All Products
Search
Document Center

Elastic Compute Service:Manage the service-linked role for Image Builder

Last Updated:Apr 27, 2026

Create, manage, or delete the AliyunServiceRoleForECSImageBuilder role that grants Image Builder access to OOS, ECS, and VPC resources.

Prerequisites

If you use a RAM user, the RAM user is granted permissions to use Image Builder.

Attach the following policy to grant the RAM user Image Builder permissions.

Note

Replace <account ID> with your Alibaba Cloud account ID.

{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:<account ID>:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"imagebuilder.ecs.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}

Background

Image Builder assumes the AliyunServiceRoleForECSImageBuilder role to access CloudOps Orchestration Service (OOS), ECS, and Virtual Private Cloud (VPC).

Create the AliyunServiceRoleForECSImageBuilder role

When you create an image component or template, the system automatically creates the AliyunServiceRoleForECSImageBuilder role if it does not exist in your account.

Note

Call CreateImagePipeline to create image templates and CreateIageComponent to create image components.

Delete the AliyunServiceRoleForECSImageBuilder role

If you no longer need the AliyunServiceRoleForECSImageBuilder role, delete the RAM role.

Note

Before you delete the AliyunServiceRoleForECSImageBuilder role, delete all image templates in all regions of your account.

After the role is deleted, Image Builder can no longer create, share, or distribute images.