Container Service for Kubernetes: Permission dependencies for the Container Service console

Last Updated: Mar 26, 2026

Container Service for Kubernetes (ACK) integrates with multiple Alibaba Cloud services. When a RAM user accesses the ACK console, certain console features require permissions on those dependent services. This page lists the dependent services and the minimum required permissions for each ACK console feature.

Important
  • This page covers only the permissions for dependent cloud services. To manage the ACK console itself, also grant the RAM user AliyunCSFullAccess or the required custom permissions. For details, see Use RAM to authorize access to clusters and cloud resources.

  • For dependent services, grant only read-only permissions unless the RAM user needs to create new resources. For example, if the RAM user selects an existing Virtual Private Cloud (VPC) when creating a cluster, grant only AliyunVPCReadOnlyAccess. Grant AliyunVPCFullAccess only if the RAM user needs to create a new VPC.

  • After configuring permissions for dependent services, also use RBAC to manage the operation permissions on the resources in a cluster so that the RAM user can manage cluster resources.
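
As an added illustration of the read-only-first guidance above (not code from Alibaba Cloud), this Python script audits a custom RAM policy document for the create-type actions that the table below lists under Create a cluster. The sample policy and helper names are constructed for the example; Resource and Condition scoping on Allow statements is ignored, so the audit may over-report.

```python
import json
from fnmatch import fnmatch

# Create-type actions from this page's "Create a cluster" rows -> console choice.
CREATE_ACTIONS = {
    "vpc:CreateVpc": "VPC > Create VPC",
    "vpc:CreateVSwitch": "vSwitch > Create vSwitch",
    "slb:CreateLoadBalancer": "SLB Source > Create",
    "ecs:CreateSecurityGroup": "Security Group (create)",
    "alb:CreateLoadBalancer": "ALB Ingress > New",
    "mse:AddGateway": "MSE Ingress > New",
    "log:CreateProject": "Create Project",
}

def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(patterns, action):
    # Case is ignored so the audit errs toward reporting (an assumption here).
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)

def granted_create_actions(policy_json):
    """Return the create-type actions above that the policy still allows."""
    statements = json.loads(policy_json).get("Statement", [])
    allow = [p for s in statements if s.get("Effect") == "Allow"
             for p in _as_list(s.get("Action"))]
    # Honor only unconditional Deny on every resource; narrower ones are ignored.
    deny = [p for s in statements
            if s.get("Effect") == "Deny" and "Condition" not in s
            and _as_list(s.get("Resource")) == ["*"]
            for p in _as_list(s.get("Action"))]
    return sorted(a for a in CREATE_ACTIONS
                  if _matches(allow, a) and not _matches(deny, a))

# Constructed sample policy: wildcards that quietly include create actions.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["vpc:*", "ecs:Describe*", "slb:*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "log:Create*"},
        {"Effect": "Deny", "Resource": "*", "Action": "vpc:Create*"},
    ],
})

if __name__ == "__main__":
    for action in granted_create_actions(SAMPLE_POLICY):
        print(f"{action} is granted; needed only for {CREATE_ACTIONS[action]}")
```

Any action the function returns for a user who only selects existing resources is a candidate for removal from the policy.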

Permission reference

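| Feature | Dependent service | System permission | Action | Resource | Permissions managed in the console |
| --- | --- | --- | --- | --- | --- |
| Apply for more quotas | Quota Center | AliyunQuotasFullAccess | quotas:ListProductQuotas | * | List the quotas for a service. |
| Apply for more quotas | Quota Center | AliyunQuotasFullAccess | quotas:ListProductQuotaDimensions | * | List the quota dimensions supported by a service. |
| Apply for more quotas | Quota Center | AliyunQuotasFullAccess | quotas:ListProductDimensionGroups | * | List the dimension groups for a service. |
| Apply for more quotas | Quota Center | AliyunQuotasFullAccess | quotas:ListDependentQuotas | * | List the quotas that a given quota depends on. |
| Apply for more quotas | Quota Center | AliyunQuotasFullAccess | quotas:CreateQuotaApplication | * | Submit a quota increase application. |
| Create a cluster | Expenses and costs | AliyunBSSFullAccess / AliyunBSSReadOnlyAccess | bssapi:GetPayAsYouGoPrice | * | Display pay-as-you-go pricing for resources selected during cluster creation. |
| Create a cluster | VPC | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVSwitches | * | Cluster Configurations > Network Settings > VPC > Select Existing VPC |
| Create a cluster | VPC | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVpcs | * | Cluster Configurations > Network Settings > vSwitch > Select Existing vSwitch |
| Create a cluster | VPC | AliyunVPCFullAccess | vpc:CreateVpc | * | Cluster Configurations > Network Settings > VPC > Create VPC |
| Create a cluster | VPC | AliyunVPCFullAccess | vpc:CreateVSwitch | * | Cluster Configurations > Network Settings > vSwitch > Create vSwitch |
| Create a cluster | Server Load Balancer (SLB) | AliyunSLBFullAccess / AliyunSLBReadOnlyAccess | slb:DescribeLoadBalancers | * | Cluster Configurations > Network Settings > Access to API Server > SLB Source > Select Existing VPC |
| Create a cluster | Server Load Balancer (SLB) | AliyunSLBFullAccess / AliyunSLBReadOnlyAccess | slb:DescribeLoadBalancerListeners | * | Cluster Configurations > Network Settings > Access to API Server > SLB Source > Select Existing VPC |
| Create a cluster | Server Load Balancer (SLB) | AliyunSLBFullAccess | slb:CreateLoadBalancer | * | Cluster Configurations > Network Settings > Access to API Server > SLB Source > Create |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeSecurityGroups | * | Cluster Configurations > Network Settings > Security Group > Select Existing Security Group |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribePrice | * | Node Pool Configurations > Instance and Image > Instance Type — display pricing for a selected instance type. |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeImages | * | Node Pool Configurations > Instance and Image > Operating System — list custom images and Marketplace images. |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeKeyPairs | * | Node Pool Configurations > Instance and Image > Logon Type > Key Pair |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeDeploymentSets | * | Master Configurations > Deployment Set > Select a deployment set |
| Create a cluster | Elastic Compute Service (ECS) | AliyunECSFullAccess | ecs:CreateSecurityGroup | * | Cluster Configurations > Network Settings > Security Group — create a basic or advanced security group. |
| Create a cluster | Key Management Service (KMS) | AliyunKMSFullAccess / AliyunKMSReadOnlyAccess | kms:ListKeys | * | Cluster Configurations > Advanced Options (Optional) > Secret Encryption > Select Key |
| Create a cluster | Auto Scaling | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribePatternTypes | * | Node Pool Configurations > Instance Configuration Mode > Specify Instance Attributes |
| Create a cluster | ApsaraDB RDS | AliyunRDSFullAccess / AliyunRDSReadOnlyAccess | rds:DescribeDBInstances | * | Node Pool Configurations > Advanced Options (Optional) > RDS Whitelist > Select RDS Instance |
| Create a cluster | Application Load Balancer (ALB) | AliyunALBFullAccess / AliyunALBReadOnlyAccess | alb:ListLoadBalancers | * | Component Configurations > ALB Ingress > ALB Ingress > Existing |
| Create a cluster | Application Load Balancer (ALB) | AliyunALBFullAccess | alb:CreateLoadBalancer | * | Component Configurations > ALB Ingress > ALB Ingress > New |
| Create a cluster | Microservices Engine (MSE) | AliyunMSEFullAccess / AliyunMSEReadOnlyAccess | mse:ListGateway | * | Component Configurations > ALB Ingress > MSE Ingress > Existing |
| Create a cluster | Microservices Engine (MSE) | AliyunMSEFullAccess | mse:AddGateway | * | Component Configurations > ALB Ingress > MSE Ingress > New |
| Create a cluster | Simple Log Service (SLS) | AliyunLogFullAccess / AliyunLogReadOnlyAccess | log:ListProject | * | Component Configurations > Log Service > Select Project; Component Configurations > Control Plane Component Logs > Select Project |
| Create a cluster | Simple Log Service (SLS) | AliyunLogFullAccess | log:CreateProject | * | Component Configurations > Log Service > Create Project; Component Configurations > Control Plane Component Logs > Create Project |
| Cluster Information > Basic Information | VPC | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVSwitches | * | List vSwitches when replacing control plane switches. |
| Cluster Information > Basic Information | VPC | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeEipAddresses | * | List elastic IP addresses (EIPs) when replacing the public endpoint of the API Server. |
| Cluster Information > Basic Information | KMS | AliyunKMSFullAccess / AliyunKMSReadOnlyAccess | kms:ListKeys | * | Enable Secret encryption. |
| Cluster Information > Cluster Monitoring | Application Real-Time Monitoring Service (ARMS) | AliyunARMSFullAccess / AliyunARMSReadOnlyAccess | arms:ListDashboards | * | List Grafana dashboards for the cluster. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:CreateEnvironment | * | Create a Cloud Shell environment and session. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:AttachStorage | * | Create a Cloud Shell environment and session. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:DetachStorage | * | Create a Cloud Shell environment and session. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:CreateSession | * | Create a Cloud Shell environment and session. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:DownloadFile | * | Upload and download files in Cloud Shell. |
| Manage Cluster in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:UploadFile | * | Upload and download files in Cloud Shell. |
| Manage Cluster in Cloud Shell | File Storage NAS (NAS) | AliyunNASFullAccess | nas:DescribeFileSystems | * | Create and bind a NAS file system. |
| Manage Cluster in Cloud Shell | File Storage NAS (NAS) | AliyunNASFullAccess | nas:CreateFileSystem | * | Create and bind a NAS file system. |
| Manage Cluster in Cloud Shell | File Storage NAS (NAS) | AliyunNASFullAccess | nas:DescribeAccessRules | * | Create and bind a NAS file system. |
| Node Pools > Create Node Pool | ECS | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeImages | * | List custom images and Marketplace images when selecting an operating system. |
| Node Pools > Create Node Pool | ECS | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribePrice | * | Display current pricing for ECS instance types. |
| Node Pools > Create Node Pool or Edit | VPC | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVpcs | * | List available VPCs. |
| Node Pools > Logon Mode | ECS | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeKeyPairs | * | List key pairs for SSH logon. |
| Node Pools > Add Existing Node | ECS | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeInstances | * | List ECS instances available to add to the node pool. |
| Node Pools > Add Existing Node | ECS | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeSecurityGroups | * | List security groups. |
| Node Pools > Details > Scaling Activities | Auto Scaling | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribeScalingActivities | * | List scaling activities. |
| Node Pools > Details > Scaling Activities | Auto Scaling | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribeScalingActivityDetail | * | View the details of a scaling activity. |
| Node Pools > Details > Scaling Activities | Auto Scaling | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribeLifecycleActions | * | View the lifecycle actions of scaling activities. |
| Node Pools > Details > Scaling Activities | CloudOps Orchestration Service (OOS) | AliyunOSSFullAccess / AliyunOSSReadOnlyAccess | oos:ListExecutions | * | List OOS execution records associated with scaling activities. |
| Workloads > Create from Image | Container Registry | AliyunContainerRegistryFullAccess / AliyunContainerRegistryReadOnlyAccess | cr:ListInstance | * | List Container Registry instances. |
| Workloads > Create from Image | Container Registry | AliyunContainerRegistryFullAccess / AliyunContainerRegistryReadOnlyAccess | cr:ListInstanceDomain | * | List the domains of a Container Registry instance. |
| Workloads > Create from Image | Container Registry | AliyunContainerRegistryFullAccess / AliyunContainerRegistryReadOnlyAccess | cr:ListRepository | * | List image repositories in a Container Registry instance. |
| Workloads > Create from Image | Container Registry | AliyunContainerRegistryFullAccess / AliyunContainerRegistryReadOnlyAccess | cr:ListArtifactTag | * | List image tags in a Container Registry instance. |
| Applications > Knative > Monitoring Dashboards | ARMS | AliyunARMSFullAccess / AliyunARMSReadOnlyAccess | arms:InstallAddon | * | Install an ARMS add-on. |
| Inspections and Diagnostics > Cluster Inspections and Diagnosis | RAM | AliyunRAMFullAccess / AliyunRAMReadOnlyAccess | ram:GetRole | acs:ram:*:*:role/aliyuncisdefaultrole | Verify that AliyunCISDefaultRole exists — required for fault diagnosis and cluster inspection. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:GetDashboard | * | Query log data and dashboards. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:ListDashboard | * | Query log data and dashboards. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:ListLogStores | * | Query log data and dashboards. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:ListSavedSearch | * | Query log data and dashboards. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:GetLogStoreLogs | * | Query log data and dashboards. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:GetSavedSearch | * | Retrieve a saved log search. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:GetIndex | * | Read and update log index configurations. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:UpdateIndex | * | Read and update log index configurations. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:GetLogStore | * | Read and update log index configurations. |
| Inspections and Diagnostics > Cluster Check > Log | SLS | AliyunLogFullAccess | log:CreateDashboardSharing | * | Create password-free dashboard shares. |
| Operations > Log Center > Control Plane Component Logs | SLS | AliyunLogFullAccess / AliyunLogReadOnlyAccess | log:ListProject | * | List SLS projects to select a Logstore. |
| Operations > Log Center > Network Component Logs | SLS | AliyunLogFullAccess | log:GetProjectLogs | * | Manage ALB Ingress logs. |
| Operations > Log Center > Network Component Logs | SLS | AliyunLogFullAccess | log:GetResourceRecord | * | Manage ALB Ingress logs. |
| Operations > Log Center > Network Component Logs | SLS | AliyunLogFullAccess | log:CreateResourceRecord | * | Manage ALB Ingress logs. |
| Operations > Log Center > Network Component Logs | SLS | AliyunLogFullAccess | log:UpdateResourceRecord | * | Manage ALB Ingress logs. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeVersionConfig | * | Display the purchased Security Center edition. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:GetClusterSuspEventStatistics | * | Display security alert statistics. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListAccountsInResourceDirectory | * | Display security alert statistics. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeMonitorAccounts | * | Display security alert statistics. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeSuspEvents | * | Display security alert statistics. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListGroups | * | Display security alert statistics. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeClusterVulStatistics | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeGroupedVul | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeVulExportInfo | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ExportVul | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-aegis:DescribeVulNumStatistics | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeFixUsedCount | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeVulList | * | Display vulnerability risk statistics and details. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:GetClusterCheckItemWarningStatistics | * | Display baseline risk statistics and items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeRiskType | * | Display baseline risk statistics and items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListCheckItemWarningSummary | * | Display baseline risk statistics and items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ValidateHcWarnings | * | Display baseline risk statistics and items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeCheckWarningMachines | * | Display baseline risk statistics and items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:GetInterceptionSummary | * | Display container firewall alert statistics and history. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListInterceptionHistory | * | Display container firewall alert statistics and history. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListClusterInterceptionConfig | * | Display container firewall alert statistics and history. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeGroupedInstances | * | Support asset and instance queries across Security Inspections pages. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeServiceLinkedRoleStatus | * | Support asset and instance queries across Security Inspections pages. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeVulConfig | * | Support asset and instance queries across Security Inspections pages. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:GetAssetDetailByUuid | * | Support asset and instance queries across Security Inspections pages. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListPluginForUuid | * | Support asset and instance queries across Security Inspections pages. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:IgnoreCheckItems | * | Acknowledge or suppress baseline risk items. |
| Security > Inspections | Security Center | AliyunYundunSASFullAccess | yundun-sas:ListCheckItemWarningMachine | * | List machines affected by container firewall alerts. |
| Storage > Create CNFS File System | Object Storage Service (OSS) | AliyunOSSFullAccess / AliyunOSSReadOnlyAccess | oss:ListBucketsByRegion | * | List OSS buckets when setting File System Type to OSS. |
| Application backup | OSS | AliyunOSSFullAccess / AliyunOSSReadOnlyAccess | oss:ListBucketsByRegion | * | List OSS buckets when creating a backup vault. |
| Authorizations > RAM Users | RAM | AliyunRAMFullAccess / AliyunRAMReadOnlyAccess | ram:ListUserBasicInfos | * | List all RAM users. |
| Authorizations > RAM Roles | RAM | AliyunRAMFullAccess / AliyunRAMReadOnlyAccess | ram:ListRoles | * | List all RAM roles. |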