To use Container Service for Kubernetes (ACK) for the first time, you do not need to activate the service. However, you must assign default roles to the service account. After you perform this operation, the service account can be used to call services such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS, and Server Load Balancer (SLB), create clusters, and store logs. This topic describes how to assign roles to the service account.

Background information

The default roles in ACK include:


  • If you used ACK before January 15, 2018, the system automatically assigns the default roles to the service account. For more information about role permissions, see Default roles. If you use a Resource Access Management (RAM) user to access ACK, you must upgrade the RAM policy that is attached to the RAM user. For more information, see Customize RAM policies.
  • As of January 15, 2018, new users must assign their Alibaba Cloud accounts the default roles to use ACK. To authorize RAM users to use ACK, a new user must log on to the RAM console. For more information, see Overview.


  1. Log on to the ACK console.
  2. If you have not assigned your Alibaba Cloud account the default roles, click Go to RAM console. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    • If you use a managed cluster, you must assign KubernetesAuditRole to your account to access your cloud resources.
    • The default policy WorkerRolePolicy that is attached to worker roles in a managed cluster has high permissions. To ensure data security and resource isolation in multi-tenancy scenarios, ACK reduces the permissions of RAM roles in a managed cluster. For more information, see Container Service for Kubernetes reduces the permissions of worker RAM roles in managed clusters.
    • To modify the permission settings of default roles, log on to the RAM console and go to the RAM Roles page. Make sure that ACK is granted the required permissions when you modify the permission settings.
  3. After you assign the default roles to your account, refresh the console to use ACK.