
Container Service for Kubernetes:Authorization overview

Last Updated:Mar 26, 2026

Distributed Cloud Container Platform for Kubernetes (ACK One) uses three permission layers to control access: service-linked roles, Resource Access Management (RAM) system policies, and Role-Based Access Control (RBAC) permissions. Each layer controls a different scope of access. All three must be in place before a RAM user or RAM role can fully use ACK One.

Who needs to do what

| Role | What you need to configure |
|---|---|
| Alibaba Cloud account holder | Complete service-linked role authorization on first use. No RAM policies or RBAC setup needed — your account has full permissions by default. |
| RAM account administrator | Complete service-linked role authorization on behalf of the organization. Attach RAM system policies to RAM users or RAM roles. Grant RBAC permissions to RAM users or RAM roles on each cluster. |
| RAM user or RAM role | No self-configuration needed. Ask your administrator to attach the required RAM policies and grant RBAC permissions. |

Permission types

ACK One permissions work at two levels:

  • Control-plane permissions (RAM layer): Control who can manage ACK One cluster resources — creating clusters, viewing configurations, and calling ACK One APIs. Covered by service-linked roles and RAM system policies.

  • Data-plane permissions (RBAC layer): Control who can manage Kubernetes objects inside a cluster — deploying applications, managing GitOps pipelines, and running Argo workflows.

Both levels are required for full access. RAM policies alone do not grant access to Kubernetes resources.

| Permission type | Who needs it | What it controls |
|---|---|---|
| Service-linked roles | First-time setup: Alibaba Cloud account or RAM account administrator | ACK One's access to other Alibaba Cloud services |
| RAM system policies | RAM users and RAM roles (Alibaba Cloud accounts have full permissions by default) | Access to ACK One cluster resources via the console and APIs |
| RBAC permissions | RAM users and RAM roles (Alibaba Cloud accounts have full permissions by default) | Access to Kubernetes resources inside ACK One clusters |

Service-linked roles

ACK One assumes service-linked roles to access other Alibaba Cloud services on your behalf — for example, creating elastic container instances to run Argo workflows, or accessing VPC resources during cluster management.

ACK One uses the following service-linked roles. For the full list of permissions each role grants, see Permissions of service-linked roles for ACK One.

| Role name | What it enables |
|---|---|
| AliyunCSDefaultRole | Cluster management access to Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Resource Orchestration Service (ROS), and Auto Scaling. Required for all ACK One features. |
| AliyunServiceRoleForAdcp | Cluster management access to ECS, VPC, and SLB. Required for all ACK One features. |
| AliyunAdcpServerlessKubernetesRole | Gives fleet instances and Kubernetes clusters for distributed Argo workflows access to VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service. Required for all ACK One features. |
| AliyunAdcpManagedMseRole | Gives fleet instances access to Microservices Engine (MSE). Required only when using multi-cluster gateways; does not affect other features. |
| AliyunCSManagedKubernetesRole | Gives fleet instances access to ACK resources. |
| AliyunCSManagedLogRole | Lets the logging component access resources in other Alibaba Cloud services. |
| AliyunCSManagedCmsRole | Lets the Content Management System (CMS) component access resources in other Alibaba Cloud services. |
| AliyunCSManagedArmsRole | Lets the Application Real-Time Monitoring Service (ARMS) plug-in access resources in other Alibaba Cloud services. |

Service-linked roles are created automatically — no manual setup is required. The first time you open the ACK One console, the console prompts you to complete authorization. Follow the on-screen instructions.

Important

Only Alibaba Cloud accounts and RAM account administrators can complete role authorization. Regular RAM users cannot perform this operation. If you see a permissions error, switch to an Alibaba Cloud account or ask your RAM account administrator.

RAM system policies

RAM users and RAM roles have no permissions on Alibaba Cloud services by default. To let a RAM user or RAM role manage ACK One cluster resources, attach one or more of the following system policies.

For instructions, see Attach a system permission policy to a RAM user or RAM role.

| RAM system policy | Permission | Registered clusters | Fleet instances | Workflow clusters |
|---|---|---|---|---|
| AliyunAdcpFullAccess | Read and write all ACK One resources | Yes | Yes | Yes |
| AliyunAdcpReadOnlyAccess | Read-only access to all ACK One resources | Yes | Yes | Yes |
| AliyunCSFullAccess | Read and write all Container Service for Kubernetes (ACK) resources | Yes | Yes | No |
| AliyunCSReadOnlyAccess | Read-only access to all ACK resources | Yes | Yes | No |
| AliyunVPCReadOnlyAccess | Specify a VPC when creating an ACK cluster | Yes | Yes | Yes |
| AliyunECIReadOnlyAccess | Schedule pods to elastic container instances | Yes | Yes | Yes |
| AliyunLogReadOnlyAccess | Select a log project for a cluster, or view configuration inspection data | Yes | Yes | Yes |
| AliyunARMSReadOnlyAccess | View monitoring data from the Managed Service for Prometheus plug-in | Yes | Yes | Yes |
| AliyunRAMReadOnlyAccess | View existing RAM policies | Yes | Yes | Yes |
| AliyunECSReadOnlyAccess | Add existing nodes to an ACK cluster, or view node details | Yes | No | No |
| AliyunContainerRegistryReadOnlyAccess | View application images within an Alibaba Cloud account | Yes | No | No |
| AliyunAHASReadOnlyAccess | Use the cluster topology feature | Yes | No | No |
| AliyunYundunSASReadOnlyAccess | View runtime monitoring data for an ACK cluster | Yes | No | No |
| AliyunKMSReadOnlyAccess | Enable Secret encryption when creating an ACK cluster | Yes | No | No |
| AliyunESSReadOnlyAccess | View, modify, and scale node pools | Yes | No | No |

RBAC permissions

RAM system policies control access to ACK One as a service. They do not grant access to Kubernetes resources inside a cluster. To let a RAM user or RAM role create GitOps applications, manage Argo workflows, or interact with Kubernetes objects in an ACK One cluster, grant RBAC permissions on that cluster and its namespaces.

ACK One provides the following predefined RBAC roles:

Fleet instances and workflow clusters

| RBAC role | Permission scope | Fleet instances | Workflow clusters |
|---|---|---|---|
| admin (administrator) | Read and write access to cluster-wide resources and all namespaces | Yes | Yes |
| dev (developer) | Read and write access to resources in the specified namespace | Yes | Yes |
| gitops-dev (GitOps developer) | Read and write access to application resources in the argocd namespace | Yes | No |

For RBAC permissions on registered clusters, see RBAC permissions on registered clusters.

For instructions on granting RBAC permissions, see Grant RBAC permissions to a RAM user or RAM role.
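The two-layer model described in "Permission types" and "RBAC permissions" (a RAM system policy gates the control plane, an RBAC role binding gates Kubernetes objects, and both are needed before a RAM user or RAM role can deploy) can be checked offline with a small evaluator. The following is an added example written for this page, not Alibaba Cloud's own authorization code. The policy and role tables are transcribed from this page; everything else is an assumption made for the example: "FullAccess" policies are treated as read-write and "ReadOnly" policies as read-only, a deploy action is modelled as requiring control-plane read access to reach the cluster before the RBAC binding is consulted, and the service-specific read-only policies (VPC, ECI, Log, and so on) are not modelled as granting cluster access on their own. The `Principal`, `RbacBinding` and `evaluate` names, the cluster IDs and the user names are constructed for the example.

```python
"""Offline evaluator for the ACK One permission layers described on this page.

Example code written for this page, not Alibaba Cloud's implementation.
Assumptions: FullAccess = read/write, ReadOnly = read; a deploy needs a RAM
policy that covers the cluster type (to reach the cluster) AND an RBAC binding.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Control-plane layer: RAM system policies from the page that grant access to
# ACK One cluster resources, with the cluster types each covers.
RAM_POLICIES = {
    "AliyunAdcpFullAccess":     {"write": True,  "clusters": {"registered", "fleet", "workflow"}},
    "AliyunAdcpReadOnlyAccess": {"write": False, "clusters": {"registered", "fleet", "workflow"}},
    "AliyunCSFullAccess":       {"write": True,  "clusters": {"registered", "fleet"}},
    "AliyunCSReadOnlyAccess":   {"write": False, "clusters": {"registered", "fleet"}},
}

# Data-plane layer: predefined RBAC roles from the page. "cluster" scope covers
# all namespaces; "namespace" scope is bound to one namespace. gitops-dev is
# pinned to the argocd namespace and exists only on fleet instances.
RBAC_ROLES = {
    "admin":      {"scope": "cluster",   "clusters": {"fleet", "workflow"}},
    "dev":        {"scope": "namespace", "clusters": {"fleet", "workflow"}},
    "gitops-dev": {"scope": "namespace", "clusters": {"fleet"}, "fixed_namespace": "argocd"},
}


@dataclass
class RbacBinding:
    cluster: str                      # cluster ID the binding was granted on
    role: str                         # key of RBAC_ROLES
    namespace: Optional[str] = None   # required for namespace-scoped roles


@dataclass
class Principal:
    name: str
    kind: str                         # "account" (Alibaba Cloud account), "ram-user" or "ram-role"
    policies: Set[str] = field(default_factory=set)
    bindings: List[RbacBinding] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def control_plane(p: Principal, cluster_type: str, write: bool) -> Decision:
    """RAM layer. Account holders have full permissions by default (per the page);
    RAM users and roles need an attached policy covering this cluster type."""
    if p.kind == "account":
        return Decision(True, "Alibaba Cloud account: full control-plane permissions by default")
    for name in sorted(p.policies):
        spec = RAM_POLICIES.get(name)   # unknown / service-specific policies grant no cluster access here
        if spec and cluster_type in spec["clusters"] and (spec["write"] or not write):
            return Decision(True, f"RAM policy {name} covers {cluster_type} clusters")
    return Decision(False, "no attached RAM system policy grants this control-plane action")


def data_plane(p: Principal, cluster_id: str, cluster_type: str, namespace: str) -> Decision:
    """RBAC layer. Only bindings on this exact cluster count, and the role must
    exist for this cluster type (gitops-dev is not offered on workflow clusters)."""
    if p.kind == "account":
        return Decision(True, "Alibaba Cloud account: full data-plane permissions by default")
    for b in p.bindings:
        spec = RBAC_ROLES.get(b.role)
        if b.cluster != cluster_id or spec is None or cluster_type not in spec["clusters"]:
            continue
        if spec["scope"] == "cluster":
            return Decision(True, f"RBAC role {b.role} is cluster-wide on {cluster_id}")
        bound_ns = spec.get("fixed_namespace", b.namespace)
        if bound_ns == namespace:
            return Decision(True, f"RBAC role {b.role} is bound to namespace {namespace} on {cluster_id}")
    return Decision(False, f"no RBAC binding grants access to namespace {namespace!r} on {cluster_id}")


def evaluate(p: Principal, clusters: Dict[str, str], cluster_id: str,
             action: str, namespace: Optional[str] = None) -> Decision:
    """Actions: view-cluster / manage-cluster (control plane only) and deploy
    (control-plane read to reach the cluster, then RBAC on the namespace)."""
    cluster_type = clusters[cluster_id]
    if action == "view-cluster":
        return control_plane(p, cluster_type, write=False)
    if action == "manage-cluster":
        return control_plane(p, cluster_type, write=True)
    if action == "deploy":
        cp = control_plane(p, cluster_type, write=False)
        if not cp.allowed:
            return Decision(False, "control plane: " + cp.reason)
        dp = data_plane(p, cluster_id, cluster_type, namespace or "")
        if not dp.allowed:
            return Decision(False, "data plane: " + dp.reason)
        return Decision(True, cp.reason + "; " + dp.reason)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed sample: one fleet instance and one workflow cluster.
    clusters = {"fleet-1": "fleet", "wf-1": "workflow"}
    alice = Principal("alice", "ram-user", {"AliyunAdcpReadOnlyAccess"},
                      [RbacBinding("fleet-1", "dev", "team-a")])
    bob = Principal("bob", "ram-user", {"AliyunAdcpFullAccess"})   # RAM policy only, no RBAC
    for who, args in [(alice, ("fleet-1", "deploy", "team-a")),
                      (alice, ("fleet-1", "deploy", "team-b")),
                      (bob, ("fleet-1", "manage-cluster")),
                      (bob, ("fleet-1", "deploy", "default"))]:
        d = evaluate(who, clusters, *args)
        print(f"{who.name:6} {args}: {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The `bob` case is the one the page warns about: `AliyunAdcpFullAccess` lets him create and manage clusters, but with no RBAC binding the evaluator denies the deploy, which is exactly why the page requires both layers for a RAM user or RAM role.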

What's next