To import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance, the system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC to enable Virtual Private Cloud (VPC) access. This topic describes the use scenarios of this role and how to delete this role.

Background information

Container Registry may need to access other Alibaba Cloud services to implement certain features. In these cases, Container Registry must assume a service-linked role, which is a Resource Access Management (RAM) role, to obtain the permissions to access other Alibaba Cloud services. For more information, see Service-linked roles.

Scenarios

Container Registry must have VPC access to transfer image data when you import images. The system automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryConnectCustomerVPC when you import images from a Container Registry Personal Edition instance to a Container Registry Enterprise Edition instance. Container Registry assumes this role to access resources in the VPC where the instances are deployed.

AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  • Role name: AliyunServiceRoleForContainerRegistryConnectCustomerVPC
  • Policy: AliyunServiceRolePolicyForContainerRegistryConnectCustomerVPC
  • Policy content (the two statements, shown here as a complete RAM policy document in the same layout as the policy in the FAQ below):
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:CreateNetworkInterfacePermission",
            "ecs:DeleteNetworkInterfacePermission",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVSwitches",
            "vpc:DescribeVpcs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Delete AliyunServiceRoleForContainerRegistryConnectCustomerVPC

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, enter AliyunServiceRoleForContainerRegistryConnectCustomerVPC into the search box to search for the RAM role. Select AliyunServiceRoleForContainerRegistryConnectCustomerVPC and click Delete in the Actions column.
  4. In the message that appears, click OK.

FAQ

Why is the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role not automatically created for a RAM user?

The system automatically creates the AliyunServiceRoleForContainerRegistryConnectCustomerVPC role only for RAM users that have been granted the required permission. If the role is not automatically created, attach the following policy to the RAM user; it allows the user to create service-linked roles only for the connect-customer-vpc.cr.aliyuncs.com service, so it grants no broader role-creation rights. Replace "Alibaba Cloud account ID" with the ID of your Alibaba Cloud account. For more information, see Attach custom policies to a RAM user.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:Alibaba Cloud account ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "connect-customer-vpc.cr.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
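Before attaching the FAQ policy, it is useful to confirm that the policy as written actually grants ram:CreateServiceLinkedRole for this service and nothing else. The following added example (not part of this topic or of Container Registry) is a small offline evaluator for the subset of the RAM policy language the FAQ policy uses: Action and Resource wildcards, the StringEquals condition operator, and Deny-overrides-Allow. The account ID 123456789012 and the role ARN format acs:ram::<account-id>:role/<name> are assumptions.

```python
import fnmatch
import json

CR_VPC_SERVICE = "connect-customer-vpc.cr.aliyuncs.com"  # service named in the FAQ condition
SLR_NAME = "AliyunServiceRoleForContainerRegistryConnectCustomerVPC"

# The FAQ policy from this topic, with a constructed account ID in place of the placeholder.
SAMPLE_USER_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:123456789012:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": [CR_VPC_SERVICE]}},
}]})


def _match(patterns, value):
    """RAM-style wildcard match ('*' and '?') for Action and Resource strings."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the StringEquals operator used by the FAQ policy; other operators fail closed."""
    for operator, keys in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in keys.items():
            if context.get(key) not in ([expected] if isinstance(expected, str) else expected):
                return False
    return True


def allows(policy, action, resource, context):
    """Return True if the policy grants `action` on `resource`; an explicit Deny always wins."""
    decision = False
    for stmt in policy.get("Statement", []):
        if not (_match(stmt.get("Action", []), action)
                and _match(stmt.get("Resource", []), resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def can_create_cr_vpc_role(policy_json, account_id):
    """Check the FAQ requirement: may this RAM user create the CR VPC service-linked role?"""
    # Assumed ARN layout: RAM role ARNs carry an empty region field.
    role_arn = f"acs:ram::{account_id}:role/{SLR_NAME}"
    return allows(json.loads(policy_json), "ram:CreateServiceLinkedRole", role_arn,
                  {"ram:ServiceName": CR_VPC_SERVICE})
```

Run can_create_cr_vpc_role(SAMPLE_USER_POLICY, "123456789012") to confirm the grant; substituting a different account ID or service name in the policy makes it return False, which is the least-privilege property the condition is there to enforce.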