Container Service for Kubernetes:ACK default roles

Last Updated: Oct 24, 2023

When you activate Container Service for Kubernetes (ACK), you must assign the ACK default roles to the ACK service account. ACK then assumes these roles to call other Alibaba Cloud services on your behalf, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS, and Server Load Balancer (SLB), when it creates clusters and saves cluster logs. This topic lists the permissions that each ACK default role grants. Review them before you authorize the roles: several of the listed actions (releasing ECS instances, changing security group rules, running Cloud Assistant commands on instances, passing RAM roles and attaching RAM policies) reach well beyond a single cluster, so treat the roles as highly privileged identities and audit their trust policies and attached policies accordingly.

Role permissions

The following table describes the ACK default roles.

Role

Description

AliyunCSDefaultRole

ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, VPC, SLB, Auto Scaling, and Resource Orchestration Service (ROS).

AliyunCSManagedKubernetesRole

By default, an ACK managed cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Container Registry.

AliyunCSServerlessKubernetesRole

By default, an ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone.

AliyunCSKubernetesAuditRole

The auditing feature of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Log Service.

AliyunCSManagedNetworkRole

The network plug-in of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in ECS and VPC.

AliyunCSManagedCsiRole

The volume plug-in of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in ECS and NAS.

AliyunCSManagedCmsRole

The monitoring component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in CloudMonitor and Log Service.

AliyunCSManagedLogRole

The Log Service component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Log Service.

AliyunCSManagedVKRole

The Virtual Node component of ACK Serverless clusters assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, and Elastic Container Instance.

AliyunCSManagedArmsRole

The application monitoring component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS).

AliyunCSManagedAcrRole

The aliyun-acr-credential-helper component of ACK managed clusters and ACK Serverless clusters assumes this role to pull images from Container Registry.

AliyunCSManagedNlcRole

The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools.

AliyunCSManagedAutoScalerRole

The auto scaling component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Auto Scaling and ECS.

AliyunCSManagedSecurityRole

The Secret encryption component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Key Management Service (KMS).

AliyunCSManagedCostRole

The cost analysis component of ACK managed clusters and ACK Serverless clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance.

AliyunCSManagedNimitzRole

The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun.

AliyunCSManagedBackupRestoreRole

The backup center component of ACK managed clusters assumes this role to access resources in Cloud Backup and OSS.

AliyunCSManagedEdgeRole

The control plane components of ACK edge clusters assume this role to access resources in Smart Access Gateway (SAG), Virtual Private Cloud (VPC), and Cloud Enterprise Network (CEN).
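
Auditing a role against this table, as an added example that is not part of the original page or of ACK: the script below parses RAM permission and trust policy documents (the `Version: "1"` / `Statement` format that RAM uses), applies RAM's evaluation rule that an explicit Deny overrides any Allow and that `*` is the only wildcard, and reports three things for one role: documented actions the attached policy no longer grants (a functional gap), granted actions that match nothing in the documented list (privilege drift), and wildcard patterns that need a manual look. It also lists every principal in the trust policy other than the expected service principal. The documented set is the AliyunCSManagedNetworkRole table from this page; the policy documents and the `cs.aliyuncs.com` service principal are constructed assumptions, so replace them with the output of the RAM GetPolicyVersion and GetRole API operations for the real role.

```python
"""Audit one ACK default role: attached policy vs. the documented action list,
and trust policy vs. the expected service principal.

Added example; not Alibaba Cloud or ACK code. The policy documents and the
service principal below are constructed assumptions.
"""
import json
import re

# Actions this page documents for AliyunCSManagedNetworkRole.
DOCUMENTED_ACTIONS = {
    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
    "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
    "ecs:DeleteNetworkInterface", "ecs:DescribeInstanceAttribute",
    "ecs:AssignPrivateIpAddresses", "ecs:UnassignPrivateIpAddresses",
    "ecs:DescribeInstances", "vpc:DescribeVSwitches",
}

# Constructed sample of a policy that has drifted from the documented set:
# vpc:DescribeVSwitches is gone, ecs:Create* and ram:PassRole were added,
# and a Deny statement carves out ecs:CreateSnapshot.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateNetworkInterface", "ecs:Describe*",
            "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
            "ecs:DeleteNetworkInterface", "ecs:AssignPrivateIpAddresses",
            "ecs:UnassignPrivateIpAddresses", "ecs:Create*", "ram:PassRole"]},
        {"Effect": "Deny", "Resource": "*", "Action": "ecs:CreateSnapshot"},
    ],
})

# Constructed sample trust policy: the expected service principal plus a stray
# RAM principal. "cs.aliyuncs.com" is an assumption; use the value GetRole returns.
EXPECTED_SERVICES = {"cs.aliyuncs.com"}
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["cs.aliyuncs.com"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"RAM": ["acs:ram::<account-id>:root"]}},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(action, pattern):
    # RAM action patterns support only "*"; everything else is literal.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None


def policy_patterns(policy_json):
    """Return (allow_patterns, deny_patterns) from a RAM permission policy."""
    allow, deny = set(), set()
    for st in json.loads(policy_json)["Statement"]:
        (allow if st.get("Effect") == "Allow" else deny).update(_as_list(st.get("Action", [])))
    return allow, deny


def action_allowed(action, allow, deny):
    """RAM evaluation: an explicit Deny wins over any Allow."""
    return any(_match(action, p) for p in allow) and not any(_match(action, p) for p in deny)


def audit_actions(policy_json, documented):
    allow, deny = policy_patterns(policy_json)
    return {
        # documented actions the policy no longer grants (the component may break)
        "missing": sorted(a for a in documented if not action_allowed(a, allow, deny)),
        # granted patterns that match no documented action (privilege drift)
        "undocumented": sorted(p for p in allow if not any(_match(d, p) for d in documented)),
        # wildcards that do cover documented actions but may grant far more
        "wildcards": sorted(p for p in allow if "*" in p),
    }


def foreign_principals(trust_policy_json, expected_services):
    """Principals other than the expected service(s) that may assume the role."""
    found = []
    for st in json.loads(trust_policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        for kind, principals in st.get("Principal", {}).items():
            found += [f"{kind}:{p}" for p in _as_list(principals)
                      if not (kind == "Service" and p in expected_services)]
    return found


if __name__ == "__main__":
    print(json.dumps(audit_actions(SAMPLE_POLICY, DOCUMENTED_ACTIONS), indent=2))
    print("foreign principals:", foreign_principals(SAMPLE_TRUST_POLICY, EXPECTED_SERVICES))
```

Run the same audit for each role in the table above with its own documented set. A non-empty `undocumented` list or a non-service principal in the trust policy is the finding to chase; entries under `wildcards` are not wrong by themselves (this page documents `ecs:Describe*` and `ecs:Create*` for several roles) but each one should be justified by the component that needs it.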

AliyunCSDefaultRole

By default, AliyunCSDefaultRole is used to access resources of other cloud services when you perform operations on ACK clusters.

ECS-related permissions

Permission (Action)

Description

ecs:RunInstances

Starts an ECS instance.

ecs:RenewInstance

Renews an ECS instance.

ecs:Create*

Creates ECS resources, such as ECS instances and disks.

ecs:AllocatePublicIpAddress

Assigns a public IP address to an ECS instance.

ecs:AllocateEipAddress

Assigns an elastic IP address (EIP) to an ECS instance.

ecs:Delete*

Deletes ECS resources, such as ECS instances and disks.

ecs:StartInstance

Starts an ECS instance.

ecs:StopInstance

Stops an ECS instance.

ecs:RebootInstance

Restarts an ECS instance.

ecs:Describe*

Queries ECS resources.

ecs:AuthorizeSecurityGroup

Specifies inbound rules for a security group.

ecs:RevokeSecurityGroup

Deletes an inbound security group rule. After the rule is deleted, the access control that the rule implemented is removed.

ecs:AuthorizeSecurityGroupEgress

Specifies outbound rules for a security group.

ecs:AttachDisk

Attaches a disk to an ECS instance.

ecs:DetachDisk

Detaches a disk from an ECS instance.

ecs:WaitFor*

Waits for the execution of a task.

ecs:AddTags

Adds tags to ECS resources.

ecs:ReplaceSystemDisk

Replaces the system disk of an ECS instance.

ecs:ModifyInstanceAttribute

Modifies the attributes of an ECS instance.

ecs:JoinSecurityGroup

Adds an ECS instance to a security group.

ecs:LeaveSecurityGroup

Removes an ECS instance from a security group.

ecs:UnassociateEipAddress

Detaches an EIP from an ECS instance.

ecs:ReleaseEipAddress

Releases an EIP.

ecs:CreateKeyPair

Creates an SSH key pair.

ecs:ImportKeyPair

Imports the public key of an RSA key pair that was generated by a third-party tool.

ecs:AttachKeyPair

Binds an SSH key pair to one or more Linux instances.

ecs:DetachKeyPair

Unbinds an SSH key pair from one or more Linux instances.

ecs:DeleteKeyPairs

Deletes one or more SSH key pairs.

ecs:AttachInstanceRamRole

Attaches a RAM role to one or more ECS instances.

ecs:DetachInstanceRamRole

Detaches a RAM role from one or more ECS instances.

ecs:AllocateDedicatedHosts

Creates one or more pay-as-you-go or subscription dedicated hosts.

ecs:CreateOrder

Creates an order to purchase ECS instances.

ecs:DeleteInstance

Releases a pay-as-you-go ECS instance or an expired subscription ECS instance.

ecs:CreateDisk

Creates one or more pay-as-you-go or subscription data disks.

ecs:Createvpc

Creates a VPC for an ECS instance.

ecs:Deletevpc

Deletes the VPC that is connected to an ECS instance.

ecs:DeleteVSwitch

Deletes the vSwitch that is connected to an ECS instance.

ecs:ResetDisk

Rolls back a disk to a specific point in time based on a snapshot of the disk.

ecs:DeleteSnapshot

Deletes a specified snapshot.

ecs:CreateVSwitch

Creates a vSwitch for an ECS instance.

ecs:DeleteSecurityGroup

Deletes a security group.

ecs:CreateImage

Creates a custom image.

ecs:RemoveTags

Deletes tags from an ECS instance.

ecs:ReleaseDedicatedHost

Releases a pay-as-you-go dedicated host.

ecs:CreateInstance

Creates a subscription or pay-as-you-go ECS instance.

ecs:RevokeSecurityGroupEgress

Deletes an outbound security group rule. After the rule is deleted, the access control implemented by it is removed.

ecs:DeleteDisk

Deletes a pay-as-you-go data disk.

ecs:CreateSecurityGroup

Creates a security group.

ecs:DeleteImage

Deletes a custom image.

ecs:ModifyInstanceSpec

Modifies the instance type of ECS instances or public bandwidth of a pay-as-you-go ECS instance.

ecs:CreateSnapshot

Creates a snapshot for a cloud disk.

ecs:CreateCommand

Creates a Cloud Assistant command.

ecs:InvokeCommand

Triggers a Cloud Assistant command on one or more ECS instances.

ecs:StopInvocation

Stops the process of a running Cloud Assistant command on one or more ECS instances.

ecs:DeleteCommand

Deletes a Cloud Assistant command.

ecs:RunCommand

Creates a Cloud Assistant command of the shell, PowerShell, or batch type, and runs the command on one or more ECS instances.

ecs:DescribeInvocationResults

Queries the result of running a Cloud Assistant command on a specified ECS instance.

ecs:ModifyCommand

Modifies a Cloud Assistant command.

VPC-related permissions

Permission (Action)

Description

vpc:Describe*

Queries VPC resources.

vpc:AllocateEipAddress

Allocates an EIP.

vpc:AssociateEipAddress

Binds an EIP to an ECS instance.

vpc:UnassociateEipAddress

Unbinds an EIP from an ECS instance.

vpc:ReleaseEipAddress

Releases an EIP.

vpc:CreateRouteEntry

Creates a route entry.

vpc:DeleteRouteEntry

Deletes a route entry.

vpc:CreateVSwitch

Creates a vSwitch.

vpc:DeleteVSwitch

Deletes a vSwitch.

vpc:CreateVpc

Creates a VPC.

vpc:DeleteVpc

Deletes a VPC.

vpc:CreateNatGateway

Creates a NAT gateway.

vpc:DeleteNatGateway

Deletes a specified NAT gateway.

vpc:CreateSnatEntry

Adds a SNAT entry to a SNAT table.

vpc:DeleteSnatEntry

Deletes a specified SNAT entry.

vpc:ModifyEipAddressAttribute

Modifies the name, description, and maximum bandwidth of a specified EIP.

vpc:CreateForwardEntry

Adds a DNAT entry to a DNAT table.

vpc:DeleteBandwidthPackage

Deletes a specified NAT service plan.

vpc:CreateBandwidthPackage

Creates a NAT service plan.

vpc:DeleteForwardEntry

Deletes a specified DNAT entry.

vpc:TagResources

Creates and adds tags to resources.

vpc:DeletionProtection

Enables or disables deletion protection for an instance.

SLB-related permissions

Permission (Action)

Description

slb:Describe*

Queries SLB resources.

slb:CreateLoadBalancer

Creates an SLB instance.

slb:DeleteLoadBalancer

Deletes an SLB instance.

slb:RemoveBackendServers

Removes backend servers from an SLB instance.

slb:StartLoadBalancerListener

Starts a specified listener.

slb:StopLoadBalancerListener

Stops a specified listener.

slb:CreateLoadBalancerTCPListener

Creates a TCP listener for an SLB instance.

slb:AddBackendServers

Adds backend servers to an SLB instance.

slb:CreateVServerGroup

Creates a vServer group and adds backend servers to the vServer group.

slb:CreateLoadBalancerHTTPSListener

Creates an HTTPS listener for an SLB instance.

slb:CreateLoadBalancerUDPListener

Creates a User Datagram Protocol (UDP) listener.

slb:ModifyLoadBalancerInternetSpec

Changes the billing method of a public-facing SLB instance.

slb:SetBackendServers

Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances.

slb:AddVServerGroupBackendServers

Adds backend servers to a vServer group.

slb:DeleteVServerGroup

Deletes a vServer group.

slb:ModifyVServerGroupBackendServers

Changes the backend servers of a vServer group.

slb:CreateLoadBalancerHTTPListener

Creates an HTTP listener for an SLB instance.

slb:RemoveVServerGroupBackendServers

Removes backend servers from a vServer group.

slb:DeleteLoadBalancerListener

Deletes a listener of an SLB instance.

slb:AddTags

Adds tags to a specified SLB instance.

slb:RemoveTags

Removes tags from a specified SLB instance.

slb:SetLoadBalancerDeleteProtection

Enables or disables deletion protection for an SLB instance.

DNS-related permissions

Permission (Action)

Description

dns:Describe*

Queries DNS resources.

dns:AddDomainRecord

Adds a DNS record.

ApsaraDB RDS-related permissions

Permission (Action)

Description

rds:Describe*

Queries RDS resources.

rds:ModifySecurityIps

Modifies the IP address whitelist of an ApsaraDB RDS instance.

ROS-related permissions

Permission (Action)

Description

ros:Describe*

Queries ROS resources.

ros:WaitConditions

Waits for the execution of an ROS script.

ros:AbandonStack

Abandons a stack: removes the stack but retains the resources that it created.

ros:DeleteStack

Deletes a stack.

ros:CreateStack

Creates a stack.

ros:UpdateStack

Updates a stack.

ros:ValidateTemplate

Validates an ROS template.

ros:DoActions

Performs actions.

ros:InquiryStack

Queries a stack.

ros:SetDeletionProtection

Enables or disables deletion protection.

ros:PreviewStack

Previews a stack.

Auto Scaling-related permissions

Permission (Action)

Description

ess:Describe*

Queries Auto Scaling (ESS) resources.

ess:CreateScalingConfiguration

Creates a scaling configuration.

ess:EnableScalingGroup

Enables a scaling group.

ess:ExitStandby

Switches the status of a standby ECS instance in a scaling group to running.

ess:DetachDBInstances

Removes one or more RDS instances from a scaling group.

ess:DetachLoadBalancers

Removes one or more SLB instances from a scaling group.

ess:AttachInstances

Adds one or more ECS instances to a scaling group.

ess:DeleteScalingConfiguration

Deletes a scaling configuration.

ess:AttachLoadBalancers

Attaches one or more SLB instances to a scaling group.

ess:DetachInstances

Removes one or more ECS instances from a scaling group.

ess:ModifyScalingRule

Modifies a scaling rule.

ess:RemoveInstances

Removes ECS instances from a specified scaling group.

ess:ModifyScalingGroup

Modifies a scaling group.

ess:AttachDBInstances

Attaches one or more ApsaraDB RDS instances to a scaling group.

ess:CreateScalingRule

Creates a scaling rule.

ess:DeleteScalingRule

Deletes a scaling rule.

ess:ExecuteScalingRule

Runs a scaling rule.

ess:SetInstancesProtection

Enables or disables protection for one or more ECS instances in a scaling group.

ess:ModifyNotificationConfiguration

Modifies a notification configuration for auto scaling events and resource changes.

ess:CreateNotificationConfiguration

Creates a notification configuration for auto scaling events and resource changes.

ess:EnterStandby

Switches the status of an ECS instance in the scaling group to standby.

ess:DeleteScalingGroup

Deletes a scaling group.

ess:CreateScalingGroup

Creates a scaling group.

ess:DeleteNotificationConfiguration

Deletes a notification configuration for auto scaling events and resource changes.

ess:DisableScalingGroup

Disables a scaling group.

ess:ModifyScalingConfiguration

Modifies a scaling configuration.

ess:SetGroupDeletionProtection

Enables or disables deletion protection for a scaling group.

RAM-related permissions

Permission (Action)

Description

ram:PassRole

Passes a RAM role to another cloud service so that the service can assume it, for example when ACK attaches an instance RAM role to an ECS node.

ram:Get*

Queries Resource Access Management (RAM) resources, such as roles, policies, and policy versions.

ram:List*

Lists RAM resources, such as roles and the policies attached to them.

ram:DetachPolicyFromRole

Detaches a policy from a RAM role.

ram:AttachPolicyToRole

Attaches a policy to a RAM role.

ram:DeletePolicy

Deletes a specified permission policy.

ram:DeletePolicyVersion

Deletes a policy of a specified version.

ram:DeleteRole

Deletes a RAM role.

ram:CreateRole

Creates a RAM role.

ram:CreatePolicy

Creates a RAM policy.

ram:CreateServiceLinkedRole

Creates a service-linked role for a cloud service.
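
The RAM actions above deserve the closest reading, because they compose with actions in the ECS table into paths that widen a compromised role's reach. The script below, an added example that is not part of the original page or of ACK, encodes a few such compositions as chains and checks a RAM policy document for them, honoring Deny statements and `*` wildcards the way RAM does. The chain definitions state general RAM and ECS semantics (a principal that can attach policies to roles can widen its own role; `ram:PassRole` together with the ability to launch or re-role an ECS instance lets it obtain any passable role's credentials from that instance's metadata service; the Cloud Assistant command actions give command execution on ECS instances). Both sample policies are constructed: one is shaped like the AliyunCSDefaultRole actions on this page, the other like AliyunCSManagedNetworkRole.

```python
"""Find privilege-escalation chains in a RAM permission policy.

Added example; not Alibaba Cloud or ACK code. The chain definitions encode
general RAM/ECS semantics; the sample policies are constructed.
"""
import json
import re

# name -> list of slots; each slot lists alternative actions, and every slot
# must be satisfied by at least one granted action for the chain to fire.
ESCALATION_CHAINS = {
    "attach any policy to any role (self-grant)": [
        ["ram:AttachPolicyToRole"]],
    "obtain another role's credentials through an ECS instance": [
        ["ram:PassRole"],
        ["ecs:AttachInstanceRamRole", "ecs:RunInstances", "ecs:CreateInstance"]],
    "run commands on ECS instances (Cloud Assistant)": [
        ["ecs:RunCommand", "ecs:InvokeCommand"]],
    "open security group ingress": [
        ["ecs:AuthorizeSecurityGroup"]],
}

# Constructed sample shaped like the AliyunCSDefaultRole actions on this page,
# with a Deny carved out for ecs:RunCommand to show that Deny wins.
DEFAULT_ROLE_LIKE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecs:Describe*", "ecs:Create*", "ecs:RunInstances", "ecs:AttachInstanceRamRole",
        "ecs:AuthorizeSecurityGroup", "ecs:RunCommand", "ecs:InvokeCommand",
        "ram:PassRole", "ram:AttachPolicyToRole", "ram:Get*", "ram:List*"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["ecs:RunCommand"]},
]})

# Constructed sample shaped like the AliyunCSManagedNetworkRole actions.
NETWORK_ROLE_LIKE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
        "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface",
        "ecs:DeleteNetworkInterface", "ecs:DescribeInstanceAttribute",
        "ecs:AssignPrivateIpAddresses", "ecs:UnassignPrivateIpAddresses",
        "ecs:DescribeInstances", "vpc:DescribeVSwitches"]},
]})


def _match(action, pattern):
    # RAM action patterns support only "*"; everything else is literal.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None


def granted(action, policy_json):
    """True if some Allow statement covers the action and no Deny statement does."""
    allow, deny = set(), set()
    for st in json.loads(policy_json)["Statement"]:
        acts = st.get("Action", [])
        (allow if st.get("Effect") == "Allow" else deny).update(
            acts if isinstance(acts, list) else [acts])
    return any(_match(action, p) for p in allow) and not any(_match(action, p) for p in deny)


def find_chains(policy_json, chains=ESCALATION_CHAINS):
    """Return {chain name: [granted action that fills each slot]} for completed chains."""
    hits = {}
    for name, slots in chains.items():
        used = []
        for alternatives in slots:
            got = next((a for a in alternatives if granted(a, policy_json)), None)
            if got is None:
                break          # this slot cannot be filled; chain is not complete
            used.append(got)
        else:
            hits[name] = used  # every slot filled
    return hits


if __name__ == "__main__":
    for label, policy in (("default-role-like", DEFAULT_ROLE_LIKE),
                          ("network-role-like", NETWORK_ROLE_LIKE)):
        print(label, json.dumps(find_chains(policy), indent=2))
```

ACK needs these actions for cluster management, so a hit is not a misconfiguration in itself; the output tells you what a compromise of the role's credentials would yield, which is the information you need when deciding how tightly to restrict who can assume it and how closely to watch its ActionTrail events.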

CloudMonitor-related permissions

Permission (Action)

Description

cms:CreateMyGroups

Creates private application groups.

cms:AddMyGroupInstances

Adds resources to a private application group.

cms:DeleteMyGroupInstances

Deletes resources from a private application group.

cms:DeleteMyGroups

Deletes private application groups.

cms:GetMyGroups

Queries private application groups.

cms:ListMyGroups

Lists private application groups.

cms:UpdateMyGroupInstances

Updates resources in a private application group.

cms:UpdateMyGroups

Updates private application groups.

cms:TaskConfigCreate

Creates a monitoring job configuration.

cms:TaskConfigList

Lists monitoring job configurations.

Auto Scaling-related permissions

Permission (Action)

Description

ess:CreateLifecycleHook

Creates one or more lifecycle hooks for a scaling group.

ess:DescribeLifecycleHooks

Queries lifecycle hooks.

ess:ModifyLifecycleHook

Modifies a lifecycle hook.

ess:DeleteLifecycleHook

Deletes a lifecycle hook.

ENS-related permissions

Permission (Action)

Description

ens:Describe*

Queries Edge Node Service (ENS) resources.

ens:CreateInstance

Creates an ENS instance.

ens:StartInstance

Starts an ENS instance.

ens:StopInstance

Stops an ENS instance.

ens:ReleasePrePaidInstance

Releases a subscription instance.

AliyunCSManagedKubernetesRole

An ACK managed cluster assumes AliyunCSManagedKubernetesRole to access resources of other cloud services.

ECS-related permissions

Permission (Action)

Description

ecs:Describe*

Queries ECS resources.

ecs:CreateRouteEntry

Creates a route entry.

ecs:DeleteRouteEntry

Deletes a route entry.

ecs:CreateNetworkInterface

Creates an elastic network interface (ENI).

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:CreateNetworkInterfacePermission

Grants an Alibaba Cloud service permission to attach an ENI.

ecs:DeleteNetworkInterfacePermission

Revokes an ENI permission that was granted to an Alibaba Cloud service.

ecs:ModifyInstanceAttribute

Modifies the attributes of an ECS instance.

ecs:AttachKeyPair

Binds an SSH key pair to one or more Linux instances.

ecs:StopInstance

Stops an instance.

ecs:StartInstance

Starts an instance.

ecs:ReplaceSystemDisk

Replaces the system disk or the operating system of an ECS instance.

SLB-related permissions

Permission (Action)

Description

slb:Describe*

Queries SLB resources.

slb:CreateLoadBalancer

Creates an SLB instance.

slb:DeleteLoadBalancer

Deletes an SLB instance.

slb:ModifyLoadBalancerInternetSpec

Changes the billing method of a public-facing SLB instance.

slb:RemoveBackendServers

Removes backend servers.

slb:AddBackendServers

Adds backend servers to an SLB instance.

slb:RemoveTags

Removes tags from a specified SLB instance.

slb:AddTags

Adds tags to a specified SLB instance.

slb:StopLoadBalancerListener

Stops a listener.

slb:StartLoadBalancerListener

Starts a listener.

slb:SetLoadBalancerHTTPListenerAttribute

Modifies the configuration of an HTTP listener.

slb:SetLoadBalancerHTTPSListenerAttribute

Modifies the configuration of an HTTPS listener.

slb:SetLoadBalancerTCPListenerAttribute

Modifies the configuration of a TCP listener.

slb:SetLoadBalancerUDPListenerAttribute

Modifies the configuration of a UDP listener.

slb:CreateLoadBalancerHTTPSListener

Creates an HTTPS listener for an SLB instance.

slb:CreateLoadBalancerHTTPListener

Creates an HTTP listener for an SLB instance.

slb:CreateLoadBalancerTCPListener

Creates a TCP listener for an SLB instance.

slb:CreateLoadBalancerUDPListener

Creates a User Datagram Protocol (UDP) listener.

slb:DeleteLoadBalancerListener

Deletes a listener of an SLB instance.

slb:CreateVServerGroup

Creates a vServer group and adds backend servers to it.

slb:DescribeVServerGroups

Queries vServer groups.

slb:DeleteVServerGroup

Deletes a vServer group.

slb:SetVServerGroupAttribute

Modifies the configurations of a vServer group.

slb:DescribeVServerGroupAttribute

Queries the information about a vServer group.

slb:ModifyVServerGroupBackendServers

Changes the backend servers of a vServer group.

slb:AddVServerGroupBackendServers

Adds backend servers to a vServer group.

slb:ModifyLoadBalancerInstanceSpec

Modifies the specifications of an SLB instance.

slb:RemoveVServerGroupBackendServers

Removes backend servers from a vServer group.

VPC-related permissions

Permission (Action)

Description

vpc:Describe*

Queries VPC resources.

vpc:DeleteRouteEntry

Deletes a custom route entry.

vpc:CreateRouteEntry

Creates a custom route entry.

Container Registry-related permissions

Permission (Action)

Description

cr:Get*

Queries Container Registry-related resources.

cr:List*

Queries image repositories.

cr:PullRepository

Pulls an image.

AliyunCSServerlessKubernetesRole

By default, an ACK Serverless cluster assumes AliyunCSServerlessKubernetesRole to access resources of other cloud services.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVSwitches

Queries created vSwitches.

vpc:DescribeVpcs

Queries created VPCs.

vpc:AssociateEipAddress

Associates an EIP with a cloud resource in the same region.

vpc:DescribeEipAddresses

Queries created EIPs in a specified region.

vpc:AllocateEipAddress

Allocates an EIP.

vpc:ReleaseEipAddress

Releases a specified EIP.

vpc:AddCommonBandwidthPackageIp

Associates an EIP with an EIP bandwidth plan.

vpc:RemoveCommonBandwidthPackageIp

Disassociates an EIP from an EIP bandwidth plan.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeSecurityGroups

Queries the basic information about security groups.

ecs:CreateNetworkInterface

Creates an ENI.

ecs:CreateNetworkInterfacePermission

Grants an Alibaba Cloud service permission to attach an ENI.

ecs:DescribeNetworkInterfaces

Queries ENIs.

ecs:AttachNetworkInterface

Attaches an ENI to an ECS instance in a VPC.

ecs:DetachNetworkInterface

Detaches an ENI from an ECS instance.

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:DeleteNetworkInterfacePermission

Revokes an ENI permission that was granted to an Alibaba Cloud service.

SLB-related permissions

Permission (Action)

Description

slb:Describe*

Queries SLB resources.

slb:CreateLoadBalancer

Creates an SLB instance.

slb:DeleteLoadBalancer

Deletes a pay-as-you-go SLB instance.

slb:RemoveBackendServers

Removes backend servers.

slb:StartLoadBalancerListener

Starts a listener.

slb:StopLoadBalancerListener

Stops a listener.

slb:DeleteLoadBalancerListener

Deletes a listener of an SLB instance.

slb:CreateLoadBalancerTCPListener

Creates a TCP listener for an SLB instance.

slb:AddBackendServers*

Adds backend servers.

slb:UploadServerCertificate

Uploads a server certificate.

slb:CreateLoadBalancerHTTPListener

Creates an HTTP listener for an SLB instance.

slb:CreateLoadBalancerHTTPSListener

Creates an HTTPS listener for an SLB instance.

slb:CreateLoadBalancerUDPListener

Creates a User Datagram Protocol (UDP) listener.

slb:ModifyLoadBalancerInternetSpec

Changes the billing method of a public-facing SLB instance.

slb:CreateRules

Adds forwarding rules to a specified HTTP or HTTPS listener.

slb:DeleteRules

Deletes forwarding rules.

slb:SetRule

Modifies a forwarding rule of an HTTP or HTTPS listener.

slb:CreateVServerGroup

Creates a vServer group and adds backend servers to it.

slb:SetVServerGroupAttribute

Modifies the configurations of a vServer group.

slb:AddVServerGroupBackendServers

Adds backend servers to a vServer group.

slb:RemoveVServerGroupBackendServers

Removes backend servers from a vServer group.

slb:ModifyVServerGroupBackendServers

Changes the backend servers of a vServer group.

slb:DeleteVServerGroup

Deletes a vServer group.

slb:SetLoadBalancerTCPListenerAttribute

Modifies the configuration of a TCP listener.

slb:SetLoadBalancerHTTPListenerAttribute

Modifies the configuration of an HTTP listener.

slb:SetLoadBalancerHTTPSListenerAttribute

Modifies the configuration of an HTTPS listener.

slb:AddTags

Adds tags to a specified SLB instance.

Alibaba Cloud DNS PrivateZone-related permissions

Permission (Action)

Description

AddZone

Creates a private zone.

DeleteZone

Deletes a private zone.

DescribeZones

Queries private zones.

DescribeZoneInfo

Queries the information about a specified private zone.

BindZoneVpc

Binds a private zone to a VPC or unbinds a private zone from a VPC.

AddZoneRecord

Adds a DNS record to a private zone.

DeleteZoneRecord

Deletes a DNS record.

DeleteZoneRecordsByRR

Deletes DNS records.

DescribeZoneRecordsByRR

Queries DNS records.

DescribeZoneRecords

Queries DNS records.

Container Registry-related permissions

Permission (Action)

Description

cr:Get*

Queries Container Registry resources.

cr:List*

Lists image repositories.

cr:PullRepository

Pulls an image.

Elastic Container Instance-related permissions

Permission (Action)

Description

CreateContainerGroup

Creates a container group.

DeleteContainerGroup

Deletes a container group.

DescribeContainerGroups

Queries the information about one or more container groups.

DescribeContainerLog

Queries the logs of a pod.

UpdateContainerGroup

Updates an elastic container instance.

UpdateContainerGroupByTemplate

Updates an elastic container instance by template.

CreateContainerGroupFromTemplate

Creates an elastic container instance by using a template.

RestartContainerGroup

Restarts an elastic container instance.

ExportContainerGroupTemplate

Exports an elastic container instance template.

DescribeContainerGroupMetric

Queries the monitoring data of an elastic container instance.

DescribeMultiContainerGroupMetric

Queries the monitoring data of multiple container groups.

ExecContainerCommand

Runs a command in a container.

CreateImageCache

Creates an image cache.

DescribeImageCaches

Queries the information about an image cache.

DeleteImageCache

Deletes an image cache.

RAM-related permissions

Permission (Action)

Description

ram:PassRole

Passes a RAM role to another cloud service so that the service can assume it.

OSS-related permissions

Permission (Action)

Description

oss:GetObject

Downloads an object.

oss:GetObjectMeta

Queries the metadata information about an object.

Function Compute-related permissions

Permission (Action)

Description

fc:CreateService

Creates a service.

fc:ListServices

Queries services.

fc:GetService

Queries a specified service.

fc:UpdateService

Updates a specified service.

fc:DeleteService

Deletes a specified service.

fc:CreateFunction

Creates a function.

fc:ListFunctions

Queries the functions of a service.

fc:GetFunction

Queries the configurations of a specified function.

fc:GetFunctionCode

Queries the code of a function.

fc:UpdateFunction

Updates a function, including its configurations and code.

fc:DeleteFunction

Deletes a specified function.

fc:CreateTrigger

Creates a function trigger.

fc:ListTriggers

Queries the triggers of a function.

fc:GetTrigger

Queries a specified trigger.

fc:UpdateTrigger

Updates the configurations of a specified trigger.

fc:DeleteTrigger

Deletes the triggers of a specified function.

fc:PublishServiceVersion

Publishes a service version.

fc:ListServiceVersions

Lists the versions of a service.

fc:DeleteServiceVersion

Deletes a service version.

fc:CreateAlias

Creates an alias that points to a service version.

fc:ListAliases

Queries all aliases of the current Alibaba Cloud account in the current region.

fc:GetAlias

Queries the information about an alias.

fc:UpdateAlias

Updates the service version that an alias points to.

fc:DeleteAlias

Deletes an alias.

AliyunCSKubernetesAuditRole

The auditing feature of ACK assumes AliyunCSKubernetesAuditRole to access resources of other cloud services.

Permission (Action)

Description

log:CreateProject

Creates a project.

log:GetProject

Queries a project by name.

log:DeleteProject

Deletes a specified project.

log:CreateLogStore

Creates a Logstore in a project.

log:GetLogStore

Queries the attributes of a Logstore.

log:UpdateLogStore

Updates the attributes of a Logstore.

log:DeleteLogStore

Deletes a Logstore.

log:CreateConfig

Creates a log collection configuration.

log:UpdateConfig

Updates a log collection configuration.

log:GetConfig

Queries the details of a log collection configuration.

log:DeleteConfig

Deletes a specified log collection configuration.

log:CreateMachineGroup

Creates a machine group to apply log collection configurations.

log:UpdateMachineGroup

Updates a machine group.

log:GetMachineGroup

Queries the information about a specified machine group.

log:DeleteMachineGroup

Deletes a machine group.

log:ApplyConfigToGroup

Applies a Logtail configuration file to a machine group.

log:GetAppliedMachineGroups

Lists the machines to which a Logtail configuration is applied.

log:GetAppliedConfigs

Lists the Logtail configurations that are applied to a machine group.

log:RemoveConfigFromMachineGroup

Removes Logtail configurations from a machine group.

log:CreateIndex

Creates indexes for a Logstore.

log:GetIndex

Queries the indexes of a Logstore.

log:UpdateIndex

Updates the indexes of a Logstore.

log:DeleteIndex

Deletes indexes from a Logstore.

log:CreateSavedSearch

Creates a saved search.

log:GetSavedSearch

Queries a saved search.

log:UpdateSavedSearch

Updates a saved search.

log:DeleteSavedSearch

Deletes a saved search.

log:CreateDashboard

Creates a dashboard.

log:GetDashboard

Queries a dashboard.

log:UpdateDashboard

Updates a dashboard.

log:DeleteDashboard

Deletes a dashboard.

log:CreateJob

Creates a task, for example, an alert or a subscription.

log:GetJob

Queries a job.

log:DeleteJob

Deletes a job.

log:UpdateJob

Updates a task.

log:PostLogStoreLogs

Writes logs to a Logstore.

AliyunCSManagedNetworkRole

The network component of an ACK cluster assumes AliyunCSManagedNetworkRole to access resources of other cloud services.

Permission (Action)

Description

ecs:CreateNetworkInterface

Creates an ENI.

ecs:DescribeNetworkInterfaces

Queries ENIs.

ecs:AttachNetworkInterface

Attaches an ENI to a VPC-connected ECS instance.

ecs:DetachNetworkInterface

Detaches an ENI from an ECS instance.

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:DescribeInstanceAttribute

Queries the information about one or more ECS instances.

ecs:AssignPrivateIpAddresses

Assigns one or more secondary private IP addresses to an ENI.

ecs:UnassignPrivateIpAddresses

Unassigns one or more secondary private IP addresses from an ENI.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

vpc:DescribeVSwitches

Queries the information about one or more vSwitches.

AliyunCSManagedCsiRole

The volume plug-in of an ACK cluster assumes AliyunCSManagedCsiRole to access resources of other cloud services.

ECS-related permissions

Permission (Action)

Description

ecs:AttachDisk

Attaches a pay-as-you-go data disk or a system disk to an ECS instance.

ecs:DetachDisk

Detaches a pay-as-you-go disk from an ECS instance.

ecs:DescribeDisks

Queries one or more cloud disks and local disks that you have created.

ecs:CreateDisk

Creates one or more pay-as-you-go or subscription data disks.

ecs:ResizeDisk

Resizes a cloud disk. You can resize a system disk or a data disk.

ecs:CreateSnapshot

Creates a snapshot for a cloud disk.

ecs:DeleteSnapshot

Deletes a specified snapshot. If you call this operation to delete a snapshot that is being created, the associated snapshot creation task is also canceled.

ecs:CreateAutoSnapshotPolicy

Creates an automatic snapshot policy.

ecs:ApplyAutoSnapshotPolicy

Attaches an automatic snapshot policy to one or more disks.

ecs:CancelAutoSnapshotPolicy

Disables an automatic snapshot policy for one or more cloud disks.

ecs:DeleteAutoSnapshotPolicy

Deletes an automatic snapshot policy.

ecs:DescribeAutoSnapshotPolicyEX

Queries automatic snapshot policies that you have created.

ecs:ModifyAutoSnapshotPolicyEx

Modifies an automatic snapshot policy.

ecs:AddTags

Attaches tags to an ECS instance.

ecs:DescribeTags

Queries tags.

ecs:DescribeSnapshots

Queries all the snapshots of an ECS instance or a disk.

ecs:ListTagResources

Queries the tags that are added to one or more ECS resources.

ecs:TagResources

Adds tags to specified ECS resources.

ecs:UntagResources

Removes tags from specified ECS resources. After a tag is removed from a resource, it is automatically deleted if it is not added to other resources.

ecs:ModifyDiskSpec

Upgrades the performance level of an enhanced SSD (ESSD).

ecs:DeleteDisk

Deletes a pay-as-you-go data disk.

ecs:DescribeInstanceAttribute

Queries all attributes of an ECS instance.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

NAS-related permissions

Permission (Action)

Description

nas:DescribeFileSystems

Queries the information about file systems.

nas:DescribeMountTargets

Queries the information about mount targets.

nas:AddTags

Adds one or more tags to a file system or overwrites one or more tags of a file system.

nas:DescribeTags

Queries existing tags.

nas:RemoveTags

Detaches one or more tags from a file system.

nas:CreateFileSystem

Creates a file system.

nas:DeleteFileSystem

Deletes a file system.

nas:ModifyFileSystem

Modifies the description of a file system.

nas:CreateMountTarget

Creates a mount target.

nas:DeleteMountTarget

Deletes a mount target.

nas:ModifyMountTarget

Modifies a mount target.

AliyunCSManagedCmsRole

The CloudMonitor component of an ACK cluster assumes AliyunCSManagedCmsRole to access resources of other cloud services.

Permission (Action)

Description

cms:DescribeMonitorGroups

Queries application groups.

cms:DescribeMonitorGroupInstances

Queries the resources in a specified application group.

cms:CreateMonitorGroup

Creates an application group.

cms:DeleteMonitorGroup

Deletes a specified application group.

cms:ModifyMonitorGroupInstances

Modifies the resources in an application group.

cms:CreateMonitorGroupInstances

Adds resources to an application group.

cms:DeleteMonitorGroupInstances

Deletes resources from an application group.

cms:TaskConfigCreate

Creates a monitoring job configuration.

cms:TaskConfigList

Lists monitoring job configurations.

cms:DescribeMetricList

Queries the time series metrics of a cloud service in a specified period.

cs:DescribeMonitorToken

Queries the token that is required to use the CloudMonitor component.

ahas:GetSentinelAppSumMetric

Queries the metrics that are monitored by the AHAS Sentinel application.

log:GetLogStoreLogs

Queries logs in a Logstore.

slb:DescribeMetricList

Queries the time series metrics of a cloud service in a specified period.

sls:GetLogs

Queries logs in a Logstore of a specified project in Log Service.

sls:PutLogs

Updates logs in a Logstore of a specified project in Log Service.

AliyunCSManagedLogRole

The Logtail component of ACK assumes AliyunCSManagedLogRole to access resources of other cloud services.

Permission (Action)

Description

log:CreateProject

Creates a project.

log:GetProject

Queries a project by name.

log:DeleteProject

Deletes a specified project.

log:CreateLogStore

Creates a Logstore in a project.

log:GetLogStore

Queries the attributes of a Logstore.

log:UpdateLogStore

Updates the attributes of a Logstore.

log:DeleteLogStore

Deletes a Logstore.

log:CreateConfig

Creates a log collection configuration.

log:UpdateConfig

Updates a log collection configuration.

log:GetConfig

Queries the details of a log collection configuration.

log:DeleteConfig

Deletes a specified log collection configuration.

log:CreateMachineGroup

Creates a machine group to apply log collection configurations.

log:UpdateMachineGroup

Updates a machine group.

log:GetMachineGroup

Queries the information about a specified machine group.

log:DeleteMachineGroup

Deletes a machine group.

log:ApplyConfigToGroup

Applies a Logtail configuration file to a machine group.

log:GetAppliedMachineGroups

Lists the machines to which a Logtail configuration is applied.

log:GetAppliedConfigs

Lists the Logtail configurations that are applied to a machine group.

log:RemoveConfigFromMachineGroup

Removes Logtail configurations from a machine group.

log:CreateIndex

Creates indexes for a Logstore.

log:GetIndex

Queries the indexes of a Logstore.

log:UpdateIndex

Updates the indexes of a Logstore.

log:DeleteIndex

Deletes indexes from a Logstore.

log:CreateSavedSearch

Creates a saved search.

log:GetSavedSearch

Queries a saved search.

log:UpdateSavedSearch

Updates a saved search.

log:DeleteSavedSearch

Deletes a saved search.

log:CreateDashboard

Creates a dashboard.

log:GetDashboard

Queries a dashboard.

log:UpdateDashboard

Updates a dashboard.

log:DeleteDashboard

Deletes a dashboard.

log:CreateJob

Creates a task, for example, an alert or a subscription.

log:GetJob

Queries a job.

log:DeleteJob

Deletes a task.

log:UpdateJob

Updates a task.

log:PostLogStoreLogs

Writes logs to a Logstore.

log:CreateSortedSubStore

Creates a sorted sub-Logstore.

log:GetSortedSubStore

Queries a sorted sub-Logstore.

log:ListSortedSubStore

Lists sorted sub-Logstores.

log:UpdateSortedSubStore

Updates a sorted sub-Logstore.

log:DeleteSortedSubStore

Deletes a sorted sub-Logstore.

log:CreateApp

Creates applications, such as Cost Manager and Log Audit Service.

log:UpdateApp

Updates applications, such as Cost Manager and Log Audit Service.

log:GetApp

Queries applications, such as Cost Manager and Log Audit Service.

log:DeleteApp

Deletes applications, such as Cost Manager and Log Audit Service.

cs:DescribeTemplates

Queries container templates.

cs:DescribeTemplateAttribute

Queries the attributes of a container template.

AliyunCSManagedVKRole

The Virtual Node component of ACK clusters assumes AliyunCSManagedVKRole to access resources in other cloud services.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVSwitches

Queries vSwitches in a VPC.

vpc:DescribeVpcs

Queries created VPCs.

vpc:AssociateEipAddress

Binds an EIP to a cloud service instance in the same region.

vpc:DescribeEipAddresses

Queries created EIPs in a specified region.

vpc:AllocateEipAddress

Applies for an EIP.

vpc:ReleaseEipAddress

Releases a specified EIP.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeSecurityGroups

Queries the basic information about security groups.

ecs:CreateNetworkInterface

Creates an ENI.

ecs:CreateNetworkInterfacePermission

Grants permissions to create an ENI.

ecs:DescribeNetworkInterfaces

Queries ENIs.

ecs:AttachNetworkInterface

Attaches an ENI to a VPC-connected ECS instance.

ecs:DetachNetworkInterface

Detaches an ENI from an ECS instance.

ecs:DeleteNetworkInterface

Deletes an ENI.

ecs:DeleteNetworkInterfacePermission

Grants permissions to delete an ENI.

Permissions on Alibaba Cloud DNS PrivateZone resources

Permission (Action)

Description

pvtz:AddZone

Creates a private zone.

pvtz:DeleteZone

Deletes a private zone.

pvtz:DescribeZones

Queries private zones.

pvtz:DescribeZoneInfo

Queries the information about a specified private zone.

pvtz:BindZoneVpc

Binds a private zone to a VPC or unbinds a private zone from a VPC.

pvtz:AddZoneRecord

Adds a DNS record to a private zone.

pvtz:DeleteZoneRecord

Deletes a DNS record.

pvtz:DeleteZoneRecordsByRR

Deletes DNS records.

pvtz:DescribeZoneRecordsByRR

Queries DNS records.

pvtz:DescribeZoneRecords

Queries DNS records.

Elastic Container Instance-related permissions

Permission (Action)

Description

eci:CreateContainerGroup

Creates a pod.

eci:DeleteContainerGroup

Deletes a pod.

eci:DescribeContainerGroups

Queries the information about multiple pods.

eci:DescribeContainerLog

Queries the logs of a pod.

eci:UpdateContainerGroup

Updates a pod.

eci:UpdateContainerGroupByTemplate

Updates an elastic container instance by using a template.

eci:CreateContainerGroupFromTemplate

Creates an elastic container instance by using a template.

eci:RestartContainerGroup

Restarts an elastic container instance.

eci:ExportContainerGroupTemplate

Exports an elastic container instance template.

eci:DescribeContainerGroupMetric

Queries the monitoring data of an elastic container instance.

eci:DescribeMultiContainerGroupMetric

Queries the monitoring data of multiple pods.

eci:ExecContainerCommand

Runs commands on a container.

eci:CreateImageCache

Creates an image cache.

eci:DescribeImageCaches

Queries the information about image caches.

eci:DeleteImageCache

Deletes an image cache.

AliyunCSManagedArmsRole

The ARMS monitoring agent of an ACK cluster assumes AliyunCSManagedArmsRole to access resources of other cloud services.

Permission (Action)

Description

arms:CreateApp

Creates an application monitoring job.

arms:DeleteApp

Deletes an application monitoring job.

arms:ConfigAgentLabel

Modifies the tags of the application monitoring agent.

arms:GetAssumeRoleCredentials

Queries the key that is required for a RAM user to assume a RAM role during application monitoring.

arms:CreateProm

Creates a monitoring job based on Alibaba Cloud Prometheus Monitoring.

arms:SearchEvents

Queries alert event records.

arms:SearchAlarmHistories

Queries the records of sending alerts.

arms:SearchAlertRules

Queries monitoring alert rules.

arms:GetAlertRules

Obtains monitoring alert rules.

arms:CreateAlertRules

Creates monitoring alert rules.

arms:UpdateAlertRules

Updates monitoring alert rules.

arms:StartAlertRule

Enables a monitoring alert rule.

arms:StopAlertRule

Disables a monitoring alert rule.

arms:CreateContact

Creates an alert contact.

arms:SearchContact

Queries an alert contact.

arms:UpdateContact

Updates an alert contact.

arms:CreateContactGroup

Creates an alert contact group.

arms:SearchContactGroup

Queries an alert contact group.

arms:UpdateContactGroup

Updates an alert contact group.

AliyunCSManagedAcrRole

The aliyun-acr-credential-helper component of ACK managed clusters and ACK Serverless clusters assumes this role to pull images from Container Registry.

Permission (Action)

Description

cr:GetAuthorizationToken

Queries a temporary username and a password that you use to log on to a Container Registry instance.

cr:ListInstanceEndpoint

Queries endpoints of an instance.

cr:PullRepository

Pulls an image.

AliyunCSManagedNlcRole

The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools.

ECS-related permissions

Permission (Action)

Description

ecs:ModifyInstanceAttribute

Modifies the information about an ECS instance, such as the password, name, description, hostname, security groups, and user data. If the instance is a burstable instance, you can also change its performance mode.

ecs:AttachKeyPair

Binds an SSH key pair to one or more Linux instances.

ecs:StopInstance

Stops an ECS instance that is in the Running state. After the operation is called, the state of the instance changes to Stopping and then to Stopped.

ecs:StartInstance

Starts an ECS instance. After the operation is called, the ECS instance changes to the Running state.

ecs:DescribeInvocations

Queries the list and states of Cloud Assistant command invocations.

ecs:DescribeInstanceAttribute

Queries the attributes of an ECS instance, such as the instance ID and description.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

ecs:DeleteInstance

Releases a pay-as-you-go ECS instance or an expired subscription ECS instance.

ecs:RunCommand

Runs a shell, PowerShell, or batch command on one or more ECS instances.

ecs:DescribeInvocationResults

Queries the result of running one or more Cloud Assistant commands on an ECS instance.

ecs:ReplaceSystemDisk

Replaces the system disk or the operating system of an ECS instance. After the system disk is replaced, the ID of the system disk changes and the original disk is released.

ecs:DescribeUserData

Queries the user data of an ECS instance.

Auto Scaling-related permissions

Permission (Action)

Description

ess:DescribeScalingGroups

Queries scaling groups.

ess:DescribeScalingConfigurations

Queries scaling configurations.

ACK-related permissions

Permission (Action)

Description

cs:RepairClusterNodePool

Fixes the issues on specified nodes in a specified managed node pool.

cs:DescribeClusterNodePoolDetail

Queries the details about a node pool in a cluster by node pool ID.

cs:DescribeTaskInfo

Queries the execution details about a task by task ID.

cs:FixNodePoolVuls

Automatically fixes node pool vulnerabilities in a specified cluster.

cs:CancelTask

Cancels a task.

cs:PauseTask

Pauses a task.

cs:ResumeTask

Resumes a task.

cs:DescribeNodePoolVuls

Queries node pool vulnerabilities in a specified cluster.

AliyunCSManagedAutoScalerRole

The auto scaling component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Auto Scaling, ECS, ACK, and VPC.

Auto Scaling-related permissions

Permission (Action)

Description

ess:DescribeScalingGroups

Queries scaling groups.

ess:DescribeScalingInstances

Queries information about the ECS instances in a scaling group.

ess:DescribeScalingActivities

Queries scaling activities.

ess:DescribeScalingConfigurations

Queries scaling configurations.

ess:DescribeScalingRules

Queries information about the scaling rules in a scaling group.

ess:DescribeScheduledTasks

Queries scheduled tasks.

ess:DescribeLifecycleHooks

Queries lifecycle hooks.

ess:DescribeNotificationConfigurations

Queries notifications that you create for scaling activities and resource changes.

ess:DescribeNotificationTypes

Queries the types of notifications that you create for scaling activities and resource changes.

ess:DescribeRegions

Queries the regions in which Auto Scaling is available.

ess:CreateScalingRule

Creates a scaling rule.

ess:ModifyScalingGroup

Modifies a scaling group.

ess:RemoveInstances

Removes one or more ECS instances or elastic container instances from a scaling group.

ess:ExecuteScalingRule

Executes a scaling rule.

ess:ModifyScalingRule

Modifies a scaling rule.

ess:DeleteScalingRule

Deletes a scaling rule.

ess:DetachInstances

Removes one or more ECS instances from a scaling group.

ess:CompleteLifecycleAction

Takes a scaling activity out of the wait state in advance.

ess:ScaleWithAdjustment

Scales instances in a scaling group based on the specified scaling policy.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeInstanceTypes

Queries the details of all instance types or a specific instance type provided by ECS.

ecs:DescribeImages

Queries available OS images.

ACK-related permissions

Permission (Action)

Description

cs:DeleteClusterNodes

Removes specified nodes from a cluster by node names.

cs:DescribeClusterNodes

Queries the details about all nodes in a cluster by cluster ID.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVSwitches

Queries the information about available vSwitches that are used in an internal network.

AliyunCSManagedSecurityRole

The Secret encryption component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Key Management Service (KMS).

KMS-related permissions

Permission (Action)

Description

kms:GetSecretValue

Queries a secret value.

kms:ListSecrets

Queries all secrets of the current user in the current region.

kms:ListKeys

Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region.

kms:ListSecretVersionIds

Queries all versions of a secret.

kms:ListAliasesByKeyId

Queries all aliases that are bound to a specified CMK.

kms:SetDeletionProtection

Enables or disables deletion protection for a CMK.

kms:DescribeKey

Queries the details of a CMK.

kms:Encrypt

Encrypts plaintext by using a symmetric CMK.

kms:Decrypt

Decrypts the ciphertext specified by CiphertextBlob.

AliyunCSManagedCostRole

The cost analysis component of ACK managed clusters and ACK Serverless clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance.

BSS OpenAPI-related permissions

Permission (Action)

Description

bssapi:QueryInstanceBill

Queries the billing information about instances or billable items in a billing cycle. This operation has been upgraded to DescribeInstanceBill. You can call the QueryInstanceBill operation to query a maximum of 50,000 data rows in a bill.

bssapi:DescribeInstanceBill

Queries the billing information about instances or billable items in a billing cycle.

ECS-related permissions

Permission (Action)

Description

ecs:DescribeDisks

Queries one or more Elastic Block Storage (EBS) devices that you have created, including cloud disks and local disks.

ecs:DescribeSpotPriceHistory

Queries the price history of a preemptible instance in the last 30 days.

ecs:DescribeInstances

Queries the details of one or more ECS instances.

ecs:DescribePrice

Queries the most recent prices of ECS resources.

Elastic Container Instance-related permissions

Permission (Action)

Description

eci:DescribeContainerGroupPrice

Queries the price of an elastic container instance.

AliyunCSManagedNimitzRole

The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun.

eflo-related permissions

Permission (Action)

Description

eflo:ListNetworkInterfaces

Queries Lingjun network interfaces (LNIs).

eflo:GetNetworkInterface

Queries information about a specified LNI.

eflo:AssignPrivateIpAddress

Applies for a private secondary IP address for the current LNI. You can also call this operation to assign a secondary MAC address to the current LNI.

eflo:UnAssignPrivateIpAddress

Deletes an assigned secondary private IP address.

eflo:UpdateNetworkInterfacePrivateMac

Changes the MAC address of an LNI.

AliyunCSManagedBackupRestoreRole

The backup center component of ACK managed clusters assumes this role to access resources in Cloud Backup and OSS.

Cloud Backup-related permissions

Permission (Action)

Description

hbr:CreateVault

Creates a backup vault.

hbr:CreateBackupJob

Creates a backup task.

hbr:DescribeVaults

Queries the information about one or more backup vaults that meet the specified conditions.

hbr:DescribeBackupJobs2

Queries the information about one or more backup jobs that meet the specified conditions.

hbr:DescribeRestoreJobs

Queries a restoration task.

hbr:SearchHistoricalSnapshots

Queries the information about one or more backup snapshots that meet the specified conditions.

hbr:CreateRestoreJob

Creates a restoration task.

hbr:AddContainerCluster

Registers a Kubernetes cluster.

hbr:DescribeContainerCluster

Queries one or more Kubernetes clusters.

hbr:DescribeRestoreJobs2

Queries one or more restoration tasks.

OSS-related permissions

Permission (Action)

Description

oss:PutObject

Uploads an object.

oss:IsObjectExist

Queries whether an object exists.

oss:ListObjects

Lists the information about all objects in a bucket.

oss:GetObject

Queries an object.

oss:DeleteObject

Deletes an object.

oss:GetBucket

Queries information about a bucket.

AliyunCSManagedEdgeRole

The control plane components of ACK edge clusters assume this role to access resources in SAG, VPC, and CEN.

SAG-related permissions

Permission (Action)

Description

smartag:BindSmartAccessGateway

Associates an SAG instance with a specified Cloud Connect Network (CCN) instance.

smartag:UnbindSmartAccessGateway

Disassociates an SAG instance from a specified CCN instance.

smartag:GrantSagInstanceToCcn

Authorizes an SAG instance to communicate with a CCN instance that belongs to another account.

smartag:RevokeSagInstanceFromCcn

Disallows an SAG instance from communicating with a CCN instance that belongs to another account.

VPC-related permissions

Permission (Action)

Description

vpc:DescribeVpcs

Queries created VPCs.

vpc:DescribeRouteEntryList

Queries route entries.

CEN-related permissions

Permission (Action)

Description

cen:DescribePublishedRouteEntries

Queries whether the routes of VPCs and VBRs are advertised to the CEN instance to which the VPCs and VBRs are attached.

cen:PublishRouteEntries

Advertises the routes of a VPC or a VBR to a CEN instance to which the VPC or VBR is attached.

cen:WithdrawPublishedRouteEntries

Withdraws the routes of a VPC or a VBR from a CEN instance.