The Elastic Compute Service (ECS) Network Connectivity Diagnostics feature allows you to check the network connectivity between diagnostic objects. Before you can use this feature to create a path and initiate a diagnostic task, you must grant ECS access permissions on the required resources. This topic describes how to grant these permissions to ECS by using AliyunServiceRoleForECSNetworkInsights, the service-linked role of ECS Network Connectivity Diagnostics.

Prerequisites

If you want to log on to the ECS console as a Resource Access Management (RAM) user to use ECS Network Connectivity Diagnostics, make sure that your Alibaba Cloud account has granted the RAM user the permissions required to manage the AliyunServiceRoleForECSNetworkInsights role. For more information, see Grant permissions to a RAM user.
The following custom policy grants a RAM user these permissions. It allows the RAM user to call ram:CreateServiceLinkedRole only for roles in your own account, and only when the service that the role is linked to is network-insights.ecs.aliyuncs.com. The RAM user therefore cannot use this grant to create service-linked roles for other services.
Note Replace <account ID> with the ID of your Alibaba Cloud account.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "network-insights.ecs.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Background information

A service-linked role is a role that is linked to a specific service and includes the permissions that the service requires to call other services. For example, the AliyunServiceRoleForECSNetworkInsights service-linked role includes the access permissions on virtual private cloud (VPC) resources that ECS Network Connectivity Diagnostics requires to create paths and initiate diagnostic tasks. For more information, see Service-linked roles.

Create the AliyunServiceRoleForECSNetworkInsights service-linked role

When you create a path and initiate a diagnostic task, the system checks whether the AliyunServiceRoleForECSNetworkInsights role exists. If the role does not exist, the system creates the role and attaches the AliyunServiceRolePolicyForECSNetworkInsights policy to it. ECS Network Connectivity Diagnostics assumes this role to obtain the permissions that the policy grants.

The policy attached to a service-linked role is predefined by the linked service. You cannot add, modify, or delete the policy. You can view the policies attached to a role and the policy details in the RAM console. For more information, see View the basic information about a RAM role and View the basic information about a policy. The following code shows the content of the AliyunServiceRolePolicyForECSNetworkInsights policy. Note that the first statement grants only read-only Describe operations on VPC and Anti-DDoS resources across the account, and the second statement lets the service delete its own service-linked role and is restricted by the ram:ServiceName condition to network-insights.ecs.aliyuncs.com:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeNetworkAcls",
                "vpc:DescribeNetworkAclAttributes",
                "vpc:DescribeNatGateways",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaceAttribute",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeVRouters",
                "antiddos-public:DescribeInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
                }
            }
        }
    ]
}
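Before you attach the RAM-user policy from the Prerequisites section, or when you review the AliyunServiceRolePolicyForECSNetworkInsights policy in the RAM console, it is useful to check that both policies have the least-privilege shape described on this page: service-linked-role management actions must be restricted by the ram:ServiceName condition to network-insights.ecs.aliyuncs.com, and every other allowed action must be a read-only Describe operation. The following Python script is an added example and is not part of the original page or of any Alibaba Cloud SDK. It embeds copies of the two policies shown above (with a constructed placeholder account ID) and a constructed, deliberately overbroad variant of the RAM-user policy that omits the condition, and runs the same audit over all three.

```python
import json

# Service that AliyunServiceRoleForECSNetworkInsights is linked to (from the page).
EXPECTED_SERVICE = "network-insights.ecs.aliyuncs.com"

# RAM-user policy from the Prerequisites section. The account ID is a constructed
# placeholder; replace it with your own Alibaba Cloud account ID.
RAM_USER_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["ram:CreateServiceLinkedRole"],
      "Resource": "acs:ram:*:1234567890123456:role/*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": ["network-insights.ecs.aliyuncs.com"]}}
    }
  ],
  "Version": "1"
}
""")

# AliyunServiceRolePolicyForECSNetworkInsights, as shown on the page.
SLR_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeNetworkAcls", "vpc:DescribeNetworkAclAttributes",
        "vpc:DescribeNatGateways", "vpc:DescribeRouteEntryList",
        "vpc:DescribeRouteTableList", "vpc:DescribeRouteTables",
        "vpc:DescribeRouterInterfaceAttribute", "vpc:DescribeRouterInterfaces",
        "vpc:DescribeVRouters", "antiddos-public:DescribeInstance"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"StringEquals": {"ram:ServiceName": "network-insights.ecs.aliyuncs.com"}}
    }
  ]
}
""")

# Constructed overbroad variant: the condition is missing, so the RAM user could
# create service-linked roles for any service, not only for network-insights.
BROAD_POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["ram:CreateServiceLinkedRole"], "Resource": "*", "Effect": "Allow"}
  ],
  "Version": "1"
}
""")

SLR_MANAGEMENT_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, expected_service=EXPECTED_SERVICE):
    """Return a list of findings. An empty list means every Allow statement is
    either a read-only Describe action or a service-linked-role management
    action restricted by ram:ServiceName to expected_service."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        service_names = _as_list(condition.get("ram:ServiceName", []))
        for action in _as_list(stmt.get("Action", [])):
            if action in SLR_MANAGEMENT_ACTIONS:
                if service_names != [expected_service]:
                    findings.append(
                        f"statement {idx}: {action} is not restricted by "
                        f"ram:ServiceName to {expected_service}")
            elif action.startswith("ram:") or action == "*":
                findings.append(f"statement {idx}: unexpected RAM or wildcard grant {action}")
            else:
                _service, _, operation = action.partition(":")
                if not operation.startswith("Describe"):
                    findings.append(f"statement {idx}: {action} is not a read-only action")
    return findings


if __name__ == "__main__":
    for name, policy in [("RAM user", RAM_USER_POLICY), ("SLR", SLR_POLICY), ("broad", BROAD_POLICY)]:
        print(name, audit_policy(policy) or "OK")
```

The two policies from the page produce no findings; the constructed variant without the condition is flagged. If you adapt the script to policies exported from your own account, treat any finding on a CreateServiceLinkedRole or DeleteServiceLinkedRole action as a scope problem to fix before attaching the policy.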

Delete the AliyunServiceRoleForECSNetworkInsights service-linked role

If the AliyunServiceRoleForECSNetworkInsights service-linked role in your account is no longer needed, you can manually delete the role. Deleting the role does not permanently disable the feature: the next time you create a path and initiate a diagnostic task, the system creates the role again.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. In the search box, enter AliyunServiceRoleForECSNetworkInsights.
    The AliyunServiceRoleForECSNetworkInsights role is displayed in the search result.
  4. In the Actions column, click Delete.
  5. Click OK.

For more information about how to delete a service-linked role, see the "Delete a service-linked role" section in Service-linked roles.