All Products
Search
Document Center

Elastic Compute Service:Manage the service-linked role for ECS network connectivity diagnostics

Last Updated:Apr 27, 2026

The AliyunServiceRoleForECSNetworkInsights role grants ECS the permissions required for network connectivity diagnostics.

Background

A service-linked role is associated with an Alibaba Cloud service and contains the permissions required for that service. The AliyunServiceRoleForECSNetworkInsights role grants access to VPC resources for creating diagnostic paths and starting diagnostic tasks. See Service-linked roles.

AliyunServiceRoleForECSNetworkInsights access policy

Role: AliyunServiceRoleForECSNetworkInsights

Policy: AliyunServiceRolePolicyForECSNetworkInsights

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeNetworkAcls",
                "vpc:DescribeNetworkAclAttributes",
                "vpc:DescribeNatGateways",
                "vpc:DescribeRouteEntryList",
                "vpc:DescribeRouteTableList",
                "vpc:DescribeRouteTables",
                "vpc:DescribeRouterInterfaceAttribute",
                "vpc:DescribeRouterInterfaces",
                "vpc:DescribeVRouters",
                "antiddos-public:DescribeInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "nis:IsOpenService",
                "nis:CreateNetworkPath",
                "nis:CreateNetworkReachableAnalysis",
                "nis:GetNetworkReachableAnalysis",
                "nis:DeleteNetworkPath",
                "nis:DeleteNetworkReachableAnalysis"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "BssOpenApi:CreateInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "bss:ModifyInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
                }
            }
        }
    ]
}

Create AliyunServiceRoleForECSNetworkInsights

When you create a diagnostic path or start a diagnostic task, the system automatically creates the AliyunServiceRoleForECSNetworkInsights role if it does not exist.

This role includes the AliyunServiceRolePolicyForECSNetworkInsights policy. Policies for service-linked roles are defined by the associated Alibaba Cloud service. You cannot modify the permissions of a service-linked role.

Delete AliyunServiceRoleForECSNetworkInsights

If you no longer need AliyunServiceRoleForECSNetworkInsights, delete it manually. See Delete a RAM role.

FAQ

Why can't my RAM user automatically create the AliyunServiceRoleForECSNetworkInsights service-linked role?

A RAM user must have specific permissions to automatically create or delete this service-linked role. If a RAM user cannot create the role automatically, add the following policy to the user.

{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "network-insights.ecs.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}