All Products
Search
Document Center

Container Service for Kubernetes:Activate ACK and assign service roles with Terraform

Last Updated:Jun 24, 2026

When you use ACK for the first time, use Terraform to activate Container Service for Kubernetes (ACK) and assign the required service roles.

This topic's example code is ready to run. Click hereherehere&example=201-use-case-enable-ack-and-assign-role) to run it directly.

To authorize roles in the ACK console instead, see Manage RAM user permissions.

Prerequisites

Ensure you have:

  • AccessKey pair for your RAM user

    Use a RAM user instead of your root account. Limited permissions reduce exposure if credentials are compromised.
  • This policy attached to your RAM user grants minimum permissions to run the Terraform commands here.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ram:GetRole",
            "ram:ListRoles",
            "ram:AttachPolicyToRole",
            "ram:ListPoliciesForRole",
            "ram:CreateRole",
            "ram:DetachPolicyFromRole",
            "ram:DeleteRole"
          ],
          "Resource": "*"
        }
      ]
    }
  • Terraform runtime environment (choose one):

    Option

    Best for

    Terraform Explorer

    Browser-based setup, no installation

    Cloud Shell

    Terraform pre-installed with credentials configured

    Local machine

    Unstable networks or custom environments

Terraform resources used

All examples use these Terraform resources:

Resource

Type

Purpose

alicloud_ack_service

Data source

Activates ACK

alicloud_ram_role

Resource

Creates a RAM role

alicloud_ram_role_policy_attachment

Resource

Attaches a policy to a RAM role

alicloud_ram_roles

Data source

Lists RAM roles matching a filter

Step 1: Activate ACK

  1. Create a working directory with a main.tf file and copy this content into it:

    // Activate ACK.
    data "alicloud_ack_service" "open" {
        enable = "On"
        type   = "propayasgo"
    }
  2. Initialize the Terraform runtime environment:

    terraform init

    Successful initialization produces this output:

    Terraform has been successfully initialized!
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
  3. Activate ACK:

    terraform apply

    When prompted, type yes and press Enter. ACK activation output:

    Apply complete!  Resources: 0 added, 0 changed, 0 destroyed.

Step 2: Assign service roles to ACK

ACK needs RAM service roles before you can create clusters so add-ons can access other Alibaba Cloud services on your behalf.

Safe to run multiple times. Existing roles are skipped; only missing roles are created.

Service roles and the ACK components they serve:

Role

Add-on

Cloud services accessed

AliyunCSManagedLogRole

Logging component

Simple Log Service (SLS)

AliyunCSManagedCmsRole

Monitoring component

CloudMonitor, SLS

AliyunCSManagedCsiRole

Volume plug-in

Elastic Compute Service (ECS), File Storage NAS (NAS), Object Storage Service (OSS)

AliyunCSManagedCsiPluginRole

Volume plug-in (csi-plugin)

ECS

AliyunCSManagedCsiProvisionerRole

Volume plug-in (csi-provisioner)

ECS, NAS, OSS

AliyunCSManagedVKRole

VK component (ACK Serverless)

Multiple Alibaba Cloud services

AliyunCSServerlessKubernetesRole

Default role for ACK Serverless and Edge

ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), Alibaba Cloud DNS PrivateZone

AliyunCSKubernetesAuditRole

Auditing feature

SLS

AliyunCSManagedNetworkRole

Network plug-in

ECS, VPC

AliyunCSDefaultRole

ACK cluster management (default)

ECS, VPC, SLB, Resource Orchestration Service (ROS), Auto Scaling

AliyunCSManagedKubernetesRole

Default role for ACK managed and Edge clusters

ECS, VPC, SLB, Container Registry

AliyunCSManagedArmsRole

ARMS component

Application Real-Time Monitoring Service (ARMS)

AliyunCISDefaultRole

Container Intelligence Service (CIS)

ECS, VPC, SLB (diagnostics)

AliyunOOSLifecycleHook4CSRole

Node pool scaling (OOS)

ACK, ECS, PolarDB

AliyunCSManagedAutoScalerRole

Auto scaling component

ECS, ACK node pool resources

Select roles for your use case. Adjust the default list in the variable block below.

