API Gateway:AliyunServiceRoleForApiGatewayConnectUserVpc

Last Updated:Jul 04, 2024

This topic describes the scenarios in which the AliyunServiceRoleForApiGatewayConnectUserVpc service-linked role is used, the policy attached to it, and how to delete the role.

Background

API Gateway provides the AliyunServiceRoleForApiGatewayConnectUserVpc Resource Access Management (RAM) role to create dedicated instances that are used to directly access services in a virtual private cloud (VPC) over an internal network. For more information about service-linked roles, see Service-linked roles.

Scenarios

If you create an API Gateway dedicated instance of the VPC type but the instance does not have a service-linked role, the system automatically creates the AliyunServiceRoleForApiGatewayConnectUserVpc role for the instance. Then, the system attaches the AliyunServiceRolePolicyForApiGatewayConnectUserVpc policy to the role. This allows the instance to access other resources in the VPC.

Introduction

Role name: AliyunServiceRoleForApiGatewayConnectUserVpc

Policy: AliyunServiceRolePolicyForApiGatewayConnectUserVpc

Policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeSecurityGroups",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:AssignIpv6Addresses",
        "ecs:UnassignIpv6Addresses",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "connectuservpc.apigateway.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the AliyunServiceRoleForApiGatewayConnectUserVpc role

Before you delete the AliyunServiceRoleForApiGatewayConnectUserVpc role, you must delete the API Gateway dedicated instance that is associated with the role. Procedure:

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances.

  2. On the Instances tab of the Dedicated Instances page, find the VPC integration instance that you want to manage and then click Release Instance in the upper-right corner.

  3. Go to the RAM console. In the left-side navigation pane, choose Identities > Roles, find the AliyunServiceRoleForApiGatewayConnectUserVpc role, and then click Delete Role in the Actions column.

FAQ

What do I do if the AliyunServiceRoleForApiGatewayConnectUserVpc service-linked role is not automatically created for my RAM user?

If you want the system to automatically create the service-linked role or if you want to delete the service-linked role, make sure that your RAM user has the required permissions. To obtain the required permissions, you must attach the following policy to the RAM user:

{
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "connectuservpc.apigateway.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
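To see what the ram:ServiceName condition in the policy above actually restricts, here is an added example (not Alibaba Cloud's code) that evaluates the FAQ's RAM user policy against sample requests. It is a simplified evaluator that supports only the elements used on this page (string or list Action and Resource with '*' wildcards, Effect, and StringEquals conditions) and fails closed on anything else; the same function can be run against the service-linked role's own policy in the Introduction section.

```python
import fnmatch

# Constructed from the FAQ policy above: the RAM user policy that lets the
# system create this page's service-linked role, and nothing broader.
USER_POLICY = {
    "Statement": [
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "connectuservpc.apigateway.aliyuncs.com"
                }
            },
        }
    ],
    "Version": "1",
}

def _matches(pattern, value):
    # Action/Resource may be a string or a list; '*' wildcards are allowed.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only StringEquals appears on this page; any other operator fails closed
    # (an assumption of this evaluator, not a statement about RAM behaviour).
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in expected:  # missing key => condition fails
                return False
    return True

def is_allowed(policy, action, resource="*", context=None):
    """Simplified RAM evaluation: an explicit Deny wins, any matching Allow
    grants, and a request that matches no statement is implicitly denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running it shows the policy grants ram:CreateServiceLinkedRole only when the request carries the connectuservpc.apigateway.aliyuncs.com service name; any other service name, a request without that key, or any other action is denied.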