This topic describes the service linked role AliyunServiceRoleForContainerService for Alibaba Cloud Container Service for Kubernetes (ACK) and how to delete the service linked role.
Background
AliyunServiceRoleForContainerService is a Resource Access Management (RAM) role. Alibaba Cloud Container Service for Kubernetes (ACK) assumes this service linked role to obtain the permissions required for accessing other Alibaba Cloud services when you use certain ACK features. For more information, see Service linked roles.
Scenarios
AliyunServiceRoleForContainerService is automatically created to grant ACK the permissions required for accessing other Alibaba Cloud services, such as Server Load Balancer (SLB), Auto Scaling (ESS), Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Resource Orchestration Service (ROS).
Description
The AliyunServiceRoleForContainerService role grants ACK the permissions to access the Alibaba Cloud services listed in the following policy statements. For more information, see Content of the AliyunServiceRoleForContainerService permission policy.
{ "Action": [ "ecs:RunInstances", "ecs:RenewInstance", "ecs:Create*", "ecs:AllocatePublicIpAddress", "ecs:AllocateEipAddress", "ecs:Delete*", "ecs:StartInstance", "ecs:StopInstance", "ecs:RebootInstance", "ecs:Describe*", "ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress", "ecs:AttachDisk", "ecs:DetachDisk", "ecs:WaitFor*", "ecs:AddTags", "ecs:ReplaceSystemDisk", "ecs:ModifyInstanceAttribute", "ecs:JoinSecurityGroup", "ecs:LeaveSecurityGroup", "ecs:UnassociateEipAddress", "ecs:ReleaseEipAddress", "ecs:CreateKeyPair", "ecs:ImportKeyPair", "ecs:AttachKeyPair", "ecs:DetachKeyPair", "ecs:DeleteKeyPairs", "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole", "ecs:AllocateDedicatedHosts", "ecs:CreateOrder", "ecs:DeleteInstance", "ecs:CreateDisk", "ecs:Createvpc", "ecs:Deletevpc", "ecs:DeleteVSwitch", "ecs:ResetDisk", "ecs:DeleteSnapshot", "ecs:AllocatePublicIpAddress", "ecs:CreateVSwitch", "ecs:DeleteSecurityGroup", "ecs:CreateImage", "ecs:RemoveTags", "ecs:ReleaseDedicatedHost", "ecs:CreateInstance", "ecs:RevokeSecurityGroupEgress", "ecs:DeleteDisk", "ecs:StopInstance", "ecs:CreateSecurityGroup", "ecs:DeleteImage", "ecs:ModifyInstanceSpec", "ecs:CreateSnapshot", "ecs:CreateCommand", "ecs:InvokeCommand", "ecs:StopInvocation", "ecs:DeleteCommand", "ecs:RunCommand", "ecs:DescribeInvocationResults", "ecs:ModifyCommand" ], "Resource": "*", "Effect": "Allow" }
{ "Action": [ "vpc:Describe*", "vpc:AllocateEipAddress", "vpc:AssociateEipAddress", "vpc:UnassociateEipAddress", "vpc:ReleaseEipAddress", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:CreateVSwitch", "vpc:DeleteVSwitch", "vpc:CreateVpc", "vpc:DeleteVpc", "vpc:CreateNatGateway", "vpc:DeleteNatGateway", "vpc:CreateSnatEntry", "vpc:DeleteSnatEntry", "vpc:ModifyEipAddressAttribute", "vpc:CreateForwardEntry", "vpc:DeleteBandwidthPackage", "vpc:CreateBandwidthPackage", "vpc:DeleteForwardEntry", "vpc:TagResources", "vpc:DeletionProtection" ], "Resource": "*", "Effect": "Allow" }
{ "Action": [ "slb:Describe*", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer", "slb:RemoveBackendServers", "slb:StartLoadBalancerListener", "slb:StopLoadBalancerListener", "slb:CreateLoadBalancerTCPListener", "slb:AddBackendServers*", "slb:CreateVServerGroup", "slb:CreateLoadBalancerHTTPSListener", "slb:CreateLoadBalancerUDPListener", "slb:ModifyLoadBalancerInternetSpec", "slb:SetBackendServers", "slb:AddVServerGroupBackendServers", "slb:DeleteVServerGroup", "slb:ModifyVServerGroupBackendServers", "slb:CreateLoadBalancerHTTPListener", "slb:RemoveVServerGroupBackendServers", "slb:DeleteLoadBalancerListener", "slb:AddTags", "slb:RemoveTags", "slb:SetLoadBalancerDeleteProtection" ], "Resource": [ "*" ], "Effect": "Allow" }
{ "Action": [ "dns:Describe*", "dns:AddDomainRecord" ], "Resource": [ "*" ], "Effect": "Allow" }
