Container Service for Kubernetes: ACK roles

Last Updated: Jul 02, 2025

When you activate Container Service for Kubernetes (ACK), you must assign roles to ACK. ACK assumes the roles to use other cloud services, create clusters, and save log files. The cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes the permissions of the ACK roles.

Roles that can be assigned with a few clicks

The following table describes the roles assigned to ACK by using RAM Quick Authorization when you use ACK for the first time.

| Role | Description | Details |
| --- | --- | --- |
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, Virtual Private Cloud (VPC), SLB, Resource Orchestration Service (ROS), and Auto Scaling. | AliyunCSDefaultRolePolicy |
| AliyunCSManagedKubernetesRole | An ACK managed cluster or ACK Edge cluster assumes this role to access other cloud services such as ECS, VPC, SLB, and Container Registry. | AliyunCSManagedKubernetesRolePolicy |
| AliyunCSServerlessKubernetesRole | An ACK Edge cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Private Zone. | AliyunCSServerlessKubernetesRolePolicy |
| AliyunCSKubernetesAuditRole | The audit feature of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Simple Log Service (SLS). | AliyunCSKubernetesAuditRolePolicy |
| AliyunCSManagedNetworkRole | The network component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and VPC. | AliyunCSManagedNetworkRolePolicy |
| AliyunCSManagedCsiRole | The storage component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, NAS, and OSS. | AliyunCSManagedCsiRolePolicy |
| AliyunCSManagedCmsRole | The monitoring component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as CloudMonitor and SLS. | AliyunCSManagedCmsRolePolicy |
| AliyunCSManagedLogRole | The log component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in SLS. | AliyunCSManagedLogRolePolicy |
| AliyunCSManagedArmsRole | The Application Real-Time Monitoring Service (ARMS) component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ARMS. | AliyunCSManagedArmsRolePolicy |
| AliyunCISDefaultRole | ACK Container Intelligence Service assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to provide you with diagnostic and inspection services. | AliyunCISDefaultRolePolicy |
| AliyunCSManagedCsiProvisionerRole | The storage component (csi-provisioner) of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS, NAS, and OSS. | AliyunCSManagedCsiProvisionerRolePolicy |
| AliyunCSManagedCsiPluginRole | The CSI storage component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS. | AliyunCSManagedCsiPluginRolePolicy |

Optional roles

If you need any of the following roles when you use ACK, the authorization must be performed by an Alibaba Cloud account or a RAM user with administrator permissions.

| Role | Description | Details |
| --- | --- | --- |
| AliyunCSManagedAcrRole | The password-free image pulling plug-in of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Container Registry. | AliyunCSManagedAcrRolePolicy |
| AliyunCSManagedNlcRole | The managed node pool controller of an ACK managed cluster or ACK Edge cluster assumes this role to access your node pool resources in ECS and ACK. | AliyunCSManagedNlcRolePolicy |
| AliyunCSManagedAutoScalerRole | The auto scaling component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS. | AliyunCSManagedAutoScalerRolePolicy |
| AliyunCSManagedSecurityRole | The disk encryption component and the credential management component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assume this role to access your resources in Key Management Service (KMS). | AliyunCSManagedSecurityRolePolicy |
| AliyunCSManagedCostRole | The cost analysis component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in API, ECS, and Elastic Container Instance. | AliyunCSManagedCostRolePolicy |
| AliyunCSManagedNimitzRole | The network component of an ACK Lingjun cluster assumes this role to access your resources in Lingjun AI Computing Service. | AliyunCSManagedNimitzRolePolicy |
| AliyunCSManagedBackupRestoreRole | The backup center component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Cloud Backup service and OSS. | AliyunCSManagedBackupRestoreRolePolicy |
| AliyunCSManagedEdgeRole | The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN). | AliyunCSManagedEdgeRolePolicy |
| AliyunOOSLifecycleHook4CSRole | CloudOps Orchestration Service (OOS) assumes this role to access your resources in ACK, ECS, and PolarDB. | View the role details (policy shown after this table) |

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cs:DeleteClusterNodes",
                "cs:DescribeClusterNodes",
                "cs:DescribeTaskInfo"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ess:CompleteLifecycleAction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
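
When reviewing what a role such as AliyunOOSLifecycleHook4CSRole can do, it helps to separate read-only actions from state-changing ones and to note which of them apply to every resource. The following script is an added example, not part of the original documentation or of any Alibaba Cloud tooling; the `READ_PREFIXES` verb list and the `audit` helper are assumptions made for illustration.

```python
import json

# Policy document from the page, compacted; statement order is unchanged.
POLICY_JSON = """{"Version": "1", "Statement": [
 {"Action": ["cs:DeleteClusterNodes", "cs:DescribeClusterNodes", "cs:DescribeTaskInfo"],
  "Resource": ["*"], "Effect": "Allow"},
 {"Action": ["ess:CompleteLifecycleAction"], "Resource": ["*"], "Effect": "Allow"},
 {"Action": ["polardb:DescribeDBClusterAccessWhitelist",
             "polardb:ModifyDBClusterAccessWhitelist"],
  "Resource": ["*"], "Effect": "Allow"},
 {"Action": ["ecs:DescribeInstances"], "Resource": ["*"], "Effect": "Allow"}]}"""

# Assumption (a naming heuristic, not a RAM rule): APIs whose names start with
# these verbs only read state; every other action is treated as state-changing.
READ_PREFIXES = ("Describe", "List", "Get", "Query")


def as_list(value):
    """Accept either one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    # A wildcard ("*", "ecs:*") can match mutating APIs, so never read-only.
    api = action.partition(":")[2]
    return "*" not in action and api.startswith(READ_PREFIXES)


def audit(policy):
    """Return (statement index, action) for each state-changing action that an
    Allow statement grants on all resources."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append((index, action))
    return findings


if __name__ == "__main__":
    for index, action in audit(json.loads(POLICY_JSON)):
        print(f"statement {index}: {action} is allowed on all resources")
```

For the policy above, the script reports `cs:DeleteClusterNodes`, `ess:CompleteLifecycleAction`, and `polardb:ModifyDBClusterAccessWhitelist`; the remaining `Describe*` actions are classified as read-only.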