This topic describes the AliyunServiceRoleForECI service-linked role for Elastic Container Instance and how to delete the service-linked role.

Background information

AliyunServiceRoleForECI is the service-linked role for Elastic Container Instance. This role is a Resource Access Management (RAM) role that is defined for Elastic Container Instance to access other Alibaba Cloud services in specific scenarios. For more information about service-linked roles, see Service-linked roles.

AliyunServiceRoleForECI scenarios

When you create an elastic container instance or an image cache, if Elastic Container Instance needs to access resources of Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Container Registry (ACR), Log Service (SLS), or Server Load Balancer (SLB), you can use the automatically created AliyunServiceRoleForECI role to obtain the access permissions.

AliyunServiceRoleForECI permissions

The permission policy attached to the AliyunServiceRoleForECI role is AliyunServiceRolePolicyForECI, which contains the following access permissions on cloud services:
{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeSecurityGroups"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:AllocateEipAddress",
                "vpc:ReleaseEipAddress",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:TagResources"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "cr:Get*",
                "cr:List*",
                "cr:PullRepository"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "log:CreateProject",
                "log:GetProject",
                "log:CreateLogStore",
                "log:GetLogStore",
                "log:CreateMachineGroup",
                "log:CreateConfig",
                "log:GetConfig",
                "log:ApplyConfigToGroup",
                "log:GetAppliedConfigs",
                "log:CreateIndex",
                "log:TagResources"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":[
                "slb:DescribeLoadBalancers",
                "slb:RemoveBackendServers"
            ],
            "Resource":"*",
            "Effect":"Allow"
        },
        {
            "Action":"ram:DeleteServiceLinkedRole",
            "Resource":"*",
            "Effect":"Allow",
            "Condition":{
                "StringEquals":{
                    "ram:ServiceName":"eci.aliyuncs.com"
                }
            }
        }
    ]
}
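
The following Python helper is an added example, not part of the original documentation. It loads the policy shown above, groups its allowed actions by service, and flags wildcard actions and write-type actions granted on Resource "*" without a Condition. The read/write split by action-name prefix (Describe, Get, List, Pull) is an assumption of this example, and the function and key names are hypothetical.

```python
import json
from collections import defaultdict

# The policy from this page, compacted to one statement per line.
POLICY = json.loads("""{"Version":"1","Statement":[
{"Action":["ecs:CreateNetworkInterfacePermission","ecs:DeleteNetworkInterfacePermission","ecs:CreateNetworkInterface","ecs:DescribeNetworkInterfaces","ecs:AttachNetworkInterface","ecs:DetachNetworkInterface","ecs:DeleteNetworkInterface","ecs:DescribeSecurityGroups"],"Resource":"*","Effect":"Allow"},
{"Action":["vpc:DescribeVSwitches","vpc:DescribeVpcs","vpc:AssociateEipAddress","vpc:UnassociateEipAddress","vpc:DescribeEipAddresses","vpc:AllocateEipAddress","vpc:ReleaseEipAddress","vpc:AddCommonBandwidthPackageIp","vpc:RemoveCommonBandwidthPackageIp","vpc:TagResources"],"Resource":"*","Effect":"Allow"},
{"Action":["cr:Get*","cr:List*","cr:PullRepository"],"Resource":"*","Effect":"Allow"},
{"Action":["log:CreateProject","log:GetProject","log:CreateLogStore","log:GetLogStore","log:CreateMachineGroup","log:CreateConfig","log:GetConfig","log:ApplyConfigToGroup","log:GetAppliedConfigs","log:CreateIndex","log:TagResources"],"Resource":"*","Effect":"Allow"},
{"Action":["slb:DescribeLoadBalancers","slb:RemoveBackendServers"],"Resource":"*","Effect":"Allow"},
{"Action":"ram:DeleteServiceLinkedRole","Resource":"*","Effect":"Allow","Condition":{"StringEquals":{"ram:ServiceName":"eci.aliyuncs.com"}}}
]}""")

# Assumption: names starting with these verbs only read data; all others change state.
READ_PREFIXES = ("Describe", "Get", "List", "Pull")


def as_list(value):
    """Action and Resource may be a bare string (as in the ram statement) or a list."""
    return [value] if isinstance(value, str) else list(value)


def review(policy):
    """Group allowed actions by service and flag the ones worth a closer look."""
    report = defaultdict(
        lambda: {"read": [], "write": [], "wildcard": [], "unscoped_write": []}
    )
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            entry = report[service]
            kind = "read" if name.startswith(READ_PREFIXES) else "write"
            entry[kind].append(action)
            if "*" in name:
                entry["wildcard"].append(action)
            # Write action, any resource, no Condition narrowing it.
            if kind == "write" and any_resource and "Condition" not in stmt:
                entry["unscoped_write"].append(action)
    return dict(report)


if __name__ == "__main__":
    for service, entry in review(POLICY).items():
        print(service, {k: len(v) for k, v in entry.items()})
```
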

Delete AliyunServiceRoleForECI

To delete the AliyunServiceRoleForECI service-linked role, you must first delete the Elastic Container Instance resources related to the role, such as elastic container instances and image caches, by using the Elastic Container Instance console or by calling API operations. After the related elastic container instances and image caches are deleted, you can delete AliyunServiceRoleForECI. For more information, see Delete a RAM role.