ACK One (Distributed Cloud Container Platform for Kubernetes) uses service-linked roles to access other Alibaba Cloud services on your behalf. This topic describes the service-linked roles for ACK One and their permissions.
Assign the service-linked role
To complete authorization, you must use an Alibaba Cloud account or a RAM account administrator account.
Service-linked roles are created automatically — you don't need to create them manually. The first time you open the ACK One console, the console prompts you to complete authorization. Follow the on-screen instructions to finish.
Only Alibaba Cloud accounts and RAM account administrators can complete role authorization. Regular RAM users cannot perform this operation. If the console shows a permissions error, log in with an Alibaba Cloud account or a RAM account administrator account.
Service-linked roles for ACK One
ACK One uses the following service-linked roles:
| Role name | Purpose | Required |
|---|---|---|
| AliyunCSDefaultRole | Lets ACK One access ECS, VPC, SLB, Resource Orchestration Service (ROS), and Auto Scaling resources during cluster management. | Required for all ACK One features |
| AliyunServiceRoleForAdcp | Lets ACK One access ECS, VPC, and SLB resources during cluster management. | Required for all ACK One features |
| AliyunAdcpServerlessKubernetesRole | Lets ACK One fleet instances and Kubernetes clusters for distributed Argo workflows access VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service resources. | Required for all ACK One features |
| AliyunAdcpManagedMseRole | Lets ACK One fleet instances access Microservices Engine (MSE) resources. | Required only for multi-cluster gateways |
AliyunAdcpManagedMseRole is only needed when you use multi-cluster gateways. It does not affect any other ACK One features.
Permissions of the service-linked roles
AliyunServiceRoleForAdcp
This role grants ACK One access to manage security groups and network interfaces in ECS, route tables and load balancers in VPC, CEN topology, SLB instances, ASM service meshes, RAM applications, and ARMS Prometheus monitoring.
ECS-related permissions
- ecs:CreateSecurityGroup
- ecs:CreateSecurityGroupPermissions
- ecs:DeleteSecurityGroup
- ecs:DescribeAccountAttributes
- ecs:DescribeSecurityGroups
- ecs:AuthorizeSecurityGroup
- ecs:RevokeSecurityGroup
- ecs:AuthorizeSecurityGroupEgress
- ecs:RevokeSecurityGroupEgress
- ecs:DescribeNetworkInterfaces
- ecs:DescribeZones
VPC-related permissions
- vpc:DescribeVpcAttribute
- vpc:DescribeVSwitchAttributes
- vpc:AllocateEipAddress
- vpc:AssociateEipAddress
- vpc:UnassociateEipAddress
- vpc:ReleaseEipAddress
- vpc:DescribeEipAddresses
- vpc:TagResources
- vpc:DeletionProtection
- vpc:DescribeRouteTableList
- vpc:CreateRouteEntry
- vpc:DeleteRouteEntry
- vpc:AcceptVpcPeerConnection
- vpc:GetVpcPeerConnectionAttribute
- vpc:DescribeVSwitches
- vpc:DescribeVpcs
CEN-related permissions
- cen:DescribeCenAttachedChildInstances
- cen:DescribeCens
SLB-related permissions
- slb:DescribeLoadBalancerAttribute
- slb:CreateLoadBalancer
- slb:DeleteLoadBalancer
- slb:StartLoadBalancerListener
- slb:StopLoadBalancerListener
- slb:CreateLoadBalancerTCPListener
- slb:CreateLoadBalancerHTTPListener
- slb:DeleteLoadBalancerListener
- slb:AddTags
- slb:RemoveTags
- slb:SetLoadBalancerDeleteProtection
- slb:SetLoadBalancerModificationProtection
- slb:DescribeZones
- slb:CreateAccessControlList
- slb:DescribeAccessControlLists
- slb:AddAccessControlListEntry
- slb:RemoveAccessControlListEntry
- slb:SetLoadBalancerTCPListenerAttribute
ASM-related permissions
- servicemesh:CreateServiceMesh
- servicemesh:DeleteServiceMesh
- servicemesh:DescribeServiceMeshDetail
- servicemesh:DescribeServiceMeshes
- servicemesh:DescribeServiceMeshKubeconfig
