This topic describes the AliyunServiceRoleForECI service-linked role for Elastic Container Instance and how to delete the service-linked role.
Background information
AliyunServiceRoleForECI is the service-linked role for Elastic Container Instance. This role is a Resource Access Management (RAM) role that is defined for Elastic Container Instance to access other Alibaba Cloud services in specific scenarios. For more information about service-linked roles, see Service-linked roles.
Scenarios
When you create an elastic container instance or an image cache, if Elastic Container Instance needs to access resources of Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Container Registry (ACR), Log Service (SLS), or Server Load Balancer (SLB), you can use the automatically created AliyunServiceRoleForECI role to obtain the access permissions.
AliyunServiceRoleForECI permissions
The permission policy attached to the AliyunServiceRoleForECI role is AliyunServiceRolePolicyForECI, which contains the following access permissions on cloud services:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeSecurityGroups",
        "ecs:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcs",
        "vpc:AssociateEipAddress",
        "vpc:UnassociateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:AllocateEipAddress",
        "vpc:ReleaseEipAddress",
        "vpc:AddCommonBandwidthPackageIp",
        "vpc:RemoveCommonBandwidthPackageIp",
        "vpc:DescribeIpv6Addresses",
        "vpc:DescribeIpv6Gateways",
        "vpc:AllocateIpv6InternetBandwidth",
        "vpc:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:PullRepository",
        "cr:GetAuthorizationToken",
        "cr:GetRepositoryLayers",
        "cr:GetRepositoryManifest",
        "cr:GetRepositoryTag",
        "cr:GetRepository",
        "cr:ListInstance",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:CreateLogStore",
        "log:GetLogStore",
        "log:CreateMachineGroup",
        "log:CreateConfig",
        "log:GetConfig",
        "log:ApplyConfigToGroup",
        "log:GetAppliedConfigs",
        "log:CreateIndex",
        "log:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:DescribeLoadBalancers",
        "slb:RemoveBackendServers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "eci.aliyuncs.com"
        }
      }
    }
  ]
}
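The following is an added example, not part of the Alibaba Cloud documentation: a short Python script for reviewing a policy document of this shape, grouping the allowed actions per service into read and write, and listing the write actions granted on Resource "*" without a Condition block. The embedded policy is a trimmed excerpt of the policy above; the function names and the read-only prefix list (Describe, Get, List, Pull) are assumptions of this example.

```python
import json
from collections import defaultdict

# Excerpt of AliyunServiceRolePolicyForECI as shown above (trimmed for brevity).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
              "ecs:DeleteNetworkInterface", "ecs:TagResources"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["cr:PullRepository", "cr:GetAuthorizationToken", "cr:ListInstance"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["slb:DescribeLoadBalancers", "slb:RemoveBackendServers"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "eci.aliyuncs.com"}}}
]}
""")

# Assumption of this example: verbs with these prefixes only read state.
READ_PREFIXES = ("Describe", "Get", "List", "Pull")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def summarize(policy):
    """Group Allow actions per service into read/write, and collect write
    actions granted on Resource "*" with no Condition block."""
    by_service = defaultdict(lambda: {"read": [], "write": []})
    unscoped_writes = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            kind = "read" if verb.startswith(READ_PREFIXES) else "write"
            by_service[service][kind].append(verb)
            if kind == "write" and wildcard and "Condition" not in stmt:
                unscoped_writes.append(action)
    return dict(by_service), unscoped_writes

if __name__ == "__main__":
    services, unscoped = summarize(POLICY)
    for name, kinds in sorted(services.items()):
        print(f"{name}: {len(kinds['read'])} read, {len(kinds['write'])} write")
    print("write actions on * without a condition:", unscoped)
```

Replacing the excerpt with the full policy JSON gives the complete per-service breakdown.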
Delete AliyunServiceRoleForECI
Before you can delete the AliyunServiceRoleForECI service-linked role, you must delete the Elastic Container Instance resources related to the role, such as elastic container instances and image caches, by using the Elastic Container Instance console or by calling API operations. You can delete AliyunServiceRoleForECI after you delete the related elastic container instances and image caches. For more information, see Delete a RAM role.