When you use ACK for the first time, use Terraform to activate Container Service for Kubernetes (ACK) and assign the required service roles.
This topic's example code is ready to run. Click hereherehere&example=201-use-case-enable-ack-and-assign-role) to run it directly.
To authorize roles in the ACK console instead, see Manage RAM user permissions.
Prerequisites
Ensure you have:
-
AccessKey pair for your RAM user
Use a RAM user instead of your root account. Limited permissions reduce exposure if credentials are compromised.
-
This policy attached to your RAM user grants minimum permissions to run the Terraform commands here.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ram:GetRole", "ram:ListRoles", "ram:AttachPolicyToRole", "ram:ListPoliciesForRole", "ram:CreateRole", "ram:DetachPolicyFromRole", "ram:DeleteRole" ], "Resource": "*" } ] } -
Terraform runtime environment (choose one):
Option
Best for
Browser-based setup, no installation
Terraform pre-installed with credentials configured
Unstable networks or custom environments
Terraform resources used
-
alicloud_ack_service: Activates ACK automatically.
-
alicloud_ram_role: Creates a RAM role.
-
alicloud_ram_role_policy_attachment: Attaches a policy to a RAM role.
-
alicloud_ram_roles: Lists RAM roles in your account matching the specified filters.
All examples use these Terraform resources:
|
Resource |
Type |
Purpose |
|
Data source |
Activates ACK |
|
|
Resource |
Creates a RAM role |
|
|
Resource |
Attaches a policy to a RAM role |
|
|
Data source |
Lists RAM roles matching a filter |
Step 1: Activate ACK
-
Create a working directory with a
main.tffile and copy this content into it:// Activate ACK. data "alicloud_ack_service" "open" { enable = "On" type = "propayasgo" } -
Initialize the Terraform runtime environment:
terraform initSuccessful initialization produces this output:
Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. -
Activate ACK:
terraform applyWhen prompted, type
yesand press Enter. ACK activation output:Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Step 2: Assign service roles to ACK
ACK needs RAM service roles before you can create clusters so add-ons can access other Alibaba Cloud services on your behalf.
Safe to run multiple times. Existing roles are skipped; only missing roles are created.
Service roles and the ACK components they serve:
|
Role |
Add-on |
Cloud services accessed |
|
|
Logging component |
Simple Log Service (SLS) |
|
|
Monitoring component |
CloudMonitor, SLS |
|
|
Volume plug-in |
Elastic Compute Service (ECS), File Storage NAS (NAS), Object Storage Service (OSS) |
|
|
Volume plug-in (csi-plugin) |
ECS |
|
|
Volume plug-in (csi-provisioner) |
ECS, NAS, OSS |
|
|
VK component (ACK Serverless) |
Multiple Alibaba Cloud services |
|
|
Default role for ACK Serverless and Edge |
ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), Alibaba Cloud DNS PrivateZone |
|
|
Auditing feature |
SLS |
|
|
Network plug-in |
ECS, VPC |
|
|
ACK cluster management (default) |
ECS, VPC, SLB, Resource Orchestration Service (ROS), Auto Scaling |
|
|
Default role for ACK managed and Edge clusters |
ECS, VPC, SLB, Container Registry |
|
|
ARMS component |
Application Real-Time Monitoring Service (ARMS) |
|
|
Container Intelligence Service (CIS) |
ECS, VPC, SLB (diagnostics) |
|
|
Node pool scaling (OOS) |
ACK, ECS, PolarDB |
|
|
Auto scaling component |
ECS, ACK node pool resources |
Select roles for your use case. Adjust the default list in the variable block below.