- servicemesh:DescribeServiceMeshLogs
- servicemesh:ModifyServiceMesh
- servicemesh:ModifyServiceMeshName
- servicemesh:DescribeClustersInServiceMesh
- servicemesh:AddClusterIntoServiceMesh
- servicemesh:RemoveClusterFromServiceMesh
- servicemesh:UpdateMeshFeature
- servicemesh:DescribeRegions
- servicemesh:DescribeServiceMeshUpgradeStatus
- servicemesh:DescribeVersions
- servicemesh:RevokeKubeconfig
- servicemesh:UpdateServiceMeshOwner
RAM-related permissions
- ram:CreateApplication
- ram:ListApplications
- ram:ListAppSecretIds
- ram:GetApplication
- ram:UpdateApplication
- ram:CreateAppSecret
- ram:GetAppSecret
- ram:DeleteApplication
- ram:DeleteAppSecret
- ram:CreateApplication
- ram:ListApplications
- ram:ListAppSecretIds
- ram:CreateServiceLinkedRole
ARMS-related permissions
- arms:InstallManagedPrometheus
- arms:UninstallManagedPrometheus
AliyunAdcpServerlessKubernetesRole
This role grants ACK One fleet instances and Argo workflow clusters access to manage elastic IP addresses and vSwitches in VPC, network interfaces in ECS, DNS private zones, Elastic Container Instance container groups, and Simple Log Service projects and Logstores.
VPC-related permissions
- vpc:DescribeVSwitches
- vpc:DescribeVpcs
- vpc:AssociateEipAddress
- vpc:DescribeEipAddresses
- vpc:AllocateEipAddress
- vpc:ReleaseEipAddress
- vpc:AddCommonBandwidthPackageIp
- vpc:RemoveCommonBandwidthPackageIp
ECS-related permissions
- ecs:DescribeSecurityGroups
- ecs:CreateNetworkInterface
- ecs:CreateNetworkInterfacePermission
- ecs:DescribeNetworkInterfaces
- ecs:AttachNetworkInterface
- ecs:DetachNetworkInterface
- ecs:DeleteNetworkInterface
- ecs:DeleteNetworkInterfacePermission
ARMS-related permissions
- arms:GetManagedPrometheusStatus
- arms:InstallManagedPrometheus
- arms:UninstallManagedPrometheus
Alibaba Cloud DNS PrivateZone-related permissions
- pvtz:AddZone
- pvtz:DeleteZone
- pvtz:DescribeZones
- pvtz:DescribeZoneInfo
- pvtz:BindZoneVpc
- pvtz:AddZoneRecord
- pvtz:DeleteZoneRecord
- pvtz:DeleteZoneRecordsByRR
- pvtz:DescribeZoneRecordsByRR
- pvtz:DescribeZoneRecords
Elastic Container Instance-related permissions
- eci:CreateContainerGroup
- eci:DeleteContainerGroup
- eci:DescribeContainerGroups
- eci:DescribeContainerGroupStatus
- eci:DescribeContainerGroupEvents
- eci:DescribeContainerLog
- eci:UpdateContainerGroup
- eci:UpdateContainerGroupByTemplate
- eci:CreateContainerGroupFromTemplate
- eci:RestartContainerGroup
- eci:ExportContainerGroupTemplate
- eci:DescribeContainerGroupMetric
- eci:DescribeMultiContainerGroupMetric
- eci:ResizeContainerGroupVolume
- eci:ExecContainerCommand
- eci:CreateImageCache
- eci:DescribeImageCaches
- eci:DeleteImageCache
Simple Log Service-related permissions
- log:CreateProject
- log:GetProject
- log:DeleteProject
- log:CreateLogStore
- log:GetLogStore
- log:UpdateLogStore
- log:DeleteLogStore
- log:CreateConfig
- log:UpdateConfig
- log:GetConfig
- log:DeleteConfig
- log:CreateMachineGroup
- log:UpdateMachineGroup
- log:GetMachineGroup
- log:DeleteMachineGroup
- log:ApplyConfigToGroup
- log:GetAppliedMachineGroups
- log:GetAppliedConfigs
- log:RemoveConfigFromMachineGroup
- log:CreateIndex
- log:GetIndex
- log:UpdateIndex
- log:DeleteIndex
- log:CreateSavedSearch
- log:GetSavedSearch
- log:UpdateSavedSearch
- log:DeleteSavedSearch
- log:CreateDashboard
- log:GetDashboard
- log:UpdateDashboard
- log:DeleteDashboard
- log:CreateJob
- log:GetJob
- log:DeleteJob
- log:PostLogStoreLogs
- log:UpdateJob
RAM-related permissions
- ram:CreateServiceLinkedRole
AliyunAdcpManagedMseRole
This role grants ACK One fleet instances access to manage gateways, service sources, and traffic control rules in Microservices Engine (MSE), along with Simple Log Service data collection and the ability to create additional service-linked roles.
