文档

AliyunServiceRoleForECI

更新时间:

本文为您介绍弹性容器实例服务关联角色AliyunServiceRoleForECI以及如何删除服务关联角色。

背景信息

弹性容器实例服务关联角色AliyunServiceRoleForECI是ECI在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息,请参见服务关联角色

AliyunServiceRoleForECI应用场景

在创建ECI实例和镜像缓存的过程中,ECI需要访问云服务器ECS、专有网络VPC、容器镜像服务ACR、日志服务SLS和负载均衡SLB的资源时,可以通过自动创建的弹性容器实例服务关联角色AliyunServiceRoleForECI获取访问权限。

AliyunServiceRoleForECI权限说明

弹性容器实例服务关联角色AliyunServiceRoleForECI对应的角色权限策略为AliyunServiceRolePolicyForECI,包含的云服务访问权限如下:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions",
                "ecs:CreateNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:AttachNetworkInterface",
                "ecs:DetachNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeSecurityGroups",
                "ecs:TagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcs",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:DescribeEipAddresses",
                "vpc:AllocateEipAddress",
                "vpc:ReleaseEipAddress",
                "vpc:AddCommonBandwidthPackageIp",
                "vpc:RemoveCommonBandwidthPackageIp",
                "vpc:DescribeIpv6Addresses",
                "vpc:DescribeIpv6Gateways",
                "vpc:AllocateIpv6InternetBandwidth",
                "vpc:TagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cr:PullRepository",
                "cr:GetAuthorizationToken",
                "cr:GetRepositoryLayers",
                "cr:GetRepositoryManifest",
                "cr:GetRepositoryTag",
                "cr:GetRepository",
                "cr:ListInstance",
                "cr:ListInstanceEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateProject",
                "log:GetProject",
                "log:CreateLogStore",
                "log:GetLogStore",
                "log:CreateMachineGroup",
                "log:CreateConfig",
                "log:GetConfig",
                "log:ApplyConfigToGroup",
                "log:GetAppliedConfigs",
                "log:CreateIndex",
                "log:TagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "slb:DescribeLoadBalancers",
                "slb:RemoveBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "eci.aliyuncs.com"
                }
            }
        }
    ]
}

删除AliyunServiceRoleForECI

如果您需要删除弹性容器实例服务关联角色AliyunServiceRoleForECI,请先通过控制台或者OpenAPI删除依赖该服务关联角色的ECI资源,包括ECI实例和镜像缓存。删除ECI实例和镜像缓存后,您可以删除AliyunServiceRoleForECI。具体操作,请参见删除RAM角色

  • 本页导读 (1)
文档反馈