
Elastic Container Instance: AliyunServiceRoleForECIVnode

Last Updated: Mar 08, 2024

This topic describes the AliyunServiceRoleForECIVnode service-linked role that can be used to perform operations on virtual nodes and how to delete the service-linked role.

Background information

The AliyunServiceRoleForECIVnode service-linked role for virtual nodes is a RAM role provided by Elastic Container Instance. After you are assigned the service-linked role, you can assume the role to access other Alibaba Cloud services and implement virtual node-related features. For more information about service-linked roles, see Service-linked roles.

Scenarios

When you create a virtual node, the system accesses resources of Elastic Container Instance, Elastic Compute Service (ECS), and Virtual Private Cloud (VPC). In this scenario, you can use the automatically created service-linked role AliyunServiceRoleForECIVnode to grant access permissions.

Permission description

The policy attached to the AliyunServiceRoleForECIVnode service-linked role is AliyunServiceRolePolicyForECIVnode. The policy contains the following access permissions on cloud services.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "eci:CreateContainerGroup",
                "eci:CreateContainerGroupFromTemplate",
                "eci:UpdateContainerGroup",
                "eci:UpdateContainerGroupByTemplate",
                "eci:RestartContainerGroup",
                "eci:DeleteContainerGroup",
                "eci:DescribeContainerGroups",
                "eci:ExportContainerGroupTemplate",
                "eci:ExecContainerCommand",
                "eci:CreateImageCache",
                "eci:DeleteImageCache",
                "eci:UpdateImageCache",
                "eci:DescribeImageCaches",
                "eci:DescribeContainerGroupMetric",
                "eci:DescribeMultiContainerGroupMetric",
                "eci:DescribeContainerLog",
                "eci:DescribeContainerGroupPrice",
                "eci:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs",
                "vpc:DescribeEipAddresses"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "vnode.eci.aliyuncs.com"
                }
            }
        }
    ]
}
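
The following is an added example, not Alibaba Cloud's code: it splits the policy above into read-only and state-changing actions and flags statements that allow writes on every resource with no Condition. The read-only prefix list is a naming heuristic assumed here, and `audit` and `allow` are hypothetical helper names.

```python
"""Split a RAM policy's Allow grants into read-only vs. mutating actions."""

# Assumption: action names starting with these verbs do not change state.
READ_PREFIXES = ("Describe", "List", "Get", "Export")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return one finding per Allow statement, in policy order."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        mutating = sorted(a for a in actions
                          if not a.split(":", 1)[1].startswith(READ_PREFIXES))
        wildcard = "*" in _as_list(stmt["Resource"])
        findings.append({
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "mutating": mutating,
            # Write access to every resource with no Condition narrowing it.
            "unscoped_write": bool(mutating) and wildcard and "Condition" not in stmt,
        })
    return findings

def allow(service, names, **extra):
    """Build one Allow statement on Resource "*" (helper for the sample below)."""
    return {"Action": [f"{service}:{n}" for n in names.split()],
            "Resource": "*", "Effect": "Allow", **extra}

# AliyunServiceRolePolicyForECIVnode as listed on this page, condensed.
POLICY = {"Version": "1", "Statement": [
    allow("eci", "CreateContainerGroup CreateContainerGroupFromTemplate "
                 "UpdateContainerGroup UpdateContainerGroupByTemplate "
                 "RestartContainerGroup DeleteContainerGroup DescribeContainerGroups "
                 "ExportContainerGroupTemplate ExecContainerCommand CreateImageCache "
                 "DeleteImageCache UpdateImageCache DescribeImageCaches "
                 "DescribeContainerGroupMetric DescribeMultiContainerGroupMetric "
                 "DescribeContainerLog DescribeContainerGroupPrice DescribeRegions"),
    allow("vpc", "DescribeVSwitches DescribeVpcs DescribeEipAddresses"),
    allow("ecs", "CreateNetworkInterfacePermission DeleteNetworkInterfacePermission "
                 "CreateNetworkInterface DescribeNetworkInterfaces DescribeSecurityGroups"),
    allow("ram", "DeleteServiceLinkedRole",
          Condition={"StringEquals": {"ram:ServiceName": "vnode.eci.aliyuncs.com"}}),
]}

if __name__ == "__main__":
    for f in audit(POLICY):
        print(f["services"], "unscoped_write =", f["unscoped_write"], f["mutating"])
```

The eci and ecs statements are reported as unscoped writes; the vpc statement is read-only and the ram statement is narrowed by its Condition, so the first two are the grants to prioritise when reviewing audit logs for activity by this role.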

Delete the service-linked role

Before you delete the service-linked role AliyunServiceRoleForECIVnode, you must use OpenAPI Explorer to delete the virtual nodes that are associated with the service-linked role. After you delete the virtual nodes, you can delete the AliyunServiceRoleForECIVnode service-linked role. For more information, see Delete a RAM role.