Container Service for Kubernetes: ACK roles

Last Updated: Feb 06, 2024

When you activate Container Service for Kubernetes (ACK), you must assign roles to ACK. ACK assumes these roles to call other cloud services, create clusters, and store log files. The cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes the roles and the permissions that each role grants.

Permissions provided by the default roles

The following table describes the roles that are assigned to ACK.

| Role | Description |
| --- | --- |
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, Virtual Private Cloud (VPC), SLB, Auto Scaling, and Resource Orchestration Service (ROS). |
| AliyunCISDefaultRole | Container Intelligent Service (CIS) assumes this role to access your resources in services such as ECS, VPC, and SLB to perform diagnostics and inspections. |
| AliyunCSManagedKubernetesRole | An ACK managed cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Container Registry. |
| AliyunCSServerlessKubernetesRole | An ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. |
| AliyunCSKubernetesAuditRole | The audit feature of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| AliyunCSManagedNetworkRole | The network component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS and VPC. |
| AliyunCSManagedCsiRole | The storage component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS and NAS. |
| AliyunCSManagedCmsRole | The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include CloudMonitor and Simple Log Service. |
| AliyunCSManagedLogRole | The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| AliyunCSManagedVKRole | The virtual node component of an ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, and Elastic Container Instance. |
| AliyunCSManagedArmsRole | The Application Real-Time Monitoring Service (ARMS) component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ARMS. |
| AliyunCSManagedAcrRole | The password-free image pulling plug-in of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Container Registry. |
| AliyunCSManagedNlcRole | The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK. |
| AliyunCSManagedAutoScalerRole | The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS. |
| AliyunCSManagedSecurityRole | The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Key Management Service (KMS). |
| AliyunCSManagedCostRole | The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and Elastic Container Instance and to call API operations of Transactions and Bills Management (BSS). |
| AliyunCSManagedNimitzRole | The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Intelligent Computing LINGJUN. |
| AliyunCSManagedBackupRestoreRole | The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS. |
| AliyunCSManagedEdgeRole | The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN). |

AliyunCSDefaultRole

ACK assumes the AliyunCSDefaultRole role to access your resources in other cloud services when ACK performs operations on clusters.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:RunInstances | Starts an ECS instance. |
| ecs:RenewInstance | Renews an ECS instance. |
| ecs:Create* | Creates ECS resources, such as ECS instances and disks. |
| ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
| ecs:AllocateEipAddress | Assigns an elastic IP address (EIP) to an ECS instance. |
| ecs:Delete* | Deletes ECS resources, such as ECS instances, disks, snapshots, images, and security groups. |
| ecs:StartInstance | Starts an ECS instance. |
| ecs:StopInstance | Stops an ECS instance. |
| ecs:RebootInstance | Restarts an ECS instance. |
| ecs:Describe* | Queries ECS resources. |
| ecs:AuthorizeSecurityGroup | Configures inbound rules for a security group. |
| ecs:RevokeSecurityGroup | Deletes an inbound security group rule. After the rule is deleted, the access control implemented by the rule is removed. |
| ecs:AuthorizeSecurityGroupEgress | Configures outbound rules for a security group. |
| ecs:AttachDisk | Attaches a disk to an ECS instance. |
| ecs:DetachDisk | Detaches a disk from an ECS instance. |
| ecs:WaitFor* | Waits for the execution of a task. |
| ecs:AddTags | Adds tags. |
| ecs:ReplaceSystemDisk | Replaces the system disk of an ECS instance. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:JoinSecurityGroup | Adds an ECS instance to a security group. |
| ecs:LeaveSecurityGroup | Removes an ECS instance from a security group. |
| ecs:UnassociateEipAddress | Disassociates an EIP from an ECS instance. |
| ecs:ReleaseEipAddress | Releases an EIP. |
| ecs:CreateKeyPair | Creates an SSH key pair. |
| ecs:ImportKeyPair | Imports the public key of a Rivest-Shamir-Adleman (RSA) key pair that was generated by a third-party tool. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux-based ECS instances. |
| ecs:DetachKeyPair | Unbinds an SSH key pair from one or more Linux-based ECS instances. |
| ecs:DeleteKeyPairs | Deletes one or more SSH key pairs. |
| ecs:AttachInstanceRamRole | Attaches a Resource Access Management (RAM) role to one or more ECS instances. |
| ecs:DetachInstanceRamRole | Detaches a RAM role from one or more ECS instances. |
| ecs:AllocateDedicatedHosts | Creates one or more pay-as-you-go or subscription dedicated hosts. |
| ecs:CreateOrder | Creates an order to purchase ECS instances. |
| ecs:DeleteInstance | Releases a pay-as-you-go instance or an expired subscription instance. |
| ecs:CreateDisk | Creates a pay-as-you-go or subscription data disk. |
| ecs:Createvpc | Creates a VPC for an ECS instance. |
| ecs:Deletevpc | Deletes a VPC that is associated with an ECS instance. |
| ecs:DeleteVSwitch | Deletes a vSwitch that is associated with an ECS instance. |
| ecs:ResetDisk | Rolls back a disk to a specific state by using a snapshot of the disk. |
| ecs:DeleteSnapshot | Deletes a snapshot. |
| ecs:CreateVSwitch | Creates a vSwitch for an ECS instance. |
| ecs:DeleteSecurityGroup | Deletes a security group. |
| ecs:CreateImage | Creates a custom image. |
| ecs:RemoveTags | Deletes tags from an ECS instance. |
| ecs:ReleaseDedicatedHost | Releases a pay-as-you-go dedicated host. |
| ecs:CreateInstance | Creates a subscription or pay-as-you-go ECS instance. |
| ecs:RevokeSecurityGroupEgress | Deletes an outbound security group rule. After the rule is deleted, the access control implemented by the rule is removed. |
| ecs:DeleteDisk | Releases a pay-as-you-go data disk. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:DeleteImage | Deletes a custom image. |
| ecs:ModifyInstanceSpec | Changes the instance type and public bandwidth of a pay-as-you-go ECS instance. |
| ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
| ecs:DeleteCommand | Deletes a Cloud Assistant command. |
| ecs:RunCommand | Creates a Cloud Assistant command of the Shell, PowerShell, or Bat type, and runs the command on one or more ECS instances. |
| ecs:DescribeInvocationResults | Queries the result of running a Cloud Assistant command on an ECS instance. |
| ecs:ModifyCommand | Modifies a Cloud Assistant command. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:Describe* | Queries VPC resources. |
| vpc:AllocateEipAddress | Assigns an EIP to a VPC. |
| vpc:AssociateEipAddress | Binds an EIP to a VPC. |
| vpc:UnassociateEipAddress | Unbinds an EIP from a VPC. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:CreateRouteEntry | Creates a route entry. |
| vpc:DeleteRouteEntry | Deletes a route entry. |
| vpc:CreateVSwitch | Creates a vSwitch. |
| vpc:DeleteVSwitch | Deletes a vSwitch. |
| vpc:CreateVpc | Creates a VPC. |
| vpc:DeleteVpc | Deletes a VPC. |
| vpc:CreateNatGateway | Creates a NAT gateway. |
| vpc:DeleteNatGateway | Deletes a NAT gateway. |
| vpc:CreateSnatEntry | Adds an SNAT entry to an SNAT table. |
| vpc:DeleteSnatEntry | Deletes an SNAT entry. |
| vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of an EIP. |
| vpc:CreateForwardEntry | Adds a DNAT entry to a DNAT table. |
| vpc:CreateBandwidthPackage | Creates a NAT service plan. |
| vpc:DeleteBandwidthPackage | Deletes a NAT service plan. |
| vpc:DeleteForwardEntry | Deletes a DNAT entry. |
| vpc:TagResources | Creates and adds tags to the specified resources. |
| vpc:DeletionProtection | Enables or disables deletion protection for a VPC. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries the information about SLB instances. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
| slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
| slb:SetBackendServers | Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:AddTags | Adds tags to an SLB instance. |
| slb:RemoveTags | Removes tags from an SLB instance. |
| slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |

DNS-related permissions

| Permission (Action) | Description |
| --- | --- |
| dns:Describe* | Queries DNS resources. |
| dns:AddDomainRecord | Adds a DNS record. |

ApsaraDB RDS-related permissions

| Permission (Action) | Description |
| --- | --- |
| rds:Describe* | Queries ApsaraDB RDS resources. |
| rds:ModifySecurityIps | Modifies the IP address whitelist of an ApsaraDB RDS instance. |

ROS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ros:Describe* | Queries ROS resources. |
| ros:WaitConditions | Waits for the execution of a ROS script. |
| ros:AbandonStack | Stops a stack. |
| ros:DeleteStack | Deletes a stack. |
| ros:CreateStack | Creates a stack. |
| ros:UpdateStack | Updates a stack. |
| ros:ValidateTemplate | Verifies a ROS template. |
| ros:DoActions | Performs actions. |
| ros:InquiryStack | Queries a stack. |
| ros:SetDeletionProtection | Enables or disables deletion protection. |
| ros:PreviewStack | Previews a stack. |

Auto Scaling-related permissions

| Permission (Action) | Description |
| --- | --- |
| ess:Describe* | Queries Auto Scaling resources. |
| ess:CreateScalingConfiguration | Creates a scaling configuration. |
| ess:EnableScalingGroup | Enables a scaling group. |
| ess:ExitStandby | Switches the state of a standby ECS instance in a scaling group to Running. |
| ess:DetachDBInstances | Removes one or more ApsaraDB RDS instances from a scaling group. |
| ess:DetachLoadBalancers | Removes one or more SLB instances from a scaling group. |
| ess:AttachInstances | Adds one or more ECS instances to a scaling group. |
| ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
| ess:AttachLoadBalancers | Adds one or more SLB instances to a scaling group. |
| ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
| ess:ModifyScalingRule | Modifies a scaling group rule. |
| ess:RemoveInstances | Removes ECS instances from a scaling group. |
| ess:ModifyScalingGroup | Modifies a scaling group. |
| ess:AttachDBInstances | Adds one or more ApsaraDB RDS instances to a scaling group. |
| ess:CreateScalingRule | Creates a scaling rule. |
| ess:DeleteScalingRule | Deletes a scaling rule. |
| ess:ExecuteScalingRule | Runs a scaling rule. |
| ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
| ess:ModifyNotificationConfiguration | Modifies a notification of auto scaling events and resource changes. |
| ess:CreateNotificationConfiguration | Creates a notification of auto scaling events and resource changes. |
| ess:EnterStandby | Switches the state of an ECS instance in a scaling group to Standby. |
| ess:DeleteScalingGroup | Deletes a scaling group. |
| ess:CreateScalingGroup | Creates a scaling group. |
| ess:DeleteNotificationConfiguration | Deletes a notification of auto scaling events and resource changes. |
| ess:DisableScalingGroup | Disables a scaling group. |
| ess:ModifyScalingConfiguration | Modifies a scaling configuration. |
| ess:SetGroupDeletionProtection | Enables or disables deletion protection for a scaling group. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:PassRole | Authorizes a RAM user to use other cloud services. |
| ram:Get* | Queries permissions on RAM resources. |
| ram:List* | Lists permissions on RAM resources. |
| ram:DetachPolicyFromRole | Revokes a permission from a role. |
| ram:AttachPolicyToRole | Grants a permission to a role. |
| ram:DeletePolicy | Deletes a policy. |
| ram:DeletePolicyVersion | Deletes a policy of a version. |
| ram:DeleteRole | Deletes a RAM role. |
| ram:CreateRole | Creates a RAM role. |
| ram:CreatePolicy | Creates a RAM policy. |
| ram:CreateServiceLinkedRole | Creates permissions for service-linked roles. |

CloudMonitor-related permissions

| Permission (Action) | Description |
| --- | --- |
| cms:CreateMyGroups | Creates private application groups. |
| cms:AddMyGroupInstances | Adds resources to a private application group. |
| cms:DeleteMyGroupInstances | Deletes resources from a private application group. |
| cms:DeleteMyGroups | Deletes private application groups. |
| cms:GetMyGroups | Queries private application groups. |
| cms:ListMyGroups | Lists private application groups. |
| cms:UpdateMyGroupInstances | Updates resources in a private application group. |
| cms:UpdateMyGroups | Updates private application groups. |
| cms:TaskConfigCreate | Creates configurations for a monitoring task. |
| cms:TaskConfigList | Lists configurations for a monitoring task. |

