When you enable Elastic Container Instances (ECIs), grant the default role of AliyunECIContainerGroupRole to the service account. ECIs can call Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and other services only when this default role is correctly granted.

Authorize a role

  1. If you log on to the ECI console and you have not granted the default role to the service account, the following message is displayed. Click Authorize and then click Confirm Authorization Policy.

    Notice: The default role permissions have been set for ECIs. You can go to the RAM roles page to modify the role permissions. Incorrect configurations may cause ECIs to fail to obtain the required permissions.
  2. After you complete the authorization, refresh the ECI console.

    To view detailed policy information about AliyunECIContainerGroupRole, you can log on to the RAM console.

Permissions granted to AliyunECIContainerGroupRole

The default role AliyunECIContainerGroupRole has permissions to perform the following actions.

ECS actions

| Action | Description |
| --- | --- |
| ecs:CreateNetworkInterfacePermission | Create Elastic Network Interface (ENI) permissions |
| ecs:DeleteNetworkInterfacePermission | Delete ENI permissions |
| ecs:CreateNetworkInterface | Create an ENI |
| ecs:DescribeNetworkInterfaces | Query an ENI |
| ecs:AttachNetworkInterface | Attach an ENI to an instance |
| ecs:DetachNetworkInterface | Detach an ENI from an instance |
| ecs:DeleteNetworkInterface | Delete an ENI |
| ecs:DescribeSecurityGroups | Query security group information |

VPC actions

| Action | Description |
| --- | --- |
| vpc:DescribeVSwitches | Query VSwitches in a VPC |
| vpc:DescribeVpcs | Query VPCs |
| vpc:AssociateEipAddress | Attach an Elastic IP address |
| vpc:DescribeEipAddresses | Query Elastic IP addresses |

Image repository actions

| Action | Description |
| --- | --- |
| cr:Get* | Query the image information of ECS instances. |
| cr:List* | Query the image list information of ECS instances. |
| cr:PullRepository | Pull images from a repository. |
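Because the role's permissions can be modified on the RAM roles page, it is worth checking an exported policy against the actions listed above. The following is an added example, not code from the original page: it assumes the policy is a RAM policy JSON document with `Statement`, `Effect` and `Action` fields, compares action names case-sensitively, and runs against a constructed sample policy. Deny statements and `Resource` scoping are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions listed in the tables above for AliyunECIContainerGroupRole.
BASELINE = {
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
    "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
    "ecs:DeleteNetworkInterface", "ecs:DescribeSecurityGroups",
    "vpc:DescribeVSwitches", "vpc:DescribeVpcs",
    "vpc:AssociateEipAddress", "vpc:DescribeEipAddresses",
    "cr:Get*", "cr:List*", "cr:PullRepository",
}

# Constructed sample: widens VPC access to vpc:* and drops cr:PullRepository.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
        "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface", "ecs:DescribeSecurityGroups",
        "vpc:*", "cr:Get*", "cr:List*",
    ]}]})

def allowed_actions(policy_json):
    """Collect Action entries from every Allow statement (string or list)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement given as an object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        entry = stmt.get("Action", [])
        actions.update([entry] if isinstance(entry, str) else entry)
    return actions

def audit(policy_json):
    """Return (missing, extra) relative to the documented baseline.

    missing: baseline actions no policy entry covers (ECIs may fail).
    extra:   policy entries broader than, or outside, the baseline.
    """
    granted = allowed_actions(policy_json)
    missing = sorted(b for b in BASELINE if not any(fnmatchcase(b, g) for g in granted))
    extra = sorted(g for g in granted if not any(fnmatchcase(g, b) for b in BASELINE))
    return missing, extra

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A non-empty `missing` list corresponds to the failure mode the Notice warns about, while `extra` entries are grants beyond what the default role needs.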