  1. Copy this code into main.tf:

    // The RAM roles to create.
    variable "roles" {
      type = list(object({
        name            = string
        policy_document = string
        description     = string
        policy_name     = string
      }))
      default = [
        {
          name            = "AliyunCSManagedLogRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedLogRolePolicy"
        },
        {
          name            = "AliyunCSManagedCmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCmsRolePolicy"
        },
        {
          name            = "AliyunCSManagedCsiRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCsiRolePolicy"
        },
        {
          name            = "AliyunCSManagedCsiPluginRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCsiPluginRolePolicy"
        },
        {
          name            = "AliyunCSManagedCsiProvisionerRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCsiProvisionerRolePolicy"
        },
        {
          name            = "AliyunCSManagedVKRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedVKRolePolicy"
        },
        {
          name            = "AliyunCSServerlessKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "By default, ACK clusters assume this role to access your cloud resources."
          policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSKubernetesAuditRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSKubernetesAuditRolePolicy"
        },
        {
          name            = "AliyunCSManagedNetworkRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedNetworkRolePolicy"
        },
        {
          name            = "AliyunCSDefaultRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters."
          policy_name     = "AliyunCSDefaultRolePolicy"
        },
        {
          name            = "AliyunCSManagedKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "By default, ACK clusters assume this role to access your cloud resources."
          policy_name     = "AliyunCSManagedKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSManagedArmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedArmsRolePolicy"
        },
        {
          name            = "AliyunCISDefaultRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCISDefaultRolePolicy"
        },
        {
          name            = "AliyunOOSLifecycleHook4CSRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools."
          policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"
        },
        {
          name            = "AliyunCSManagedAutoScalerRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedAutoScalerRolePolicy"
        }
      ]
    }
    
    // Query existing RAM roles.
    data "alicloud_ram_roles" "roles" {
        policy_type = "Custom"
        name_regex  = "^Aliyun.*Role$"
    }
    
    locals {
      # All role names to create.
      all_role_names = [for role in var.roles : role.name]
      # Roles that already exist.
      created_role_names  = [for role in data.alicloud_ram_roles.roles.roles : role.name]
      # Roles that need to be created (set difference).
      complement_names = setsubtract(local.all_role_names, local.created_role_names)
      # Filter the full list to only the roles that need creating.
      complement_roles = [for role in var.roles : role if contains(local.complement_names, role.name)]
    }
    
    // Create RAM roles.
    resource "alicloud_ram_role" "role" {
      for_each    = { for r in local.complement_roles : r.name => r }
      name        = each.value.name
      document    = each.value.policy_document
      description = each.value.description
      force       = true
    }
    
    // Attach system policies to RAM roles.
    resource "alicloud_ram_role_policy_attachment" "attach" {
      for_each    = { for r in local.complement_roles : r.name => r }
      policy_name = each.value.policy_name
      policy_type = "System"
      role_name   = each.value.name
      depends_on  = [alicloud_ram_role.role]
    }
  2. Preview the changes:

    terraform plan
  3. Apply the changes:

    terraform apply

    When prompted, type yes and press Enter. Role creation output:

    Apply complete!  Resources: 2 added, 0 changed, 0 destroyed.

Verify the results

Confirm the roles exist using either method.

Run terraform show

terraform show

image

Check the RAM console

Log on to the RAM console to view the created roles.

image

Delete resources

Remove all Terraform-created resources:

terraform destroy

See Common commands.

Complete sample code

This topic's example code is ready to run. Click hereherehere&example=201-use-case-enable-ack-and-assign-role) to run it directly.
provider "alicloud" {
    region = var.region_id
}

variable "region_id" {
   type    = string
   default = "cn-hangzhou"
}

// Activate ACK.
data "alicloud_ack_service" "open" {
    enable = "On"
    type   = "propayasgo"
}