Auto Scaling-related permissions

| Permission (Action) | Description |
| --- | --- |
| ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
| ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
| ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
| ess:DeleteLifecycleHook | Deletes a lifecycle hook. |

ENS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ens:Describe* | Queries Edge Node Service (ENS) resources. |
| ens:CreateInstance | Creates an ENS instance. |
| ens:StartInstance | Starts an ENS instance. |
| ens:StopInstance | Stops an ENS instance. |
| ens:ReleasePrePaidInstance | Releases a subscription instance. |

AliyunCISDefaultRole

CIS assumes the AliyunCISDefaultRole role to access resources in services such as ECS, VPC, and SLB to perform diagnostics and inspections.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeInstances | Queries the details about one or more ECS instances. |
| ecs:DescribeInstanceStatus | Queries the status information about one or more ECS instances. |
| ecs:DescribeInstanceTypes | Queries the instance types provided by ECS. |
| ecs:DescribeInstanceTypeFamilies | Queries the instance families provided by ECS. |
| ecs:DescribeInstanceAttribute | Queries the details of an ECS instance. |
| ecs:CreateDiagnosticReport | Creates a resource diagnostic report. |
| ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
| ecs:DescribeDiagnosticReportAttributes | Queries the details of a resource diagnostic report. |
| ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
| ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by the rules of other security groups. |
| ecs:DescribeBandwidthLimitation | Queries bandwidth resources. |
| ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances. |
| ecs:DescribeCommands | Queries the Cloud Assistant commands that you created. |
| ecs:DescribeInvocationResults | Queries the execution results of one or more Cloud Assistant commands on ECS instances. |
| ecs:DescribeNetworkInterfaces | Queries elastic network interfaces (ENIs). |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch command on ECS instances. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVpcs | Queries the VPCs that you have created. |
| vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
| vpc:DescribeVSwitches | Queries the vSwitches that you have created. |
| vpc:DescribeVSwitchAttributes | Queries the detailed information about a vSwitch. |
| vpc:DescribeRouteTableList | Queries route tables. |
| vpc:DescribeRouteEntryList | Queries route entries. |
| vpc:DescribeNatGateways | Queries NAT gateways that meet specific conditions in a region. |
| vpc:DescribeEipAddresses | Queries the elastic IP addresses (EIPs) that you have created in a region. |
| vpc:DescribeRouteTables | Queries information about route tables. |
| vpc:DescribeSnatTableEntries | Queries the SNAT entries that you have created. |
| vpc:DescribeNetworkAcls | Queries network access control lists (ACLs). |
| vpc:DescribeNetworkAclAttributes | Queries the details about a network ACL. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:DescribeLoadBalancers | Queries the SLB instances that you have created. |
| slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
| slb:DescribeAccessControlLists | Queries the network ACLs that you have created. |
| slb:DescribeAccessControlListAttribute | Queries the configurations of a network ACL. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeHealthStatus | Queries the health status of a backend server. |

Simple Log Service-related permissions

| Permission (Action) | Description |
| --- | --- |
| sls:GetLogStore | Queries the details about a Logstore. |

ACK-related permissions

| Permission (Action) | Description |
| --- | --- |
| cs:DescribeClusterDetail | Queries the details about an ACK cluster. |
| cs:DescribeClusterResources | Queries all resources in an ACK cluster. |
| cs:DescribeTasks | Queries the tasks in an ACK cluster. |
| cs:DescribeTaskInfo | Queries the task information about an ACK cluster. |
| cs:DescribeClusterNodePools | Queries the information about all node pools in an ACK cluster. |
| cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in an ACK cluster. |
| cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of multiple components. |

Elastic Container Instance-related permissions

| Permission (Action) | Description |
| --- | --- |
| eci:DescribeContainerGroups | Queries the information about multiple pods. |
| eci:RunCommand | Executes shell scripts on an elastic container instance. |
| eci:DescribeCommandResult | Queries the execution result of a command. |
| eci:ListUsage | Queries the privileges and quotas that you have in a region. |

CloudMonitor-related permissions

| Permission (Action) | Description |
| --- | --- |
| cms:DescribeMetricData | Queries the monitoring data of an Alibaba Cloud service collected within a period of time. |
| cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricMetaList | Queries the descriptions of metrics that are supported by CloudMonitor. |
| cms:DescribeMetricTop | Queries the sorted monitoring data of an Alibaba Cloud service. |
| cms:QueryMetricMeta | Queries the metrics that are supported by CloudMonitor. |
| cms:QueryMetricTop | Queries the monitoring data of an Alibaba Cloud service. |
| cms:ListMetricMeta | Queries the metadata of metrics. |
| cms:ListMetricMetaProject | Queries the meta projects of metrics. |
| cms:QueryMetricData | Queries the monitoring data of Alibaba Cloud services. |
| cms:QueryMetricLast | Queries the latest monitoring data of monitoring metrics. |
| cms:DescribeMetricList | Queries the monitoring data of a metric of an Alibaba Cloud service. |
| cms:QueryMetricList | Queries the descriptions of metrics supported by CloudMonitor. |
| cms:MetricMeta | Queries the metrics that are supported by CloudMonitor. |
| cms:DescribeAlertLogList | Queries the most recent alerts. |
| cms:DescribeSystemEventAttribute | Queries the details about a system event. |
| cms:GetMetricStreamMeta | Queries the description of a CloudMonitor metric. |

Quota Center-related permissions

| Permission (Action) | Description |
| --- | --- |
| quotas:ListProducts | Queries the Alibaba Cloud services that support Quota Center. |
| quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
| quotas:ListProductQuotaDimensions | Queries the quota dimensions that are supported by an Alibaba Cloud service. |
| quotas:GetProductQuota | Queries the details about a quota. |
| quotas:GetProductQuotaDimension | Queries the details about a quota dimension that is supported by an Alibaba Cloud service. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:ListPoliciesForRole | Queries the policies that are attached to a RAM role. |

GRACE-related permissions

| Permission (Action) | Description |
| --- | --- |
| grace:GetFile | Queries the information about the analysis file provided by the Application Troubleshooting Platform (ATP). |
| grace:AnalyzeFile | Analyzes files on ATP. |
| grace:UploadFileByOSS | Uploads files to ATP by using Object Storage Service (OSS). |
| grace:UploadFileByURL | Uploads files to ATP by specifying URLs. |

