This topic describes the AliyunServiceRoleForCEN service-linked role for Cloud Enterprise Network (CEN) and how to delete the service-linked role.

Background

A service-linked role is a Resource Access Management (RAM) role that is bound to a specific Alibaba Cloud service. A service may need to call other services to provide a feature, and those calls succeed only if the required permissions have been granted in advance. Service-linked roles simplify this authorization and reduce the risk of user error: the service creates the role with a predefined permission policy, and only that service can assume the role. For more information about service-linked roles, see Service-linked roles.

Create the AliyunServiceRoleForCEN service-linked role

When you use an Enterprise Edition transit router to create a connection to a virtual private cloud (VPC), the system automatically creates the AliyunServiceRoleForCEN service-linked role and attaches the AliyunServiceRolePolicyForCEN permission policy to it. The policy allows the transit router to create elastic network interfaces (ENIs) in the VPC; the ENIs are used to transmit traffic from the VPC to the transit router. The ECS and VPC actions in the policy are granted on Resource "*", so the role can manage ENIs and security groups in any VPC of the account; what limits the role is that only the CEN service can assume it. The ram:DeleteServiceLinkedRole action is the only one with a Condition: it applies only when ram:ServiceName is cen.aliyuncs.com, so the role can delete CEN's own service-linked role and no other.

Note If the AliyunServiceRoleForCEN service-linked role already exists, the system does not create it again.

The following code block shows the content of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    }
  ]
}
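The following Python script is an added example and is not part of the original page or of the CEN service. It loads the policy shown above into a simplified RAM-style evaluator (deny by default, Allow statements only, "*" wildcards, StringEquals conditions; explicit Deny statements and other condition operators are not modelled, and the real RAM engine is not reproduced) so that you can check what the role is and is not permitted to do, and it reports duplicated action names and which statements carry a condition.

```python
import fnmatch
from collections import Counter

# AliyunServiceRolePolicyForCEN as printed on this page, re-typed as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["vpc:DescribeVSwitchAttributes"], "Resource": "*", "Effect": "Allow"},
        {"Action": [
            "ecs:CreateNetworkInterface", "ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
            "ecs:RevokeSecurityGroup", "ecs:DeleteSecurityGroup", "ecs:JoinSecurityGroup",
            "ecs:DeleteSecurityGroup", "ecs:LeaveSecurityGroup", "ecs:DescribeSecurityGroups",
            "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface", "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces", "ecs:CreateNetworkInterfacePermission",
            "ecs:DescribeNetworkInterfacePermissions", "ecs:DeleteNetworkInterfacePermission",
            "ecs:CreateSecurityGroupPermission", "ecs:AuthorizeSecurityGroupPermission",
            "ecs:RevokeSecurityGroupPermission", "ecs:DeleteSecurityGroupPermission",
            "ecs:JoinSecurityGroupPermission", "ecs:DeleteSecurityGroupPermission",
            "ecs:LeaveSecurityGroupPermission", "ecs:DescribeSecurityGroupPermissions",
            "ecs:AttachNetworkInterfacePermissions", "ecs:DetachNetworkInterfacePermissions",
        ], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "cen.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    """RAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Only StringEquals is modelled (assumption of this example): every listed
    condition key must be present in the request context and equal one of the values."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Deny-by-default evaluation of an Allow-only policy.

    The request is allowed if some Allow statement names the action and the resource
    (wildcards honoured) and, when the statement has a Condition, the condition holds
    for the supplied request context (for example {"ram:ServiceName": "cen.aliyuncs.com"}).
    """
    context = context or {}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        return True
    return False


def audit(policy):
    """Summarise the grant: actions allowed unconditionally on Resource "*",
    actions allowed on "*" only under a Condition, and action names listed twice."""
    counts = Counter()
    unconditional, conditional = [], []
    for statement in policy["Statement"]:
        actions = _as_list(statement["Action"])
        counts.update(actions)
        if "*" in _as_list(statement["Resource"]):
            (conditional if "Condition" in statement else unconditional).extend(actions)
    return {
        "duplicates": sorted(a for a, n in counts.items() if n > 1),
        "wildcard_unconditional": sorted(set(unconditional)),
        "wildcard_conditional": sorted(set(conditional)),
    }


if __name__ == "__main__":
    for key, value in audit(POLICY).items():
        print(f"{key}: {value}")
    print(is_allowed(POLICY, "ecs:CreateNetworkInterface", "acs:ecs:*:*:eni/*"))
    print(is_allowed(POLICY, "ram:DeleteServiceLinkedRole", "*",
                     {"ram:ServiceName": "ecs.aliyuncs.com"}))
```

Running the script shows that every ECS and VPC action is granted unconditionally on Resource "*", that ram:DeleteServiceLinkedRole is granted only when ram:ServiceName is cen.aliyuncs.com (a request for any other service name, or with no service name in the context, falls through to the default deny), and that ecs:DeleteSecurityGroup and ecs:DeleteSecurityGroupPermission are each listed twice, which is harmless but worth knowing when you diff the policy against a later revision.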

Delete the AliyunServiceRoleForCEN service-linked role

The system does not automatically delete the AliyunServiceRoleForCEN service-linked role. Before you delete the role, delete all connections between VPCs and Enterprise Edition transit routers; the role cannot be deleted while any such connection still uses it. For more information, see Create a VPC connection.

References

Create a VPC connection