Manage the service-linked role for Image Builder - - Alibaba Cloud Documentation Center

AliyunServiceRoleForECSImageBuilder is a service-linked role provided by Resource Access Management (RAM) to grant Image Builder the access permissions on Alibaba Cloud resources to create, share, and distribute images. This topic describes how to use the AliyunServiceRoleForECSImageBuilder service-linked role to grant Image Builder the access permissions on Alibaba Cloud resources.

Prerequisites

If you are a RAM user, the RAM user is granted the permissions to use Image Builder so that you can manage its service-linked role. For more information, see Grant permissions to a RAM user.

The following policy is attached to grant the RAM user the permissions to use Image Builder.

Note Replace <account ID> with the ID of your Alibaba Cloud account.

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account ID>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "imagebuilder.ecs.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Background information

Image Builder can assume the AliyunServiceRoleForECSImageBuilder role to gain access to Operation Orchestration Service (OOS), Elastic Compute Service (ECS), and Virtual Private Cloud (VPC).

Create the AliyunServiceRoleForECSImageBuilder role

When you create an image builder template, the system checks whether the AliyunServiceRoleForECSImageBuilder role is created for your account. If not, the system creates the role for your account.

Note You can call the CreateImagePipeline operation to create image builder templates.

Delete the AliyunServiceRoleForECSImageBuilder role

If you no longer need the AliyunServiceRoleForECSImageBuilder role and are certain about the impact of deleting the role, you can delete the role. For more information, see Delete a RAM role.

Note Before you can delete the AliyunServiceRoleForECSImageBuilder role, you must delete the image builder templates from all regions within the current account.

After you delete the AliyunServiceRoleForECSImageBuilder role, Image Builder cannot create, share, or distribute images.