When you activate Elastic Container Instance, you must assign the system default role named AliyunECIContainerGroupRole to Elastic Container Instance. Elastic Container Instance can access other Alibaba Cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) after and only after the default role is assigned.
Procedure
If you have not assigned the default AliyunECIContainerGroupRole role to Elastic Container Instance, a message is displayed when you go to the instance buy page. This message indicates that you have not authorized Elastic Container Instance to access your cloud resources. Follow the on-screen instructions to authorize Elastic Container Instance.
After Elastic Container Instance is authorized, you can log on to the Resource Access Management (RAM) console to view the role information. The default AliyunECIContainerGroupRole role is granted basic permissions on other Alibaba Cloud services. You can modify the permissions of this role based on your needs.
By default, the AliyunECIContainerGroupRole role is granted required permissions. Proceed with caution when you modify its permissions. Improper permission configurations may cause Elastic Container Instance to lack required permissions and then fail to perform corresponding operations.
Permissions
The following tables describe the permissions of the default AliyunECIContainerGroupRole role.
Permissions on ECS
Permission (Action) | Description |
|---|---|
ecs:CreateNetworkInterfacePermission | Permission to create elastic network interfaces (ENIs) |
ecs:DeleteNetworkInterfacePermission | Permission to delete ENIs |
ecs:CreateNetworkInterface | Permission to create ENIs |
ecs:DescribeNetworkInterfaces | Permission to query ENIs |
ecs:AttachNetworkInterface | Permission to bind ENIs |
ecs:DetachNetworkInterface | Permission to unbind ENIs |
ecs:DeleteNetworkInterface | Permission to delete ENIs |
ecs:DescribeSecurityGroups | Permission to query security groups |
Permissions on VPC
Permission (Action) | Description |
|---|---|
vpc:DescribeVSwitches | Permission to query vSwitches in a VPC |
vpc:DescribeVpcs | Permission to query VPCs |
vpc:AllocateEipAddress | Permission to apply for elastic IP addresses (EIPs) |
vpc:AssociateEipAddress | Permission to associate EIPs with cloud resources |
vpc:UnassociateEipAddress | Permission to disassociate EIPs from cloud resources |
vpc:DescribeEipAddresses | Permission to query EIPs |
vpc:ReleaseEipAddress | Permission to release EIPs |
vpc:AddCommonBandwidthPackageIp | Permission to associate EIPs with EIP bandwidth plans |
vpc:RemoveCommonBandwidthPackageIp | Permission to disassociate EIPs from EIP bandwidth plans |
Permissions on Container Registry
Permission (Action) | Description |
|---|---|
cr:Get* | Permission to query images |
cr:List* | Permission to query images |
cr:PullRepository | Permission to pull images from a repository |
Permissions on Log Service
Permission (Action) | Description |
|---|---|
log:CreateProject | Permission to create projects |
log:GetProject | Permission to query projects |
log:CreateLogStore | Permission to create Logstores |
log:GetLogStore | Permission to query Logstores |
log:CreateMachineGroup | Permission to create machine groups |
log:CreateConfig | Permission to create Logtail configurations |
log:GetConfig | Permission to query Logtail configurations |
log:GetAppliedConfigs | Permission to query Logtail configurations that are applied to a machine group |
log:CreateIndex | Permission to create indexes |
Permissions on Server Load Balancer (SLB)
Permission (Action) | Description |
|---|---|
slb:DescribeLoadBalancers | Permission to query SLB instances |
slb:RemoveBackendServers | Permission to remove backend servers |