// The RAM roles to create.
variable "roles" {
  type = list(object({
    name            = string
    policy_document = string
    description     = string
    policy_name     = string
  }))
  default = [
    {
      name            = "AliyunCSManagedLogRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedLogRolePolicy"
    },
    {
      name            = "AliyunCSManagedCmsRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedCmsRolePolicy"
    },
    {
      name            = "AliyunCSManagedCsiRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedCsiRolePolicy"
    },
    {
      name            = "AliyunCSManagedCsiPluginRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedCsiPluginRolePolicy"
    },
    {
      name            = "AliyunCSManagedCsiProvisionerRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedCsiProvisionerRolePolicy"
    },
    {
      name            = "AliyunCSManagedVKRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedVKRolePolicy"
    },
    {
      name            = "AliyunCSServerlessKubernetesRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "By default, ACK clusters assume this role to access your cloud resources."
      policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
    },
    {
      name            = "AliyunCSKubernetesAuditRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSKubernetesAuditRolePolicy"
    },
    {
      name            = "AliyunCSManagedNetworkRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedNetworkRolePolicy"
    },
    {
      name            = "AliyunCSDefaultRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters."
      policy_name     = "AliyunCSDefaultRolePolicy"
    },
    {
      name            = "AliyunCSManagedKubernetesRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "By default, ACK clusters assume this role to access your cloud resources."
      policy_name     = "AliyunCSManagedKubernetesRolePolicy"
    },
    {
      name            = "AliyunCSManagedArmsRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedArmsRolePolicy"
    },
    {
      name            = "AliyunCISDefaultRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "CIS assumes this role to access your resources in other Alibaba Cloud services."
      policy_name     = "AliyunCISDefaultRolePolicy"
    },
    {
      name            = "AliyunOOSLifecycleHook4CSRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "OOS assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools."
      policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"
    },
    {
      name            = "AliyunCSManagedAutoScalerRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services."
      policy_name     = "AliyunCSManagedAutoScalerRolePolicy"
    }
  ]
}

// Query existing RAM roles.
data "alicloud_ram_roles" "roles" {
    policy_type = "Custom"
    name_regex  = "^Aliyun.*Role$"
}

locals {
  # All role names to create.
  all_role_names = [for role in var.roles : role.name]
  # Roles that already exist.
  created_role_names  = [for role in data.alicloud_ram_roles.roles.roles : role.name]
  # Roles that need to be created (set difference).
  complement_names = setsubtract(local.all_role_names, local.created_role_names)
  # Filter the full list to only the roles that need creating.
  complement_roles = [for role in var.roles : role if contains(local.complement_names, role.name)]
}

// Create RAM roles.
resource "alicloud_ram_role" "role" {
  for_each    = { for r in local.complement_roles : r.name => r }
  name        = each.value.name
  document    = each.value.policy_document
  description = each.value.description
  force       = true
}

// Attach system policies to RAM roles.
resource "alicloud_ram_role_policy_attachment" "attach" {
  for_each    = { for r in local.complement_roles : r.name => r }
  policy_name = each.value.policy_name
  policy_type = "System"
  role_name   = each.value.name
  depends_on  = [alicloud_ram_role.role]
}

Appendix

Service roles

AliyunCSManagedLogRole

The logging component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Simple Log Service (SLS).

name            = "AliyunCSManagedLogRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedLogRolePolicy"

AliyunCSManagedCmsRole

The monitoring component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in cloud services such as CloudMonitor and SLS.

name            = "AliyunCSManagedCmsRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedCmsRolePolicy"

AliyunCSManagedCsiRole

The volume plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Elastic Compute Service (ECS), File Storage NAS (NAS), and Object Storage Service (OSS).

name            = "AliyunCSManagedCsiRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedCsiRolePolicy"

AliyunCSManagedCsiPluginRole

The csi-plugin component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS.

name            = "AliyunCSManagedCsiPluginRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The volume plug-in (new csi-plugin) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS."
policy_name     = "AliyunCSManagedCsiPluginRolePolicy"

AliyunCSManagedCsiProvisionerRole

The csi-provisioner component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS, NAS, and OSS.

name            = "AliyunCSManagedCsiProvisionerRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The volume plug-in (new csi-provisioner) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS, NAS, and OSS."
policy_name     = "AliyunCSManagedCsiProvisionerRolePolicy"

AliyunCSServerlessKubernetesRole

ACK Edge and Serverless clusters assume this role to access resources in ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), and Alibaba Cloud DNS PrivateZone.

name            = "AliyunCSServerlessKubernetesRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "By default, ACK Serverless clusters assume this role to access your resources in other cloud services."
policy_name     = "AliyunCSServerlessKubernetesRolePolicy"

AliyunCSKubernetesAuditRole

The auditing component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in SLS.

name            = "AliyunCSKubernetesAuditRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSKubernetesAuditRolePolicy"

AliyunCSManagedNetworkRole

The network plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS and VPC.

name            = "AliyunCSManagedNetworkRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedNetworkRolePolicy"