{ "Action": [ "rds:Describe*", "rds:ModifySecurityIps" ], "Resource": [ "*" ], "Effect": "Allow" }
{ "Action": [ "ros:Describe*", "ros:WaitConditions", "ros:AbandonStack", "ros:DeleteStack", "ros:CreateStack", "ros:UpdateStack", "ros:ValidateTemplate", "ros:DoActions", "ros:InquiryStack", "ros:SetDeletionProtection", "ros:PreviewStack" ], "Resource": [ "*" ], "Effect": "Allow" }
{ "Action": [ "ess:Describe*", "ess:CreateScalingConfiguration", "ess:EnableScalingGroup", "ess:ExitStandby", "ess:DetachDBInstances", "ess:DetachLoadBalancers", "ess:AttachInstances", "ess:DeleteScalingConfiguration", "ess:AttachLoadBalancers", "ess:DetachInstances", "ess:ModifyScalingRule", "ess:RemoveInstances", "ess:ModifyScalingGroup", "ess:AttachDBInstances", "ess:CreateScalingRule", "ess:DeleteScalingRule", "ess:ExecuteScalingRule", "ess:SetInstancesProtection", "ess:ModifyNotificationConfiguration", "ess:CreateNotificationConfiguration", "ess:EnterStandby", "ess:DeleteScalingGroup", "ess:CreateScalingGroup", "ess:DisableScalingGroup", "ess:DeleteNotificationConfiguration", "ess:ModifyScalingConfiguration", "ess:SetGroupDeletionProtection", "ess:CreateLifecycleHook", "ess:DescribeLifecycleHooks", "ess:ModifyLifecycleHook", "ess:DeleteLifecycleHook" ], "Resource": "*", "Effect": "Allow" }
{ "Action": [ "ram:GetUser", "ram:ListUsers", "ram:GetRole", "ram:ListPoliciesForRole" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "ram:DetachPolicyFromRole", "ram:AttachPolicyToRole", "ram:DeletePolicy", "ram:DeletePolicyVersion", "ram:DeleteRole" ], "Resource": [ "acs:ram:*:*:role/KubernetesMasterRole-*", "acs:ram:*:*:role/KubernetesWorkerRole-*", "acs:ram:*:*:policy/k8sMasterRolePolicy-*", "acs:ram:*:*:policy/k8sWorkerRolePolicy-*" ], "Effect": "Allow" }, { "Action": [ "ram:CreateRole", "ram:CreatePolicy" ], "Resource": [ "acs:ram:*:*:role/*", "acs:ram:*:*:policy/*" ], "Effect": "Allow" }
{ "Action": [ "cms:CreateMyGroups", "cms:AddMyGroupInstances", "cms:DeleteMyGroupInstances", "cms:DeleteMyGroups", "cms:GetMyGroups", "cms:ListMyGroups", "cms:UpdateMyGroupInstances", "cms:UpdateMyGroups", "cms:TaskConfigCreate", "cms:TaskConfigList" ], "Resource": "*", "Effect": "Allow" }
{ "Action": [ "ens:Describe*", "ens:CreateInstance", "ens:StartInstance", "ens:StopInstance", "ens:ReleasePrePaidInstance" ], "Resource": "*", "Effect": "Allow" }
Delete the service-linked role for ACK
After you delete the service linked role AliyunServiceRoleForContainerService for ACK, you are no longer authorized to manage ACK clusters. For example, you cannot create, expand, or scale ACK clusters. Take the following steps to delete AliyunServiceRoleForContainerService:
- Log on to the RAM console.
- In the left-side navigation pane, click RAM Roles.
- On the RAM Roles page, enter AliyunServiceRoleForContainerService in the search bar and click the search icon.
- Find AliyunServiceRoleForContainerService and click Delete in the Actions column.
- In the Delete RAM Role message, click OK.
- To delete AliyunServiceRoleForContainerService under the current account, you must first delete the existing ACK clusters. Otherwise, the deletion fails.
- If no ACK cluster exists under the current account, the deletion succeeds.
FAQ
Why is AliyunServiceRoleForContainerService not automatically created for a RAM user account?
The role can be created automatically on behalf of a RAM user only if the RAM user is granted the ram:CreateServiceLinkedRole permission. The following policy grants that permission, scoped by the ram:ServiceName condition to the ACK service (cs.aliyuncs.com); replace <The ID of the Alibaba Cloud account> with the ID of your Alibaba Cloud account.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:<The ID of the Alibaba Cloud account>:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"cs.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}