After you activate PAI-Lingjun AI Computing Service and create Lingjun connections, you can use Lingjun connections to access other Alibaba Cloud services — for example, to access virtual private clouds (VPCs), create Express Connect circuits, and create elastic network interfaces (ENIs). The AliyunServiceRoleForEfloVcc service-linked role enables Lingjun connections to manage VPCs, physical connections, ENIs, and routing resources on your behalf. This topic describes the role's permissions and how to delete it.
A service-linked role differs from a regular RAM role. The system creates and manages it automatically; you cannot modify its policy. For more information, see Service-linked roles.
Role description
Role name: AliyunServiceRoleForEfloVcc
Permissions summary:
| Service | Permissions granted |
|---|---|
| ECS | Create, attach, detach, delete, and describe ENIs; create, delete, and manage security groups; modify instance attributes |
| VPC | Describe VPCs and VSwitches; manage physical connections, Virtual Border Routers (VBRs), BGP groups, BGP peers, BGP networks, router interfaces, and route entries |
| CEN | Manage transit router attachments, route entries, route tables, and route propagation; attach and detach CEN child instances |
| ROS | Create, delete, preview, and describe stacks and stack resources |
| RAM | Delete this service-linked role (scoped to vcc.eflo.aliyuncs.com) |
Full policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:ModifyInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:ConfirmPhysicalConnection",
        "vpc:CreateVirtualBorderRouter",
        "vpc:DeleteVirtualBorderRouter",
        "vpc:DescribeVirtualBorderRouters",
        "vpc:CreateBgpGroup",
        "vpc:DeleteBgpGroup",
        "vpc:DescribeBgpGroups",
        "vpc:CreateBgpPeer",
        "vpc:DeleteBgpPeer",
        "vpc:DescribeBgpPeers",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "vpc:DescribeRouteEntryList",
        "vpc:AddBgpNetwork",
        "vpc:DeleteBgpNetwork",
        "vpc:DescribeBgpNetworks",
        "vpc:TerminatePhysicalConnection",
        "vpc:RecoverPhysicalConnection",
        "vpc:DeletePhysicalConnection",
        "vpc:OpenPhysicalConnectionService",
        "vpc:GetPhysicalConnectionServiceStatus",
        "vpc:DescribePhysicalConnections",
        "vpc:CreatePhysicalConnectionOccupancyOrder",
        "vpc:UpdateVirtualPhysicalConnection",
        "vpc:CreateRouterInterface",
        "vpc:DeleteRouterInterface",
        "vpc:DeactivateRouterInterface",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeRouteTableList",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:DescribeGrantRulesToCen",
        "vpc:GrantInstanceToCen",
        "vpc:RevokeInstanceFromCen",
        "vpc:CreatePhysicalConnectionNew",
        "vpc:ModifyVirtualBorderRouterAttribute",
        "vpc:AssociatePhysicalConnectionToVirtualBorderRouter",
        "vpc:UnassociatePhysicalConnectionFromVirtualBorderRouter",
        "bssapi:SetRenewal",
        "vpc:CancelPhysicalConnection"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:CreateTransitRouterRouteEntry",
        "cen:ListTransitRouterRouteEntries",
        "cen:DeleteTransitRouterRouteEntry",
        "cen:ResolveAndRouteServiceInCen",
        "cen:DescribeRouteServicesInCen",
        "cen:DeleteRouteServiceInCen",
        "cen:CreateTransitRouterVbrAttachment",
        "cen:DeleteTransitRouterVbrAttachment",
        "cen:ListTransitRouterVbrAttachments",
        "cen:ListTransitRouterVpcAttachments",
        "cen:DisableTransitRouterRouteTablePropagation",
        "cen:EnableTransitRouterRouteTablePropagation",
        "cen:ListTransitRouterRouteTablePropagations",
        "cen:AssociateTransitRouterAttachmentWithRouteTable",
        "cen:DissociateTransitRouterAttachmentFromRouteTable",
        "cen:ListTransitRouterRouteTableAssociations",
        "cen:ListTransitRouterRouteTables",
        "cen:ListTransitRouters",
        "cen:ListTransitRouterAvailableResource",
        "cen:ResolveAndRouteServiceInCen",
        "cen:DescribeRouteServicesInCen",
        "cen:DeleteRouteServiceInCen",
        "cen:DescribeCenAttachedChildInstances",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:DescribeCens"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:ListStacks",
        "ros:GetStack",
        "ros:ListStackEvents",
        "ros:ListStackResources",
        "ros:GetStackResource",
        "ros:CreateStack",
        "ros:DeleteStack",
        "ros:PreviewStack"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vcc.eflo.aliyuncs.com"
        }
      }
    }
  ]
}
```
Create the AliyunServiceRoleForEfloVcc role
When you create a Lingjun cluster for the first time, click Confirm Authorization in the Network Configurations step. The system then creates the AliyunServiceRoleForEfloVcc role automatically.
Delete the AliyunServiceRoleForEfloVcc role
Before deleting AliyunServiceRoleForEfloVcc, release all Lingjun connections that assume this role.
A Lingjun connection is released automatically when it expires.
To delete the role after releasing connections, follow the steps in the "Delete a service-linked role" section of Service-linked roles.
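Because the policy of a service-linked role cannot be modified, reviewing what it allows is the control left to the account owner. The following added example (not part of the original documentation or of any Alibaba Cloud tool) audits a policy document in the format shown under "Full policy". The embedded policy is a constructed excerpt that reuses action names from that policy, and treating the `Describe`, `List`, and `Get` prefixes as read-only is an assumed heuristic.

```python
import json
from collections import Counter

# Constructed excerpt: action names come from the policy above, trimmed for brevity.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
              "ecs:ModifyInstanceAttribute"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVpcs", "vpc:CreateRouteEntry",
              "cen:AttachCenChildInstance", "bssapi:SetRenewal"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["cen:ListTransitRouters", "cen:DeleteRouteServiceInCen",
              "cen:DeleteRouteServiceInCen"], "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "vcc.eflo.aliyuncs.com"}}}
]}
""")

# Assumption: these prefixes mark read-only actions (heuristic, not an official list).
READ_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    """RAM policies allow a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return one finding per Allow statement: services, duplicates, unscoped writes."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        counts = Counter(actions)
        wildcard = "*" in as_list(stmt.get("Resource", []))
        writes = sorted({a for a in actions
                         if not a.partition(":")[2].startswith(READ_PREFIXES)})
        findings.append({
            "statement": index,
            "services": sorted({a.partition(":")[0] for a in actions}),
            "duplicates": sorted(a for a, n in counts.items() if n > 1),
            # Write actions on every resource with no Condition: widest blast radius.
            "unscoped_writes": writes if wildcard and "Condition" not in stmt else [],
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(json.dumps(finding))
```

Run against the full policy, the `unscoped_writes` lists are the actions worth watching in audit logs for this role, since only the `ram:DeleteServiceLinkedRole` statement carries a condition.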