Authorize a RAM role

Last Updated: Jul 08, 2021

When you activate Elastic Container Instance, you must assign the system default role named AliyunECIContainerGroupRole to Elastic Container Instance. Elastic Container Instance can access other Alibaba Cloud services, such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC), only after the default role is assigned.

Procedure

If you have not assigned the default AliyunECIContainerGroupRole role to Elastic Container Instance, a message is displayed when you go to the instance buy page. This message indicates that you have not authorized Elastic Container Instance to access your cloud resources. Follow the on-screen instructions to authorize Elastic Container Instance.

Default authorization

After Elastic Container Instance is authorized, you can log on to the Resource Access Management (RAM) console to view the role information. The default AliyunECIContainerGroupRole role is granted basic permissions on other Alibaba Cloud services. You can modify the permissions of this role based on your needs.

Notice

By default, the AliyunECIContainerGroupRole role is granted required permissions. Proceed with caution when you modify its permissions. Improper permission configurations may cause Elastic Container Instance to lack required permissions and then fail to perform corresponding operations.

Permissions

The following tables describe the permissions of the default AliyunECIContainerGroupRole role.

Permissions on ECS

| Permission (Action) | Description |
| --- | --- |
| ecs:CreateNetworkInterfacePermission | Permission to create elastic network interfaces (ENIs) |
| ecs:DeleteNetworkInterfacePermission | Permission to delete ENIs |
| ecs:CreateNetworkInterface | Permission to create ENIs |
| ecs:DescribeNetworkInterfaces | Permission to query ENIs |
| ecs:AttachNetworkInterface | Permission to bind ENIs |
| ecs:DetachNetworkInterface | Permission to unbind ENIs |
| ecs:DeleteNetworkInterface | Permission to delete ENIs |
| ecs:DescribeSecurityGroups | Permission to query security groups |

Permissions on VPC

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Permission to query vSwitches in a VPC |
| vpc:DescribeVpcs | Permission to query VPCs |
| vpc:AllocateEipAddress | Permission to apply for elastic IP addresses (EIPs) |
| vpc:AssociateEipAddress | Permission to associate EIPs with cloud resources |
| vpc:UnassociateEipAddress | Permission to disassociate EIPs from cloud resources |
| vpc:DescribeEipAddresses | Permission to query EIPs |
| vpc:ReleaseEipAddress | Permission to release EIPs |
| vpc:AddCommonBandwidthPackageIp | Permission to associate EIPs with EIP bandwidth plans |
| vpc:RemoveCommonBandwidthPackageIp | Permission to disassociate EIPs from EIP bandwidth plans |

Permissions on Container Registry

| Permission (Action) | Description |
| --- | --- |
| cr:Get* | Permission to query images |
| cr:List* | Permission to query images |
| cr:PullRepository | Permission to pull images from a repository |

Permissions on Log Service

| Permission (Action) | Description |
| --- | --- |
| log:CreateProject | Permission to create projects |
| log:GetProject | Permission to query projects |
| log:CreateLogStore | Permission to create Logstores |
| log:GetLogStore | Permission to query Logstores |
| log:CreateMachineGroup | Permission to create machine groups |
| log:CreateConfig | Permission to create Logtail configurations |
| log:GetConfig | Permission to query Logtail configurations |
| log:GetAppliedConfigs | Permission to query Logtail configurations that are applied to a machine group |
| log:CreateIndex | Permission to create indexes |

Permissions on Server Load Balancer (SLB)

| Permission (Action) | Description |
| --- | --- |
| slb:DescribeLoadBalancers | Permission to query SLB instances |
| slb:RemoveBackendServers | Permission to remove backend servers |
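
One way to check a modified AliyunECIContainerGroupRole policy against the actions listed in the tables above, so that a change that removes a required permission or widens the role is caught before it takes effect. This is an added example, not Alibaba Cloud code: the function names and the sample policy are constructed for illustration. It assumes the RAM policy JSON layout (Statement, Effect, Action), treats an explicit Deny as overriding Allow, matches action names case-sensitively, and does not evaluate Resource or Condition.

```python
import json
from fnmatch import fnmatchcase

# Actions the tables on this page list for the default AliyunECIContainerGroupRole role.
DOCUMENTED = """
ecs:CreateNetworkInterfacePermission ecs:DeleteNetworkInterfacePermission
ecs:CreateNetworkInterface ecs:DescribeNetworkInterfaces ecs:AttachNetworkInterface
ecs:DetachNetworkInterface ecs:DeleteNetworkInterface ecs:DescribeSecurityGroups
vpc:DescribeVSwitches vpc:DescribeVpcs vpc:AllocateEipAddress vpc:AssociateEipAddress
vpc:UnassociateEipAddress vpc:DescribeEipAddresses vpc:ReleaseEipAddress
vpc:AddCommonBandwidthPackageIp vpc:RemoveCommonBandwidthPackageIp
cr:Get* cr:List* cr:PullRepository
log:CreateProject log:GetProject log:CreateLogStore log:GetLogStore
log:CreateMachineGroup log:CreateConfig log:GetConfig log:GetAppliedConfigs
log:CreateIndex slb:DescribeLoadBalancers slb:RemoveBackendServers
""".split()

def actions_with_effect(policy, effect):
    """Collect Action patterns from every statement with the given Effect."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == effect:
            act = stmt.get("Action", [])  # Action may be a string or a list
            found += [act] if isinstance(act, str) else list(act)
    return found

def audit(policy):
    """Return documented actions the policy no longer grants, and grants beyond them."""
    allow, deny = actions_with_effect(policy, "Allow"), actions_with_effect(policy, "Deny")
    # Missing: no Allow pattern covers the documented action, or a Deny touches it.
    # A documented wildcard (cr:Get*) counts as covered only by an equal or broader pattern.
    missing = [d for d in DOCUMENTED
               if not any(fnmatchcase(d, p) for p in allow)
               or any(fnmatchcase(d, p) or fnmatchcase(p, d) for p in deny)]
    # Extra: an Allow pattern that reaches outside the documented set (privilege drift).
    extra = [p for p in allow if not any(fnmatchcase(p, d) for d in DOCUMENTED)]
    return {"missing": missing, "extra": extra}

# Constructed sample: SLB actions dropped, ecs:* added, one EIP action denied.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": [a for a in DOCUMENTED if not a.startswith("slb:")] + ["ecs:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "vpc:ReleaseEipAddress"},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Entries under "missing" are the ones the Notice warns about; entries under "extra" are grants wider than the documented default and worth reviewing for least privilege.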