AliyunCSManagedKubernetesRole

An ACK managed cluster assumes the AliyunCSManagedKubernetesRole role to access resources in other cloud services.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:Describe* | Queries ECS resources. |
| ecs:CreateRouteEntry | Creates a route. |
| ecs:DeleteRouteEntry | Deletes a route. |
| ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:CreateNetworkInterfacePermission | Creates ENI permissions. |
| ecs:DeleteNetworkInterfacePermission | Revokes ENI permissions. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux-based ECS instances. |
| ecs:StopInstance | Stops an instance. |
| ecs:StartInstance | Starts an instance. |
| ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
| slb:RemoveBackendServers | Removes backend servers. |
| slb:AddBackendServers | Adds backend servers. |
| slb:RemoveTags | Removes tags from an SLB instance. |
| slb:AddTags | Adds tags to an SLB instance. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
| slb:SetLoadBalancerUDPListenerAttribute | Modifies the configurations of a UDP listener. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
| slb:DescribeVServerGroupAttribute | Queries the details of a vServer group. |
| slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:Describe* | Queries VPC resources. |
| vpc:DeleteRouteEntry | Deletes a custom route. |
| vpc:CreateRouteEntry | Creates a custom route. |

Container Registry-related permissions

| Permission (Action) | Description |
| --- | --- |
| cr:Get* | Queries Container Registry-related resources. |
| cr:List* | Queries image repositories. |
| cr:PullRepository | Pulls an image. |

AliyunCSServerlessKubernetesRole

An ACK Serverless cluster assumes the AliyunCSServerlessKubernetesRole role to access your resources in other cloud services.

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| DescribeVSwitches | Queries existing vSwitches. |
| DescribeVpcs | Queries existing VPCs. |
| AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
| DescribeEipAddresses | Queries existing EIPs in a region. |
| AllocateEipAddress | Applies for an EIP. |
| ReleaseEipAddress | Releases an EIP. |
| AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
| RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| DescribeSecurityGroups | Queries the basic information about security groups. |
| CreateNetworkInterface | Creates an ENI. |
| CreateNetworkInterfacePermission | Creates ENI permissions. |
| DescribeNetworkInterfaces | Queries ENIs. |
| AttachNetworkInterface | Binds an ENI to a VPC-connected ECS instance. |
| DetachNetworkInterface | Unbinds an ENI from an ECS instance. |
| DeleteNetworkInterface | Deletes an ENI. |
| DeleteNetworkInterfacePermission | Revokes ENI permissions. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers* | Adds backend servers to an SLB instance. |
| slb:UploadServerCertificate | Uploads a server certificate. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
| slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
| slb:CreateRules | Adds forwarding rules to an HTTP or HTTPS listener. |
| slb:DeleteRules | Deletes a forwarding rule. |
| slb:SetRule | Modifies the forwarding rule of a vServer group. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
| slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
| slb:AddTags | Adds tags to an SLB instance. |

Alibaba Cloud DNS PrivateZone-related permissions

| Permission (Action) | Description |
| --- | --- |
| AddZone | Creates a private zone. |
| DeleteZone | Deletes a private zone. |
| DescribeZones | Queries private zones. |
| DescribeZoneInfo | Queries the information about a private zone. |
| BindZoneVpc | Binds a private zone to or unbinds a private zone from a VPC. |
| AddZoneRecord | Adds a DNS record to a private zone. |
| DeleteZoneRecord | Deletes a DNS record. |
| DescribeZoneRecords | Queries DNS records. |

Container Registry-related permissions

| Permission (Action) | Description |
| --- | --- |
| Get* | Queries Container Registry-related resources. |
| List* | Queries image repositories. |
| PullRepository | Pulls an image. |

ECI-related permissions

| Permission (Action) | Description |
| --- | --- |
| CreateContainerGroup | Creates a container group. |
| DeleteContainerGroup | Deletes a container group. |
| DescribeContainerGroups | Queries the information about container groups. |
| DescribeContainerLog | Queries the logs of a container group. |
| UpdateContainerGroup | Updates an ECI. |
| UpdateContainerGroupByTemplate | Updates an ECI by using a template. |
| CreateContainerGroupFromTemplate | Creates an ECI by using a template. |
| RestartContainerGroup | Restarts an ECI. |
| ExportContainerGroupTemplate | Exports an ECI template. |
| DescribeContainerGroupMetric | Queries the monitoring data of an ECI. |
| DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple container groups. |
| ExecContainerCommand | Runs a command on a container. |
| CreateImageCache | Creates an image cache. |
| DescribeImageCaches | Queries an image cache. |
| DeleteImageCache | Deletes an image cache. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:PassRole | Visits the EIP console. |

OSS-related permissions

Permission (Action)

Description

oss:GetObject

Queries a file or folder.

oss:GetObjectMeta

Queries the metadata information of an object.

Function Compute-related permissions

Permission (Action)

Description

fc:CreateService

Creates a service.

fc:ListServices

Queries services.

fc:GetService

Queries a service.

fc:UpdateService

Updates a service.

fc:DeleteService

Deletes a service.

fc:CreateFunction

Creates a function.

fc:ListFunctions

Queries the functions of a service.

fc:GetFunction

Queries the configurations of a function.

fc:GetFunctionCode

Queries the code of a function.

fc:UpdateFunction

Updates the configurations and code of a function.

fc:DeleteFunction

Deletes a function.

fc:CreateTrigger

Creates a function trigger.

fc:ListTriggers

Queries the triggers of a function.

fc:GetTrigger

Queries a trigger.

fc:UpdateTrigger

Updates the configurations of a trigger.

fc:DeleteTrigger

Deletes the triggers of a function.

fc:PublishServiceVersion

Releases a Function Compute version.

fc:ListServiceVersions

Lists Function Compute versions.

fc:DeleteServiceVersion

Deletes a Function Compute version.

fc:CreateAlias

Creates an alias and binds it to a customer master key (CMK).

fc:ListAliases

Queries all aliases of the current Alibaba Cloud account in the current region.

fc:GetAlias

Queries the information about an alias.

fc:UpdateAlias

Binds an alias to a different CMK.

fc:DeleteAlias

Deletes an alias.