AliyunCSDefaultRole

ACK assumes this role to access resources in ECS, VPC, SLB, Resource Orchestration Service (ROS), and Auto Scaling when managing clusters.

name            = "AliyunCSDefaultRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters."
policy_name     = "AliyunCSDefaultRolePolicy"

AliyunCSManagedKubernetesRole

ACK managed and Edge clusters assume this role to access resources in ECS, VPC, SLB, and Container Registry.

name            = "AliyunCSManagedKubernetesRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "By default, ACK clusters assume this role to access your cloud resources."
policy_name     = "AliyunCSManagedKubernetesRolePolicy"

AliyunCSManagedArmsRole

The Application Real-Time Monitoring Service (ARMS) component of ACK Edge and Serverless clusters assumes this role to access resources in ARMS.

name            = "AliyunCSManagedArmsRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedArmsRolePolicy"

AliyunCISDefaultRole

Container Intelligence Service (CIS) assumes this role to access resources in ECS, VPC, and SLB for diagnostics and inspections.

name            = "AliyunCISDefaultRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "CIS assumes this role to access your resources in other Alibaba Cloud services."
policy_name     = "AliyunCISDefaultRolePolicy"

AliyunOOSLifecycleHook4CSRole

Operation Orchestration Service (OOS) assumes this role to access resources in ACK, ECS, and PolarDB. ACK uses OOS to scale node pools.

name            = "AliyunOOSLifecycleHook4CSRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "OOS assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools."
policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"

Optional roles

These roles are optional for basic cluster creation but required for specific features.

AliyunCSManagedAcrRole

The Secret-free image pulling plug-in of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Container Registry.

name            = "AliyunCSManagedAcrRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The Secret-free image pulling component of ACK clusters assumes this role to pull images from Container Registry."
policy_name     = "AliyunCSManagedAcrRolePolicy"

AliyunCSManagedNlcRole

The node lifecycle controller of ACK managed and Edge clusters assumes this role to access node pool resources in ECS and ACK.

name            = "AliyunCSManagedNlcRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The managed node pool controller of ACK clusters assumes this role to access your node pool resources in ECS and ACK."
policy_name     = "AliyunCSManagedNlcRolePolicy"

AliyunCSManagedAutoScalerRole

The auto scaling component of ACK managed, Edge, and Serverless clusters assumes this role to access node pool resources in ECS and ACK.

name            = "AliyunCSManagedAutoScalerRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services."
policy_name     = "AliyunCSManagedAutoScalerRolePolicy"

AliyunCSManagedSecurityRole

The Secret encryption and credential management component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Key Management Service (KMS).

name            = "AliyunCSManagedSecurityRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The Secret encryption component of ACK clusters assumes this role to access your node pool resources in KMS."
policy_name     = "AliyunCSManagedSecurityRolePolicy"

AliyunCSManagedCostRole

The cost analysis component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in ECS and Elastic Container Instance and call Bills Management APIs.

name            = "AliyunCSManagedCostRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The cost analysis component of ACK clusters assumes this role to access your resources in ECS and Elastic Container Instance, and call API operations of Bills Management."
policy_name     = "AliyunCSManagedCostRolePolicy"

AliyunCSManagedNimitzRole

The control component of ACK Edge clusters assumes this role to access resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).

name            = "AliyunCSManagedNimitzRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The network plug-in of ACK Lingjun clusters assumes this role to access your resources in Intelligent Computing LINGJUN."
policy_name     = "AliyunCSManagedNimitzRolePolicy"

AliyunCSManagedBackupRestoreRole

The backup center component of ACK managed, Edge, and Serverless clusters assumes this role to access resources in Cloud Backup and Object Storage Service (OSS).

name            = "AliyunCSManagedBackupRestoreRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The backup center component of ACK clusters assumes this role to access your resources in Cloud Backup and OSS."
policy_name     = "AliyunCSManagedBackupRestoreRolePolicy"

AliyunCSManagedEdgeRole

The control component of ACK Edge clusters assumes this role to access resources in SAG, VPC, and CEN.

name            = "AliyunCSManagedEdgeRole"
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
description     = "The control component of ACK Edge clusters assumes this role to access your resources in SAG, VPC, and Cloud CEN."
policy_name     = "AliyunCSManagedEdgeRolePolicy"

Next steps

References