The Elastic Compute Service (ECS) Network Connectivity Diagnostics feature allows you to check the network connectivity between diagnostic objects. Before you can use this feature to create a path and initiate a diagnostic task, you must grant access permissions on required resources to ECS. This topic describes how to use the AliyunServiceRoleForECSNetworkInsights role to grant permissions to ECS. AliyunServiceRoleForECSNetworkInsights is the service-linked role of ECS Network Connectivity Diagnostics.
Prerequisites
The identity that creates a path and initiates a diagnostic task must be allowed to create the service-linked role. The following policy grants exactly that permission; the ram:ServiceName condition limits it to the ECS Network Connectivity Diagnostics service, so the holder cannot create service-linked roles for other services:
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:<account ID>:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "network-insights.ecs.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
Background information
A service-linked role is a role that is linked to a service, and includes the permissions required to call other services. For example, the AliyunServiceRoleForECSNetworkInsights service-linked role includes the access permissions on virtual private cloud (VPC) resources that are required for ECS Network Connectivity Diagnostics to create paths and initiate diagnostic tasks. For more information, see Service-linked roles.
Create the AliyunServiceRoleForECSNetworkInsights service-linked role
When you create a path and initiate a diagnostic task, the system checks whether the AliyunServiceRoleForECSNetworkInsights role exists and creates it if it does not. The AliyunServiceRolePolicyForECSNetworkInsights policy is attached to the role; ECS assumes the role to obtain the permissions that the policy grants. The policy document is as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeNetworkAcls",
        "vpc:DescribeNetworkAclAttributes",
        "vpc:DescribeNatGateways",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouterInterfaceAttribute",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeVRouters",
        "antiddos-public:DescribeInstance"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
        }
      }
    }
  ]
}
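Both policies on this page rely on the ram:ServiceName condition to keep the service-linked-role actions scoped to network-insights.ecs.aliyuncs.com. The following added example (not Alibaba Cloud's code) is a small static check that reads a RAM policy document and reports any Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole (or a wildcard covering them) without that condition, or with a different service; the sample policies are constructed here, with the second one deliberately lacking the condition.

```python
import json

# Service principal from this page; ram:ServiceName must pin
# service-linked-role actions to exactly this value.
EXPECTED_SERVICE = "network-insights.ecs.aliyuncs.com"
LINKED_ROLE_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}
WILDCARD_ACTIONS = {"*", "ram:*"}


def _as_list(value):
    # RAM policies accept a single string or a list for these fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_service_linked_role_policy(policy_json, expected_service=EXPECTED_SERVICE):
    """Return findings for Allow statements that grant service-linked-role
    actions without pinning ram:ServiceName to expected_service."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        risky = [a for a in actions if a in LINKED_ROLE_ACTIONS or a in WILDCARD_ACTIONS]
        if not risky:
            continue
        services = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if not services:
            findings.append(f"statement {idx}: {risky} allowed with no ram:ServiceName condition")
        elif set(services) != {expected_service}:
            findings.append(f"statement {idx}: ram:ServiceName is {services}, expected only {expected_service}")
    return findings


# Constructed sample: the scoped prerequisite policy from this page.
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:<account ID>:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [EXPECTED_SERVICE]}},
}]})

# Constructed sample: the same grant with the condition dropped, which would
# let the holder create service-linked roles for any service.
UNSCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
]})
```

Running the check over the scoped policy returns no findings; over the unscoped one it returns a single finding naming the missing condition.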
Delete the AliyunServiceRoleForECSNetworkInsights service-linked role
If the AliyunServiceRoleForECSNetworkInsights service-linked role within your account is no longer needed, you can manually delete the role.
For more information about how to delete a service-linked role, see the "Delete a service-linked role" section in Service-linked roles.