AliyunCSKubernetesAuditRole

The auditing feature of ACK assumes the AliyunCSKubernetesAuditRole role to access resources of other cloud services.

Permission (Action)

Description

log:CreateProject

Creates a project.

log:GetProject

Queries a project by project name.

log:DeleteProject

Deletes a project.

log:CreateLogStore

Creates a Logstore in a project.

log:GetLogStore

Queries the attributes of a Logstore.

log:UpdateLogStore

Updates the attributes of a Logstore.

log:DeleteLogStore

Deletes a Logstore.

log:CreateConfig

Creates a Logtail configuration.

log:UpdateConfig

Updates a Logtail configuration.

log:GetConfig

Queries the details of a Logtail configuration.

log:DeleteConfig

Deletes a Logtail configuration.

log:CreateMachineGroup

Creates a machine group to apply Logtail configurations.

log:UpdateMachineGroup

Updates a machine group.

log:GetMachineGroup

Queries the information about a machine group.

log:DeleteMachineGroup

Deletes a machine group.

log:ApplyConfigToGroup

Applies a Logtail configuration to a machine group.

log:GetAppliedMachineGroups

Lists the machines to which a Logtail configuration is applied in a machine group.

log:GetAppliedConfigs

Lists the Logtail configurations that are applied to a machine group.

log:RemoveConfigFromMachineGroup

Removes Logtail configurations from a machine group.

log:CreateIndex

Creates indexes for a Logstore.

log:GetIndex

Queries indexes of a Logstore.

log:UpdateIndex

Updates indexes of a Logstore.

log:DeleteIndex

Deletes indexes from a Logstore.

log:CreateSavedSearch

Creates a saved search.

log:GetSavedSearch

Queries a saved search.

log:UpdateSavedSearch

Updates a saved search.

log:DeleteSavedSearch

Deletes a saved search.

log:CreateDashboard

Creates a dashboard.

log:GetDashboard

Queries a dashboard.

log:UpdateDashboard

Updates a dashboard.

log:DeleteDashboard

Deletes a dashboard.

log:CreateJob

Creates a task, such as an alert or a subscription.

log:GetJob

Queries a task.

log:DeleteJob

Deletes a task.

log:UpdateJob

Updates a task.

log:PostLogStoreLogs

Writes logs to a Logstore.

AliyunCSManagedNetworkRole

The network component of an ACK cluster assumes the AliyunCSManagedNetworkRole role to access resources of other cloud services.

Permission (Action)

Description

ecs:CreateNetworkInterface

Creates an ENI.

ecs:DescribeNetworkInterfaces

Queries ENIs.

ecs:AttachNetworkInterface

Attaches an ENI to a VPC-connected ECS instance.

ecs:DetachNetworkInterface

Detaches an ENI from an ECS instance.

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:DescribeInstanceAttribute

Queries the information about one or more ECS instances.

ecs:AssignPrivateIpAddresses

Assigns one or more secondary private IP addresses to an ENI.

ecs:UnassignPrivateIpAddresses

Unassigns one or more secondary private IP addresses from an ENI.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

vpc:DescribeVSwitches

Queries the details of one or more vSwitches.

AliyunCSManagedCsiRole

The volume plug-in of an ACK cluster assumes the AliyunCSManagedCsiRole role to access resources of other cloud services.

ECS-related permissions

Permission (Action)

Description

ecs:AttachDisk

Attaches a pay-as-you-go data disk or a system disk to an ECS instance.

ecs:DetachDisk

Detaches a pay-as-you-go disk from an ECS instance.

ecs:DescribeDisks

Queries one or more cloud disks and local disks that you have created.

ecs:CreateDisk

Creates a pay-as-you-go or subscription data disk.

ecs:ResizeDisk

Resizes a cloud disk. You can resize a system disk or a data disk.

ecs:CreateSnapshot

Creates a snapshot for a cloud disk.

ecs:DeleteSnapshot

Deletes a snapshot. This action can also be performed on a snapshot that is still being created, in which case the creation of the specified snapshot is canceled.

ecs:CreateAutoSnapshotPolicy

Creates an automatic snapshot policy.

ecs:ApplyAutoSnapshotPolicy

Enables an automatic snapshot policy for one or more cloud disks.

ecs:CancelAutoSnapshotPolicy

Disables an automatic snapshot policy for one or more cloud disks.

ecs:DeleteAutoSnapshotPolicy

Deletes an automatic snapshot policy.

ecs:DescribeAutoSnapshotPolicyEx

Queries automatic snapshot policies that you have created.

ecs:ModifyAutoSnapshotPolicyEx

Modifies an automatic snapshot policy.

ecs:AddTags

Attaches tags to an ECS instance.

ecs:DescribeTags

Queries tags.

ecs:DescribeSnapshots

Queries all snapshots of an ECS instance or a cloud disk.

ecs:ListTagResources

Queries tags that are added to one or more ECS resources.

ecs:TagResources

Creates and adds tags to the specified ECS resources.

ecs:UntagResources

Removes tags from the specified ECS resources and deletes the tags.

ecs:ModifyDiskSpec

Upgrades the performance level of an enhanced SSD (ESSD).

ecs:DeleteDisk

Releases a pay-as-you-go data disk.

ecs:DescribeInstanceAttribute

Queries all attributes of an ECS instance.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

NAS-related permissions

Permission (Action)

Description

nas:DescribeFileSystems

Queries the information about file systems.

nas:DescribeMountTargets

Queries the information about mount targets.

nas:AddTags

Adds one or more tags to a file system or overwrites one or more tags of a file system.

nas:DescribeTags

Queries existing tags.

nas:RemoveTags

Removes one or more tags from a file system.

nas:CreateFileSystem

Creates a file system.

nas:DeleteFileSystem

Deletes a file system.

nas:ModifyFileSystem

Modifies a file system.

nas:CreateMountTarget

Creates a mount target.

nas:DeleteMountTarget

Deletes a mount target.

nas:ModifyMountTarget

Modifies a mount target.

AliyunCSManagedCmsRole

The CloudMonitor component of an ACK cluster assumes the AliyunCSManagedCmsRole role to access resources of other cloud services.

