How do I delete the VPC service-linked role AliyunServiceRoleForApiGatewayConnectUserVpc? - API Gateway

When you create a Dedicated Instance (VPC) in API Gateway, the system needs permissions to manage network interfaces, security groups, and VPC resources in your account. To grant these permissions securely, API Gateway uses a service-linked role.

This topic covers the AliyunServiceRoleForApiGatewayConnectUserVpc service-linked role, including its permissions, automatic creation, and deletion procedure.

For general information about service-linked roles, see Service-linked roles.

Role details

Property	Value
Role name	`AliyunServiceRoleForApiGatewayConnectUserVpc`
Policy name	`AliyunServiceRolePolicyForApiGatewayConnectUserVpc`
Trusted service	`connectuservpc.apigateway.aliyuncs.com`
Purpose	Allows API Gateway dedicated instances to access services in your virtual private cloud (VPC) over the internal network

Permissions

The AliyunServiceRolePolicyForApiGatewayConnectUserVpc policy grants the following permissions:

Network interface management

Permission	Description
`ecs:CreateNetworkInterface`	Create elastic network interfaces (ENIs) in the VPC for API Gateway connectivity
`ecs:DeleteNetworkInterface`	Delete ENIs that are no longer needed
`ecs:AttachNetworkInterface`	Attach ENIs to instances
`ecs:DetachNetworkInterface`	Detach ENIs from instances
`ecs:DescribeNetworkInterfaces`	Query ENI details
`ecs:DescribeNetworkInterfaceAttribute`	Query ENI attributes
`ecs:ModifyNetworkInterfaceAttribute`	Update ENI attributes
`ecs:CreateNetworkInterfacePermission`	Create cross-account ENI permissions
`ecs:DescribeNetworkInterfacePermissions`	Query ENI permissions

IP address management

Permission	Description
`ecs:AssignPrivateIpAddresses`	Assign private IP addresses to ENIs
`ecs:UnassignPrivateIpAddresses`	Release private IP addresses from ENIs
`ecs:AssignIpv6Addresses`	Assign IPv6 addresses to ENIs
`ecs:UnassignIpv6Addresses`	Release IPv6 addresses from ENIs

VPC and security group access

Permission	Description
`ecs:DescribeSecurityGroups`	Query security groups in the VPC
`ecs:ListTagResources`	List tag resources
`vpc:DescribeVpcs`	Query available VPCs
`vpc:DescribeVpcAttribute`	Query VPC attributes
`vpc:DescribeVSwitches`	Query vSwitches in the VPC
`vpc:DescribeVSwitchAttributes`	Query vSwitch attributes
`vpc:ModifyBypassToaAttribute`	Modify bypass ToA attribute

Role lifecycle management

Permission	Description
`ram:DeleteServiceLinkedRole`	Delete this service-linked role (restricted to `connectuservpc.apigateway.aliyuncs.com`)

Full policy document

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeSecurityGroups",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:AssignPrivateIpAddresses",
        "ecs:UnassignPrivateIpAddresses",
        "ecs:AssignIpv6Addresses",
        "ecs:UnassignIpv6Addresses",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:ListTagResources",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcAttribute",
        "vpc:ModifyBypassToaAttribute"
      ],
      "Resource": "*"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "connectuservpc.apigateway.aliyuncs.com"
        }
      }
    }
  ]
}

Create the role

You do not need to manually create this role. When you create a Dedicated Instance (VPC) in API Gateway, the system automatically creates the AliyunServiceRoleForApiGatewayConnectUserVpc role and attaches the AliyunServiceRolePolicyForApiGatewayConnectUserVpc policy.

Note: If the role is not automatically created for your RAM user, the RAM user might lack the required permissions. Attach the following policy to your RAM user to grant the ram:CreateServiceLinkedRole permission:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "connectuservpc.apigateway.aliyuncs.com"
        }
      }
    }
  ]
}

Edit the role

API Gateway does not allow you to edit the AliyunServiceRoleForApiGatewayConnectUserVpc service-linked role. After the role is created, its name and permissions cannot be changed.

Delete the role

Before you delete the AliyunServiceRoleForApiGatewayConnectUserVpc role, release all API Gateway dedicated instances associated with the role. Then delete the role from the Resource Access Management (RAM) console.

Step 1: Release the dedicated instance

Log on to the API Gateway console.
In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances.
On the Instances tab, find the Dedicated Instance (VPC), and then click Release Instance.

Step 2: Delete the role

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
Find AliyunServiceRoleForApiGatewayConnectUserVpc and click Delete Role in the Actions column.

Related information

Service-linked roles