The AliyunServiceRoleForNis service-linked role allows Network Intelligence Service (NIS) to access resources in ECS, VPC, SLB, NLB, ALB, CEN, GA, PrivateLink, Express Connect Router, DTS, CloudMonitor, and Quota Center for network diagnostics, analysis, and flow log management.
For general information about service-linked roles, see Service-linked roles.
Permissions granted
The AliyunServiceRolePolicyForNis policy is attached to this role. It contains four statements with the following permissions:
Statement 1: Cloud Assistant operations
These permissions allow NIS to run diagnostic commands on ECS instances via Cloud Assistant.
| Action | Description |
|---|---|
| ecs:InvokeCommand | Run Cloud Assistant commands on ECS instances |
| ecs:StopInvocation | Stop a running Cloud Assistant command |
| ecs:DescribeCloudAssistantStatus | Query whether Cloud Assistant Agent is installed on instances and view command execution statistics |
| ecs:DescribeCommands | List available Cloud Assistant commands |
| ecs:DescribeInvocations | Query command invocation records |
| ecs:DescribeInvocationResults | Retrieve command execution results |
Resource scope: All ECS instances (acs:ecs:*:*:instance/*) and commands matching the pattern acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*.
Statement 2: Cross-service read access and flow log management
These permissions allow NIS to query resources across multiple networking and infrastructure services, and to manage flow logs.
| Action | Description |
|---|---|
| dts:DescribeDtsJobs | Query DTS tasks and their execution details |
| vpc:Describe*, vpc:List*, vpc:Get* | Query VPC resources and configurations |
| vpc:CreateFlowlog | Create a VPC flow log |
| vpc:DeleteFlowLog | Delete a VPC flow log |
| vpc:ModifyFlowLogAttribute | Modify the name and description of a VPC flow log |
| vpc:DiagnoseVpnConnectionsHistory | Query the diagnostic history of IPsec-VPN connections |
| vpc:UpgradeVpnGatewayFirmware | Upgrade the firmware version of a VPN gateway |
| quotas:ListProductQuotas | Query quotas for a specified cloud product |
| cms:DescribeMetricLast | Query the latest monitoring data of a metric |
| cms:GetCmsService | Query the activation status of CloudMonitor |
| cms:GetPrometheus* | Query Prometheus-related monitoring resources |
| bssapi:QueryAvailableInstances | Query available instances of Alibaba Cloud services |
| ecs:DescribeInstances | Query ECS instances |
| ecs:DescribeSecurityGroups | Query security groups |
| ecs:DescribeSecurityGroupAttribute | Query security group rules |
| ecs:DescribeSecurityGroupReferences | Query security group cross-references |
| ecs:DescribeNetworkInterfaces | Query Elastic Network Interfaces (ENIs) |
| alb:ListLoadBalancers | Query Application Load Balancer (ALB) instances |
| alb:GetLoadBalancerAttribute | Query ALB instance details |
| slb:Describe* | Query Classic Load Balancer (CLB) resources |
| nlb:ListLoadBalancers | Query Network Load Balancer (NLB) instances |
| nlb:GetListenerAttribute | Query NLB listener details |
| nlb:ListServerGroups | Query NLB server groups |
| nlb:ListServerGroupServers | Query servers in an NLB server group |
| nlb:ListListeners | Query NLB listeners |
| cen:Describe*, cen:List* | Query Cloud Enterprise Network (CEN) resources |
| cen:CreateFlowlog | Create a CEN flow log |
| cen:DeleteFlowlog | Delete a CEN flow log |
| privatelink:List*, privatelink:Get* | Query PrivateLink resources |
| ga:Describe*, ga:List*, ga:Get*, ga:Check*, ga:Query* | Query Global Accelerator (GA) resources |
| expressconnectrouter:Describe*, expressconnectrouter:List* | Query Express Connect Router (ECR) resources |
Resource scope: All resources (*).
Statement 3: Self-deletion
| Action | Description |
|---|---|
| ram:DeleteServiceLinkedRole | Delete this service-linked role |
Condition: Restricted to ram:ServiceName = nis.aliyuncs.com.
Statement 4: CEN flow log service-linked role creation
| Action | Description |
|---|---|
| ram:CreateServiceLinkedRole | Create the service-linked role for CEN Flow Log |
Condition: Restricted to ram:ServiceName = flowlog.cen.aliyuncs.com.
Full policy JSON (v17)
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:DescribeDtsJobs",
        "vpc:UpgradeVpnGatewayFirmware",
        "quotas:ListProductQuotas",
        "cms:DescribeMetricLast",
        "cms:GetCmsService",
        "cms:GetPrometheus*",
        "bssapi:QueryAvailableInstances",
        "ecs:DescribeInstances",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeNetworkInterfaces",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "slb:Describe*",
        "nlb:ListLoadBalancers",
        "nlb:GetListenerAttribute",
        "nlb:ListServerGroups",
        "nlb:ListServerGroupServers",
        "nlb:ListListeners",
        "vpc:Describe*",
        "vpc:List*",
        "vpc:Get*",
        "vpc:CreateFlowlog",
        "vpc:DeleteFlowLog",
        "vpc:UpgradeVpnGatewayFirmware",
        "vpc:DiagnoseVpnConnectionsHistory",
        "vpc:ModifyFlowLogAttribute",
        "cen:Describe*",
        "cen:List*",
        "cen:CreateFlowlog",
        "cen:DeleteFlowlog",
        "privatelink:List*",
        "privatelink:Get*",
        "ga:Describe*",
        "ga:List*",
        "ga:Get*",
        "ga:Check*",
        "ga:Query*",
        "expressconnectrouter:Describe*",
        "expressconnectrouter:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nis.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "flowlog.cen.aliyuncs.com"
        }
      }
    }
  ]
}
```
Role creation
The AliyunServiceRoleForNis role is created automatically when you first use NIS. If the role does not exist, the system creates it and attaches the AliyunServiceRolePolicyForNis policy.
No manual action is required.
Delete the service-linked role
To delete the AliyunServiceRoleForNis role:
- Log on to the RAM console.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, find AliyunServiceRoleForNis. In the Actions column, click Delete Role.
- In the dialog box that appears, enter the role name and click Delete Role.
After you delete this role, the system automatically recreates it the next time you use the diagnostics feature in NIS.
FAQ
Why does role auto-creation fail for a RAM user?
The RAM user lacks the ram:CreateServiceLinkedRole permission. To grant this permission, attach the following custom policy to the RAM user. For instructions, see Create custom policies.
```json
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "nis.aliyuncs.com"
        }
      }
    }
  ],
  "Version": "1"
}
```
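When reviewing what a service-linked role can actually do, it helps to evaluate concrete requests against the policy rather than read the action list alone. The following Python script is an added example, not Alibaba Cloud's evaluation engine or SDK: it models only the constructs used on this page (Effect Allow, `*` globs in Action and Resource, StringEquals conditions), assumes action names match case-insensitively, and loads an excerpt of the AliyunServiceRolePolicyForNis JSON above (statement 2 trimmed to three actions) plus the RAM user policy from the FAQ. The account ID 123456 and the instance, command and VPC names are constructed sample values.

```python
import fnmatch
import json

# Excerpt of the AliyunServiceRolePolicyForNis JSON shown on this page.
# Statement 2 is trimmed to three representative actions to keep the example short.
NIS_POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["ecs:InvokeCommand", "ecs:StopInvocation", "ecs:DescribeInvocationResults"],
      "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-SLB-Diagnosis*"],
      "Effect": "Allow"
    },
    {
      "Action": ["vpc:Describe*", "vpc:CreateFlowlog", "ecs:DescribeInstances"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "nis.aliyuncs.com"}}
    }
  ]
}
""")

# The custom policy from the FAQ that lets a RAM user trigger role auto-creation.
FAQ_USER_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": "nis.aliyuncs.com"}}
    }
  ],
  "Version": "1"
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # '*' is the only wildcard in RAM policies; fnmatch also treats '?' and '['
    # specially, so escape those to keep '*'-only semantics.
    escaped = "".join("[" + c + "]" if c in "?[" else c for c in pattern)
    return fnmatch.fnmatchcase(value, escaped)


def _condition_ok(condition, context):
    # Only StringEquals is modelled, because it is the only operator on this page.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, the resource and its condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption of this toy model: action names are compared case-insensitively.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def unscoped_actions(policy):
    """Action patterns granted on Resource "*" with no Condition: the widest grants to review first."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"]) and not stmt.get("Condition"):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


if __name__ == "__main__":
    acct = "123456"  # constructed account ID
    print(is_allowed(NIS_POLICY_EXCERPT, "ecs:InvokeCommand",
                     f"acs:ecs:cn-hangzhou:{acct}:command/cmd-ACS-SLB-Diagnosis-1"))  # True
    print(is_allowed(NIS_POLICY_EXCERPT, "ecs:InvokeCommand",
                     f"acs:ecs:cn-hangzhou:{acct}:command/cmd-custom"))  # False: not a diagnosis command
    print(is_allowed(NIS_POLICY_EXCERPT, "ram:DeleteServiceLinkedRole", "*"))  # False: no ServiceName context
    print(unscoped_actions(NIS_POLICY_EXCERPT))
```

The two InvokeCommand checks show the practical effect of the command-resource pattern in statement 1: the role can run only commands whose IDs start with `cmd-ACS-SLB-Diagnosis`, not arbitrary Cloud Assistant commands. `unscoped_actions` is the list a reviewer should read first, since those grants apply to every resource in the account.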