This topic describes how to assign the ACK system default roles to your Alibaba Cloud account and lists the permissions that each role grants. Before you activate Alibaba Cloud Container Service for Kubernetes (ACK), you must assign the following system default roles to your Alibaba Cloud account: AliyunCSDefaultRole, AliyunCSServerlessKubernetesRole, AliyunCSClusterRole, AliyunCSManagedKubernetesRole, and KubernetesAuditRole. ACK assumes these roles to call other Alibaba Cloud services on your behalf, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Network Attached Storage (NAS), and Server Load Balancer (SLB), when it creates clusters and stores logs.

Considerations

  • If you started using ACK before January 15, 2018, the system has already assigned the roles to your Alibaba Cloud account. For more information about role permissions, see AliyunCSDefaultRole permissions. If you used a Resource Access Management (RAM) user to manage ACK, you must upgrade the RAM permission policies of that user. For more information, see Custom RAM policies.
  • Starting January 15, 2018, new users must assign the default roles to their Alibaba Cloud accounts before they can use ACK. To let RAM users use ACK, new users must also log on to the RAM console and grant permissions to those RAM users. For more information, see Use RAM users.

Procedure

  1. On the overview page of Alibaba Cloud Container Service for Kubernetes, click Get it Free to log on to the ACK console.
  2. If you have not assigned your Alibaba Cloud account the default roles, click Go to RAM console. On the Cloud Resource Access Authorization page that appears, click Confirm Authorization Policy.
    Grant permissions
    Notice
    • If you are using a managed cluster, you also need to assign KubernetesAuditRole to your account. ACK assumes this role to write the API server audit logs of the cluster to Log Service (see KubernetesAuditRole permissions).
    • The default permission policy WorkerRolePolicy attached to workers in a managed cluster has high permissions. To facilitate data security and resource isolation in multi-tenancy scenarios, ACK reduces the permissions of RAM roles assigned to the workers. For more information, see Container Service for Kubernetes reduces the permissions of worker RAM roles in managed clusters.
    • To modify the permission settings of the default roles, log on to the RAM console, choose RAM Roles, and find the target roles. ACK assumes these roles, so if you remove an action that ACK needs, the operations that depend on it (for example, creating nodes, provisioning SLB instances, or delivering logs) fail. Make sure that ACK is still granted the required permissions after you modify the permission settings.
  3. After you assign the roles to your account, reopen the console to start using ACK.
    For more information about the permissions of AliyunCSDefaultRole, AliyunCSServerlessKubernetesRole, AliyunCSClusterRole, AliyunCSManagedKubernetesRole, and KubernetesAuditRole, log on to the RAM console and choose RAM Roles.
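If you edit a default role in the RAM console, two things are worth checking before you save: that every action ACK is documented to need is still allowed (an explicit Deny beats an Allow in RAM evaluation), and that the role's trust policy still lets only the ACK service assume it. The script below is an added example written for this page, not code from Alibaba Cloud or from the ACK console. It parses RAM policy documents in their JSON form (Version "1", a Statement list with Effect/Action/Resource, and for the trust policy a Principal block), and compares them against a subset of the actions copied from the AliyunCSManagedKubernetesRole tables on this page. The two policy documents are constructed samples, the account ID in the trust policy is a placeholder, the `vpc:` prefix on the VPC rows is added here because the page omits it, and resource scoping is ignored because the documented policies use `Resource: "*"`.

```python
import fnmatch
import json

# Constructed sample RAM policy, shaped like a real RAM policy document.
# It models a policy an operator has hand-edited in the RAM console; it is
# not a copy of any Alibaba-managed policy.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:Describe*", "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface"]},
        {"Effect": "Allow", "Resource": "*", "Action": "slb:*"},
        {"Effect": "Deny", "Resource": "*", "Action": "vpc:DeleteRouteEntry"},
    ],
})

# Constructed sample trust policy (AssumeRolePolicyDocument). A role that
# ACK assumes should trust only the ACK service principal; this sample also
# trusts a RAM account root (placeholder account ID), which the audit flags.
SAMPLE_TRUST = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["cs.aliyuncs.com"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}},
    ],
})

# Subset of the actions the page lists for AliyunCSManagedKubernetesRole.
# The vpc: prefix is added here (the page's VPC table omits it).
REQUIRED_ACTIONS = [
    "ecs:Describe*", "ecs:CreateRouteEntry", "ecs:DeleteRouteEntry",
    "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "vpc:Describe*", "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry",
    "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def covers(granted, required):
    """True if policy pattern `granted` allows everything `required` names.
    Only trailing '*' wildcards are handled, the only form used on this page.
    Action names are compared case-insensitively."""
    g, r = granted.lower(), required.lower()
    if "*" not in r:
        return fnmatch.fnmatchcase(r, g)
    if not g.endswith("*") or "*" in g[:-1]:
        return False
    # Both are prefix wildcards: granted covers required iff its literal
    # prefix is a prefix of required's literal prefix.
    return r[: r.index("*")].startswith(g[:-1])


def _actions(policy_json, effect):
    doc = json.loads(policy_json)
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == effect:
            for action in _as_list(stmt.get("Action", [])):
                yield action


def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    """Compare a RAM policy document against the actions ACK needs.
    Returns sorted lists: required actions no Allow covers, required actions
    an explicit Deny touches (Deny wins over Allow in RAM), and Allow
    patterns that are service-wide or global wildcards."""
    allows = list(_actions(policy_json, "Allow"))
    denies = list(_actions(policy_json, "Deny"))
    missing = [a for a in required if not any(covers(g, a) for g in allows)]
    denied = [a for a in required
              if any(covers(d, a) or covers(a, d) for d in denies)]
    overbroad = [g for g in allows if g == "*" or g.endswith(":*")]
    return {"missing": sorted(missing), "denied": sorted(denied),
            "overbroad": sorted(overbroad)}


def audit_trust(trust_json, expected_service="cs.aliyuncs.com"):
    """Return every principal other than the ACK service that may assume the role."""
    doc = json.loads(trust_json)
    unexpected = []
    for stmt in doc.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        for kind, principals in stmt.get("Principal", {}).items():
            for p in _as_list(principals):
                if not (kind == "Service" and p == expected_service):
                    unexpected.append(f"{kind}:{p}")
    return sorted(unexpected)


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
    print("unexpected trusted principals:", audit_trust(SAMPLE_TRUST))
```

On the sample policy the audit reports the seven ECS and VPC actions that no Allow statement covers, flags `vpc:DeleteRouteEntry` as explicitly denied, and reports `slb:*` as a service-wide grant that goes well beyond the SLB actions the page lists. The trust audit reports the RAM account principal as an unexpected trustee. To run this against a real role, fetch the policy document and the role's AssumeRolePolicyDocument from the RAM console (or the RAM API) and pass them in place of the samples.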

AliyunCSDefaultRole permissions

For details about each action listed below, see the API Reference of the corresponding Alibaba Cloud service.

  • ECS-related permissions
    Permission (Action) Description
    ecs:RunInstances Creates and starts one or more ECS instances.
    ecs:RenewInstance Renews an ECS instance.
    ecs:Create* Creates ECS-related resources, such as ECS instances and disks.
    ecs:AllocatePublicIpAddress Allocates a public IP address to an ECS instance.
    ecs:AllocateEipAddress Allocates an Elastic IP address.
    ecs:Delete* Deletes ECS-related resources, such as ECS instances and disks.
    ecs:StartInstance Starts an ECS instance.
    ecs:StopInstance Stops an ECS instance.
    ecs:RebootInstance Restarts an ECS instance.
    ecs:Describe* Queries the information about ECS-related resources.
    ecs:AuthorizeSecurityGroup Adds an inbound rule to a security group.
    ecs:RevokeSecurityGroup Deletes an inbound rule from a security group.
    ecs:AuthorizeSecurityGroupEgress Adds an outbound rule to a security group.
    ecs:AttachDisk Attaches a disk to an ECS instance.
    ecs:DetachDisk Detaches a disk from an ECS instance.
    ecs:AddTags Adds a tag.
    ecs:ReplaceSystemDisk Replaces the system disk of an ECS instance.
    ecs:ModifyInstanceAttribute Modifies the attributes of an ECS instance.
    ecs:JoinSecurityGroup Adds an ECS instance to a security group.
    ecs:LeaveSecurityGroup Removes an ECS instance from a security group.
    ecs:UnassociateEipAddress Disassociates an Elastic IP address.
    ecs:ReleaseEipAddress Releases an Elastic IP address.
  • VPC-related permissions
    Permission (Action) Description
    vpc:Describe* Queries VPC-related resources.
    vpc:DescribeVpcs Queries a VPC network.
    vpc:AllocateEipAddress Allocates an Elastic IP address.
    vpc:AssociateEipAddress Binds an Elastic IP address.
    vpc:UnassociateEipAddress Unbinds an Elastic IP address.
    vpc:ReleaseEipAddress Releases an Elastic IP address.
    vpc:CreateRouteEntry Creates a route entry.
    vpc:DeleteRouteEntry Deletes a route entry.
  • SLB-related permissions
    Permission (Action) Description
    slb:Describe* Queries SLB-related resources.
    slb:CreateLoadBalancer Creates an SLB instance.
    slb:DeleteLoadBalancer Deletes an SLB instance.
    slb:RemoveBackendServers Removes backend servers from an SLB instance.
    slb:StartLoadBalancerListener Starts a listener.
    slb:StopLoadBalancerListener Stops a listener.
    slb:CreateLoadBalancerTCPListener Creates a TCP listener for an SLB instance.
    slb:AddBackendServers Adds backend servers to an SLB instance.

AliyunCSClusterRole permissions

AliyunCSClusterRole has the following permissions:

  • OSS-related permissions
    Permission (Action) Description
    oss:PutObject Uploads an object.
    oss:GetObject Downloads an object.
    oss:ListObjects Lists the objects in a bucket.
  • NAS-related permissions
    Permission (Action) Description
    nas:Describe* Queries a NAS file system.
    nas:CreateAccessRule Creates a rule in a NAS permission group.
  • SLB-related permissions
    Permission (Action) Description
    slb:Describe* Queries SLB-related resources.
    slb:CreateLoadBalancer Creates an SLB instance.
    slb:DeleteLoadBalancer Deletes an SLB instance.
    slb:RemoveBackendServers Removes backend servers from an SLB instance.
    slb:StartLoadBalancerListener Starts a listener.
    slb:StopLoadBalancerListener Stops a listener.
    slb:CreateLoadBalancerTCPListener Creates a TCP listener for an SLB instance.
    slb:AddBackendServers Adds backend servers to an SLB instance.
    slb:DeleteLoadBalancerListener Deletes a listener.
    slb:CreateVServerGroup Creates a VServer group and adds backend servers to the VServer group.
    slb:ModifyVServerGroupBackendServers Replaces the backend servers in a VServer group.
    slb:CreateLoadBalancerHTTPListener Creates an HTTP listener for an SLB instance.
    slb:SetBackendServers Configures backend servers of an SLB instance and sets weights for the backend servers.
    slb:AddTags Adds tags to an SLB instance.

AliyunCSManagedKubernetesRole permissions

  • ECS-related permissions
    Permission (Action) Description
    ecs:Describe* Queries ECS-related resources.
    ecs:CreateRouteEntry Creates a route entry.
    ecs:DeleteRouteEntry Deletes a route entry.
    ecs:CreateNetworkInterface Creates an Elastic Network Interface (ENI).
    ecs:DeleteNetworkInterface Deletes an ENI.
    ecs:CreateNetworkInterfacePermission Creates ENI permissions.
    ecs:DeleteNetworkInterfacePermission Deletes ENI permissions.
  • SLB-related permissions
    Permission (Action) Description
    slb:Describe* Queries SLB-related resources.
    slb:CreateLoadBalancer Creates an SLB instance.
    slb:DeleteLoadBalancer Deletes an SLB instance.
    slb:ModifyLoadBalancerInternetSpec Changes the billing method of a public-facing SLB instance.
    slb:RemoveBackendServers Removes backend servers from an SLB instance.
    slb:AddBackendServers Adds backend servers to an SLB instance.
    slb:RemoveTags Removes tags from an SLB instance.
    slb:AddTags Adds tags to an SLB instance.
    slb:StopLoadBalancerListener Stops a listener.
    slb:StartLoadBalancerListener Starts a listener.
    slb:SetLoadBalancerHTTPListenerAttribute Modifies the configurations of an HTTP listener.
    slb:SetLoadBalancerHTTPSListenerAttribute Modifies the configurations of an HTTPS listener.
    slb:SetLoadBalancerTCPListenerAttribute Modifies the configurations of a TCP listener.
    slb:SetLoadBalancerUDPListenerAttribute Modifies the configurations of a UDP listener.
    slb:CreateLoadBalancerHTTPSListener Creates an HTTPS listener for an SLB instance.
    slb:CreateLoadBalancerHTTPListener Creates an HTTP listener for an SLB instance.
    slb:CreateLoadBalancerTCPListener Creates a TCP listener for an SLB instance.
    slb:CreateLoadBalancerUDPListener Creates a UDP listener.
    slb:DeleteLoadBalancerListener Deletes a listener.
    slb:CreateVServerGroup Creates a VServer group and adds backend servers to it.
    slb:DescribeVServerGroups Queries a list of VServer groups.
    slb:DeleteVServerGroup Deletes a VServer group.
    slb:SetVServerGroupAttribute Modifies the configurations of a VServer group.
    slb:DescribeVServerGroupAttribute Queries a VServer group.
    slb:ModifyVServerGroupBackendServers Replaces the backend servers of a VServer group.
    slb:AddVServerGroupBackendServers Adds backend servers to a VServer group.
    slb:ModifyLoadBalancerInstanceSpec Changes the type of an SLB instance.
    slb:RemoveVServerGroupBackendServers Removes backend servers from a VServer group.
  • VPC-related permissions
    Permission (Action) Description
    vpc:Describe* Queries VPC-related resources.
    vpc:DeleteRouteEntry Deletes a custom route entry.
    vpc:CreateRouteEntry Creates a custom route entry.
  • ACR-related permissions
    Permission (Action) Description
    Get* Queries Container Registry (ACR)-related resources.
    List* Queries a list of image repositories.
    PullRepository Pulls an image.

AliyunCSServerlessKubernetesRole permissions

  • VPC-related permissions
    Permission (Action) Description
    vpc:DescribeVSwitches Queries VSwitches.
    vpc:DescribeVpcs Queries existing VPCs.
    vpc:AssociateEipAddress Associates an Elastic IP address with a cloud resource in the same region.
    vpc:DescribeEipAddresses Queries the Elastic IP addresses that have been created in the specified region.
    vpc:AllocateEipAddress Allocates an Elastic IP address.
    vpc:ReleaseEipAddress Releases an Elastic IP address.
  • ECS-related permissions
    Permission (Action) Description
    ecs:DescribeSecurityGroups Queries security groups.
    ecs:CreateNetworkInterface Creates an ENI.
    ecs:CreateNetworkInterfacePermission Creates an ENI permission.
    ecs:DescribeNetworkInterfaces Queries a list of ENIs.
    ecs:AttachNetworkInterface Attaches an ENI to an ECS instance in a VPC.
    ecs:DetachNetworkInterface Detaches an ENI from an ECS instance.
    ecs:DeleteNetworkInterface Deletes an ENI.
    ecs:DeleteNetworkInterfacePermission Deletes an ENI permission.
  • SLB-related permissions
    Permission (Action) Description
    slb:Describe* Queries SLB-related resources.
    slb:CreateLoadBalancer Creates an SLB instance.
    slb:DeleteLoadBalancer Deletes a pay-as-you-go SLB instance.
    slb:RemoveBackendServers Removes backend servers from an SLB instance.
    slb:StartLoadBalancerListener Starts a listener.
    slb:StopLoadBalancerListener Stops a listener.
    slb:DeleteLoadBalancerListener Deletes a listener.
    slb:CreateLoadBalancerTCPListener Creates a TCP listener for an SLB instance.
    slb:AddBackendServers* Adds backend servers to an SLB instance.
    slb:UploadServerCertificate Uploads a server certificate.
    slb:CreateLoadBalancerHTTPListener Creates an HTTP listener for an SLB instance.
    slb:CreateLoadBalancerHTTPSListener Creates an HTTPS listener for an SLB instance.
    slb:CreateLoadBalancerUDPListener Creates a UDP listener.
    slb:ModifyLoadBalancerInternetSpec Changes the billing method of a public-facing SLB instance.
    slb:CreateRules Adds forwarding rules to a specified HTTP or HTTPS listener.
    slb:DeleteRules Deletes a forwarding rule.
    slb:SetRule Modifies a forwarding rule.
    slb:CreateVServerGroup Creates a VServer group and adds backend servers to it.
    slb:SetVServerGroupAttribute Modifies the configurations of a VServer group.
    slb:AddVServerGroupBackendServers Adds backend servers to a VServer group.
    slb:RemoveVServerGroupBackendServers Removes backend servers from a VServer group.
    slb:ModifyVServerGroupBackendServers Replaces the backend servers of a VServer group.
    slb:DeleteVServerGroup Deletes a VServer group.
    slb:SetLoadBalancerTCPListenerAttribute Modifies the configurations of a TCP listener.
    slb:SetLoadBalancerHTTPListenerAttribute Modifies the configuration of an HTTP listener.
    slb:SetLoadBalancerHTTPSListenerAttribute Modifies the configuration of an HTTPS listener.
    slb:AddTags Adds tags to an SLB instance.
  • PrivateZone-related permissions
    Permission (Action) Description
    AddZone Creates a private zone.
    DeleteZone Deletes a private zone.
    DescribeZones Queries the private zones that belong to the current account.
    DescribeZoneInfo Queries the details about a specified private zone.
    BindZoneVpc Binds a private zone to, or unbinds it from, VPCs.
    AddZoneRecord Adds a record to a private zone.
    DeleteZoneRecord Deletes a record from a private zone.
    DeleteZoneRecordsByRR Deletes a list of records.
    DescribeZoneRecordsByRR Queries a list of records.
    DescribeZoneRecords Queries a list of records.
  • ACR-related permissions
    Permission (Action) Description
    Get* Queries Container Registry (ACR)-related resources.
    List* Queries a list of image repositories.
    PullRepository Pulls an image.
  • ECI-related permissions
    Permission (Action) Description
    CreateContainerGroup Creates a container group.
    DeleteContainerGroup Deletes a container group.
    DescribeContainerGroups Queries a list of container groups.
    DescribeContainerLog Queries container group logs.
    UpdateContainerGroup Updates a container group.
    UpdateContainerGroupByTemplate Updates a container group by template.
    CreateContainerGroupFromTemplate Creates a container group by template.
    RestartContainerGroup Restarts a container group.
    ExportContainerGroupTemplate Exports a container group template.
    DescribeContainerGroupMetric Queries monitoring metrics of a container group.
    DescribeMultiContainerGroupMetric Queries monitoring metrics of multiple container groups.
    ExecContainerCommand Executes commands on a container.
    CreateImageCache Creates an image cache.
    DescribeImageCaches Queries an image cache.
    DeleteImageCache Deletes an image cache.

KubernetesAuditRole permissions

Permission (Action) Description
log:CreateProject Creates a project.
log:GetProject Queries a project by name.
log:DeleteProject Deletes a project.
log:CreateLogStore Creates a Logstore in a project.
log:GetLogStore Queries the attributes of a Logstore.
log:UpdateLogStore Updates the attributes of a Logstore.
log:DeleteLogStore Deletes a Logstore.
log:CreateConfig Creates a collection configuration.
log:UpdateConfig Updates a collection configuration.
log:GetConfig Queries the details of a collection configuration.
log:DeleteConfig Deletes a collection configuration.
log:CreateMachineGroup Creates a machine group to apply collection configurations.
log:UpdateMachineGroup Updates a machine group.
log:GetMachineGroup Queries the details of a machine group.
log:DeleteMachineGroup Deletes a machine group.
log:ApplyConfigToGroup Applies configurations to a machine group.
log:GetAppliedMachineGroups Queries the machines to which the configurations are applied in a machine group.
log:GetAppliedConfigs Queries the configurations that are applied to a machine group.
log:RemoveConfigFromMachineGroup Removes a configuration from a machine group.
log:CreateIndex Creates one or more indexes for a specified Logstore.
log:GetIndex Queries one or more indexes of a specified Logstore.
log:UpdateIndex Updates one or more indexes of a specified Logstore.
log:DeleteIndex Deletes one or more indexes from a specified Logstore.
log:CreateSavedSearch Creates a saved search.
log:GetSavedSearch Queries a saved search.
log:UpdateSavedSearch Updates a saved search.
log:DeleteSavedSearch Deletes a saved search.
log:CreateDashboard Creates a dashboard.
log:GetDashboard Queries a dashboard.
log:UpdateDashboard Updates a dashboard.
log:DeleteDashboard Deletes a dashboard.
log:CreateJob Creates a job. For example, you can create alerts and subscriptions.
log:GetJob Queries a job.
log:DeleteJob Deletes a job.
log:UpdateJob Updates a job.
log:PostLogStoreLogs Writes logs to a Logstore.