
Container Registry: Service-linked role for VPC access

Last Updated: Mar 26, 2026

When you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance, Container Registry needs access to the Virtual Private Cloud (VPC) where your instances are deployed. Instead of requiring you to manually configure VPC access permissions, the system automatically creates the AliyunServiceRoleForContainerRegistryConnectCustomerVPC service-linked role when you import images. This topic describes the role's permissions and how to delete it.

How it works

Importing images between Container Registry editions requires migrating data through a VPC. The system automatically creates the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role when you import images from a Personal Edition instance to an Enterprise Edition instance. Container Registry assumes this role to access resources in your VPC without requiring manual permission setup.

AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  • Role name: AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  • Role policy name: AliyunServiceRolePolicyForContainerRegistryConnectCustomerVPC

Trusted service

The role trusts the following service to assume it:

connect-customer-vpc.cr.aliyuncs.com

Permissions policy

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Delete AliyunServiceRoleForContainerRegistryConnectCustomerVPC

Deleting the service-linked role stops Container Registry from accessing your VPC for image imports.

  1. Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForContainerRegistryConnectCustomerVPC in the search box. Find the role and click Delete Role in the Actions column.

  4. In the Delete Role dialog box, enter the name of the VPC service-linked role and click Delete Role.

FAQ

Why wasn't the service-linked role automatically created for my RAM user?

The system automatically creates the role for RAM users that have the ram:CreateServiceLinkedRole permission. Attach the following policy to the RAM user, replacing Alibaba Cloud account ID in the Resource value with your own account ID, then retry the image import. For more information, see RAM authentication information.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "connect-customer-vpc.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
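
The check below is an added example, not part of the original documentation or any Alibaba Cloud tooling: it audits a RAM policy document for Allow statements that grant ram:CreateServiceLinkedRole without the ram:ServiceName condition used in the FAQ policy above. The function name audit_slr_grants, the sample policies and the <account-id> placeholder are assumptions made for illustration; only StringEquals conditions are recognized, so any other operator is reported as unscoped.

```python
import fnmatch
import json

SLR_ACTION = "ram:CreateServiceLinkedRole"
CR_VPC_SERVICE = "connect-customer-vpc.cr.aliyuncs.com"  # trusted service named on this page


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_slr_grants(policy, allowed_services=(CR_VPC_SERVICE,)):
    """Return findings for Allow statements that grant ram:CreateServiceLinkedRole
    without pinning ram:ServiceName to an allowed service."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Wildcards such as "ram:*" or "*" also cover the action. Comparing
        # case-insensitively is a conservative assumption: it can only flag more.
        if not any(fnmatch.fnmatchcase(SLR_ACTION.lower(), a.lower()) for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = _as_list(cond.get("ram:ServiceName"))
        if not services:
            findings.append(f"Statement[{idx}]: no StringEquals ram:ServiceName condition")
            continue
        extra = sorted(set(services) - set(allowed_services))
        if extra:
            findings.append(f"Statement[{idx}]: unexpected services {extra}")
    return findings


# Constructed sample inputs: the FAQ policy above, and an over-broad variant.
SCOPED = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ram:CreateServiceLinkedRole"],
  "Resource": "acs:ram:*:<account-id>:role/*",
  "Condition": {"StringEquals": {"ram:ServiceName":
    ["connect-customer-vpc.cr.aliyuncs.com"]}}}]}""")
BROAD = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_slr_grants(SCOPED))
    print(audit_slr_grants(BROAD))
```
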

Related topics

For background on service-linked roles in Resource Access Management (RAM), see Service-linked roles.