All Products
Search

This Product

    Container Service for Kubernetes:Grant permissions

    Document Center

    Container Service for Kubernetes:Grant permissions

    Last Updated:Mar 26, 2026

    Container Intelligent Service (CIS) requires access to your Elastic Compute Service (ECS) instances, Virtual Private Cloud (VPC), Server Load Balancer (SLB) instances, and other resources to run cluster diagnostics and inspections. This access is granted through the AliyunCISDefaultRole service role. Assign this role once, and CIS can call the required APIs to inspect and diagnose your ACK clusters.

    Prerequisites

    Before you begin, ensure that you have:

    • An Alibaba Cloud account, or a Resource Access Management (RAM) user with administrator permissions

    Assign the service role

    If you have previously used CIS, the AliyunCISDefaultRole role may already be assigned. To confirm, check whether you can access cluster diagnostics and inspections in the CIS console without being prompted to authorize.

    1. Log on to the CIS console.

    2. Click Go to RAM authorization to open the Cloud Resource Access Authorization page, then click Agree to Authorization.

    3. After authorization completes, refresh the CIS console page to start using diagnostics and inspections.

    Permissions granted by AliyunCISDefaultRole

    The following tables list all permissions granted to CIS through AliyunCISDefaultRole.

    ECS-related permissions

    CIS uses these permissions to inspect ECS instance configurations, security groups, network interfaces, and bandwidth, and to run diagnostic commands during active inspections.

    Permission Description Purpose
    ecs:DescribeInstances Queries details of one or more ECS instances Identify cluster nodes and their configurations
    ecs:DescribeInstanceStatus Queries the status of one or more ECS instances Check node availability during diagnostics
    ecs:DescribeInstanceTypes Queries available ECS instance types Validate node instance type configurations
    ecs:DescribeInstanceTypeFamilies Queries available ECS instance type families Validate node instance family configurations
    ecs:DescribeInstanceAttribute Queries the details of a specific ECS instance Inspect individual node attributes
    ecs:CreateDiagnosticReport Creates a resource diagnostic report Run instance-level diagnostics
    ecs:DescribeDiagnosticReports Queries resource diagnostic reports Retrieve diagnostic report results
    ecs:DescribeDiagnosticReportAttributes Queries the details of a diagnostic report Inspect diagnostic report details
    ecs:DescribeDiagnosticMetricSets Queries diagnostic metric sets Access available diagnostic metrics
    ecs:DescribeDiagnosticMetrics Queries diagnostic metrics Retrieve specific diagnostic metric data
    ecs:DescribeSecurityGroupAttribute Queries the rules of a security group Inspect security group rules for network diagnostics
    ecs:DescribeSecurityGroups Queries basic information about security groups List security groups associated with cluster nodes
    ecs:DescribeSecurityGroupReferences Checks whether a security group is referenced by other security group rules Detect cross-group rule dependencies
    ecs:DescribeBandwidthLimitation Queries bandwidth resources Check bandwidth limits during network diagnostics
    ecs:DescribeCloudAssistantStatus Checks whether Cloud Assistant Agent is installed on ECS instances Verify Cloud Assistant availability before running commands
    ecs:DescribeCommands Queries Cloud Assistant commands List diagnostic commands available on nodes
    ecs:DescribeInvocationResults Queries the execution results of Cloud Assistant commands on ECS instances Retrieve command output during active diagnostics
    ecs:DescribeNetworkInterfaces Queries elastic network interfaces (ENIs) Inspect ENI configurations for network diagnostics
    ecs:CreateCommand Creates a Cloud Assistant command Create diagnostic scripts for active inspections
    ecs:InvokeCommand Triggers a Cloud Assistant command on one or more ECS instances Run diagnostic commands on nodes during active inspections
    ecs:StopInvocation Stops a running Cloud Assistant command on one or more ECS instances Cancel diagnostic commands if needed
    ecs:RunCommand Runs a shell, PowerShell, or batch command on ECS instances Execute diagnostic scripts directly on nodes

    VPC-related permissions

    CIS uses these permissions to inspect VPC topology, routing, NAT gateways, and network access control lists (ACLs) for network diagnostics.

