants page, search for the role name, and view the authorization records for the SLR.
If you cannot find the role, the SLR for the corresponding cloud service may not have been created. An SLR is typically created automatically the first time you use the associated cloud service. If you have never enabled a service, its SLR will not exist. You can log on to the AliyunServiceRoleFor to see all SLRs that have been created in your account.
Why deletion fails
This is because the role is still being used by one or more cloud resources. You must first remove these dependent resources before you can delete the role. For details, see the Delete a service-linked role section in this topic.