Permission (Action)

Description

cms:DescribeMonitorGroups

Queries application groups.

cms:DescribeMonitorGroupInstances

Queries the resources in an application group.

cms:CreateMonitorGroup

Creates an application group.

cms:DeleteMonitorGroup

Deletes an application group.

cms:ModifyMonitorGroupInstances

Modifies the instances that are added to an application group.

cms:CreateMonitorGroupInstances

Adds instances to an application group.

cms:DeleteMonitorGroupInstances

Deletes instances from an application group.

cms:TaskConfigCreate

Creates configurations for a monitoring task.

cms:TaskConfigList

Lists configurations for a monitoring task.

cms:DescribeMetricList

Queries the monitoring data on a time series metric of CloudMonitor in the specified period of time.

cs:DescribeMonitorToken

Queries the token that is required to use the CloudMonitor component.

ahas:GetSentinelAppSumMetric

Queries the metrics that are monitored by the AHAS Sentinel application.

log:GetLogStoreLogs

Queries logs in a Logstore.

slb:DescribeMetricList

Queries the monitoring data on a time series metric of SLB in the specified period of time.

sls:GetLogs

Queries logs in a Logstore of a project in Simple Log Service.

sls:PutLogs

Updates logs in a Logstore of a project in Simple Log Service.

AliyunCSManagedLogRole

The logging component of an ACK cluster assumes the AliyunCSManagedLogRole role to access resources of other cloud services.

Permission (Action)

Description

log:CreateProject

Creates a project.

log:GetProject

Queries a project by project name.

log:DeleteProject

Deletes a project.

log:CreateLogStore

Creates a Logstore in a project.

log:GetLogStore

Queries the attributes of a Logstore.

log:UpdateLogStore

Updates the attributes of a Logstore.

log:DeleteLogStore

Deletes a Logstore.

log:CreateConfig

Creates a Logtail configuration.

log:UpdateConfig

Updates a Logtail configuration.

log:GetConfig

Queries the details of a Logtail configuration.

log:DeleteConfig

Deletes a Logtail configuration.

log:CreateMachineGroup

Creates a machine group to apply Logtail configurations.

log:UpdateMachineGroup

Updates a machine group.

log:GetMachineGroup

Queries the information about a machine group.

log:DeleteMachineGroup

Deletes a machine group.

log:ApplyConfigToGroup

Applies a Logtail configuration to a machine group.

log:GetAppliedMachineGroups

Lists the machines to which a Logtail configuration is applied in a machine group.

log:GetAppliedConfigs

Lists the Logtail configurations that are applied to a machine group.

log:RemoveConfigFromMachineGroup

Removes Logtail configurations from a machine group.

log:CreateIndex

Creates indexes for a Logstore.

log:GetIndex

Queries indexes of a Logstore.

log:UpdateIndex

Updates indexes of a Logstore.

log:DeleteIndex

Deletes indexes from a Logstore.

log:CreateSavedSearch

Creates a saved search.

log:GetSavedSearch

Queries a saved search.

log:UpdateSavedSearch

Updates a saved search.

log:DeleteSavedSearch

Deletes a saved search.

log:CreateDashboard

Creates a dashboard.

log:GetDashboard

Queries a dashboard.

log:UpdateDashboard

Updates a dashboard.

log:DeleteDashboard

Deletes a dashboard.

log:CreateJob

Creates a task, such as an alert or a subscription.

log:GetJob

Queries a task.

log:DeleteJob

Deletes a task.

log:UpdateJob

Updates a task.

log:PostLogStoreLogs

Writes logs to a Logstore.

log:CreateSortedSubStore

Creates a sorted sub-Logstore.

log:GetSortedSubStore

Queries a sorted sub-Logstore.

log:ListSortedSubStore

Lists sorted sub-Logstores.

log:UpdateSortedSubStore

Updates a sorted sub-Logstore.

log:DeleteSortedSubStore

Deletes a sorted sub-Logstore.

log:CreateApp

Creates Simple Log Service applications such as Cost Manager and Log Audit Service.

log:UpdateApp

Updates Simple Log Service applications such as Cost Manager and Log Audit Service.

log:GetApp

Queries Simple Log Service applications such as Cost Manager and Log Audit Service.

log:DeleteApp

Deletes Simple Log Service applications such as Cost Manager and Log Audit Service.

cs:DescribeTemplates

Queries container templates.

cs:DescribeTemplateAttribute

Queries the attributes of a container template.

AliyunCSManagedVKRole

The Virtual Node component of an ACK cluster assumes the AliyunCSManagedVKRole role to access resources in other cloud services.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVSwitches

Queries existing vSwitches.

vpc:DescribeVpcs

Queries existing VPCs.

vpc:AssociateEipAddress

Associates an EIP with an instance that resides in the same region as the EIP.

vpc:DescribeEipAddresses

Queries existing EIPs in a region.

vpc:AllocateEipAddress

Applies for an EIP.

vpc:ReleaseEipAddress

Releases an EIP.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeSecurityGroups

Queries the basic information about security groups.

ecs:CreateNetworkInterface

Creates an ENI.

ecs:CreateNetworkInterfacePermission

Creates ENI permissions.

ecs:DescribeNetworkInterfaces

Queries ENIs.

ecs:AttachNetworkInterface

Binds an ENI to a VPC-connected ECS instance.

ecs:DetachNetworkInterface

Unbinds an ENI from an ECS instance.

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:DeleteNetworkInterfacePermission

Revokes ENI permissions.

Alibaba Cloud DNS PrivateZone-related permissions

Permission (Action)

Description

pvtz:AddZone

Creates a private zone.

pvtz:DeleteZone

Deletes a private zone.

pvtz:DescribeZones

Queries private zones.

pvtz:DescribeZoneInfo

Queries the information about a private zone.

pvtz:BindZoneVpc

Binds a private zone to or unbinds a private zone from a VPC.

pvtz:AddZoneRecord

Adds a DNS record to a private zone.

pvtz:DeleteZoneRecord

Deletes a DNS record.

pvtz:DescribeZoneRecords

Queries DNS records.