    Permission Description Purpose
    vpc:DescribeVpcs Queries your VPCs Identify the VPC associated with the cluster
    vpc:DescribeVpcAttribute Queries the configuration of a VPC Inspect VPC settings during network diagnostics
    vpc:DescribeVSwitches Queries your vSwitches List vSwitches used by cluster nodes
    vpc:DescribeVSwitchAttributes Queries the details of a vSwitch Inspect vSwitch configuration and available IP addresses
    vpc:DescribeRouteTableList Queries route tables List route tables associated with the cluster VPC
    vpc:DescribeRouteEntryList Queries route entries Inspect routing rules for network path diagnostics
    vpc:DescribeNatGateways Queries NAT gateways in a region Check NAT gateway configuration for outbound traffic diagnostics
    vpc:DescribeEipAddresses Queries elastic IP addresses (EIPs) in a region Inspect EIP bindings for public access diagnostics
    vpc:DescribeRouteTables Queries route table information Retrieve detailed route table data
    vpc:DescribeSnatTableEntries Queries SNAT entries Inspect SNAT rules for outbound connectivity diagnostics
    vpc:DescribeNetworkAcls Queries network ACLs List network ACLs that may affect cluster traffic
    vpc:DescribeNetworkAclAttributes Queries the details of a network ACL Inspect ACL rules for network diagnostics

    SLB-related permissions

    CIS uses these permissions to inspect Server Load Balancer (SLB) instances, listener configurations, backend server groups, and health status for load balancer diagnostics.

    Permission Description Purpose
    slb:DescribeLoadBalancers Queries your SLB instances Identify SLB instances associated with cluster services
    slb:DescribeLoadBalancerAttribute Queries the details of an SLB instance Inspect SLB configuration during diagnostics
    slb:DescribeVServerGroups Queries vServer groups List backend server groups for cluster services
    slb:DescribeVServerGroupAttribute Queries the details of a vServer group Inspect backend server group configuration
    slb:DescribeLoadBalancerTCPListenerAttribute Queries the configuration of a TCP listener Inspect TCP listener settings for diagnostics
    slb:DescribeLoadBalancerUDPListenerAttribute Queries the configuration of a UDP listener Inspect UDP listener settings for diagnostics
    slb:DescribeAccessControlLists Queries network ACLs List ACLs applied to SLB listeners
    slb:DescribeAccessControlListAttribute Queries the configuration of a network ACL Inspect ACL rules applied to SLB listeners
    slb:DescribeLoadBalancerListeners Queries the listeners of an SLB instance List all listeners for a given SLB instance
    slb:DescribeHealthStatus Queries the health status of backend servers Check backend server health during diagnostics

    Simple Log Service-related permissions

    CIS uses this permission to access Logstore metadata for log-based diagnostics.

    Permission Description Purpose
    sls:GetLogStore Queries the details of a Logstore Access log data for cluster diagnostics

    ACK-related permissions

    CIS uses these permissions to inspect ACK cluster details, node pools, tasks, and component upgrade status.

    Permission Description Purpose
    cs:DescribeClusterDetail Queries the details of an ACK cluster Retrieve cluster configuration for diagnostics
    cs:DescribeClusterResources Queries all resources in an ACK cluster Inventory cluster resources during inspections
    cs:DescribeTasks Queries tasks in an ACK cluster Monitor cluster task status during diagnostics
    cs:DescribeTaskInfo Queries task information in an ACK cluster Retrieve details of specific cluster tasks
    cs:DescribeClusterNodePools Queries all node pools in an ACK cluster Inspect node pool configuration and status
    cs:DescribeNodePoolVuls Queries node pool vulnerabilities in an ACK cluster Identify security vulnerabilities in node pools
    cs:DescribeClusterAddonsUpgradeStatus Queries the upgrade progress of cluster components Check component upgrade status during inspections

    Elastic Container Instance-related permissions

    CIS uses these permissions to inspect Elastic Container Instance (ECI) pods and run diagnostic commands on serverless containers.

