Resource Access Management: Alibaba Cloud Container Service for Kubernetes (ACK)

Last Updated: Dec 31, 2021

Resource Access Management (RAM) users and RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions; each cloud service defines the elements that can be used in a policy statement for that service, such as Action, Resource, and Condition. This topic describes the permissions that RAM can grant on Alibaba Cloud Container Service for Kubernetes (ACK).

The RAM service code (RamCode) for Alibaba Cloud Container Service for Kubernetes (ACK) is cs, so every ACK action name in a policy starts with cs:. Permissions on ACK can be granted at the resource level; the Resource type column of the table below shows which actions support this.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by Alibaba Cloud Container Service for Kubernetes (ACK). The columns are:
  • Action: the value that you use in the Action element to specify an operation on a resource.

  • API: the API operation that you call to perform the action. In most cases one API operation corresponds to one action. In some cases several API operations are needed to perform one action, or one API operation performs several actions. Where the two names differ (for example, the cs:GetClusters action corresponds to the DescribeClusters API), the policy must use the action name, not the API name.

  • Access level: the access level of each action. The levels are read, write, and list. The level is a classification, not a permission boundary: several actions in the table that change state (for example cs:DeleteTrigger and cs:DeployPolicyInstance) are listed as Read, and cs:DescribeClusterUserKubeconfig is Read but returns the cluster's kubeconfig credentials. Grant permissions by action name rather than by access level.

  • Resource type: the type of resource on which you can authorize a RAM user or RAM role to perform the operation, together with the ARN pattern to use in the Resource element. Take note of the following items:

    • Each ACK action lists a single resource type, which is required for that action.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column. A policy that names a specific cluster ARN for such an action does not match any request and grants nothing; use the ARN pattern listed for the action.

  • Condition key: the condition keys that are defined by ACK. The column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions that the RAM user or RAM role must also be authorized to perform before this action can succeed. None of the ACK actions in the table has a dependent action.

| Action | API | Access level | Resource type | ARN | Condition keys | Dependent actions |
|---|---|---|---|---|---|---|
| cs:AttachInstances | AttachInstances | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:CancelClusterUpgrade | CancelClusterUpgrade | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:CancelComponentUpgrade | CancelComponentUpgrade | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:CancelWorkflow | CancelWorkflow | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:CreateCluster | CreateCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/*` | cs:ClusterType, cs:ClusterSpec, cs:ClusterProfile | None |
| cs:CreateClusterNodePool | CreateClusterNodePool | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:CreateKubernetesTrigger | CreateKubernetesTrigger | Write | All resources | `acs:cs:*:{#accountId}:*/*` | None | None |
| cs:CreateTemplate | CreateTemplate | Write | All resources | `acs:cs::{#accountId}:*` | None | None |
| cs:CreateTrigger | CreateTrigger | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/*` | None | None |
| cs:DeleteAlertContact | DeleteAlertContact | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DeleteAlertContactGroup | DeleteAlertContactGroup | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DeleteCluster | DeleteCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DeleteClusterNodepool | DeleteClusterNodepool | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DeleteClusterNodes | DeleteClusterNodes | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DeleteEdgeMachine | DeleteEdgeMachine | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DeletePolicyInstance | DeletePolicyInstance | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DeleteTemplate | DeleteTemplate | Write | All resources | `acs:cs::{#accountId}:*` | None | None |
| cs:DeleteTrigger | DeleteTrigger | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DeployPolicyInstance | DeployPolicyInstance | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescirbeWorkflow | DescirbeWorkflow | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeAddons | DescribeAddons | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeClusterAddonMetadata | DescribeClusterAddonMetadata | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterAddonsUpgradeStatus | DescribeClusterAddonsUpgradeStatus | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterAttachScripts | DescribeClusterAttachScripts | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterDetail | DescribeClusterDetail | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterLogs | DescribeClusterLogs | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterNodePoolDetail | DescribeClusterNodePoolDetail | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterNodePools | DescribeClusterNodePools | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterNodes | DescribeClusterNodes | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterResources | DescribeClusterResources | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClusterUserKubeconfig | DescribeClusterUserKubeconfig | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeClustersV1 | DescribeClustersV1 | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/*` | None | None |
| cs:DescribeEdgeMachineModels | DescribeEdgeMachineModels | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeEdgeMachineTunnelConfigDetail | DescribeEdgeMachineTunnelConfigDetail | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeEdgeMachines | DescribeEdgeMachines | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeEvents | DescribeEvents | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribeExternalAgent | DescribeExternalAgent | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeKubernetesVersionMetadata | DescribeKubernetesVersionMetadata |  | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribePolicies | DescribePolicies | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribePolicyDetails | DescribePolicyDetails | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:DescribePolicyGovernanceInCluster | DescribePolicyGovernanceInCluster | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribePolicyInstances | DescribePolicyInstances | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribePolicyInstancesStatus | DescribePolicyInstancesStatus | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeTaskInfo | DescribeTaskInfo | Read | All resources | `acs:cs:{#regionId}:{#accountId}:*` | None | None |
| cs:DescribeTemplateAttribute | DescribeTemplateAttribute | Read | All resources | `acs:cs::{#accountId}:*` | None | None |
| cs:DescribeTemplates | DescribeTemplates | Read | All resources | `acs:cs::{#accountId}:*` | None | None |
| cs:DescribeTrigger | DescribeTrigger | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:DescribeUserQuota | DescribeUserQuota | Read | All resources | `acs:cs::{#accountId}:*` | None | None |
| cs:DescribeWorkflows | DescribeWorkflows | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:EdgeClusterAddEdgeMachine | EdgeClusterAddEdgeMachine | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:GetClusters | DescribeClusters | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/*` | None | None |
| cs:GetKubernetesTrigger | GetKubernetesTrigger | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:GetUpgradeStatus | GetUpgradeStatus | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:GetUserPermissions | DescribeUserPermission | Read | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:GrantPermission | GrantPermissions | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:InstallClusterAddons | InstallClusterAddons | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ListTagResources | ListTagResources | Read | All resources | `acs:cs:*:{#accountId}:*/*` | None | None |
| cs:MigrateCluster | MigrateCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyCluster | ModifyCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyClusterAddon | ModifyClusterAddon | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyClusterConfiguration | ModifyClusterConfiguration | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyClusterNodePool | ModifyClusterNodePool | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyClusterTags | ModifyClusterTags | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ModifyPolicyInstance | ModifyPolicyInstance | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:PauseClusterUpgrade | PauseClusterUpgrade | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:PauseComponentUpgrade | PauseComponentUpgrade | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:QueryK8sComponentUpgradeStatus | DescribeClusterAddonUpgradeStatus | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:Queryk8sComponentsUpdateVersion | DescribeClusterAddonsVersion | Read | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:RemoveClusterNodes | RemoveClusterNodes | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:RemoveWorkflow | RemoveWorkflow | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:ResumeComponentUpgrade | ResumeComponentUpgrade | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ResumeUpgradeCluster | ResumeUpgradeCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ScaleCluster | ScaleCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ScaleClusterNodePool | ScaleClusterNodePool | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:ScaleOutCluster | ScaleOutCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:StartAlert | StartAlert | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:StartWorkflow | StartWorkflow | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:StopAlert | StopAlert | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:TagResources | TagResources | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:UnInstallK8sComponents | UnInstallClusterAddons | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:UntagResources | UntagResources | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:UpdateContactGroupForAlert | UpdateContactGroupForAlert | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:UpdateK8sClusterUserConfigExpire | UpdateK8sClusterUserConfigExpire | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:UpdateTemplate | UpdateTemplate | Write | All resources | `acs:cs:*:{#accountId}:*` | None | None |
| cs:UpgradeCluster | UpgradeCluster | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
| cs:UpgradeK8sComponents | UpgradeClusterAddons | Write | Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` | None | None |
None.

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by Alibaba Cloud Container Service for Kubernetes (ACK).

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable that must be replaced with an actual value. For example, {#regionId} must be replaced with the ID of the region where your resource resides, and {#ClusterId} with the ID of the cluster.

  • An asterisk (*) is used as a wildcard and matches any sequence of characters in that position. Examples:

    • If you specify {#resourceType}/*, all resources of that type are specified; for ACK, cluster/* specifies all clusters.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified. Unless you are intentionally writing a cross-account statement, keep {#accountId} set to your own account ID.

  • Some actions in the table above, such as the template actions, use an ARN with an empty region field (acs:cs::{#accountId}:*). Use that form as it appears in the table.

| Resource | ARN |
|---|---|
| Cluster | `acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}` |

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The keys are defined by Alibaba Cloud Container Service for Kubernetes (ACK). The common condition keys that are defined by Alibaba Cloud also apply to ACK; for more information about them, see Policy elements. The Action table above lists these three keys only for cs:CreateCluster. Other ACK requests do not carry them, so a StringEquals condition on these keys in a statement for any other action can never be satisfied.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that the data type supports. Otherwise, the comparison cannot be made and the statement does not take effect as intended. For more information about the condition operators that are supported by each data type, see Policy elements.

| Condition key | Description | Type |
|---|---|---|
| cs:ClusterType | The cluster type requested in CreateCluster (the cluster_type request parameter), that is, the form of the cluster, such as a managed cluster as opposed to a dedicated one. | String |
| cs:ClusterSpec | The cluster specification requested in CreateCluster (the cluster_spec request parameter), that is, the edition of an ACK managed cluster, such as Pro or Basic. | String |
| cs:ClusterProfile | The cluster profile requested in CreateCluster (the profile request parameter), such as an edge or serverless cluster. | String |
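
The Resource section above defines how * wildcards match inside an ARN, and this section defines the three condition keys and the Deny/Allow operators that apply to them. The following Python is an added example, not Alibaba Cloud's policy evaluator. It models the statement semantics the page documents (Action and Resource patterns where * matches any run of characters, StringEquals and StringNotEquals on the ACK condition keys, and an explicit Deny overriding any Allow) so a policy can be reasoned about offline before it is attached. The account ID, region and cluster ID are constructed placeholders; ManagedKubernetes and ack.pro.small are example values for cs:ClusterType and cs:ClusterSpec and are not taken from this page; and the treatment of a key that is absent from the request (it fails StringEquals and satisfies StringNotEquals) is a modeling assumption. The ? wildcard is not modeled.

```python
"""Offline evaluator for the RAM statement semantics this page documents.

Added example, not Alibaba Cloud's evaluator. Models: Action/Resource patterns
where `*` matches any run of characters (`?` is not modeled), Condition blocks
with StringEquals / StringNotEquals, and explicit Deny overriding Allow.
Account, region and cluster IDs are constructed placeholders.
"""
import fnmatch

ACCOUNT = "1234567890123456"   # constructed placeholder, not a real account ID
REGION = "cn-hangzhou"

POLICY = {
    "Version": "1",
    "Statement": [
        # CreateCluster in one region, and only for a managed Pro cluster. The condition
        # values are example values; check the CreateCluster reference for the accepted set.
        {"Effect": "Allow", "Action": "cs:CreateCluster",
         "Resource": f"acs:cs:{REGION}:{ACCOUNT}:cluster/*",
         "Condition": {"StringEquals": {"cs:ClusterType": "ManagedKubernetes",
                                        "cs:ClusterSpec": "ack.pro.small"}}},
        # Read-only on a single cluster, using the Cluster ARN pattern from the table.
        {"Effect": "Allow",
         "Action": ["cs:DescribeClusterDetail", "cs:DescribeClusterNodes"],
         "Resource": f"acs:cs:{REGION}:{ACCOUNT}:cluster/cexample0001"},
        # Kubeconfig retrieval is Read level but hands out credentials: deny it account-wide.
        {"Effect": "Deny", "Action": "cs:DescribeClusterUserKubeconfig",
         "Resource": f"acs:cs:*:{ACCOUNT}:cluster/*"},
    ],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def resource_matches(pattern, arn):
    """True if `arn` matches an ARN pattern in which `*` matches any characters."""
    return fnmatch.fnmatchcase(arn, pattern)


def _condition_holds(condition, context):
    """Assumption: a key missing from the request context fails StringEquals and
    satisfies StringNotEquals. Comparisons are case-sensitive."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _listify(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual in _listify(wanted):
                    return False
            else:
                raise ValueError(f"operator not modeled: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _listify(statement["Action"])):
            continue
        if not any(resource_matches(p, resource) for p in _listify(statement["Resource"])):
            continue
        if "Condition" in statement and not _condition_holds(statement["Condition"], context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    create = f"acs:cs:{REGION}:{ACCOUNT}:cluster/*"
    print(evaluate(POLICY, "cs:CreateCluster", create,
                   {"cs:ClusterType": "ManagedKubernetes", "cs:ClusterSpec": "ack.pro.small"}))
    print(evaluate(POLICY, "cs:CreateCluster", create, {"cs:ClusterType": "Kubernetes"}))
    print(evaluate(POLICY, "cs:DescribeClusterUserKubeconfig",
                   f"acs:cs:{REGION}:{ACCOUNT}:cluster/cexample0001"))
```

Two behaviours are worth checking against a real policy before relying on them: a CreateCluster request that omits one of the keys named in the StringEquals block is implicitly denied rather than allowed, and the Deny statement applies to every cluster in every region because its ARN uses * in both the region and cluster positions. The `resource_matches` helper also shows why `*` in the {#accountId} position is dangerous: `acs:cs:*:*:cluster/*` matches clusters in any account.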