When you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance, the system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC to enable Virtual Private Cloud (VPC) access. This topic describes the scenarios in which this role is used and how to delete it.
Background information
Container Registry may need to access other Alibaba Cloud services to implement certain features. In these cases, Container Registry must assume a service-linked role, which is a Resource Access Management (RAM) role, to obtain the permissions to access other Alibaba Cloud services. For more information, see Service-linked roles.
Scenarios
Container Registry must have VPC access to transfer image data when you import images. The system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC when you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance. Container Registry assumes this role to access resources in the VPC where the instances are deployed.
AliyunServiceRoleForContainerRegistryConnectCustomerVPC
- Role name: AliyunServiceRoleForContainerRegistryConnectCustomerVPC
- Policy: AliyunServiceRolePolicyForContainerRegistryConnectCustomerVPC
- Policy content:
{
  "Action": [
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DeleteNetworkInterfacePermission",
    "ecs:CreateNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:DescribeSecurityGroups"
  ],
  "Resource": "*",
  "Effect": "Allow"
},
{
  "Action": [
    "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
Delete AliyunServiceRoleForContainerRegistryConnectCustomerVPC
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, enter AliyunServiceRoleForContainerRegistryConnectCustomerVPC into the search box to search for the RAM role. Select AliyunServiceRoleForContainerRegistryConnectCustomerVPC and click Delete in the Actions column.
- In the message that appears, click OK.
FAQ
Why is the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role not automatically created for a RAM user?
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "connect-customer-vpc.cr.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
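The FAQ policy above allows ram:CreateServiceLinkedRole only when ram:ServiceName equals connect-customer-vpc.cr.aliyuncs.com. The following added example (not part of the original topic or of any Alibaba Cloud tooling) checks a policy document for grants of that action that are not pinned to this service. The function name, the sample policies and the `<account-id>` placeholder are assumptions made for illustration.

```python
import fnmatch

# Service name taken from the FAQ policy on this page.
EXPECTED_SERVICE = "connect-customer-vpc.cr.aliyuncs.com"
TARGET_ACTION = "ram:CreateServiceLinkedRole"

def _as_list(value):
    """Policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_slr_grant(policy, expected_service=EXPECTED_SERVICE):
    """Return findings for Allow statements that cover TARGET_ACTION
    without pinning ram:ServiceName to exactly expected_service."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Treat each Action entry as a wildcard pattern; case-insensitive
        # comparison is a conservative assumption of this example.
        patterns = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(TARGET_ACTION.lower(), p) for p in patterns):
            continue
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        services = set(_as_list(equals.get("ram:ServiceName")))
        if not services:
            findings.append(f"statement {i}: ram:ServiceName is not restricted")
        elif services != {expected_service}:
            extra = sorted(services - {expected_service})
            findings.append(f"statement {i}: unexpected services {extra}")
    return findings

# Constructed sample policies. "<account-id>" is a placeholder.
SCOPED = {"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:<account-id>:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [EXPECTED_SERVICE]}}}]}
BROAD = {"Version": "1", "Statement": [{
    "Action": "ram:*", "Resource": "*", "Effect": "Allow"}]}
MIXED = {"Version": "1", "Statement": [{
    "Action": ["ram:Create*"], "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [
        EXPECTED_SERVICE, "other-service.example.com"]}}}]}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD), ("MIXED", MIXED)):
        print(name, audit_slr_grant(doc) or "ok")
```

An empty result means every statement that covers the action is limited to the expected service; wildcard grants such as `ram:*` are reported when they carry no such condition.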