    Permission Description Purpose
    eci:DescribeContainerGroups Queries information about pods in Elastic Container Instance (ECI) Inspect ECI pod configurations and status
    eci:RunCommand Runs a shell script on an elastic container instance Execute diagnostic scripts on serverless containers
    eci:DescribeCommandResult Queries the execution result of a command Retrieve diagnostic command output from ECI pods
    eci:ListUsage Queries privileges and quotas in a region Check ECI quota usage during diagnostics

    CloudMonitor-related permissions

    CIS uses these permissions to retrieve monitoring metrics and alert data for performance and health diagnostics.

    Permission Description Purpose
    cms:DescribeMetricData Queries monitoring data collected over a period of time Retrieve historical metric data for diagnostics
    cms:DescribeMetricLast Queries the latest monitoring data for a metric Get current metric values during inspections
    cms:DescribeMetricMetaList Queries descriptions of metrics supported by CloudMonitor List available metrics for diagnostic analysis
    cms:DescribeMetricTop Queries sorted monitoring data for an Alibaba Cloud service Identify top resource consumers during diagnostics
    cms:QueryMetricMeta Queries metrics supported by CloudMonitor Retrieve metric metadata for diagnostic queries
    cms:QueryMetricTop Queries monitoring data for an Alibaba Cloud service Retrieve sorted metric data for analysis
    cms:ListMetricMeta Queries metric metadata List metadata for available metrics
    cms:ListMetricMetaProject Queries metric meta projects List metric projects for targeted diagnostics
    cms:QueryMetricData Queries monitoring data for Alibaba Cloud services Retrieve metric data for multiple services
    cms:QueryMetricLast Queries the latest monitoring data for metrics Get the most recent metric values
    cms:DescribeMetricList Queries monitoring data for a specific metric Retrieve time-series data for a specific metric
    cms:QueryMetricList Queries descriptions of metrics supported by CloudMonitor List metric descriptions for diagnostic reference
    cms:MetricMeta Queries metrics supported by CloudMonitor Access metric definitions for diagnostic analysis
    cms:DescribeAlertLogList Queries recent alerts Retrieve alert history during health inspections
    cms:DescribeSystemEventAttribute Queries the details of a system event Inspect system events related to cluster resources
    cms:GetMetricStreamMeta Queries the description of a CloudMonitor metric Retrieve streaming metric metadata

    Quota Center-related permissions

    CIS uses these permissions to check service quotas during diagnostics, helping identify whether quota limits may be affecting cluster operations.

    Permission Description Purpose
    quotas:ListProducts Queries Alibaba Cloud services that support Quota Center List services whose quotas can be inspected
    quotas:ListProductQuotas Queries quotas for an Alibaba Cloud service Retrieve quota limits for cluster-related services
    quotas:ListProductQuotaDimensions Queries quota dimensions supported by an Alibaba Cloud service Access dimension-specific quota data
    quotas:GetProductQuota Queries the details of a quota Inspect a specific quota value and its usage
    quotas:GetProductQuotaDimension Queries the details of a quota dimension Retrieve quota details for a specific dimension

    RAM-related permissions

    CIS uses this permission to verify that the policies attached to the AliyunCISDefaultRole are correctly configured.

    Permission Description Purpose
    ram:ListPoliciesForRole Queries policies attached to a RAM role Verify that the service role has the required policies

    Application Troubleshooting Platform-related permissions

    CIS uses these permissions to upload and analyze diagnostic files on the Application Troubleshooting Platform (ATP) for in-depth root cause analysis.

    Permission Description Purpose
    grace:GetFile Queries information about an analysis file on the Application Troubleshooting Platform (ATP) Retrieve diagnostic file metadata from ATP
    grace:AnalyzeFile Analyzes files on ATP Trigger automated analysis of diagnostic files
    grace:UploadFileByOSS Uploads files to ATP using Object Storage Service (OSS) Upload diagnostic files to ATP via OSS
    grace:UploadFileByURL Uploads files to ATP by specifying URLs Upload diagnostic files to ATP by URL