ECI-related permissions

Permission (Action)

Description

eci:CreateContainerGroup

Creates a container group.

eci:DeleteContainerGroup

Deletes a container group.

eci:DescribeContainerGroups

Queries the information about container groups.

eci:DescribeContainerLog

Queries the logs of a container group.

eci:UpdateContainerGroup

Updates an ECI.

eci:UpdateContainerGroupByTemplate

Updates an ECI by using a template.

eci:CreateContainerGroupFromTemplate

Creates an ECI by using a template.

eci:RestartContainerGroup

Restarts an ECI.

eci:ExportContainerGroupTemplate

Exports an ECI template.

eci:DescribeContainerGroupMetric

Queries the monitoring data of an ECI.

eci:DescribeMultiContainerGroupMetric

Queries the monitoring data of multiple container groups.

eci:ExecContainerCommand

Runs a command on a container.

eci:CreateImageCache

Creates an image cache.

eci:DescribeImageCaches

Queries an image cache.

eci:DeleteImageCache

Deletes an image cache.

AliyunCSManagedArmsRole

The ARMS monitoring agent of an ACK cluster assumes the AliyunCSManagedArmsRole role to access resources of other cloud services.

Permission (Action)

Description

arms:CreateApp

Creates an application monitoring task.

arms:DeleteApp

Deletes an application monitoring task.

arms:ConfigAgentLabel

Modifies the tags of the application monitoring agent.

arms:GetAssumeRoleCredentials

Queries the key that is required for a RAM user to assume a RAM role during application monitoring.

arms:CreateProm

Creates a monitoring task based on Managed Service for Prometheus.

arms:SearchEvents

Queries alert events.

arms:SearchAlarmHistories

Queries the alert sending history.

arms:SearchAlertRules

Queries alert rules.

arms:GetAlertRules

Obtains alert rules.

arms:CreateAlertRules

Creates alert rules.

arms:UpdateAlertRules

Updates alert rules.

arms:StartAlertRule

Enables an alert rule.

arms:StopAlertRule

Disables an alert rule.

arms:CreateContact

Creates an alert contact.

arms:SearchContact

Queries an alert contact.

arms:UpdateContact

Updates an alert contact.

arms:CreateContactGroup

Creates an alert contact group.

arms:SearchContactGroup

Queries an alert contact group.

arms:UpdateContactGroup

Updates an alert contact group.

AliyunCSManagedAcrRole

The password-free image pulling plug-in of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Container Registry.

Permission (Action)

Description

cr:GetAuthorizationToken

Obtains a temporary account and password that you use to log on to a Container Registry instance.

cr:ListInstanceEndpoint

Queries endpoints of an instance.

cr:PullRepository

Pulls an image.

AliyunCSManagedNlcRole

The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.

ECS-related permissions

Permission (Action)

Description

ecs:ModifyInstanceAttribute

Modifies the information about an ECS instance, such as the password, name, description, hostname, security group, and user data. If the instance is a burstable instance, you can also change the performance mode of the instance.

ecs:AttachKeyPair

Binds an SSH key pair to one or more Linux-based ECS instances.

ecs:StopInstance

Stops an ECS instance that is in the Running state. After the action is performed, the state of the instance changes to Stopping and then to Stopped.

ecs:StartInstance

Starts an ECS instance. After the action is performed, the state of the ECS instance changes to Starting.

ecs:DescribeInvocations

Queries the execution list and status of Cloud Assistant commands.

ecs:DescribeInstanceAttribute

Queries the attributes of an ECS instance, such as the instance ID and description.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

ecs:DeleteInstance

Releases a pay-as-you-go instance or an expired subscription instance.

ecs:RunCommand

Runs a Cloud Assistant command of the Shell, PowerShell, or Bat type on one or more ECS instances.

ecs:DescribeInvocationResults

Queries the result of running one or more Cloud Assistant commands on an ECS instance.

ecs:ReplaceSystemDisk

Replaces the system disk or the operating system of an ECS instance. If the system disk is replaced, the original cloud disk is released, and the ID of the new cloud disk is used.

ecs:DescribeUserData

Queries the user data of an ECS instance.

Auto Scaling-related permissions

Permission (Action)

Description

ess:DescribeScalingGroups

Queries scaling groups.

ess:DescribeScalingConfigurations

Queries scaling configurations.

ACK-related permissions

Permission (Action)

Description

cs:RepairClusterNodePool

Fixes the issues on the specified nodes in a managed node pool.

cs:DescribeClusterNodePoolDetail

Queries the details of a node pool in a cluster by node pool ID.

cs:DescribeTaskInfo

Queries the execution details of a task by task ID.

cs:FixNodePoolVuls

Automatically fixes node pool vulnerabilities in a cluster.

cs:CancelTask

Cancels a task.

cs:PauseTask

Pauses a task.

cs:ResumeTask

Resumes a task.

cs:DescribeNodePoolVuls

Queries node pool vulnerabilities in a cluster.

AliyunCSManagedAutoScalerRole

The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS.

Auto Scaling-related permissions

Permission (Action)

Description

ess:DescribeScalingGroups

Queries scaling groups.

ess:DescribeScalingInstances

Queries information about the ECS instances in a scaling group.

ess:DescribeScalingActivities

Queries scaling activities.

ess:DescribeScalingConfigurations

Queries scaling configurations.

ess:DescribeScalingRules

Queries information about the scaling rules in a scaling group.

ess:DescribeScheduledTasks

Queries scheduled tasks.

ess:DescribeLifecycleHooks

Queries lifecycle hooks.

ess:DescribeNotificationConfigurations

Queries notifications that you create for auto scaling events and resource changes.

ess:DescribeNotificationTypes

Queries the types of notifications for auto scaling events and resource changes.

ess:DescribeRegions

Queries the regions in which Auto Scaling is available.

ess:CreateScalingRule

Creates a scaling rule.

ess:ModifyScalingGroup

Modifies a scaling group.

ess:RemoveInstances

Deletes one or more ECS instances or ECIs from a scaling group.

ess:ExecuteScalingRule

Runs a scaling rule.

ess:ModifyScalingRule

Modifies a scaling rule.

ess:DeleteScalingRule

Deletes a scaling rule.

ess:DetachInstances

Removes one or more ECS instances or ECIs from a scaling group.

ess:CompleteLifecycleAction

Ends the wait state of a scaling activity ahead of its timeout.

ess:ScaleWithAdjustment

Scales instances in a scaling group based on the specified scaling rule.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeInstanceTypes

Queries all instance types of ECS instances or the instance type of an ECS instance.

ecs:DescribeImages

Queries available OS images.

