Service-linked role

更新时间:
复制 MD 格式

A service-linked role is a Resource Access Management (RAM) role with a fixed trusted entity — an Alibaba Cloud service. Simple Application Server assumes the service-linked role AliyunServiceRoleForSwas to access related cloud resources, such as virtual private clouds (VPCs).

RAM provides a system policy for each service-linked role. You cannot modify the system policy. To view the policy document, go to the role's details page in the RAM console. For details, see AliyunSWASFullAccess.

When the role is created

The first time you use the service interconnection feature to connect Simple Application Server with another Alibaba Cloud product — such as Elastic Compute Service (ECS) and ApsaraDB — in a VPC, Simple Application Server automatically creates the service-linked role AliyunServiceRoleForSwas. This role grants Simple Application Server access to VPCs and related resources.

RAM user permissions

To create or delete a service-linked role as a RAM user, ask an administrator to grant you either of the following:

  • Option 1: The AliyunSWASFullAccess policy, which covers both create and delete operations.

  • Option 2: A custom policy with the following actions in the Action statement:

    • Create: ram:CreateServiceLinkedRole

    • Delete: ram:DeleteServiceLinkedRole

For instructions on granting permissions, see Permissions required to create and delete a service-linked role.

Create a service-linked role

When you first use the service interconnection feature, the system checks whether AliyunServiceRoleForSwas exists in your account. If it does not, authorize the system to create it automatically. For instructions, see Manage service interconnection.

View a service-linked role

  1. Go to the Roles page in the RAM console.

  2. Search for AliyunServiceRoleForSwas.

  3. Click the role name to open its details page, where you can view:

    • Basic Information — role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

    • Permission Management tab — click an access policy name to see the policy document and the cloud resources the role can access.

    • Trust Policy tab — the trusted entity that can assume this role. For a service-linked role, the trusted entity is an Alibaba Cloud service, shown in the Service field.

For more details, see View a RAM role.

Delete a service-linked role

Important

After you delete a service-linked role, features that depend on the role no longer function correctly. Delete the role with caution.