Skip to main content

Service-linked role for Enterprise VPC Edition (AliyunServiceRoleForqodercnEnterpriseVPC)

When you use Alibaba Cloud DevOps/Tongyi Lingma Enterprise Edition to access other Alibaba Cloud services, the system automatically creates a service-linked role named AliyunServiceRoleForqodercnEnterpriseVPC. This topic describes the use cases, permission policy, and deletion of this service-linked role.
VersionEnterprise Edition

Background

A service-linked role is linked to a specific cloud service. The associated service typically creates or deletes this role automatically as you use its features. The role securely grants a service the required permissions, which helps prevent operational errors. For more information about service-linked roles, see service-linked role.

Use cases

The AliyunServiceRoleForqodercnEnterpriseVPC role is used for the following scenarios:
  • Simplifying network configuration by automatically creating a VPC endpoint to access a VPC.
  • Obtaining certificates from Alibaba Cloud SSL Certificates Service to enable HTTPS for custom domain names.

Permissions

Role name: AliyunServiceRoleForqodercnEnterpriseVPC Permission policy: AliyunServiceRoleForqodercnEnterpriseVPC Description: Allows QoderCN Enterprise Edition to access your cloud services, such as VPC. The permission policy includes the following permissions:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CheckProductOpen",
        "privatelink:OpenPrivateLinkService",
        "privatelink:CreateVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:DeleteVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:DescribeZones",
        "vpc:ListEnhancedNatGatewayAvailableZones",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups",
        "resourcemanager:ListResourceGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpc.qodercn.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    }
  ]
}

Deleting the service-linked role

To delete the AliyunServiceRoleForqodercnEnterpriseVPC service-linked role, you must first delete all your QoderCN Enterprise Edition instances by using the console or OpenAPI. You can then delete the role by following the instructions in Delete a RAM role.
Service-linked role for Enterprise VPC Edition (AliyunServiceRoleForqodercnEnterpriseVPC) - Qoder CN