
Network Intelligence Service: Service-linked role for Network Intelligence Service

Last Updated: Jun 16, 2026

The AliyunServiceRoleForNis service-linked role allows Network Intelligence Service (NIS) to access resources in ECS, VPC, SLB, NLB, ALB, CEN, GA, PrivateLink, Express Connect Router, DTS, CloudMonitor, Quota Center, and the BSS (billing) API for network diagnostics, analysis, and flow log management. Most of the granted actions are read-only; the exceptions are running built-in Cloud Assistant diagnosis commands on ECS instances, creating, modifying, and deleting VPC and CEN flow logs, and upgrading VPN gateway firmware.

For general information about service-linked roles, see Service-linked roles.

Permissions granted

The AliyunServiceRolePolicyForNis policy is attached to this role. It contains four statements with the following permissions:

Statement 1: Cloud Assistant operations

These permissions allow NIS to run diagnostic commands on ECS instances via Cloud Assistant.

Action Description
ecs:InvokeCommand Run Cloud Assistant commands on ECS instances
ecs:StopInvocation Stop a running Cloud Assistant command
ecs:DescribeCloudAssistantStatus Query whether Cloud Assistant Agent is installed on instances and view command execution statistics
ecs:DescribeCommands List available Cloud Assistant commands
ecs:DescribeInvocations Query command invocation records
ecs:DescribeInvocationResults Retrieve command execution results

Resource scope: All ECS instances (acs:ecs:*:*:instance/*) and only commands whose ID matches acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*. Because ecs:InvokeCommand is authorized against both the instance and the command, NIS can run the built-in SLB diagnosis commands on any instance in the account, but it cannot invoke other commands, and the policy grants no ecs:CreateCommand or ecs:RunCommand, so it cannot define new ones.

Statement 2: Cross-service read access, flow log management, and VPN gateway operations

These permissions allow NIS to query resources across multiple networking and infrastructure services, and to manage flow logs. Apart from vpc:CreateFlowlog, vpc:DeleteFlowLog, vpc:ModifyFlowLogAttribute, cen:CreateFlowlog, cen:DeleteFlowlog, and vpc:UpgradeVpnGatewayFirmware, which change state, every action in this statement only reads resources. The policy document lists vpc:UpgradeVpnGatewayFirmware twice; the duplicate entry has no effect.

Action Description
dts:DescribeDtsJobs Query DTS tasks and their execution details
vpc:Describe*, vpc:List*, vpc:Get* Query VPC resources and configurations
vpc:CreateFlowlog Create a VPC flow log
vpc:DeleteFlowLog Delete a VPC flow log
vpc:ModifyFlowLogAttribute Modify the name and description of a VPC flow log
vpc:DiagnoseVpnConnectionsHistory Query the diagnostic history of IPsec-VPN connections
vpc:UpgradeVpnGatewayFirmware Upgrade the firmware version of a VPN gateway
quotas:ListProductQuotas Query quotas for a specified cloud product
cms:DescribeMetricLast Query the latest monitoring data of a metric
cms:GetCmsService Query the activation status of CloudMonitor
cms:GetPrometheus* Query Prometheus-related monitoring resources
bssapi:QueryAvailableInstances Query available instances of Alibaba Cloud services
ecs:DescribeInstances Query ECS instances
ecs:DescribeSecurityGroups Query security groups
ecs:DescribeSecurityGroupAttribute Query security group rules
ecs:DescribeSecurityGroupReferences Query security group cross-references
ecs:DescribeNetworkInterfaces Query Elastic Network Interfaces (ENIs)
alb:ListLoadBalancers Query Application Load Balancer (ALB) instances
alb:GetLoadBalancerAttribute Query ALB instance details
slb:Describe* Query Classic Load Balancer (CLB) resources
nlb:ListLoadBalancers Query Network Load Balancer (NLB) instances
nlb:GetListenerAttribute Query NLB listener details
nlb:ListServerGroups Query NLB server groups
nlb:ListServerGroupServers Query servers in an NLB server group
nlb:ListListeners Query NLB listeners
cen:Describe*, cen:List* Query Cloud Enterprise Network (CEN) resources
cen:CreateFlowlog Create a CEN flow log
cen:DeleteFlowlog Delete a CEN flow log
privatelink:List*, privatelink:Get* Query PrivateLink resources
ga:Describe*, ga:List*, ga:Get*, ga:Check*, ga:Query* Query Global Accelerator (GA) resources
expressconnectrouter:Describe*, expressconnectrouter:List* Query Express Connect Router (ECR) resources

Resource scope: All resources (*). The wildcard action patterns (for example vpc:Describe* and slb:Describe*) match every current and future API whose name fits the pattern, and the flow log and firmware actions apply to every VPC, CEN instance, and VPN gateway in the account, not only to the resources being diagnosed.

Statement 3: Self-deletion

Action Description
ram:DeleteServiceLinkedRole Delete this service-linked role

Condition: Restricted to ram:ServiceName = nis.aliyuncs.com, so the role can delete only its own service-linked role, not the service-linked roles of other services.

Statement 4: CEN flow log service-linked role creation

Action Description
ram:CreateServiceLinkedRole Create the service-linked role for CEN Flow Log

Condition: Restricted to ram:ServiceName = flowlog.cen.aliyuncs.com. This complements cen:CreateFlowlog in Statement 2: when NIS creates a CEN flow log and the service-linked role used by CEN Flow Log does not exist yet, NIS can create that role on your behalf, and no other service-linked role.

Full policy JSON (v17)

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:DescribeDtsJobs",
        "vpc:UpgradeVpnGatewayFirmware",
        "quotas:ListProductQuotas",
        "cms:DescribeMetricLast",
        "cms:GetCmsService",
        "cms:GetPrometheus*",
        "bssapi:QueryAvailableInstances",
        "ecs:DescribeInstances",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeNetworkInterfaces",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "slb:Describe*",
        "nlb:ListLoadBalancers",
        "nlb:GetListenerAttribute",
        "nlb:ListServerGroups",
        "nlb:ListServerGroupServers",
        "nlb:ListListeners",
        "vpc:Describe*",
        "vpc:List*",
        "vpc:Get*",
        "vpc:CreateFlowlog",
        "vpc:DeleteFlowLog",
        "vpc:UpgradeVpnGatewayFirmware",
        "vpc:DiagnoseVpnConnectionsHistory",
        "vpc:ModifyFlowLogAttribute",
        "cen:Describe*",
        "cen:List*",
        "cen:CreateFlowlog",
        "cen:DeleteFlowlog",
        "privatelink:List*",
        "privatelink:Get*",
        "ga:Describe*",
        "ga:List*",
        "ga:Get*",
        "ga:Check*",
        "ga:Query*",
        "expressconnectrouter:Describe*",
        "expressconnectrouter:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nis.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "flowlog.cen.aliyuncs.com"
        }
      }
    }
  ]
}
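As an added example (not code from this page or from Alibaba Cloud), the following Python script transcribes the v17 policy above and answers the questions a reviewer asks of any service-linked role: which actions can change state, which of those are granted on every resource with no Condition, whether any ram:* action is unconditioned, and whether a specific API call against specific resource ARNs would be allowed. The evaluator is a deliberate simplification of RAM (Allow statements, * and ? wildcards, StringEquals only; no Deny statements or other operators, case-sensitive matching). The ARNs in the usage section are constructed, and the read/write split is a verb-prefix heuristic that, for instance, flags vpc:DiagnoseVpnConnectionsHistory even though the page describes it as a query, so its output is a review list rather than a verdict.

```python
"""Audit AliyunServiceRolePolicyForNis: what can the role change, and on what?"""
import fnmatch
import json
from collections import Counter

# Verb prefixes treated as read-only. Anything else is flagged as potentially mutating;
# the heuristic is conservative (it flags vpc:DiagnoseVpnConnectionsHistory, which the
# page describes as a query), so the result is a list to review, not a verdict.
READ_VERBS = ("Describe", "List", "Get", "Query", "Check")

# Transcribed from the v17 policy document on this page (same statements, compact layout).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:InvokeCommand", "ecs:StopInvocation", "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeCommands", "ecs:DescribeInvocations", "ecs:DescribeInvocationResults"],
         "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*"]},
        {"Effect": "Allow",
         "Action": ["dts:DescribeDtsJobs", "vpc:UpgradeVpnGatewayFirmware", "quotas:ListProductQuotas",
                    "cms:DescribeMetricLast", "cms:GetCmsService", "cms:GetPrometheus*",
                    "bssapi:QueryAvailableInstances", "ecs:DescribeInstances", "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute", "ecs:DescribeSecurityGroupReferences",
                    "ecs:DescribeNetworkInterfaces", "alb:ListLoadBalancers", "alb:GetLoadBalancerAttribute",
                    "slb:Describe*", "nlb:ListLoadBalancers", "nlb:GetListenerAttribute",
                    "nlb:ListServerGroups", "nlb:ListServerGroupServers", "nlb:ListListeners",
                    "vpc:Describe*", "vpc:List*", "vpc:Get*", "vpc:CreateFlowlog", "vpc:DeleteFlowLog",
                    "vpc:UpgradeVpnGatewayFirmware", "vpc:DiagnoseVpnConnectionsHistory",
                    "vpc:ModifyFlowLogAttribute", "cen:Describe*", "cen:List*", "cen:CreateFlowlog",
                    "cen:DeleteFlowlog", "privatelink:List*", "privatelink:Get*", "ga:Describe*",
                    "ga:List*", "ga:Get*", "ga:Check*", "ga:Query*",
                    "expressconnectrouter:Describe*", "expressconnectrouter:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": "nis.aliyuncs.com"}}},
        {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": "flowlog.cen.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    """RAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    return action.partition(":")[2].startswith(READ_VERBS)


def audit(policy):
    """Unique non-read actions; Allow statements granting a non-read action on Resource "*"
    with no Condition; ram:* actions lacking a Condition; actions listed more than once."""
    mutating, unscoped, loose_ram, counts = set(), [], [], Counter()
    for idx, stmt in enumerate(policy["Statement"], start=1):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        counts.update(actions)
        writes = {a for a in actions if not is_read_only(a)}
        mutating |= writes
        if writes and "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt:
            unscoped.append(idx)
        loose_ram += sorted(a for a in writes if a.startswith("ram:") and "Condition" not in stmt)
    return {"mutating": sorted(mutating), "unscoped_write_statements": unscoped,
            "unconditioned_ram": loose_ram,
            "duplicates": sorted(a for a, n in counts.items() if n > 1)}


def allows(policy, action, resource, context=None):
    """Simplified RAM evaluation: True if an Allow statement matches the action and the
    resource (wildcards * and ? via fnmatch, case-sensitive) and every StringEquals
    condition holds for the request context. Deny and other operators are not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(want) for key, want in equals.items()):
            return True
    return False


def allows_all(policy, action, resources, context=None):
    """ecs:InvokeCommand is authorised against the instance and the command: every resource
    the call touches must match, so a non-diagnosis command ID blocks the whole call."""
    return all(allows(policy, action, r, context) for r in resources)


if __name__ == "__main__":
    print(json.dumps(audit(POLICY), indent=2))
    inst = "acs:ecs:cn-hangzhou:1234567890:instance/i-example"  # constructed ARNs
    diag = "acs:ecs:cn-hangzhou:1234567890:command/cmd-ACS-SLB-Diagnosis-tcp"
    user = "acs:ecs:cn-hangzhou:1234567890:command/c-hz01user"
    print(allows_all(POLICY, "ecs:InvokeCommand", [inst, diag]), allows_all(POLICY, "ecs:InvokeCommand", [inst, user]))
```

Running the script prints eleven mutating actions, Statement 2 as the only unconditioned write grant on every resource, no unconditioned ram:* action, and vpc:UpgradeVpnGatewayFirmware as the one duplicate; the two InvokeCommand checks print True and False, showing that the command-ID pattern, not the instance pattern, is what fences Cloud Assistant access. Swapping in the FAQ policy from the end of this page and calling allows with different ram:ServiceName values is a quick way to confirm that a RAM user granted that policy can create only the NIS service-linked role.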

Role creation

The AliyunServiceRoleForNis role is created automatically when you first use NIS. If the role does not exist, the system creates it and attaches the AliyunServiceRolePolicyForNis policy.

No manual action is required.

Delete the service-linked role

To delete the AliyunServiceRoleForNis role:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find AliyunServiceRoleForNis. In the Actions column, click Delete Role.

  4. In the dialog box that appears, enter the role name and click Delete Role.

Important

After you delete this role, NIS loses the permissions listed above. The system automatically recreates the role the next time you use the diagnostics feature in NIS.

FAQ

Why does role auto-creation fail for a RAM user?

The RAM user lacks the ram:CreateServiceLinkedRole permission. To grant this permission, attach the following custom policy to the RAM user. The ram:ServiceName condition limits the grant to the NIS service-linked role; without it, the user could create service-linked roles for any service. For instructions, see Create custom policies.

{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nis.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}