When you enable Elastic Container Instances (ECIs), grant the default role of AliyunECIContainerGroupRole to the service account. ECIs can call Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and other services only when this default role is correctly granted.
Authorize a role
- If you log on to the ECI console and you have not granted the default role to the service account, the following message is displayed. Click Authorize and then click Confirm Authorization Policy.

  Notice: The default role permissions have been set for ECIs. You can go to the RAM roles page to modify the role permissions. Incorrect configurations may cause ECIs to fail to obtain the required permissions.
- After you complete the authorization, refresh the ECI console.
To view detailed policy information about AliyunECIContainerGroupRole, you can log on to the RAM console.
Permissions granted to AliyunECIContainerGroupRole
The default role AliyunECIContainerGroupRole has permissions to perform the following actions.
ECS actions
Action | Description |
---|---|
ecs:CreateNetworkInterfacePermission | Create Elastic Network Interface (ENI) permissions |
ecs:DeleteNetworkInterfacePermission | Delete ENI permissions |
ecs:CreateNetworkInterface | Create an ENI |
ecs:DescribeNetworkInterfaces | Query an ENI |
ecs:AttachNetworkInterface | Attach an ENI to an instance |
ecs:DetachNetworkInterface | Detach an ENI from an instance |
ecs:DeleteNetworkInterface | Delete an ENI |
ecs:DescribeSecurityGroups | Query security group information |
VPC actions
Action | Description |
---|---|
vpc:DescribeVSwitches | Query VSwitches in a VPC |
vpc:DescribeVpcs | Query VPCs |
vpc:AssociateEipAddress | Attach an Elastic IP address |
vpc:DescribeEipAddresses | Query Elastic IP addresses |
Image repository actions
Action | Description |
---|---|
cr:Get\* | Query the image information of ECS instances. |
cr:List\* | Query the image list information of ECS instances. |
cr:PullRepository | Pull images from a repository. |
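Because the role can be modified on the RAM roles page, it is worth checking an exported policy against the action list above. The following is an added example, not code from the original page or from Alibaba Cloud: it assumes the policy is a RAM JSON document with `Statement`, `Effect` and `Action` fields, the function names and the sample policy are constructed for illustration, matching is case-sensitive, and Deny statements are ignored.

```python
import fnmatch
import json

# Actions the page lists for AliyunECIContainerGroupRole.
DOCUMENTED = {
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
    "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
    "ecs:DeleteNetworkInterface", "ecs:DescribeSecurityGroups",
    "vpc:DescribeVSwitches", "vpc:DescribeVpcs",
    "vpc:AssociateEipAddress", "vpc:DescribeEipAddresses",
    "cr:Get*", "cr:List*", "cr:PullRepository",
}

def allowed_actions(policy_json):
    """Collect the Action entries of every Allow statement."""
    statements = json.loads(policy_json).get("Statement", [])
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])  # may be a string or a list
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def covers(pattern, action):
    """True if `pattern` is the same as `action` or its wildcard includes it."""
    return fnmatch.fnmatchcase(action, pattern)

def audit(policy_json):
    """Return (missing, extra) relative to the documented action list."""
    granted = allowed_actions(policy_json)
    missing = sorted(d for d in DOCUMENTED if not any(covers(g, d) for g in granted))
    extra = sorted(g for g in granted if not any(covers(d, g) for d in DOCUMENTED))
    return missing, extra

# Constructed sample: an edited copy of the role policy, not real account data.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(DOCUMENTED - {"vpc:AssociateEipAddress"}) + ["ecs:DeleteInstance"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_POLICY)
    print("missing (ECI may fail to obtain permissions):", missing)
    print("extra (review against least privilege):", extra)
```

Entries in `missing` point at the failure the notice warns about; entries in `extra`, including broad wildcards such as `ecs:*`, are grants beyond what the page documents for the default role.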