
Cloud Enterprise Network:AliyunServiceRoleForCEN

Last Updated: Mar 08, 2024

This topic describes the AliyunServiceRoleForCEN service-linked role and how to delete this service-linked role.

Background information

A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. An Alibaba Cloud service may need to access other services to use a specific feature. Before you can access a service, you must acquire the required permissions. Service-linked roles simplify the authorization process and prevent user errors. For more information, see Service-linked roles.

Create the AliyunServiceRoleForCEN service-linked role

When you use an Enterprise Edition transit router to create a connection to a virtual private cloud (VPC), the system automatically creates the AliyunServiceRoleForCEN service-linked role. In addition, the system attaches the AliyunServiceRolePolicyForCEN policy to the service-linked role. This policy allows the transit router to create elastic network interfaces (ENIs) in the VPC. The ENIs are used to transmit traffic from the VPC to the transit router. The following code block shows the content of the policy:

Note

If the AliyunServiceRoleForCEN service-linked role already exists, the system does not create it again.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:CreateRouteEntries",
        "vpc:DeleteRouteEntries",
        "vpc:DescribeRouteEntryList",
        "vpc:GetVpcRouteEntrySummary"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:AttachNetworkInterface",
        "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateSecurityGroupPermission",
        "ecs:AuthorizeSecurityGroupPermission",
        "ecs:RevokeSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:JoinSecurityGroupPermission",
        "ecs:DeleteSecurityGroupPermission",
        "ecs:LeaveSecurityGroupPermission",
        "ecs:DescribeSecurityGroupPermissions",
        "ecs:AttachNetworkInterfacePermissions",
        "ecs:DetachNetworkInterfacePermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "expressconnectrouter:CreateExpressConnectRouterAssociation",
        "expressconnectrouter:DeleteExpressConnectRouterAssociation"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "cen.aliyuncs.com"
        }
      }
    }
  ]
}
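As an added example that is not part of this topic or of the CEN product, the following Python script audits a RAM policy document of the kind shown above: it lists which services the policy allows on the wildcard resource without a condition, reports actions listed twice in one statement, and confirms that the ram:DeleteServiceLinkedRole statement is restricted to the cen.aliyuncs.com service. The embedded document is a trimmed copy of the AliyunServiceRolePolicyForCEN policy (constructed for the example; same shape, fewer actions), and the function name audit_policy is the author's own choice.

```python
import json
from collections import Counter

# Constructed sample: the policy from this topic, trimmed to a few actions per statement.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["vpc:DescribeVSwitchAttributes", "vpc:CreateRouteEntries"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:CreateNetworkInterface", "ecs:DeleteSecurityGroup",
                "ecs:DeleteSecurityGroup", "ecs:AttachNetworkInterface"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "cen.aliyuncs.com"}}}
  ]
}
"""


def _as_list(value):
    """RAM accepts Action and Resource as a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(doc: str, expected_service: str = "cen.aliyuncs.com") -> dict:
    """Summarise what a service-linked role policy grants (hypothetical helper)."""
    policy = json.loads(doc)
    wildcard_services = set()   # services allowed on Resource "*" with no Condition
    duplicates = set()
    slr_delete_scoped = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        duplicates.update(a for a, n in Counter(actions).items() if n > 1)
        if "ram:DeleteServiceLinkedRole" in actions:
            # The role may only delete itself: the condition must pin the service name.
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            slr_delete_scoped = cond.get("ram:ServiceName") == expected_service
        elif stmt["Effect"] == "Allow" and "*" in resources and "Condition" not in stmt:
            wildcard_services.update(a.split(":")[0] for a in actions)
    return {
        "wildcard_services": sorted(wildcard_services),
        "duplicate_actions": sorted(duplicates),
        "slr_delete_scoped_to_cen": slr_delete_scoped,
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(POLICY_JSON), indent=2))
```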

Delete the AliyunServiceRoleForCEN service-linked role

The system does not automatically delete the AliyunServiceRoleForCEN service-linked role. Before you can delete the AliyunServiceRoleForCEN service-linked role, you must delete all VPC connections from the Enterprise Edition transit router. For more information, see the following topics:

References

Create a VPC connection