MSE-related permissions
- mse:AddBlackWhiteList
- mse:AddGateway
- mse:AddServiceSource
- mse:CreateApplication
- mse:DeleteGateway
- mse:GetBlackWhiteList
- mse:GetGateway
- mse:GetGatewayDetail
- mse:GetGatewayOption
- mse:ListServiceSource
- mse:ListTagResources
- mse:ModifyLosslessRule
- mse:TagResources
- mse:UntagResources
- mse:UpdateBlackWhiteList
- mse:UpdateGatewayOption
- mse:UpdateServiceSource
Simple Log Service-related permissions
- log:CloseProductDataCollection
- log:OpenProductDataCollection
- log:GetProductDataCollection
RAM-related permissions
- ram:CreateServiceLinkedRole
AliyunCSManagedKubernetesRole
This role grants ACK One clusters access to manage instances, network interfaces, and route entries in ECS, load balancers and server groups in SLB, route entries in VPC, log projects and Logstores in Simple Log Service, ALB and NLB resources, CloudMonitor (CMS) metrics, and Container Registry (ACR) images.
ECS-related permissions
- ecs:Describe\*
- ecs:CreateRouteEntry
- ecs:DeleteRouteEntry
- ecs:CreateNetworkInterface
- ecs:DeleteNetworkInterface
- ecs:CreateNetworkInterfacePermission
- ecs:DeleteNetworkInterfacePermission
- ecs:ModifyInstanceAttribute
- ecs:AttachKeyPair
- ecs:StopInstance
- ecs:StartInstance
- ecs:ReplaceSystemDisk
SLB-related permissions
- slb:Describe\*
- slb:CreateLoadBalancer
- slb:DeleteLoadBalancer
- slb:ModifyLoadBalancerInternetSpec
- slb:RemoveBackendServers
- slb:AddBackendServers
- slb:RemoveTags
- slb:AddTags
- slb:TagResources
- slb:UnTagResources
- slb:ListTagResources
- slb:StopLoadBalancerListener
- slb:StartLoadBalancerListener
- slb:SetLoadBalancerHTTPListenerAttribute
- slb:SetLoadBalancerHTTPSListenerAttribute
- slb:SetLoadBalancerTCPListenerAttribute
- slb:SetLoadBalancerUDPListenerAttribute
- slb:CreateLoadBalancerHTTPSListener
- slb:CreateLoadBalancerHTTPListener
- slb:CreateLoadBalancerTCPListener
- slb:CreateLoadBalancerUDPListener
- slb:DeleteLoadBalancerListener
- slb:CreateVServerGroup
- slb:DescribeVServerGroups
- slb:DeleteVServerGroup
- slb:SetVServerGroupAttribute
- slb:DescribeVServerGroupAttribute
- slb:ModifyVServerGroupBackendServers
- slb:AddVServerGroupBackendServers
- slb:ModifyLoadBalancerInstanceSpec
- slb:ModifyLoadBalancerInternetSpec
- slb:SetLoadBalancerModificationProtection
- slb:SetLoadBalancerDeleteProtection
- slb:SetLoadBalancerName
- slb:ModifyLoadBalancerInstanceChargeType
- slb:RemoveVServerGroupBackendServers
VPC-related permissions
- vpc:Describe\*
- vpc:DeleteRouteEntry
- vpc:CreateRouteEntry
Simple Log Service-related permissions
- log:CreateProject
- log:GetProject
- log:GetProductDataCollection
- log:OpenProductDataCollection
- log:CloseProductDataCollection
- log:GetLogStoreHistogram
- log:AnalyzeProductLog
- log:CreateIndex
- log:UpdateIndex
- log:DeleteIndex
- log:CreateLogStore
- log:UpdateLogStore
- log:DeleteLogStore
- log:CreateDashboard
- log:UpdateDashboard
- log:DeleteDashboard
- log:SetGeneralDataAccessConfig
ALB-related permissions
- alb:EnableLoadBalancerIpv6Internet
- alb:DisableLoadBalancerIpv6Internet
- alb:CreateAcl
- alb:DeleteAcl
- alb:ListAcls
- alb:ListAclRelations
