The AliyunServiceRoleForECSNetworkInsights role grants ECS the permissions required for network connectivity diagnostics.
Background
A service-linked role is associated with an Alibaba Cloud service and contains the permissions required for that service. The AliyunServiceRoleForECSNetworkInsights role grants access to VPC resources for creating diagnostic paths and starting diagnostic tasks. See Service-linked roles.
AliyunServiceRoleForECSNetworkInsights access policy
Role: AliyunServiceRoleForECSNetworkInsights
Policy: AliyunServiceRolePolicyForECSNetworkInsights
Policy content:
{
"Version": "1",
"Statement": [
{
"Action": [
"vpc:DescribeNetworkAcls",
"vpc:DescribeNetworkAclAttributes",
"vpc:DescribeNatGateways",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeVRouters",
"antiddos-public:DescribeInstance"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"nis:IsOpenService",
"nis:CreateNetworkPath",
"nis:CreateNetworkReachableAnalysis",
"nis:GetNetworkReachableAnalysis",
"nis:DeleteNetworkPath",
"nis:DeleteNetworkReachableAnalysis"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"BssOpenApi:CreateInstance"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"bss:ModifyInstance"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": "network-insights.ecs.aliyuncs.com"
}
}
}
]
}
Create AliyunServiceRoleForECSNetworkInsights
When you create a diagnostic path or start a diagnostic task, the system automatically creates the AliyunServiceRoleForECSNetworkInsights role if it does not exist.
This role includes the AliyunServiceRolePolicyForECSNetworkInsights policy. Policies for service-linked roles are defined by the associated Alibaba Cloud service. You cannot modify the permissions of a service-linked role.
Delete AliyunServiceRoleForECSNetworkInsights
If you no longer need AliyunServiceRoleForECSNetworkInsights, delete it manually. See Delete a RAM role.
FAQ
Why can't my RAM user automatically create the AliyunServiceRoleForECSNetworkInsights service-linked role?
A RAM user must have specific permissions to automatically create or delete this service-linked role. If a RAM user cannot create the role automatically, add the following policy to the user.
{
"Statement": [
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "network-insights.ecs.aliyuncs.com"
}
}
}
],
"Version": "1"
}