When you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance, the system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC to access the Virtual Private Cloud (VPC). This topic describes the scenarios of the service-linked role and how to delete this role.
Scenarios
Image data is migrated over a VPC, so Container Registry must have VPC access to transfer image data when you import images. The system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC when you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance. Container Registry assumes this role to access resources in the VPC where the instances are deployed.
AliyunServiceRoleForContainerRegistryConnectCustomerVPC
Role name: AliyunServiceRoleForContainerRegistryConnectCustomerVPC
Role policy: AliyunServiceRolePolicyForContainerRegistryConnectCustomerVPC
Policy document:
{
    "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
Delete AliyunServiceRoleForContainerRegistryConnectCustomerVPC
Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Roles page, enter AliyunServiceRoleForContainerRegistryConnectCustomerVPC in the search box to search for the service-linked role. Find the role and click Delete Role in the Actions column that corresponds to the role.
In the Delete Role dialog box, enter the name of the VPC service-linked role and click Delete Role.
FAQ
Why is the AliyunServiceRoleForContainerRegistryConnectCustomerVPC service-linked role not automatically created for a RAM user?
The system automatically creates the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role only for RAM users that are granted specific permissions. If the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role is not automatically created, you must attach the following policy to the RAM user. For more information, see RAM authentication information.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "connect-customer-vpc.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
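The Condition block in the policy above is what limits the RAM user to creating the service-linked role for this one service. The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling: it reports whether each statement that allows ram:CreateServiceLinkedRole is scoped to connect-customer-vpc.cr.aliyuncs.com. The function names, the verdict labels, the account ID in the sample and the case-insensitive action matching are assumptions made for this example.

```python
import json
from fnmatch import fnmatchcase

ACTION = "ram:createservicelinkedrole"
EXPECTED = "connect-customer-vpc.cr.aliyuncs.com"  # service name from the page

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_slr_grants(policy):
    """Return [(statement index, verdict)] for every Allow statement that
    covers ram:CreateServiceLinkedRole, directly or via a wildcard."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: compare action names case-insensitively (conservative).
        if not any(fnmatchcase(ACTION, a.lower()) for a in as_list(stmt.get("Action"))):
            continue
        names = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName"))
        if not names:
            verdict = "unrestricted"      # role creation allowed for any service
        elif set(names) == {EXPECTED}:
            verdict = "scoped"            # matches the page's policy
        else:
            verdict = "other-services"    # allows services beyond this one
        findings.append((i, verdict))
    return findings

# Constructed sample: statement 0 is the page's policy with a made-up account ID,
# statement 1 is an over-broad grant of the kind the Condition block prevents.
SAMPLE = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ram:CreateServiceLinkedRole"],
   "Resource": "acs:ram:*:1234567890123456:role/*",
   "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": ["connect-customer-vpc.cr.aliyuncs.com"]}}},
  {"Action": "ram:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:DescribeSecurityGroups"], "Resource": "*", "Effect": "Allow"}
]}
""")

if __name__ == "__main__":
    for index, verdict in audit_slr_grants(SAMPLE):
        print(f"statement {index}: {verdict}")
```

A verdict of unrestricted or other-services on a RAM user's policy means the user can create service-linked roles beyond the one this topic describes.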
References
Container Registry may need to access other Alibaba Cloud services to implement specific features. In these cases, Container Registry must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a RAM role. For more information, see Service-linked roles.