This topic describes the service-linked role AliyunServiceRoleForContainerService for Alibaba Cloud Container Service for Kubernetes (ACK), the permissions that the role grants, and how to delete the role.

Background

AliyunServiceRoleForContainerService is a Resource Access Management (RAM) role. Alibaba Cloud Container Service for Kubernetes (ACK) assumes this service-linked role to obtain the permissions that it needs to access other Alibaba Cloud services on your behalf when you use certain ACK features. For more information, see Service linked roles.

Scenarios

AliyunServiceRoleForContainerService is automatically created to grant ACK the permissions required for accessing other Alibaba Cloud services, such as Server Load Balancer (SLB), Auto Scaling (ESS), Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Resource Orchestration Service (ROS).

Description

The AliyunServiceRoleForContainerService role grants ACK the permissions in the following policy statements. Note their scope: most statements apply to Resource "*", so with this role ACK can, for example, run Cloud Assistant commands (ecs:RunCommand, ecs:InvokeCommand) on any ECS instance in the account, attach or detach instance RAM roles (ecs:AttachInstanceRamRole), and create any RAM role or policy (ram:CreateRole, ram:CreatePolicy). Attaching or detaching policies and deleting roles and policies is limited to the KubernetesMasterRole-* and KubernetesWorkerRole-* roles and the k8sMasterRolePolicy-* and k8sWorkerRolePolicy-* policies. For more information, see Content of the AliyunServiceRoleForContainerService permission policy.

	{
            "Action": [
                "ecs:RunInstances",
                "ecs:RenewInstance",
                "ecs:Create*",
                "ecs:AllocatePublicIpAddress",
                "ecs:AllocateEipAddress",
                "ecs:Delete*",
                "ecs:StartInstance",
                "ecs:StopInstance",
                "ecs:RebootInstance",
                "ecs:Describe*",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:AttachDisk",
                "ecs:DetachDisk",
                "ecs:WaitFor*",
                "ecs:AddTags",
                "ecs:ReplaceSystemDisk",
                "ecs:ModifyInstanceAttribute",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:UnassociateEipAddress",
                "ecs:ReleaseEipAddress",
                "ecs:CreateKeyPair",
                "ecs:ImportKeyPair",
                "ecs:AttachKeyPair",
                "ecs:DetachKeyPair",
                "ecs:DeleteKeyPairs",
                "ecs:AttachInstanceRamRole",
                "ecs:DetachInstanceRamRole",
                "ecs:AllocateDedicatedHosts",
                "ecs:CreateOrder",
                "ecs:DeleteInstance",
                "ecs:CreateDisk",
                "ecs:Createvpc",
                "ecs:Deletevpc",
                "ecs:DeleteVSwitch",
                "ecs:ResetDisk",
                "ecs:DeleteSnapshot",
                "ecs:AllocatePublicIpAddress",
                "ecs:CreateVSwitch",
                "ecs:DeleteSecurityGroup",
                "ecs:CreateImage",
                "ecs:RemoveTags",
                "ecs:ReleaseDedicatedHost",
                "ecs:CreateInstance",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DeleteDisk",
                "ecs:StopInstance",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteImage",
                "ecs:ModifyInstanceSpec",
                "ecs:CreateSnapshot",
                "ecs:CreateCommand",
                "ecs:InvokeCommand",
                "ecs:StopInvocation",
                "ecs:DeleteCommand",
                "ecs:RunCommand",
                "ecs:DescribeInvocationResults",
                "ecs:ModifyCommand"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

	{
            "Action": [
                "vpc:Describe*",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:ReleaseEipAddress",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:CreateNatGateway",
                "vpc:DeleteNatGateway",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:ModifyEipAddressAttribute",
                "vpc:CreateForwardEntry",
                "vpc:DeleteBandwidthPackage",
                "vpc:CreateBandwidthPackage",
                "vpc:DeleteForwardEntry",
                "vpc:TagResources",
                "vpc:DeletionProtection"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

	{
            "Action": [
                "slb:Describe*",
                "slb:CreateLoadBalancer",
                "slb:DeleteLoadBalancer",
                "slb:RemoveBackendServers",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:CreateLoadBalancerTCPListener",
                "slb:AddBackendServers*",
                "slb:CreateVServerGroup",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:CreateLoadBalancerUDPListener",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:SetBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:DeleteVServerGroup",
                "slb:ModifyVServerGroupBackendServers",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DeleteLoadBalancerListener",
                "slb:AddTags",
                "slb:RemoveTags",
                "slb:SetLoadBalancerDeleteProtection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }

	{
            "Action": [
                "dns:Describe*",
                "dns:AddDomainRecord"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }

	{
            "Action": [
                "rds:Describe*",
                "rds:ModifySecurityIps"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }

	{
            "Action": [
                "ros:Describe*",
                "ros:WaitConditions",
                "ros:AbandonStack",
                "ros:DeleteStack",
                "ros:CreateStack",
                "ros:UpdateStack",
                "ros:ValidateTemplate",
                "ros:DoActions",
                "ros:InquiryStack",
                "ros:SetDeletionProtection",
                "ros:PreviewStack"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }

	{
            "Action": [
                "ess:Describe*",
                "ess:CreateScalingConfiguration",
                "ess:EnableScalingGroup",
                "ess:ExitStandby",
                "ess:DetachDBInstances",
                "ess:DetachLoadBalancers",
                "ess:AttachInstances",
                "ess:DeleteScalingConfiguration",
                "ess:AttachLoadBalancers",
                "ess:DetachInstances",
                "ess:ModifyScalingRule",
                "ess:RemoveInstances",
                "ess:ModifyScalingGroup",
                "ess:AttachDBInstances",
                "ess:CreateScalingRule",
                "ess:DeleteScalingRule",
                "ess:ExecuteScalingRule",
                "ess:SetInstancesProtection",
                "ess:ModifyNotificationConfiguration",
                "ess:CreateNotificationConfiguration",
                "ess:EnterStandby",
                "ess:DeleteScalingGroup",
                "ess:CreateScalingGroup",
                "ess:DisableScalingGroup",
                "ess:DeleteNotificationConfiguration",
                "ess:ModifyScalingConfiguration",
                "ess:SetGroupDeletionProtection",
                "ess:CreateLifecycleHook",
                "ess:DescribeLifecycleHooks",
                "ess:ModifyLifecycleHook",
                "ess:DeleteLifecycleHook"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

	{
            "Action": [
                "ram:GetUser",
                "ram:ListUsers",
                "ram:GetRole",
                "ram:ListPoliciesForRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:DetachPolicyFromRole",
                "ram:AttachPolicyToRole",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole"
            ],
            "Resource": [
                "acs:ram:*:*:role/KubernetesMasterRole-*",
                "acs:ram:*:*:role/KubernetesWorkerRole-*",
                "acs:ram:*:*:policy/k8sMasterRolePolicy-*",
                "acs:ram:*:*:policy/k8sWorkerRolePolicy-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:CreateRole",
                "ram:CreatePolicy"
            ],
            "Resource": [
                "acs:ram:*:*:role/*",
                "acs:ram:*:*:policy/*"
            ],
            "Effect": "Allow"
        }

	{
            "Action": [
                "cms:CreateMyGroups",
                "cms:AddMyGroupInstances",
                "cms:DeleteMyGroupInstances",
                "cms:DeleteMyGroups",
                "cms:GetMyGroups",
                "cms:ListMyGroups",
                "cms:UpdateMyGroupInstances",
                "cms:UpdateMyGroups",
                "cms:TaskConfigCreate",
                "cms:TaskConfigList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

	{
            "Action": [
                "ens:Describe*",
                "ens:CreateInstance",
                "ens:StartInstance",
                "ens:StopInstance",
                "ens:ReleasePrePaidInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

Delete the service-linked role for ACK

After you delete the service-linked role AliyunServiceRoleForContainerService, ACK can no longer assume it, so you can no longer manage ACK clusters. For example, you cannot create, expand, or scale ACK clusters. To delete AliyunServiceRoleForContainerService, perform the following steps:

Notice Before you delete AliyunServiceRoleForContainerService, make sure that you have deleted all ACK clusters under the current account. The deletion fails if clusters still exist under the account.
  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, enter AliyunServiceRoleForContainerService in the search bar and click the search icon.
  4. Find AliyunServiceRoleForContainerService and click Delete in the Actions column.
  5. In the Delete RAM Role message, click OK.
    • If ACK clusters still exist under the current account, the deletion fails. Delete the clusters first and then retry.
    • If no ACK cluster exists under the current account, the deletion succeeds.

FAQ

Why is AliyunServiceRoleForContainerService not automatically created for a RAM user?

AliyunServiceRoleForContainerService is not automatically created when a RAM user uses ACK because the RAM user does not have the ram:CreateServiceLinkedRole permission. You must attach the following permission policy to the RAM user:
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<The ID of the Alibaba Cloud account>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cs.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
Note Replace <The ID of the Alibaba Cloud account> in the preceding policy with the ID of the Alibaba Cloud account to which the RAM user belongs. The ram:ServiceName condition limits the grant to the service-linked role of ACK (cs.aliyuncs.com): with this policy the RAM user cannot create service-linked roles for other services.
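The following Python script is an added example, not Alibaba Cloud code or part of this page, that makes two of the points above checkable offline: it lists which state-changing actions in the AliyunServiceRoleForContainerService statements are granted on Resource "*", and it runs the FAQ policy through a small policy evaluator to show why a RAM user without that policy cannot create the role and why the ram:ServiceName condition covers only cs.aliyuncs.com. The statements are an excerpt copied from the policy shown in the Description section; the evaluator (Allow/Deny, wildcard Action and Resource, StringEquals conditions only) is a simplified model of RAM policy evaluation and is an assumption of this example, as is the constructed 16-digit account ID 1234567890123456.

```python
"""Offline checks for the ACK service-linked role policy and the FAQ policy.

Added example; not Alibaba Cloud code. The evaluator below is a simplified
model (Allow/Deny, wildcard Action/Resource, StringEquals conditions only),
not RAM's actual evaluation engine.
"""
import fnmatch

# Excerpt of the AliyunServiceRoleForContainerService statements shown on
# this page: a few ECS actions (including Cloud Assistant) and the RAM ones.
SLR_STATEMENTS = [
    {"Action": ["ecs:Describe*", "ecs:RunInstances", "ecs:RunCommand",
                "ecs:InvokeCommand", "ecs:AttachInstanceRamRole"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ram:GetRole", "ram:ListPoliciesForRole"],
     "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["ram:AttachPolicyToRole", "ram:DeleteRole"],
     "Resource": ["acs:ram:*:*:role/KubernetesMasterRole-*",
                  "acs:ram:*:*:role/KubernetesWorkerRole-*"],
     "Effect": "Allow"},
    {"Action": ["ram:CreateRole", "ram:CreatePolicy"],
     "Resource": ["acs:ram:*:*:role/*", "acs:ram:*:*:policy/*"],
     "Effect": "Allow"},
]

# Action name prefixes treated as read-only (assumption for this audit).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "WaitFor")


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for actions such as ecs:Describe* that cannot change state."""
    name = action.split(":", 1)[1]
    return name.startswith(READ_ONLY_PREFIXES)


def unscoped_write_actions(statements):
    """State-changing actions that an Allow statement grants on Resource '*'."""
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow" or "*" not in _as_list(st["Resource"]):
            continue
        found.update(a for a in _as_list(st["Action"]) if not is_read_only(a))
    return sorted(found)


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; every listed key must match the context."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Simplified RAM evaluation: an explicit Deny wins, any matching Allow
    grants, and nothing matching means implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _conditions_hold(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def create_slr_policy(account_id):
    """The FAQ policy with the Alibaba Cloud account ID filled in."""
    if not (account_id.isdigit() and len(account_id) == 16):
        raise ValueError("expected a 16-digit Alibaba Cloud account ID")
    return {"Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{account_id}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": ["cs.aliyuncs.com"]}},
    }], "Version": "1"}


if __name__ == "__main__":
    print("state-changing actions granted on Resource '*':")
    for action in unscoped_write_actions(SLR_STATEMENTS):
        print("  ", action)
    policy = create_slr_policy("1234567890123456")  # constructed account ID
    request = ("ram:CreateServiceLinkedRole",
               "acs:ram::1234567890123456:role/AliyunServiceRoleForContainerService")
    print("RAM user, no policy:      ", is_allowed([], *request, {"ram:ServiceName": "cs.aliyuncs.com"}))
    print("RAM user, FAQ policy, ACK:", is_allowed([policy], *request, {"ram:ServiceName": "cs.aliyuncs.com"}))
    print("RAM user, FAQ policy, ECS:", is_allowed([policy], *request, {"ram:ServiceName": "ecs.aliyuncs.com"}))
```

Run the script directly to print the report. Because the evaluator ignores policy elements it does not model, use it to reason about the statements on this page, not as a substitute for verifying the RAM user's effective permissions in RAM itself.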