When you configure VPC (virtual private cloud) access control on your Container Registry Enterprise Edition instance, Container Registry automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone service-linked role for Alibaba Cloud DNS PrivateZone. Then, PrivateZone automatically resolves the internal domain name of the Container Registry Enterprise Edition instance to the IP address of each VPC. This topic describes the basic information and FAQ about the service-linked role. This topic also describes how to delete the service-linked role.
Background information
Container Registry may need to access other Alibaba Cloud services to implement specific features. In these cases, Container Registry must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a RAM role. For more information, see Service-linked roles.
Scenarios
When you configure VPC access control on your Container Registry Enterprise Edition instance, you must use Alibaba Cloud DNS PrivateZone to resolve the domain name of the instance to the IP address of each VPC. When you create the VPCs, Container Registry automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone service-linked role for Alibaba Cloud DNS PrivateZone. Then, Container Registry can assume the role to access the resources in PrivateZone.
Introduction to the service-linked role
Role name: AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone
Role policy: AliyunServiceRolePolicyForContainerRegistryAccessCustomerPrivate
Permissions of the service-linked role
{
  "Action": [
    "pvtz:AddZone",
    "pvtz:DeleteZone",
    "pvtz:BindZoneVpc",
    "pvtz:UpdateZoneRemark",
    "pvtz:SetProxyPattern",
    "pvtz:DescribeRegions",
    "pvtz:DescribeZoneInfo",
    "pvtz:DescribeZones",
    "pvtz:AddZoneRecord",
    "pvtz:DeleteZoneRecord",
    "pvtz:UpdateRecordRemark",
    "pvtz:DescribeZoneRecords"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Deletion of the service-linked role
If you do not need to use VPC access control on your Container Registry Enterprise Edition instance, you can delete the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role.
Delete the VPCs.
Before you delete AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, you must delete the VPCs.
Log on to the Container Registry console.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
In the left-side navigation pane of the management page of the Enterprise Edition instance, choose .
On the VPC tab, click Delete in the Actions column of each VPC that you want to remove.
In the message that appears, click OK.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Roles page, enter AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone in the search box to search for the service-linked role, and then click Delete Role in the Actions column that corresponds to AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone.
In the Delete Role dialog box, enter the name of the service-linked role and click Delete Role.
FAQ
Why is the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role not automatically created for a RAM user?
The system automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role only for RAM users that are granted specific permissions. If the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role is not automatically created, you must attach the following policy to the RAM user. For more information, see RAM authentication rules.
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "access-customer-privatezone.cr.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
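The two policy documents on this page (the service-linked role's pvtz permissions above, and the RAM user policy in this FAQ) are easiest to reason about by evaluating concrete requests against them. The following is an added example, not Alibaba Cloud's own code or evaluator: a small Python policy checker that implements only the subset of RAM semantics these two policies use (Allow/Deny, `*` wildcards in Action and Resource, and the StringEquals condition). It shows why the `ram:ServiceName` condition confines the user to creating this one service-linked role, why the service-linked role itself cannot be used for anything outside pvtz, and how to detect drift in the role's permissions against an expected allowlist. The account ID is a constructed placeholder.

```python
"""Minimal RAM policy evaluator (added example, not Alibaba Cloud's own code).

Implements only the subset of RAM policy semantics used by the two policies
on this page: Allow/Deny effects, '*' wildcards in Action and Resource, and
the StringEquals condition operator. Any other operator fails closed.
"""
import fnmatch

# Actions the page lists for the service-linked role; used as the allowlist
# when auditing the role's attached policy for drift.
EXPECTED_PVTZ_ACTIONS = [
    "pvtz:AddZone", "pvtz:DeleteZone", "pvtz:BindZoneVpc",
    "pvtz:UpdateZoneRemark", "pvtz:SetProxyPattern", "pvtz:DescribeRegions",
    "pvtz:DescribeZoneInfo", "pvtz:DescribeZones", "pvtz:AddZoneRecord",
    "pvtz:DeleteZoneRecord", "pvtz:UpdateRecordRemark", "pvtz:DescribeZoneRecords",
]

# The statement quoted on the page, wrapped in the Statement/Version envelope
# that a complete policy document carries.
SERVICE_LINKED_ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": list(EXPECTED_PVTZ_ACTIONS), "Resource": "*", "Effect": "Allow"}
    ],
}

# Constructed placeholder for the Alibaba Cloud account ID (not a real account).
ACCOUNT_ID = "123456789012345678"

# The policy the FAQ says to attach to a RAM user so the role gets auto-created.
USER_POLICY = {
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": ["access-customer-privatezone.cr.aliyuncs.com"]
                }
            },
        }
    ],
    "Version": "1",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM action and resource patterns use '*' as a wildcard; compare case-insensitively
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is implemented; an unknown operator makes the statement fail closed
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if `policy` grants `action` on `resource` under `context`.

    A matching Deny always wins; otherwise one matching Allow is needed;
    with no matching statement the request is implicitly denied.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unexpected_actions(policy, expected):
    """Actions granted by Allow statements in `policy` that are not in `expected`.

    An empty list means the role's permissions have not drifted from the allowlist.
    """
    granted = {a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _as_list(s["Action"])}
    return sorted(granted - set(expected))


if __name__ == "__main__":
    role_arn = f"acs:ram:*:{ACCOUNT_ID}:role/AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone"
    ctx_ok = {"ram:ServiceName": "access-customer-privatezone.cr.aliyuncs.com"}
    print("user may create the pvtz service-linked role:", is_allowed(USER_POLICY, "ram:CreateServiceLinkedRole", role_arn, ctx_ok))
    print("user may create a role for another service:", is_allowed(USER_POLICY, "ram:CreateServiceLinkedRole", role_arn, {"ram:ServiceName": "other.aliyuncs.com"}))
    print("role may add a PrivateZone record:", is_allowed(SERVICE_LINKED_ROLE_POLICY, "pvtz:AddZoneRecord", "*"))
    print("role may touch RAM:", is_allowed(SERVICE_LINKED_ROLE_POLICY, "ram:CreateServiceLinkedRole", role_arn))
    print("drift from allowlist:", unexpected_actions(SERVICE_LINKED_ROLE_POLICY, EXPECTED_PVTZ_ACTIONS))
```

Run it as a script to see the four decisions and the drift report. The practical use of `unexpected_actions` is periodic comparison of the policy actually attached to the role (fetched with the RAM API or console export) against the list on this page, so that any later widening of the role's permissions is noticed.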