
Container Registry:Use and delete the service-linked role for VPC access

Last Updated: Apr 01, 2024

When you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance, the system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC to access the Virtual Private Cloud (VPC). This topic describes the scenarios of the service-linked role and how to delete this role.

Scenarios

Image data is migrated over a VPC when you import images from Container Registry, so Container Registry must be able to access that VPC during the import. The system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC when you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance. Container Registry assumes this role to access resources in the VPC where the instances are deployed.

AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  • Role name: AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  • Role policy: AliyunServiceRolePolicyForContainerRegistryConnectCustomerVPC

  • Policy content:

    {
      "Statement": [
        {
          "Action": [
            "ecs:CreateNetworkInterfacePermission",
            "ecs:DeleteNetworkInterfacePermission",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVSwitches",
            "vpc:DescribeVpcs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

Delete AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForContainerRegistryConnectCustomerVPC in the search box to search for the service-linked role. Find the role and click Delete Role in the Actions column that corresponds to the role.

  4. In the message that appears, click Delete Role.

FAQ

Why is the AliyunServiceRoleForContainerRegistryConnectCustomerVPC service-linked role not automatically created for a RAM user?

The system automatically creates the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role for RAM users that have been granted the required permissions. If the role is not automatically created for a RAM user, attach the following policy to that RAM user. The Condition element restricts the grant to creating the service-linked role for the connect-customer-vpc.cr.aliyuncs.com service only; replace Alibaba Cloud account ID with the ID of your Alibaba Cloud account. For more information, see RAM authentication information.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "connect-customer-vpc.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
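The following Python script is an added example, not part of the original documentation or of any Alibaba Cloud SDK. It models how RAM evaluates the policy above (Action and Resource wildcard matching plus the StringEquals condition on ram:ServiceName) so that you can confirm the grant covers only the Container Registry VPC-access service, and it includes an audit helper that flags any ram:CreateServiceLinkedRole grant that lacks such a condition. The account ID 123456789012345678 and the request context are constructed sample values.

```python
import fnmatch

# The RAM user policy from the FAQ above as a Python dict; the "Alibaba Cloud
# account ID" placeholder is replaced by a constructed sample ID.
SLR_CREATE_POLICY = {
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:123456789012345678:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {
            "ram:ServiceName": ["connect-customer-vpc.cr.aliyuncs.com"]}},
    }],
    "Version": "1",
}
# Constructed request: RAM role ARNs carry an empty region field.
ROLE_ARN = ("acs:ram::123456789012345678:role/"
            "AliyunServiceRoleForContainerRegistryConnectCustomerVPC")
CR_VPC_SERVICE = "connect-customer-vpc.cr.aliyuncs.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern_or_list, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(pattern_or_list))

def _condition_ok(condition, context):
    # Only StringEquals (the operator used on this page) is modelled: every
    # listed key must be present in the request context with an allowed value.
    return all(context.get(k) in _as_list(v)
               for k, v in condition.get("StringEquals", {}).items())

def is_allowed(policy, action, resource, context):
    """Evaluate one RAM policy: an explicit Deny wins; otherwise the request
    passes only if some Allow statement matches action, resource and condition."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_ok(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def slr_grants_are_scoped(policy):
    """Audit: True only if every Allow of ram:CreateServiceLinkedRole carries a
    ram:ServiceName condition, so the user cannot create roles for any service."""
    return all("ram:ServiceName" in s.get("Condition", {}).get("StringEquals", {})
               for s in policy["Statement"]
               if s["Effect"] == "Allow"
               and _matches(s["Action"], "ram:CreateServiceLinkedRole"))
```

Run is_allowed with a context whose ram:ServiceName is CR_VPC_SERVICE to see the grant succeed, and with any other service name, or with no context, to see it refused.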

References

Container Registry may need to access other Alibaba Cloud services to implement specific features. In these cases, Container Registry must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a RAM role. For more information, see Service-linked roles.