
Elastic Compute Service:Workbench service-linked role

Last Updated: Nov 02, 2023

This topic describes the Workbench service-linked role, which is named AliyunServiceRoleForECSWorkbench, and how to delete the role.

Background information

AliyunServiceRoleForECSWorkbench is a service-linked role provided by Resource Access Management (RAM) for Workbench. Workbench can assume the AliyunServiceRoleForECSWorkbench role to gain access to Elastic Compute Service (ECS) and Elastic Container Instance. For more information, see Service-linked roles.

Permissions of AliyunServiceRoleForECSWorkbench

  • Role: AliyunServiceRoleForECSWorkbench

  • Policy: AliyunServiceRolePolicyForECSWorkbench

  • Policy content:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "workbench.ecs.aliyuncs.com"
            }
          }
        },
        {
          "Action": "eci:DescribeContainerGroups",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:DescribeInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:StartTerminalSession",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:DescribeInvocations",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ecs:InvokeCommand",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "eci:ExecContainerCommand",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Create AliyunServiceRoleForECSWorkbench

When you use Workbench, the system checks whether the AliyunServiceRoleForECSWorkbench role exists in your account. If the role does not exist, the system creates it.

AliyunServiceRoleForECSWorkbench includes the AliyunServiceRolePolicyForECSWorkbench system policy. System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.

Delete AliyunServiceRoleForECSWorkbench

If you no longer need the AliyunServiceRoleForECSWorkbench role, you can delete it. For more information, see Delete a RAM role.

FAQ

Why can't the Workbench service-linked role AliyunServiceRoleForECSWorkbench be automatically created for my RAM user?

AliyunServiceRoleForECSWorkbench can be automatically created or deleted only for RAM users that are granted specific permissions. For AliyunServiceRoleForECSWorkbench to be automatically created for a RAM user, attach the AliyunECSWorkbenchFullAccess system policy or the following custom policy to the RAM user:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    }
  ]
}
Note

Replace <Alibaba Cloud account ID> with the ID of your Alibaba Cloud account.
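As an added example that is not part of the Alibaba Cloud documentation, the following Python audit checks a RAM policy document for the point the FAQ policy relies on: every Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole must carry a StringEquals condition on ram:ServiceName pinned to workbench.ecs.aliyuncs.com, so the grant cannot be used to create or delete service-linked roles for other services. The function names are my own, and the policies below are constructed (the first is the FAQ policy above, the second an unscoped variant for comparison).

```python
import json

# Constructed input: the custom policy shown in the FAQ, embedded inline.
WORKBENCH_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "ecs-workbench:LoginInstance", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "workbench.ecs.aliyuncs.com"}}}
  ]
}
""")

# Constructed input: same grant without the ram:ServiceName condition.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ram:CreateServiceLinkedRole"], "Resource": "*", "Effect": "Allow"}
    ],
}

SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}

def _as_list(value):
    """RAM policies allow a string or a list for Action and condition values."""
    return value if isinstance(value, list) else [value]

def slr_service_scope(statement):
    """Set of ram:ServiceName values the statement is pinned to, or None when
    the statement has no StringEquals condition on ram:ServiceName."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    if "ram:ServiceName" not in cond:
        return None
    return set(_as_list(cond["ram:ServiceName"]))

def check_slr_grants(policy, expected_service):
    """Return (action, finding) tuples for every Allow statement that grants a
    service-linked-role action without being scoped to expected_service.
    An empty list means all such grants are correctly scoped."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        # "ram:*" and "*" also cover the service-linked-role actions.
        granted = {a for a in actions if a in SLR_ACTIONS or a in ("ram:*", "*")}
        scope = slr_service_scope(st) if granted else None
        for action in sorted(granted):
            if scope is None:
                findings.append((action, "no ram:ServiceName condition: any service allowed"))
            elif scope != {expected_service}:
                findings.append((action, f"scoped to {sorted(scope)}, expected {expected_service}"))
    return findings
```

Running check_slr_grants(UNSCOPED_POLICY, "workbench.ecs.aliyuncs.com") reports the unconditioned grant, while the FAQ policy produces no findings.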