When you activate Container Service, you must grant it the following default RAM roles in your Alibaba Cloud account: AliyunCSDefaultRole and AliyunCSClusterRole. Container Service assumes these roles to call other services, such as ECS, VPC, SLB, OSS, and NAS, when it creates clusters and manages logs.

Before you begin

  • If you used Container Service before January 15, 2018, the system granted the roles to your Alibaba Cloud account by default. For the permissions of each role, see the tables at the end of this page. If you use a RAM user to access Container Service, you must grant that RAM user the required permissions. For more information, see Custom RAM policies.
  • Since January 15, 2018, new users must grant the default roles to their Alibaba Cloud accounts before they can use Container Service. To authorize RAM users to use Container Service, go to the RAM console. For more information, see Use RAM users.

Procedure

  1. If you have not granted your Alibaba Cloud account the default roles, the following message appears when you log on to the Container Service console. Click Confirm Authorization Policy.
    Note Container Service has configured the default role permissions. To modify them, go to the RAM Roles page in the RAM console. Incorrect configurations may cause errors when Container Service attempts to access certain resources, and permissions added beyond those listed below give Container Service more access than it needs.
  2. After the authorization is complete, refresh the current page and continue with other operations as needed.
    You can view the policies attached to AliyunCSDefaultRole and AliyunCSClusterRole in the RAM console.

AliyunCSDefaultRole permissions

AliyunCSDefaultRole includes the following permissions. For more information about each action, see the API documentation of the corresponding product.

  • ECS-related permissions
    Action Description
    ecs:RunInstances Create and start ECS instances.
    ecs:RenewInstance Renew ECS instances.
    ecs:Create* Create ECS-related resources, such as ECS instances and disks.
    ecs:AllocatePublicIpAddress Assign public IP addresses.
    ecs:AllocateEipAddress Assign elastic IP addresses.
    ecs:Delete* Delete ECS-related resources, such as ECS instances and disks.
    ecs:StartInstance Start ECS instances.
    ecs:StopInstance Stop ECS instances.
    ecs:RebootInstance Restart ECS instances.
    ecs:Describe* Query ECS-related resources.
    ecs:AuthorizeSecurityGroup Set inbound security group rules.
    ecs:RevokeSecurityGroup Revoke security group rules.
    ecs:AuthorizeSecurityGroupEgress Set outbound security group rules.
    ecs:AttachDisk Mount disks.
    ecs:DetachDisk Remove disks.
    ecs:AddTags Add tags to ECS resources.
    ecs:ReplaceSystemDisk Change system disks of ECS instances.
    ecs:ModifyInstanceAttribute Modify instance attributes.
    ecs:JoinSecurityGroup Add instances to security groups.
    ecs:LeaveSecurityGroup Remove instances from security groups.
    ecs:UnassociateEipAddress Unbind elastic IP addresses.
    ecs:ReleaseEipAddress Release elastic IP addresses.
  • VPC-related permissions
    Action Description
    vpc:Describe* Query VPC-related resources.
    vpc:DescribeVpcs Query VPC networks.
    vpc:AllocateEipAddress Assign elastic IP addresses.
    vpc:AssociateEipAddress Associate elastic IP addresses with resources in a VPC.
    vpc:UnassociateEipAddress Disassociate elastic IP addresses from resources in a VPC.
    vpc:ReleaseEipAddress Release elastic IP addresses.
    vpc:CreateRouteEntry Create route entries.
    vpc:DeleteRouteEntry Delete route entries.
  • SLB-related permissions
    Action Description
    slb:Describe* Query SLB-related resources.
    slb:CreateLoadBalancer Create SLB instances.
    slb:DeleteLoadBalancer Delete SLB instances.
    slb:RemoveBackendServers Remove backend servers from SLB instances.
    slb:StartLoadBalancerListener Start listeners.
    slb:StopLoadBalancerListener Stop listeners.
    slb:CreateLoadBalancerTCPListener Create TCP listeners.
    slb:AddBackendServers Add backend servers.

AliyunCSClusterRole permissions

AliyunCSClusterRole includes the following permissions:

  • OSS-related permissions
    Action Description
    oss:PutObject Upload objects.
    oss:GetObject Download objects.
    oss:ListObjects List objects in a bucket.
  • NAS-related permissions
    Action Description
    nas:Describe* Query NAS-related resources.
    nas:CreateAccessRule Create NAS access rules, which control which clients may mount a file system.
  • SLB-related permissions
    Action Description
    slb:Describe* Query SLB-related resources.
    slb:CreateLoadBalancer Create SLB instances.
    slb:DeleteLoadBalancer Delete SLB instances.
    slb:RemoveBackendServers Remove backend servers from SLB instances.
    slb:StartLoadBalancerListener Start listeners.
    slb:StopLoadBalancerListener Stop listeners.
    slb:CreateLoadBalancerTCPListener Create TCP listeners.
    slb:AddBackendServers Add backend servers.
    slb:DeleteLoadBalancerListener Delete listeners.
    slb:CreateVServerGroup Create VServer groups and add backend servers.
    slb:ModifyVServerGroupBackendServers Change backend servers for VServer groups.
    slb:CreateLoadBalancerHTTPListener Create HTTP listeners.
    slb:SetBackendServers Configure backend servers and set weights for the servers.
    slb:AddTags Add tags to SLB instances.
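The procedure above tells you to review the two roles in the RAM console, and the tables list what they grant. The following Python script is an added example (not code from this page or from Container Service) of doing that review offline: it rebuilds policy documents in RAM's JSON policy format from the action lists above (constructed and abbreviated, so they are not the system policies actually attached to the roles), answers whether a given API action is permitted under wildcard and Deny semantics, lists the wildcard grants worth a second look, and checks the role's trust policy so that nothing but Container Service can assume it. The service principal name cs.aliyuncs.com and the placeholder account ID in the widened trust policy are assumptions; the same functions accept the PolicyDocument text returned by the RAM GetPolicyVersion API or shown on the RAM Roles page.

```python
# Added example: offline audit of the two role policies in RAM JSON policy format.
# The documents below are constructed from the action tables on this page
# (abbreviated); they are not the system policies attached to the roles.
import fnmatch
import json

# Constructed subset of the AliyunCSDefaultRole actions listed above.
DEFAULT_ROLE_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "ecs:RunInstances", "ecs:Create*", "ecs:Delete*", "ecs:Describe*",
        "ecs:StartInstance", "ecs:StopInstance", "ecs:AuthorizeSecurityGroup",
        "ecs:AttachDisk", "vpc:Describe*", "vpc:CreateRouteEntry",
        "slb:Describe*", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer"]}]}

# Constructed subset of the AliyunCSClusterRole actions listed above.
CLUSTER_ROLE_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "oss:PutObject", "oss:GetObject", "oss:ListObjects",
        "nas:Describe*", "nas:CreateAccessRule", "slb:Describe*",
        "slb:CreateVServerGroup", "slb:SetBackendServers", "slb:AddTags"]}]}

# Constructed trust policy (AssumeRolePolicyDocument). The service principal
# name cs.aliyuncs.com is an assumption; check it against the real role.
CS_SERVICE = "cs.aliyuncs.com"
TRUST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": [CS_SERVICE]}}]}

# Constructed misconfiguration: the trust policy widened so that a RAM account
# (placeholder ID) can also assume the role and inherit every grant above.
BROADENED_TRUST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": [CS_SERVICE], "RAM": ["acs:ram::000000000000:root"]}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statements(policy):
    """Accept a parsed policy or its JSON text (the RAM API returns text)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return policy["Statement"]

def action_matches(pattern, action):
    """'*' in a policy action matches any run of characters; case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action):
    """Explicit Deny wins; with no matching Allow the action is denied."""
    allowed = False
    for st in statements(policy):
        if any(action_matches(p, action) for p in _as_list(st["Action"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def wildcard_actions(policy):
    """Wildcard grants such as ecs:Delete* are the broad ones worth reviewing."""
    found = set()
    for st in statements(policy):
        if st["Effect"] == "Allow":
            found.update(a for a in _as_list(st["Action"]) if "*" in a)
    return sorted(found)

def trusted_principals(trust_policy):
    """Return (services, ram_principals) that may assume the role."""
    services, ram = set(), set()
    for st in statements(trust_policy):
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principal = st.get("Principal", {})
        services.update(_as_list(principal.get("Service", [])))
        ram.update(_as_list(principal.get("RAM", [])))
    return sorted(services), sorted(ram)

def audit(policy, trust_policy, expected_service=CS_SERVICE):
    """Findings: something other than Container Service can assume the role,
    or a statement grants every action outright."""
    findings = []
    services, ram = trusted_principals(trust_policy)
    if services != [expected_service] or ram:
        findings.append(f"assumable by {services + ram}, expected only [{expected_service}]")
    for st in statements(policy):
        if st["Effect"] == "Allow" and "*" in _as_list(st["Action"]):
            findings.append("a statement grants every action (*)")
    return findings

if __name__ == "__main__":
    for name, policy in (("AliyunCSDefaultRole", DEFAULT_ROLE_POLICY),
                         ("AliyunCSClusterRole", CLUSTER_ROLE_POLICY)):
        print(name, "wildcard grants:", wildcard_actions(policy))
        print(name, "findings:", audit(policy, TRUST_POLICY) or "none")
    print("broadened trust:", audit(DEFAULT_ROLE_POLICY, BROADENED_TRUST_POLICY))
```

Run it as-is to see the wildcard grants from the constructed subsets and the finding raised by the widened trust policy; to audit the real roles, replace the constructed documents with the PolicyDocument and AssumeRolePolicyDocument text from RAM. The check on the trust policy is the one that matters most: the permissions in the tables are only safe if the role can be assumed solely by the Container Service principal.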