ACK-related permissions

Permission (Action)

Description

cs:DeleteClusterNodes

Removes the specified nodes from a cluster by node name.

cs:DescribeClusterNodes

Queries the details of all nodes in a cluster by cluster ID.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVSwitches

Queries the information about available vSwitches that are used in an internal network.

AliyunCSManagedSecurityRole

The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in KMS.

KMS-related permissions

Permission (Action)

Description

kms:GetSecretValue

Queries a secret.

kms:ListSecrets

Queries all secrets that are created by the current user in the current region.

kms:ListKeys

Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region.

kms:ListSecretVersionIds

Queries all versions of a secret.

kms:ListAliasesByKeyId

Queries all aliases that are bound to a CMK.

kms:SetDeletionProtection

Enables or disables deletion protection for a CMK.

kms:DescribeKey

Queries the details of a CMK.

kms:Encrypt

Encrypts plaintext by using a symmetric CMK.

kms:Decrypt

Decrypts the ciphertext specified by CiphertextBlob.

AliyunCSManagedCostRole

The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and ECI and call API operations of BSS.

BSS API-related permissions

Permission (Action)

Description

bssapi:QueryInstanceBill

Queries the billing information of instances or billable items in a billing cycle. This action has been superseded by DescribeInstanceBill. This action can query up to 50,000 data rows.

bssapi:DescribeInstanceBill

Queries the billing information of instances or billable items in a billing cycle.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeDisks

Queries one or more Elastic Block Storage (EBS) devices that you have created. The EBS devices include cloud disks and local disks.

ecs:DescribeSpotPriceHistory

Queries the price history of a preemptible instance in the previous 30 days.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

ecs:DescribePrice

Queries the most recent prices of ECS resources.

ECI-related permissions

Permission (Action)

Description

eci:DescribeContainerGroupPrice

Queries the price of an ECI.

AliyunCSManagedNimitzRole

The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Intelligent Computing LINGJUN.

eflo-related permissions

Permission (Action)

Description

eflo:ListNetworkInterfaces

Queries Lingjun network interfaces (LNIs).

eflo:GetNetworkInterface

Queries information about an LNI.

eflo:AssignPrivateIpAddress

Applies for a secondary private IP address for the current LNI. You can also perform this action to assign a secondary Media Access Control (MAC) address to the current LNI.

eflo:UnAssignPrivateIpAddress

Deletes an assigned secondary private IP address.

eflo:UpdateNetworkInterfacePrivateMac

Changes the MAC address of an LNI.

AliyunCSManagedBackupRestoreRole

The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.

Cloud Backup-related permissions

Permission (Action)

Description

hbr:CreateVault

Creates a backup vault.

hbr:CreateBackupJob

Creates a manual backup task.

hbr:DescribeVaults

Queries one or more backup vaults that meet the specified conditions.

hbr:DescribeBackupJobs2

Queries one or more backup tasks that meet the specified conditions.

hbr:DescribeRestoreJobs

Queries a restoration task.

hbr:SearchHistoricalSnapshots

Queries one or more historical backup snapshots that meet the specified conditions.

hbr:CreateRestoreJob

Creates a restoration task.

hbr:AddContainerCluster

Registers a Kubernetes cluster.

hbr:DescribeContainerCluster

Queries one or more Kubernetes clusters that meet the specified conditions.

hbr:DescribeRestoreJobs2

Queries one or more restore tasks that meet the specified conditions.

OSS-related permissions

Permission (Action)

Description

oss:PutObject

Uploads an object.

oss:IsObjectExist

Checks whether an object exists.

oss:ListObjects

Queries the information about all objects in a bucket.

oss:GetObject

Queries an object.

oss:DeleteObject

Deletes an object.

oss:GetBucket

Queries the information about a bucket.

AliyunCSManagedEdgeRole

The control component of an ACK Edge cluster assumes this role to access your resources in SAG, VPC, and CEN.

SLB-related permissions

Permission (Action)

Description

slb:CreateLoadBalancer

Creates an SLB instance.

slb:DeleteLoadBalancer

Deletes an SLB instance.

slb:DescribeLoadBalancers

Queries existing SLB instances.

slb:DescribeLoadBalancerAttribute

Queries the details of an SLB instance.

slb:CreateAccessControlList

Creates an access control list (ACL).

slb:DeleteAccessControlList

Deletes an ACL.

slb:AddAccessControlListEntry

Adds IP entries to an ACL.

slb:RemoveAccessControlListEntry

Removes IP entries from an ACL.

slb:DescribeAccessControlListAttribute

Queries the configurations of an ACL.

slb:DescribeAccessControlLists

Queries existing ACLs.

slb:TagResources

Adds tags to resources.

VPC-related permissions

Permission (Action)

Description

vpc:AllocateEipAddress

Assigns an EIP to a VPC.

vpc:AssociateEipAddress

Binds an EIP to a VPC.

vpc:UnassociateEipAddress

Unbinds an EIP from a VPC.

vpc:ReleaseEipAddress

Releases an EIP.

vpc:DescribeEipAddresses

Queries the configurations of an EIP.

vpc:DescribeVpcs

Queries created VPCs.

vpc:DescribeRouteEntryList

Queries routes.

SAG-related permissions

Permission (Action)

Description

smartag:BindSmartAccessGateway

Associates a SAG instance with a Cloud Connect Network (CCN) instance.

smartag:UnbindSmartAccessGateway

Disassociates a SAG instance from a CCN instance.

smartag:GrantSagInstanceToCcn

Authorizes a SAG instance to communicate with a CCN instance that belongs to another Alibaba Cloud account.

smartag:RevokeSagInstanceFromCcn

Prohibits a SAG instance from communicating with a CCN instance that belongs to another Alibaba Cloud account.

CEN-related permissions

Permission (Action)

Description

cen:DescribePublishedRouteEntries

Queries whether the routes of VPCs and virtual border routers (VBRs) are published to the CEN instance to which the VPCs and VBRs are attached.

cen:PublishRouteEntries

Publishes the routes of a VPC or a VBR to a CEN instance to which the VPC or VBR is attached.

cen:WithdrawPublishedRouteEntries

Withdraws the routes of a VPC or a VBR from a CEN instance.