- alb:AddEntriesToAcl
- alb:AssociateAclsWithListener
- alb:ListAclEntries
- alb:RemoveEntriesFromAcl
- alb:DissociateAclsFromListener
- alb:TagResources
- alb:UnTagResources
- alb:ListServerGroups
- alb:ListServerGroupServers
- alb:AddServersToServerGroup
- alb:RemoveServersFromServerGroup
- alb:ReplaceServersInServerGroup
- alb:CreateLoadBalancer
- alb:DeleteLoadBalancer
- alb:UpdateLoadBalancerAttribute
- alb:UpdateLoadBalancerEdition
- alb:EnableLoadBalancerAccessLog
- alb:DisableLoadBalancerAccessLog
- alb:EnableDeletionProtection
- alb:DisableDeletionProtection
- alb:ListLoadBalancers
- alb:GetLoadBalancerAttribute
- alb:ListListeners
- alb:CreateListener
- alb:GetListenerAttribute
- alb:UpdateListenerAttribute
- alb:ListListenerCertificates
- alb:AssociateAdditionalCertificatesWithListener
- alb:DissociateAdditionalCertificatesFromListener
- alb:DeleteListener
- alb:CreateRule
- alb:DeleteRule
- alb:UpdateRuleAttribute
- alb:CreateRules
- alb:UpdateRulesAttribute
- alb:DeleteRules
- alb:ListRules
- alb:UpdateListenerLogConfig
- alb:CreateServerGroup
- alb:DeleteServerGroup
- alb:UpdateServerGroupAttribute
- alb:UpdateLoadBalancerAddressTypeConfig
- alb:AttachCommonBandwidthPackageToLoadBalancer
- alb:DetachCommonBandwidthPackageFromLoadBalancer
- alb:UpdateServerGroupServersAttribute
- alb:MoveResourceGroup
- alb:ListAScripts
- alb:CreateAScripts
- alb:UpdateAScripts
- alb:DeleteAScripts
- alb:LoadBalancerJoinSecurityGroup
- alb:LoadBalancerLeaveSecurityGroup
- alb:DescribeZones
NLB-related permissions
- nlb:TagResources
- nlb:UnTagResources
- nlb:ListTagResources
- nlb:CreateLoadBalancer
- nlb:DeleteLoadBalancer
- nlb:GetLoadBalancerAttribute
- nlb:ListLoadBalancers
- nlb:UpdateLoadBalancerAttribute
- nlb:UpdateLoadBalancerAddressTypeConfig
- nlb:UpdateLoadBalancerZones
- nlb:CreateListener
- nlb:DeleteListener
- nlb:ListListeners
- nlb:UpdateListenerAttribute
- nlb:StopListener
- nlb:StartListener
- nlb:GetListenerAttribute
- nlb:GetListenerHealthStatus
- nlb:CreateServerGroup
- nlb:DeleteServerGroup
- nlb:UpdateServerGroupAttribute
- nlb:AddServersToServerGroup
- nlb:RemoveServersFromServerGroup
- nlb:UpdateServerGroupServersAttribute
- nlb:ListServerGroups
- nlb:ListServerGroupServers
- nlb:LoadBalancerLeaveSecurityGroup
- nlb:LoadBalancerJoinSecurityGroup
- nlb:DisableLoadBalancerIpv6Internet
- nlb:EnableLoadBalancerIpv6Internet
- nlb:UpdateLoadBalancerProtection
- nlb:AttachCommonBandwidthPackageToLoadBalancer
- nlb:DetachCommonBandwidthPackageFromLoadBalancer
- nlb:GetJobStatus
CMS-related permissions
- cms:DescribeMetricData
- cms:DescribeMetricLast
- cms:DescribeMetricMetaList
- cms:DescribeMetricTop
- cms:QueryMetricData
- cms:QueryMetricLast
- cms:DescribeMetricList
- cms:QueryMetricList
- cms:MetricMeta
ACR-related permissions
- cr:Get\*
- cr:List\*
- cr:PullRepository
AliyunCSManagedLogRole
This role grants ACK One clusters full lifecycle management of Simple Log Service resources — including log projects, Logstores, configs, machine groups, indexes, saved searches, dashboards, and jobs — along with the ability to post log entries and trigger EventBridge events.
