When you configure access to your Container Registry Enterprise Edition instance over virtual private clouds (VPCs), Container Registry automatically creates the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone for Alibaba Cloud DNS PrivateZone. PrivateZone then automatically resolves the internal domain name of the Container Registry Enterprise Edition instance to the IP address of each VPC. This topic describes the service-linked role, answers a frequently asked question about it, and explains how to delete it.

Background information

Container Registry may need to access other Alibaba Cloud services to enable specific features. In this case, Container Registry must assume a service-linked role to obtain the permissions that are required to access other Alibaba Cloud services. A service-linked role is a RAM role. For more information about service-linked roles, see Service-linked roles.

Scenarios

When you configure access to your Container Registry Enterprise Edition instance over VPCs, you must use Alibaba Cloud DNS PrivateZone to resolve the domain name of the instance to the IP address of each VPC. When you create the VPCs, Container Registry automatically creates a service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone for Alibaba Cloud DNS PrivateZone. Then, Container Registry can assume the role to access the resources in PrivateZone.

Introduction to the service-linked role

  • Role name: AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone
  • Role policy: AliyunServiceRolePolicyForContainerRegistryAccessCustomerPrivate
  • Permissions of the service-linked role
    {
        "Action": [
            "pvtz:AddZone",
            "pvtz:DeleteZone",
            "pvtz:BindZoneVpc",
            "pvtz:UpdateZoneRemark",
            "pvtz:SetProxyPattern",
            "pvtz:DescribeRegions",
            "pvtz:DescribeZoneInfo",
            "pvtz:DescribeZones",
            "pvtz:AddZoneRecord",
            "pvtz:DeleteZoneRecord",
            "pvtz:UpdateRecordRemark",
            "pvtz:DescribeZoneRecords"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
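The statement above is the complete permission set the role is documented to hold, which makes it a useful baseline: if the attached policy ever gains actions outside PrivateZone, or a wildcard, the role has drifted from what this page describes. The following script is an added example, not Alibaba Cloud's code or a RAM API. It compares the documented action list with a policy document in the same JSON shape RAM uses and reports missing actions, unexpected actions, and Allow statements that use a bare or per-service action wildcard. The "attached" policy it checks is a constructed sample, not real RAM output; to check a real role you would feed it the policy document retrieved from the RAM console or API instead.

```python
"""Drift check for the service-linked role's permissions.

Added example; it is not Alibaba Cloud's code. It compares the action set
documented on this page with a policy document as RAM would return it, and
reports actions that are missing, actions that were added, and Allow
statements that use a bare or per-service action wildcard. The "attached"
policy below is a constructed sample, not real RAM output.
"""
import json

# The single statement documented on this page for the role policy.
DOCUMENTED_STATEMENT = {
    "Action": [
        "pvtz:AddZone",
        "pvtz:DeleteZone",
        "pvtz:BindZoneVpc",
        "pvtz:UpdateZoneRemark",
        "pvtz:SetProxyPattern",
        "pvtz:DescribeRegions",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZones",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZoneRecord",
        "pvtz:UpdateRecordRemark",
        "pvtz:DescribeZoneRecords",
    ],
    "Resource": "*",
    "Effect": "Allow",
}

# Constructed sample of a hand-edited policy: one documented action was
# dropped, an ECS action crept in, and a second statement grants ram:*.
SAMPLE_ATTACHED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": [a for a in DOCUMENTED_STATEMENT["Action"]
                       if a != "pvtz:UpdateRecordRemark"] + ["ecs:DescribeInstances"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {"Action": "ram:*", "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value):
    """RAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy_doc):
    """Every action granted by an Allow statement, as a set."""
    actions = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def wildcard_statements(policy_doc):
    """Indices of Allow statements whose Action is '*' or '<service>:*'."""
    hits = []
    for index, stmt in enumerate(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            hits.append(index)
    return hits


def policy_drift(expected_statement, policy_json):
    """Compare a documented statement against a policy document given as JSON text."""
    doc = json.loads(policy_json)
    expected = set(expected_statement["Action"])
    actual = allowed_actions(doc)
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
        "wildcard_statements": wildcard_statements(doc),
    }


def documented_policy_json():
    """The documented statement wrapped as a full policy document."""
    return json.dumps({"Version": "1", "Statement": [DOCUMENTED_STATEMENT]})


if __name__ == "__main__":
    print(json.dumps(policy_drift(DOCUMENTED_STATEMENT, SAMPLE_ATTACHED_POLICY), indent=2))
```

Only the action set is compared: the documented policy already uses "Resource": "*", so a resource wildcard is not drift here, but any action outside the pvtz namespace is.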

Deletion of the service-linked role

If you do not need to access your Container Registry Enterprise Edition instance over VPCs, you can delete the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role.

  1. Delete the VPCs.

    Before you delete AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, you must delete the VPCs.

    1. Log on to the Container Registry console.
    2. In the left-side navigation pane, click Instances.
    3. On the Instances page, click the required Container Registry Enterprise Edition instance.
    4. On the management page of the Container Registry Enterprise Edition instance, choose Repository > Access Control in the left-side navigation pane.
    5. On the VPC tab, click Delete in the Actions column of the VPCs.
    6. In the message that appears, click OK.
  2. Use your Alibaba Cloud account to log on to the RAM console.
  3. In the left-side navigation pane, choose Identities > Roles.
  4. On the Roles page, search for AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone by using the search box, and then click Delete in the Actions column of AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone.
  5. In the message that appears, click OK.

FAQ

Why is the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role not automatically created for a RAM user?

The system automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role only for RAM users that are granted specific permissions. If the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone role is not automatically created, you must attach the following policy to the RAM user.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "access-customer-privatezone.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
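The security-relevant part of the FAQ policy is the Condition block: the RAM user is allowed to call ram:CreateServiceLinkedRole, but only when ram:ServiceName is access-customer-privatezone.cr.aliyuncs.com, so the grant cannot be used to create service-linked roles for other services. The following is an added example, neither Alibaba Cloud's code nor the real RAM policy engine; it is a simplified evaluator that models only the features this policy uses (Action and Resource matching with "*" wildcards and a StringEquals condition) to show which requests the policy admits. ACCOUNT_ID is a constructed placeholder standing in for the "Alibaba Cloud account ID" in the policy above.

```python
"""Simplified evaluation of the RAM policy from the FAQ above.

Added example; it is neither Alibaba Cloud's code nor the RAM policy
engine. It models only the features that policy uses: Action and Resource
matching with '*' wildcards, and a StringEquals condition on
ram:ServiceName. ACCOUNT_ID is a constructed placeholder.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012345"  # constructed placeholder, not a real account
SERVICE_NAME = "access-customer-privatezone.cr.aliyuncs.com"  # from the FAQ policy
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone"

# The FAQ policy, with the "Alibaba Cloud account ID" placeholder filled in.
FAQ_POLICY = json.dumps({
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": [SERVICE_NAME]}},
        }
    ],
    "Version": "1",
})


def _as_list(value):
    """RAM accepts a string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)


def _matches(name, patterns):
    """Glob match against any pattern; '*' also matches the empty region field."""
    return any(fnmatch.fnmatchcase(name, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every key must equal one of its listed values."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, values in clauses.items():
            if context.get(key) not in _as_list(values):
                return False
    return True


def is_allowed(policy_json, action, resource, context):
    """Deny by default; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_create_service_linked_role(service_name, resource=ROLE_ARN):
    """Does the FAQ policy let the RAM user create a service-linked role for service_name?"""
    return is_allowed(FAQ_POLICY, "ram:CreateServiceLinkedRole", resource,
                      {"ram:ServiceName": service_name})


if __name__ == "__main__":
    print(can_create_service_linked_role(SERVICE_NAME))        # True
    print(can_create_service_linked_role("ecs.aliyuncs.com"))  # False
```

The evaluator returns True only for the one service name listed in the condition and for roles under the given account; a request with a different service name, a different action, another account's role ARN, or no ram:ServiceName in the request context is refused, which is the least-privilege shape a policy for a single service-linked role should have.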