This topic describes the AliyunServiceRoleForCEN service-linked role and how to delete this service-linked role.
Background information
A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. An Alibaba Cloud service may need to access other services to use a specific feature. Before you can access a service, you must acquire the required permissions. Service-linked roles simplify the authorization process and avoid user errors. For more information about service-linked roles, see Service-linked roles.
Create the AliyunServiceRoleForCEN service-linked role
When you use an Enterprise Edition transit router to create a connection to a virtual private cloud (VPC), the system automatically creates the AliyunServiceRoleForCEN service-linked role. In addition, the system attaches the AliyunServiceRolePolicyForCEN policy to the service-linked role. This policy allows the transit router to create elastic network interfaces (ENIs) in the VPC. The ENIs are used to transmit traffic from the VPC to the transit router. The following code block shows the content of the policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:GetVpcRouteEntrySummary"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    }
  ]
}
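The following added example (not part of the original topic or of Alibaba Cloud's tooling) shows one way to review a RAM policy document such as the one above: for each Allow statement it reports the services touched, the actions that change resources, any action listed twice, and whether the statement applies to all resources with no condition. The function names are hypothetical, the sample is a trimmed excerpt of the policy shown above, and the read/write split is an assumption based on action-name prefixes.

```python
import json
from collections import Counter

# Trimmed excerpt of the AliyunServiceRolePolicyForCEN document shown above.
POLICY_EXCERPT = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["vpc:DescribeVSwitchAttributes", "vpc:CreateRouteEntries"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:CreateNetworkInterface", "ecs:DeleteSecurityGroup",
                "ecs:JoinSecurityGroup", "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cen.aliyuncs.com"}}}
  ]
}
"""

READ_PREFIXES = ("Describe", "Get", "List")  # assumption: naming heuristic only


def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(document):
    """Return one finding dict per Allow statement in a RAM policy document."""
    findings = []
    for index, stmt in enumerate(json.loads(document)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        findings.append({
            "statement": index,
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "mutating": sorted({a for a in actions
                                if not a.split(":", 1)[1].startswith(READ_PREFIXES)}),
            "duplicates": sorted(a for a, n in Counter(actions).items() if n > 1),
            "unscoped": "*" in as_list(stmt["Resource"]) and "Condition" not in stmt,
        })
    return findings


if __name__ == "__main__":
    for finding in review_policy(POLICY_EXCERPT):
        print(finding)
```

Run against the full policy text, the same check also reports ecs:DeleteSecurityGroupPermission as listed twice.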