Before using secure access service edge (SASE) for the first time, you must grant it access to your cloud resources. This topic explains how.
Prerequisites
- You have activated SASE.
- You are using an Alibaba Cloud account or a RAM user that has permissions to create and delete service-linked roles.
Background information
When you use SASE for the first time, Alibaba Cloud automatically creates a service-linked role named AliyunServiceRoleForCsas. This role authorizes SASE to access other related Alibaba Cloud services on your behalf. You do not need to manually create or modify this service-linked role. For more information, see Service-linked roles.
Procedure
- Log on to the Secure Access Service Edge console.
- In the Welcome to SASE dialog box, click Confirm Authorization.
After you activate SASE, the console guides you through creating the service-linked role the first time you log on.
When you click Confirm Creation, Alibaba Cloud automatically creates the service-linked role AliyunServiceRoleForCsas for SASE. You can view the role that was created for SASE on the Roles page of the RAM console. Your SASE instance can access the resources of cloud services such as IDaaS and SAG only after the service-linked role has been created.
SASE service-linked role
The following describes the role that is associated with SASE:
- Role name: AliyunServiceRoleForCsas
- Policy name: AliyunServiceRolePolicyForCsas
  Note: This is a system policy. You cannot change the policy name or its content.
- Policy example:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:RevokeSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:ModifySecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeGlobalDistributeCache",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeSecurityGroupConfiguration",
        "kvstore:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps",
        "dds:DescribeSecurityGroupConfiguration",
        "dds:ModifySecurityGroupConfiguration"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeZones",
        "vpc:DescribePhysicalConnections",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeVpnGateway",
        "vpc:DescribeCustomerGateways",
        "vpc:DescribeVpnConnections",
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteEntryList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:GrantInstanceToCen",
        "cen:RevokeInstanceFromCen"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "smartag:CreateSmartAGTrafficService",
        "smartag:UpdateSmartAGTrafficService",
        "smartag:DeleteSmartAGTrafficSerivce",
        "smartag:ListSmartAGTrafficService",
        "smartag:DescribeSmartAccessGateways",
        "smartag:DescribeCloudConnectNetworks",
        "smartag:CreateCloudConnectNetwork",
        "smartag:ModifyCloudConnectNetwork",
        "smartag:DeleteCloudConnectNetwork",
        "smartag:CreateSmartAccessGatewaySoftware",
        "smartag:UpgradeSmartAccessGatewaySoftware",
        "smartag:DowngradeSmartAccessGatewaySoftware",
        "smartag:BindSmartAccessGateway",
        "smartag:UnbindSmartAccessGateway"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:GetProject",
        "log:ListProject",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:CreateProject",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:ClearLogStoreStorage",
        "log:UpdateLogStore",
        "log:UpdateDashboard",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteLogStore",
        "log:DeleteSavedSearch",
        "log:GetSavedSearch",
        "log:ListSavedSearch",
        "log:DeleteDashboard",
        "log:GetDashboard",
        "log:ListDashboard"
      ],
      "Resource": "acs:log:*:*:project/csas-project-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZoneRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "csas.aliyuncs.com"
        }
      }
    }
  ]
}
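A service-linked role policy like the one above is worth reviewing for least privilege before you accept it: which services does it touch, which actions mutate state, and are the mutating actions scoped by resource or condition? The following script is an added example (not Alibaba Cloud's own tooling) that parses a RAM policy document and groups its Allow actions this way. The embedded policy is a constructed subset of AliyunServiceRolePolicyForCsas; the verb prefixes treated as read-only (Describe, Get, List) are an assumption made for this review, not a property of the RAM policy language.

```python
"""Least-privilege review of a RAM policy document (added example)."""
import json
from collections import defaultdict

# Constructed subset of the SASE service-linked role policy shown above.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                       "ecs:DeleteSecurityGroup", "ecs:AuthorizeSecurityGroup"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": ["log:PostLogStoreLogs", "log:CreateLogStore", "log:DeleteLogStore"],
            "Resource": "acs:log:*:*:project/csas-project-*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "csas.aliyuncs.com"}},
        },
    ],
})

# Assumption for this review: actions whose verb starts with one of these are read-only.
READ_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """RAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Group Allow actions by service and by how the mutating ones are scoped.

    Returns a dict with:
      services          - {service: {"read": n, "write": n}}
      unscoped_write    - mutating actions on Resource "*" with no Condition
      conditioned_write - mutating actions on Resource "*" but gated by a Condition
      scoped_write      - mutating actions limited to a non-wildcard Resource
    """
    policy = json.loads(policy_json)
    findings = {
        "services": defaultdict(lambda: {"read": 0, "write": 0}),
        "unscoped_write": [],
        "conditioned_write": [],
        "scoped_write": [],
    }
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant anything
        wildcard = "*" in _as_list(stmt["Resource"])
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            is_read = verb.startswith(READ_VERBS)
            findings["services"][service]["read" if is_read else "write"] += 1
            if is_read:
                continue
            if not wildcard:
                findings["scoped_write"].append(action)
            elif conditioned:
                findings["conditioned_write"].append(action)
            else:
                findings["unscoped_write"].append(action)
    findings["services"] = dict(findings["services"])
    return findings


if __name__ == "__main__":
    # Paste the full policy from the page in place of SAMPLE_POLICY to review it.
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

On the sample, the ECS security-group actions show up as unscoped writes (wildcard resource, no condition), the Log Service actions are scoped to projects named csas-project-*, and ram:DeleteServiceLinkedRole is a wildcard-resource write that is gated by the ram:ServiceName condition. Since the policy is a system policy you cannot change, the output is input for your own risk assessment rather than something to edit.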
FAQ
Why can't I automatically create the SASE service-linked role when I use a RAM user?
A RAM user must have specific permissions to automatically create or delete service-linked roles. You must attach the following policy to the RAM user:
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "csas.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
For instructions, see Grant permissions to a RAM role.
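The policy above is deliberately narrow: it allows ram:CreateServiceLinkedRole only on roles in your own account and only when the service requesting the role is csas.aliyuncs.com. The following added example (not Alibaba Cloud's RAM engine) is a small evaluator for the subset of the RAM policy language the policy uses (Action, Resource, Effect, StringEquals conditions and * wildcards), so you can see which requests it admits and which it rejects before attaching it to a RAM user. The account ID 123456789012 is a constructed placeholder.

```python
"""Evaluate a RAM user policy against a request (added example, simplified model)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account

# The RAM user policy from the FAQ, with the placeholder account ID filled in.
USER_POLICY = json.dumps({
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["csas.aliyuncs.com"]}},
        }
    ],
    "Version": "1",
})

# Role ARN that the SASE authorization flow would create (region part is literally "*").
SASE_ROLE_ARN = f"acs:ram:*:{ACCOUNT_ID}:role/AliyunServiceRoleForCsas"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive glob match, as used for Action and Resource wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every listed key must equal one of its values."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True


def is_allowed(policy_json, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    cases = [
        ("csas requests the SASE role", "ram:CreateServiceLinkedRole", SASE_ROLE_ARN,
         {"ram:ServiceName": "csas.aliyuncs.com"}),
        ("another service requests a role", "ram:CreateServiceLinkedRole", SASE_ROLE_ARN,
         {"ram:ServiceName": "ecs.aliyuncs.com"}),
        ("deleting the role", "ram:DeleteServiceLinkedRole", SASE_ROLE_ARN,
         {"ram:ServiceName": "csas.aliyuncs.com"}),
    ]
    for label, action, resource, ctx in cases:
        print(f"{label}: {is_allowed(USER_POLICY, action, resource, ctx)}")
```

Deleting the role is not covered by this policy, which is why the prerequisites ask for a principal with permissions to both create and delete service-linked roles; a RAM user that must also be able to remove the role needs a corresponding ram:DeleteServiceLinkedRole statement with the same ram:ServiceName condition.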