This topic describes the Workbench service-linked role, which is named AliyunServiceRoleForECSWorkbench, and how to delete the role.
Background information
AliyunServiceRoleForECSWorkbench is a service-linked role provided by Resource Access Management (RAM) for Workbench. Workbench can assume the AliyunServiceRoleForECSWorkbench role to gain access to Elastic Compute Service (ECS) and Elastic Container Instance. For more information, see Service-linked roles.
Permissions of AliyunServiceRoleForECSWorkbench
Role: AliyunServiceRoleForECSWorkbench
Policy: AliyunServiceRolePolicyForECSWorkbench
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "eci:DescribeContainerGroups",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:DescribeInstances",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:StartTerminalSession",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:DescribeInvocations",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ecs:InvokeCommand",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "eci:ExecContainerCommand",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Create AliyunServiceRoleForECSWorkbench
When you use Workbench, the system checks whether AliyunServiceRolePolicyForECSWorkbench exists in your account. If the role does not exist in your account, the system creates the role.
AliyunServiceRoleForECSWorkbench includes the AliyunServiceRolePolicyForECSWorkbench system policy. System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.
Delete AliyunServiceRolePolicyForECSWorkbench
If you no longer need AliyunServiceRolePolicyForECSWorkbench, you can delete it. For more information, see Delete a RAM role.
FAQ
Why is the Workbench service-linked role AliyunServiceRoleForECSWorkbench not automatically created for my RAM user?
AliyunServiceRoleForECSWorkbench can be automatically created or deleted only for RAM users that are granted specific permissions. For AliyunServiceRoleForECSWorkbench to be automatically created for a RAM user, attach the AliyunECSWorkbenchFullAccess system policy or the following custom policy to the RAM user:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    }
  ]
}
Replace <Alibaba Cloud account ID> with the ID of your Alibaba Cloud account.
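The following is an added example, not part of the original documentation: an offline review of the two policy documents above that lists Allow statements granting command or session actions on every resource and checks that any ram:*ServiceLinkedRole action is pinned to workbench.ecs.aliyuncs.com through ram:ServiceName. The function names, the classification of actions as execute-capable, and the unscoped variant are assumptions made for illustration.

```python
WORKBENCH = "workbench.ecs.aliyuncs.com"
# Assumption: actions classified by name as able to run commands or open sessions.
EXEC_ACTIONS = {"ecs:InvokeCommand", "ecs:StartTerminalSession",
                "eci:ExecContainerCommand", "ecs-workbench:LoginInstance"}

def _allow(action, **extra):
    return {"Action": action, "Resource": "*", "Effect": "Allow", **extra}

PINNED = {"Condition": {"StringEquals": {"ram:ServiceName": WORKBENCH}}}

# The two policy documents from this page, rebuilt as Python dicts.
SERVICE_ROLE_POLICY = {"Version": "1", "Statement": [
    _allow("ram:DeleteServiceLinkedRole", **PINNED),
    _allow("eci:DescribeContainerGroups"), _allow("ecs:DescribeInstances"),
    _allow("ecs:StartTerminalSession"), _allow("ecs:DescribeInvocations"),
    _allow("ecs:InvokeCommand"), _allow("eci:ExecContainerCommand")]}
CUSTOM_POLICY = {"Version": "1", "Statement": [
    _allow("ecs-workbench:LoginInstance"),
    _allow("ram:CreateServiceLinkedRole", **PINNED)]}
# Constructed variant: the custom policy with its Condition blocks stripped.
UNSCOPED_POLICY = {"Version": "1", "Statement": [
    {k: v for k, v in st.items() if k != "Condition"}
    for st in CUSTOM_POLICY["Statement"]]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, action, finding) tuples for a RAM policy dict."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        everywhere = "*" in _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if action.startswith("ram:") and action.endswith("ServiceLinkedRole"):
                pinned = _as_list(cond.get("StringEquals", {}).get("ram:ServiceName", []))
                if pinned != [WORKBENCH]:
                    findings.append((i, action, "not pinned to " + WORKBENCH))
            elif action in EXEC_ACTIONS and everywhere and not cond:
                findings.append((i, action, "execute-capable on every resource"))
    return findings

if __name__ == "__main__":
    for name in ("SERVICE_ROLE_POLICY", "CUSTOM_POLICY", "UNSCOPED_POLICY"):
        print(name, audit(globals()[name]))
```

Because the permissions of a service-linked role cannot be changed, the findings for the role policy are an inventory of what Workbench can do on your behalf, while the findings for the RAM user policy mark what you can tighten yourself.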