This topic describes the AliyunServiceRoleForECSNetworkInsights service-linked role, which grants the network diagnostics feature of Elastic Compute Service (ECS) the permissions it needs to act on other Alibaba Cloud resources in your account.
Background information
A service-linked role is a RAM role that is associated with one Alibaba Cloud service and contains the permissions that the service requires to perform operations on your behalf. For example, the AliyunServiceRoleForECSNetworkInsights service-linked role has permissions to query VPC resources (network ACLs, route tables, NAT gateways, and router interfaces). These permissions are required to create diagnostic paths and start diagnostic tasks. The full list of permissions, which also covers the network diagnostics (nis), billing (bss) and Anti-DDoS services, is in the policy below. For more information, see Service-linked roles.
AliyunServiceRoleForECSNetworkInsights access policy
Role name: AliyunServiceRoleForECSNetworkInsights
Role access policy: AliyunServiceRolePolicyForECSNetworkInsights
The policy is as follows:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeNetworkAcls",
                "vpc:DescribeNetworkAclAttributes",
                "vpc:DescribeNatGateways",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaceAttribute",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeVRouters",
                "antiddos-public:DescribeInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "nis:IsOpenService",
                "nis:CreateNetworkPath",
                "nis:CreateNetworkReachableAnalysis",
                "nis:GetNetworkReachableAnalysis",
                "nis:DeleteNetworkPath",
                "nis:DeleteNetworkReachableAnalysis"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "BssOpenApi:CreateInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "bss:ModifyInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
                }
            }
        }
    ]
}
Create AliyunServiceRoleForECSNetworkInsights
When you create a diagnostic path or start a diagnostic task, the system checks whether the AliyunServiceRoleForECSNetworkInsights role exists in your account. If the role does not exist, the system creates it automatically. Automatic creation only succeeds if the identity that triggers it is allowed to call ram:CreateServiceLinkedRole for this service; see the FAQ below.
The AliyunServiceRoleForECSNetworkInsights role includes the AliyunServiceRolePolicyForECSNetworkInsights access policy. The access policies of service-linked roles are defined and used by the associated Alibaba Cloud services. You cannot add, modify, or delete permissions of a service-linked role. Review the policy before the role is created in your account: besides read-only VPC and Anti-DDoS queries, it allows the service to create and delete diagnostic resources (nis:*), to perform billing operations (BssOpenApi:CreateInstance and bss:ModifyInstance) and to delete the role itself, all on Resource "*". The only scoping in the policy is the ram:ServiceName condition on ram:DeleteServiceLinkedRole, which limits that action to this service's own role.
Delete AliyunServiceRoleForECSNetworkInsights
If you no longer need to use AliyunServiceRoleForECSNetworkInsights, you can manually delete it. For more information, see Delete a RAM role. Note that deletion is not permanent: the next time a diagnostic path is created or a diagnostic task is started, the role is created again automatically.
FAQ
Why can't my RAM user automatically create the AliyunServiceRoleForECSNetworkInsights service-linked role?
A Resource Access Management (RAM) user must have specific permissions before the system can automatically create the AliyunServiceRoleForECSNetworkInsights service-linked role on that user's behalf, and must have the corresponding RAM permissions to delete it manually. If a RAM user cannot trigger automatic creation of the role, attach the following custom policy to the RAM user. The ram:ServiceName condition restricts the grant to the service-linked role of network-insights.ecs.aliyuncs.com; keep it, because ram:CreateServiceLinkedRole without the condition would allow the user to create service-linked roles for any service.
{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
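The following script is an added example and is not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK. It takes the two policy documents shown on this page (the role's access policy and the RAM-user policy from the FAQ), groups the allowed actions by service, lists the actions that are not plain read operations, and checks that every ram:*ServiceLinkedRole grant is bound to network-insights.ecs.aliyuncs.com by a ram:ServiceName condition. The SERVICE and READ_PREFIXES constants, the function names and the UNSCOPED_USER_POLICY variant (the FAQ policy with its Condition removed) are assumptions made for this example; the policy contents themselves are copied from the page.

```python
import copy

# Added example, not Alibaba Cloud code: an offline linter for the two RAM
# policy documents on this page. SERVICE, READ_PREFIXES and the function names
# are assumptions for illustration; the policy contents are from the page.
SERVICE = "network-insights.ecs.aliyuncs.com"
READ_PREFIXES = ("Describe", "Get", "List", "Is")  # treated as read-only here

# AliyunServiceRolePolicyForECSNetworkInsights, as listed on the page.
ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["vpc:DescribeNetworkAcls", "vpc:DescribeNetworkAclAttributes",
                    "vpc:DescribeNatGateways", "vpc:DescribeRouteEntryList",
                    "vpc:DescribeRouteTableList", "vpc:DescribeRouteTables",
                    "vpc:DescribeRouterInterfaceAttribute", "vpc:DescribeRouterInterfaces",
                    "vpc:DescribeVRouters", "antiddos-public:DescribeInstance"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": ["nis:IsOpenService", "nis:CreateNetworkPath",
                    "nis:CreateNetworkReachableAnalysis", "nis:GetNetworkReachableAnalysis",
                    "nis:DeleteNetworkPath", "nis:DeleteNetworkReachableAnalysis"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": ["BssOpenApi:CreateInstance"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["bss:ModifyInstance"], "Effect": "Allow", "Resource": "*"},
        {"Action": "ram:DeleteServiceLinkedRole", "Effect": "Allow", "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}},
    ],
}

# The custom policy from the FAQ that lets a RAM user trigger automatic creation.
USER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}},
    ],
}

# Constructed weak variant (assumption): the same grant with the Condition
# dropped, which would allow the user to create service-linked roles for
# every service, not just this one.
UNSCOPED_USER_POLICY = copy.deepcopy(USER_POLICY)
del UNSCOPED_USER_POLICY["Statement"][0]["Condition"]


def allow_statements(policy):
    """Yield (actions, resource, condition) for each Allow statement; Action is normalized to a list."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        yield actions, statement.get("Resource"), statement.get("Condition") or {}


def actions_by_service(policy):
    """Group allowed actions by the service prefix in front of the colon."""
    grouped = {}
    for actions, _, _ in allow_statements(policy):
        for action in actions:
            service, _, name = action.partition(":")
            grouped.setdefault(service, set()).add(name)
    return grouped


def mutating_actions(policy):
    """Allowed actions that are not plain reads (create, delete, modify ...), in policy order."""
    found = []
    for actions, _, _ in allow_statements(policy):
        for action in actions:
            if not action.partition(":")[2].startswith(READ_PREFIXES):
                found.append(action)
    return found


def unscoped_slr_actions(policy, service=SERVICE):
    """ram:*ServiceLinkedRole grants whose ram:ServiceName condition is missing or names another service."""
    unscoped = []
    for actions, _, condition in allow_statements(policy):
        bound_to = condition.get("StringEquals", {}).get("ram:ServiceName")
        for action in actions:
            if action.lower().endswith("servicelinkedrole") and bound_to != service:
                unscoped.append(action)
    return unscoped


if __name__ == "__main__":
    for label, policy in (("role", ROLE_POLICY), ("user", USER_POLICY),
                          ("user-unscoped", UNSCOPED_USER_POLICY)):
        print(label, "services:", sorted(actions_by_service(policy)))
        print(label, "mutating actions:", mutating_actions(policy))
        print(label, "unscoped service-linked-role grants:", unscoped_slr_actions(policy))
```

Run as a script, the report shows that the role policy touches six service namespaces, that seven of its actions create, delete or modify something (the four nis write actions, the two billing actions and ram:DeleteServiceLinkedRole), and that only the unscoped variant of the user policy is flagged. The same checks can be applied to any RAM policy document fetched from your account before you attach it to a RAM user.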