-
Copy this code into
main.tf:// The RAM roles to create. variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) default = [ { name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedLogRolePolicy" }, { name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCmsRolePolicy" }, { name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiRolePolicy" }, { name = "AliyunCSManagedCsiPluginRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiPluginRolePolicy" }, { name = "AliyunCSManagedCsiProvisionerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" }, { name = "AliyunCSManagedVKRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedVKRolePolicy" }, { name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK clusters assume this role to access your cloud resources." policy_name = "AliyunCSServerlessKubernetesRolePolicy" }, { name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSKubernetesAuditRolePolicy" }, { name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedNetworkRolePolicy" }, { name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." policy_name = "AliyunCSDefaultRolePolicy" }, { name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK clusters assume this role to access your cloud resources." policy_name = "AliyunCSManagedKubernetesRolePolicy" }, { name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedArmsRolePolicy" }, { name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCISDefaultRolePolicy" }, { name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" }, { name = "AliyunCSManagedAutoScalerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedAutoScalerRolePolicy" } ] } // Query existing RAM roles. data "alicloud_ram_roles" "roles" { policy_type = "Custom" name_regex = "^Aliyun.*Role$" } locals { # All role names to create. all_role_names = [for role in var.roles : role.name] # Roles that already exist. created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name] # Roles that need to be created (set difference). complement_names = setsubtract(local.all_role_names, local.created_role_names) # Filter the full list to only the roles that need creating. complement_roles = [for role in var.roles : role if contains(local.complement_names, role.name)] } // Create RAM roles. resource "alicloud_ram_role" "role" { for_each = { for r in local.complement_roles : r.name => r } name = each.value.name document = each.value.policy_document description = each.value.description force = true } // Attach system policies to RAM roles. resource "alicloud_ram_role_policy_attachment" "attach" { for_each = { for r in local.complement_roles : r.name => r } policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] } -
Preview the changes:
terraform plan -
Apply the changes:
terraform applyWhen prompted, type
yesand press Enter. Role creation output:Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Verify the results
Confirm the roles exist using either method.
Run terraform show
terraform show

Check the RAM console
Log on to the RAM console to view the created roles.

Delete resources
Remove all Terraform-created resources:
terraform destroy
See Common commands.
Complete sample code
Appendix
Service roles
AliyunCSManagedLogRole
The logging component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Simple Log Service (SLS).
name = "AliyunCSManagedLogRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedLogRolePolicy"
AliyunCSManagedCmsRole
The monitoring component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in cloud services such as CloudMonitor and SLS.
name = "AliyunCSManagedCmsRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedCmsRolePolicy"
AliyunCSManagedCsiRole
The volume plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Elastic Compute Service (ECS), File Storage NAS (NAS), and Object Storage Service (OSS).
name = "AliyunCSManagedCsiRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedCsiRolePolicy"
AliyunCSManagedCsiPluginRole
The csi-plugin component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS.
name = "AliyunCSManagedCsiPluginRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The volume plug-in (new csi-plugin) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS."
policy_name = "AliyunCSManagedCsiPluginRolePolicy"
AliyunCSManagedCsiProvisionerRole
The csi-provisioner component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS, NAS, and OSS.
name = "AliyunCSManagedCsiProvisionerRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The volume plug-in (new csi-provisioner) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS, NAS, and OSS."
policy_name = "AliyunCSManagedCsiProvisionerRolePolicy"
AliyunCSServerlessKubernetesRole
ACK Edge and Serverless clusters assume this role to access resources in ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), and Alibaba Cloud DNS PrivateZone.
name = "AliyunCSServerlessKubernetesRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "By default, ACK Serverless clusters assume this role to access your resources in other cloud services."
policy_name = "AliyunCSServerlessKubernetesRolePolicy"
AliyunCSKubernetesAuditRole
The auditing component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in SLS.
name = "AliyunCSKubernetesAuditRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSKubernetesAuditRolePolicy"
AliyunCSManagedNetworkRole
The network plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS and VPC.
name = "AliyunCSManagedNetworkRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedNetworkRolePolicy"
AliyunCSDefaultRole
ACK assumes this role to access resources in ECS, VPC, SLB, Resource Orchestration Service (ROS), and Auto Scaling when managing clusters.
name = "AliyunCSDefaultRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters."
