When you use Elastic High Performance Computing (E-HPC), you must create the service role AliyunECSInstanceForEHPCRole and attach the policy AliyunECSInstanceForEHPCRolePolicy. This topic describes how to create, view, and delete this service role.
Overview
A service role is a type of Resource Access Management (RAM) role that an Alibaba Cloud service can assume. This role is used to manage access permissions across different Alibaba Cloud services. For more information, see RAM role overview.
When you use E-HPC, the system provides the following service role and system policy:
Service role: AliyunECSInstanceForEHPCRole
System policy: AliyunECSInstanceForEHPCRolePolicy
Scenarios
The AliyunECSInstanceForEHPCRole authorizes the nodes in an E-HPC cluster, which are Elastic Compute Service (ECS) instances, to access other cloud resources. With this role, the ECS instances obtain access permissions on ECS and E-HPC.
Permissions for a RAM user to use the service role
To create or delete the service role as a RAM user, an Alibaba Cloud account must first grant the required permissions to that RAM user.
Method 1: Grant the AliyunEHPCFullAccess policy. This policy includes permissions to create and delete the AliyunECSInstanceForEHPCRole.
Method 2: Add the following permissions to the Action statement of a custom policy for the RAM user:
Create the service role: ram:CreateRole
Delete the service role: ram:DeleteRole
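The following Python script is an added example, not code from the E-HPC documentation or from Alibaba Cloud. It embeds a constructed custom policy of the kind Method 2 describes (an Action statement granting only ram:CreateRole and ram:DeleteRole) and evaluates offline whether a given RAM policy document grants those two actions, applying the usual RAM rule that an explicit Deny overrides any Allow. The policy names and the second and third sample documents are constructed for illustration; the page only names the two actions.

```python
import fnmatch
import json

# The two RAM actions Method 2 lists for creating and deleting the service role.
REQUIRED_ACTIONS = ("ram:CreateRole", "ram:DeleteRole")

# Constructed sample: the custom policy that Method 2 describes. Resource "*"
# is an assumption; the page only specifies the Action statement.
CUSTOM_POLICY_FOR_RAM_USER = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ram:CreateRole", "ram:DeleteRole"], "Resource": "*"}
  ]
}
""")

# Constructed sample: a read-only RAM policy that is NOT sufficient.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ram:Get*", "ram:List*"], "Resource": "*"}
  ]
}
""")

# Constructed sample: broad Allow with an explicit Deny that removes DeleteRole.
DENY_DELETE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ram:DeleteRole", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """RAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource="*"):
    """Return True if `policy` grants `action` on `resource`.

    Evaluation order: any matching Deny statement wins immediately; otherwise
    at least one matching Allow statement is required. Wildcards such as
    ram:* or ram:Get* are matched with shell-style globbing.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_role_permissions(policy, role_arn="*"):
    """Subset of REQUIRED_ACTIONS that `policy` does not grant on `role_arn`."""
    return [a for a in REQUIRED_ACTIONS if not policy_allows(policy, a, role_arn)]


if __name__ == "__main__":
    for name, doc in [("custom", CUSTOM_POLICY_FOR_RAM_USER),
                      ("read-only", READ_ONLY_POLICY),
                      ("deny-delete", DENY_DELETE_POLICY)]:
        print(f"{name}: missing {missing_role_permissions(doc) or 'nothing'}")
```

Run it against a policy document exported from the RAM console (Permission Management tab of the RAM user) to confirm, before the user attempts to create or delete the service role, that neither required action is missing or explicitly denied.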
Create the service role
When you use E-HPC, the system checks whether the AliyunECSInstanceForEHPCRole exists in your account. If the role does not exist, a prompt appears. After you confirm the prompt, the system automatically creates the AliyunECSInstanceForEHPCRole and attaches the AliyunECSInstanceForEHPCRolePolicy to it.
The AliyunECSInstanceForEHPCRole has the AliyunECSInstanceForEHPCRolePolicy system policy attached. You cannot modify the system policy, but you can attach other access policies to the role.
View the service role
After the service role is created, you can go to the Roles page of the RAM console and search for AliyunECSInstanceForEHPCRole to view its details.
Basic information
In the Basic Information section of the role's details page, you can view basic information about the role, such as its name, creation time, ARN, and description.
Permission policies
On the Permission Management tab of the role's details page, you can click a policy name to view the policy document and the cloud resources that the role can access.
Trust policy
On the Trust Policy tab of the role's details page, you can view the trust policy document. A trust policy specifies the trusted entities that can assume the RAM role. For a service role, the trusted entity is an Alibaba Cloud service, which you can view in the Service field of the trust policy.
For more information, see View a RAM role.
Limits and permission extension
Do not detach the AliyunECSInstanceForEHPCRole from control plane nodes or logon nodes in the ECS console, and do not replace it with another role. Detaching this role from a control plane node disables automatic scaling for the cluster. Detaching it from a logon node causes the Web Portal feature to malfunction.
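The audit script below is an added example and is not part of the E-HPC documentation or Alibaba Cloud's tooling. It covers two things the page asks you to verify: that the trust policy's Service field names the expected service (the Trust Policy tab described above) and that control plane and logon nodes still carry AliyunECSInstanceForEHPCRole with AliyunECSInstanceForEHPCRolePolicy attached (the limit stated here). The trust policy document, the instance IDs and the response shapes are constructed; in particular, the trusted service ecs.aliyuncs.com and the shapes modeled on DescribeInstanceRamRole and ListPoliciesForRole output are assumptions, since the page does not show them.

```python
import json

EXPECTED_ROLE = "AliyunECSInstanceForEHPCRole"
EXPECTED_SYSTEM_POLICY = "AliyunECSInstanceForEHPCRolePolicy"
# Assumption: the service principal that assumes an ECS instance RAM role.
EXPECTED_TRUSTED_SERVICE = "ecs.aliyuncs.com"

# Constructed sample trust policy (Principal.Service + sts:AssumeRole); the
# real document of the service role is visible on the Trust Policy tab.
TRUST_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["ecs.aliyuncs.com"]}}
  ],
  "Version": "1"
}
""")

# Constructed: policies attached to the role, shaped like ListPoliciesForRole entries.
ATTACHED_POLICIES = [
    {"PolicyName": "AliyunECSInstanceForEHPCRolePolicy", "PolicyType": "System"},
    {"PolicyName": "EhpcExtraReadPolicy", "PolicyType": "Custom"},  # hypothetical custom policy
]

# Constructed: instance -> RAM role name, shaped like DescribeInstanceRamRole entries.
HEALTHY_NODES = {"i-manager-0001": EXPECTED_ROLE, "i-login-0001": EXPECTED_ROLE}
DRIFTED_NODES = {"i-manager-0001": "SomeOtherRole", "i-login-0001": None}


def trusted_services(trust_policy):
    """Services allowed to assume the role: the Service field shown in the console."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update(svc if isinstance(svc, list) else [svc])
    return sorted(services)


def audit_cluster_nodes(node_roles, attached_policies, trust_policy):
    """Return findings as strings; an empty list means the setup matches the page's requirements."""
    findings = []
    # 1. Every control plane / logon node must still carry the service role.
    for instance_id, role in node_roles.items():
        if role != EXPECTED_ROLE:
            findings.append(f"{instance_id}: instance RAM role is {role!r}, expected {EXPECTED_ROLE}")
    # 2. The system policy must remain attached (custom policies may be added alongside it).
    system_names = {p["PolicyName"] for p in attached_policies if p.get("PolicyType") == "System"}
    if EXPECTED_SYSTEM_POLICY not in system_names:
        findings.append(f"{EXPECTED_ROLE}: system policy {EXPECTED_SYSTEM_POLICY} is not attached")
    # 3. The trust policy must still let the expected service assume the role.
    if EXPECTED_TRUSTED_SERVICE not in trusted_services(trust_policy):
        findings.append(f"{EXPECTED_ROLE}: trust policy does not trust {EXPECTED_TRUSTED_SERVICE}")
    return findings


if __name__ == "__main__":
    for label, nodes in [("healthy", HEALTHY_NODES), ("drifted", DRIFTED_NODES)]:
        print(label, audit_cluster_nodes(nodes, ATTACHED_POLICIES, TRUST_POLICY) or "OK")
```

Feed it the real role-to-instance mapping and the role's attached policies from the console (or the corresponding API responses) to detect, before automatic scaling or the Web Portal fails, that someone detached or replaced the role.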
Attach a custom policy to the service role
To grant nodes additional API call permissions, attach a custom policy to AliyunECSInstanceForEHPCRole instead of detaching or replacing the role. Follow these steps:
Log on to the RAM console.
In the navigation pane on the left, choose Identity Management > Roles.
In the role list, search for and click AliyunECSInstanceForEHPCRole.
On the Permission Management tab, click Grant Permission, then select or create the required custom policy.
Click OK to complete the authorization.
For more information about custom policies, see Basic elements of access policies.
Delete a service role
After you delete the service role, features that depend on it will no longer work. Proceed with caution.
If you do not plan to use E-HPC for an extended period, you can manually delete the service role in the RAM console. For detailed steps, see Delete a RAM role.
Before deleting AliyunECSInstanceForEHPCRole, ensure the following conditions are met:
You no longer need the service role. For example, you do not plan to create clusters or manage cluster nodes.
You have deleted all E-HPC clusters that depend on this service role. For more information, see Release a cluster.