When you configure virtual private cloud (VPC) access control on a Container Registry Enterprise Edition instance, Container Registry automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone service-linked role. This role grants Container Registry the permissions it needs to manage PrivateZone on your behalf, so the internal domain name of your instance resolves to the correct VPC IP addresses without requiring you to configure permissions manually.
How it works
When you configure VPC access control on a Container Registry Enterprise Edition instance and create VPCs for that instance, Container Registry automatically creates the AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone service-linked role. Container Registry then assumes this role to access PrivateZone, which resolves the internal domain name of the instance to the IP address of each VPC.
For more information about service-linked roles, see Service-linked roles.
Role details
Role name: AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone
Role policy name: AliyunServiceRolePolicyForContainerRegistryAccessCustomerPrivate
Permissions granted by the role:
{
    "Action": [
        "pvtz:AddZone",
        "pvtz:DeleteZone",
        "pvtz:BindZoneVpc",
        "pvtz:UpdateZoneRemark",
        "pvtz:SetProxyPattern",
        "pvtz:DescribeRegions",
        "pvtz:DescribeZoneInfo",
        "pvtz:DescribeZones",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZoneRecord",
        "pvtz:UpdateRecordRemark",
        "pvtz:DescribeZoneRecords"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
These permissions allow Container Registry to create, query, update, and delete private DNS zones and zone records in PrivateZone, and to bind zones to VPCs.
Delete the service-linked role
Delete this role only if you no longer need VPC access control on your Container Registry Enterprise Edition instance.
Step 1: Remove VPC access control configuration
Before deleting the role, remove all VPCs from your instance's access control configuration.
Log on to the Container Registry console.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance you want to manage.
In the left-side navigation pane of the instance management page, choose Repository > Access Control.
On the VPC tab, click Delete in the Actions column for each VPC.
In the confirmation message, click OK.
Step 2: Delete the role in the RAM console
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, search for AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, then click Delete Role in the Actions column.
In the Delete Role dialog box, enter the role name and click Delete Role.
FAQ
Why wasn't the service-linked role created automatically for my RAM user?
The role is created automatically only for RAM users that have the ram:CreateServiceLinkedRole permission scoped to this service. To allow a RAM user to trigger automatic creation, attach the following policy to that user. For more information, see RAM authentication rules.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "access-customer-privatezone.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
Replace Alibaba Cloud account ID with your actual account ID. The ram:ServiceName condition restricts this permission to creating service-linked roles for Container Registry's PrivateZone integration only, preventing the RAM user from creating service-linked roles for other services. The wildcard in Resource allows the permission to apply to any role path within your account.
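To see concretely what the two policy documents on this page grant and withhold (the service-linked role's pvtz permissions under "Role details", and the ram:CreateServiceLinkedRole grant just shown), the following added example implements a small evaluator for the subset of RAM policy semantics those documents use: Allow/Deny effects, wildcard matching on Action and Resource, a StringEquals condition, and default deny. It is not Alibaba Cloud's policy engine and models nothing beyond that subset. The account ID is a constructed placeholder, and the role policy is wrapped in a full policy document because the page shows only its single statement.

```python
"""Minimal RAM-style policy evaluator (added example, not Alibaba Cloud code).

Models only: Allow/Deny statements, '*' wildcards in Action and Resource,
the StringEquals condition operator, explicit-deny-wins, and default deny.
"""
import fnmatch

# Constructed placeholder; substitute your own Alibaba Cloud account ID.
ACCOUNT_ID = "123456789012345678"

# Policy of the service-linked role, wrapped in a full document (the page
# shows only the statement).
ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "pvtz:AddZone", "pvtz:DeleteZone", "pvtz:BindZoneVpc",
                "pvtz:UpdateZoneRemark", "pvtz:SetProxyPattern",
                "pvtz:DescribeRegions", "pvtz:DescribeZoneInfo",
                "pvtz:DescribeZones", "pvtz:AddZoneRecord",
                "pvtz:DeleteZoneRecord", "pvtz:UpdateRecordRemark",
                "pvtz:DescribeZoneRecords",
            ],
            "Resource": "*",
            "Effect": "Allow",
        }
    ],
}

# The FAQ policy that lets a RAM user trigger creation of this role only.
CREATE_SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": ["access-customer-privatezone.cr.aliyuncs.com"]
                }
            },
        }
    ],
}

READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_match(patterns, value):
    # Actions and resources may contain '*' wildcards; compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_match(condition, context):
    # Every condition key must be satisfied; only StringEquals is modelled here.
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if the policy permits `action` on `resource` under `context`."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _pattern_match(stmt["Action"], action):
            continue
        if not _pattern_match(stmt["Resource"], resource):
            continue
        if not _condition_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed  # nothing matched: default deny


def mutating_actions(policy):
    """List the allowed actions that can change state (non read-only verbs)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    svc = "access-customer-privatezone.cr.aliyuncs.com"
    role_arn = f"acs:ram::{ACCOUNT_ID}:role/example-role"
    print("create SLR for PrivateZone integration:",
          is_allowed(CREATE_SLR_POLICY, "ram:CreateServiceLinkedRole", role_arn,
                     {"ram:ServiceName": svc}))
    print("create SLR for another service:",
          is_allowed(CREATE_SLR_POLICY, "ram:CreateServiceLinkedRole", role_arn,
                     {"ram:ServiceName": "other.example.aliyuncs.com"}))
    print("role may mutate:", mutating_actions(ROLE_POLICY))
```

Running the file shows that the FAQ policy grants ram:CreateServiceLinkedRole only when ram:ServiceName is the PrivateZone integration's service name and the role resource is in your own account, and that the service-linked role's policy contains eight state-changing pvtz actions alongside four Describe actions, which is the split a least-privilege review would examine.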