policy_name = "AliyunCSDefaultRolePolicy"
AliyunCSManagedKubernetesRole
ACK managed and Edge clusters assume this role to access resources in ECS, VPC, SLB, and Container Registry.
name = "AliyunCSManagedKubernetesRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "By default, ACK clusters assume this role to access your cloud resources."
policy_name = "AliyunCSManagedKubernetesRolePolicy"
AliyunCSManagedArmsRole
The Application Real-Time Monitoring Service (ARMS) component of ACK Edge and Serverless clusters assumes this role to access resources in ARMS.
name = "AliyunCSManagedArmsRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedArmsRolePolicy"
AliyunCISDefaultRole
Container Intelligence Service (CIS) assumes this role to access resources in ECS, VPC, and SLB for diagnostics and inspections.
name = "AliyunCISDefaultRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "CIS assumes this role to access your resources in other Alibaba Cloud services."
policy_name = "AliyunCISDefaultRolePolicy"
AliyunOOSLifecycleHook4CSRole
Operation Orchestration Service (OOS) assumes this role to access resources in ACK, ECS, and PolarDB. ACK uses OOS to scale node pools.
name = "AliyunOOSLifecycleHook4CSRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "OOS assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools."
policy_name = "AliyunOOSLifecycleHook4CSRolePolicy"
Optional roles
These roles are optional for basic cluster creation but required for specific features.
AliyunCSManagedAcrRole
The Secret-free image pulling plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Container Registry.
name = "AliyunCSManagedAcrRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The Secret-free image pulling component of ACK clusters assumes this role to pull images from Container Registry."
policy_name = "AliyunCSManagedAcrRolePolicy"
AliyunCSManagedNlcRole
The node lifecycle controller of ACK managed and Edge clusters assumes this role to access node pool resources in ECS and ACK.
name = "AliyunCSManagedNlcRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The managed node pool controller of ACK clusters assumes this role to access your node pool resources in ECS and ACK."
policy_name = "AliyunCSManagedNlcRolePolicy"
AliyunCSManagedAutoScalerRole
The auto scaling component of ACK managed, Edge, and Serverless clusters assumes this role to access node pool resources in ECS and ACK.
name = "AliyunCSManagedAutoScalerRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services."
policy_name = "AliyunCSManagedAutoScalerRolePolicy"
AliyunCSManagedSecurityRole
The Secret encryption and credential management component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Key Management Service (KMS).
name = "AliyunCSManagedSecurityRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The Secret encryption component of ACK clusters assumes this role to access your node pool resources in KMS."
policy_name = "AliyunCSManagedSecurityRolePolicy"
AliyunCSManagedCostRole
The cost analysis component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS and Elastic Container Instance and call Bills Management APIs.
name = "AliyunCSManagedCostRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The cost analysis component of ACK clusters assumes this role to access your resources in ECS and Elastic Container Instance, and call API operations of Bills Management."
policy_name = "AliyunCSManagedCostRolePolicy"
AliyunCSManagedNimitzRole
The control component of ACK Edge clusters assumes this role to access resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).
name = "AliyunCSManagedNimitzRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The network plug-in of ACK Lingjun clusters assumes this role to access your resources in Intelligent Computing LINGJUN."
policy_name = "AliyunCSManagedNimitzRolePolicy"
AliyunCSManagedBackupRestoreRole
The backup center component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Cloud Backup and Object Storage Service (OSS).
name = "AliyunCSManagedBackupRestoreRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The backup center component of ACK clusters assumes this role to access your resources in Cloud Backup and OSS."
policy_name = "AliyunCSManagedBackupRestoreRolePolicy"
AliyunCSManagedEdgeRole
The control component of ACK Edge clusters assumes this role to access resources in SAG, VPC, and CEN.
name = "AliyunCSManagedEdgeRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description = "The control component of ACK Edge clusters assumes this role to access your resources in SAG, VPC, and Cloud CEN."
policy_name = "AliyunCSManagedEdgeRolePolicy"
Next steps
-
Create a Terraform stack — deploy templates with Resource Orchestration Service (ROS) from the ROS console