Simple Log Service-related permissions
- log:CreateProject
- log:GetProject
- log:DeleteProject
- log:CreateLogStore
- log:GetLogStore
- log:UpdateLogStore
- log:DeleteLogStore
- log:CreateConfig
- log:UpdateConfig
- log:GetConfig
- log:DeleteConfig
- log:CreateMachineGroup
- log:UpdateMachineGroup
- log:GetMachineGroup
- log:DeleteMachineGroup
- log:ApplyConfigToGroup
- log:GetAppliedMachineGroups
- log:GetAppliedConfigs
- log:RemoveConfigFromMachineGroup
- log:RemoveConfigFromGroup
- log:CreateIndex
- log:GetIndex
- log:UpdateIndex
- log:DeleteIndex
- log:CreateSavedSearch
- log:GetSavedSearch
- log:UpdateSavedSearch
- log:DeleteSavedSearch
- log:CreateDashboard
- log:GetDashboard
- log:UpdateDashboard
- log:DeleteDashboard
- log:CreateJob
- log:GetJob
- log:DeleteJob
- log:UpdateJob
- log:PostLogStoreLogs
- log:CreateSortedSubStore
- log:GetSortedSubStore
- log:ListSortedSubStore
- log:UpdateSortedSubStore
- log:DeleteSortedSubStore
- log:CreateApp
- log:UpdateApp
- log:GetApp
- log:DeleteApp
- log:GetLogStoreLogs
- log:TagResources
- log:ListJobs
- log:ListTagResources
- log:UntagResources
- log:CreateResourceRecord
- log:UpdateResourceRecord
- log:UpsertResourceRecord
- log:GetResourceRecord
- log:DeleteResourceRecord
- log:ListResourceRecords
- log:ListResources
- log:GetResource
- log:PutLogs
- log:UpdateLogStoreMeteringMode
- log:GetLogStoreMeteringMode
- log:CreateLogtailPipelineConfig
- log:DeleteLogtailPipelineConfig
- log:GetLogtailPipelineConfig
- log:UpdateLogtailPipelineConfig
- log:ListLogtailPipelineConfig
- log:CreateSubStore
- cs:UpdateContactGroup
- cs:DescribeTemplates
- cs:DescribeTemplateAttribute
- eventbridge:PutEvents
AliyunCSManagedCmsRole
This role grants ACK One clusters access to manage CloudMonitor (CMS) monitor groups, metric rules, and dynamic tag groups, as well as read metrics from SLS and SLB and report data via ARMS Sentinel.
CMS-related permissions
- cms:DescribeMonitorGroups
- cms:DescribeMonitorGroupInstances
- cms:CreateMonitorGroup
- cms:DeleteMonitorGroup
- cms:ModifyMonitorGroupInstances
- cms:CreateMonitorGroupInstances
- cms:DeleteMonitorGroupInstances
- cms:TaskConfigCreate
- cms:TaskConfigList
- cms:DescribeMetricList
- cms:QueryMetricList
- cms:CreateDynamicTagGroup
- cms:PutGroupMetricRule
- cms:DescribeMetricRuleList
- cms:DeleteMetricRules
- cs:DescribeMonitorToken
- ahas:GetSentinelAppSumMetric
- log:GetLogStoreLogs
- slb:DescribeMetricList
- sls:GetLogs
- sls:PutLogs
AliyunCSManagedArmsRole
This role grants ACK One clusters access to the full Application Real-Time Monitoring Service (ARMS) API — including alert rules, contact groups, dispatch rules, Prometheus monitoring, and environment management — along with MSE gateway management and Simple Log Service log writing.
ARMS-related permissions
- arms:CMonitorCloudInstances
- arms:CMonitorRegister
- arms:ConfigAgentLabel
- arms:CreateAlertRules
- arms:CreateAlertTemplate
- arms:CreateApp
- arms:CreateContact
- arms:CreateContactGroup
- arms:CreateDispatchRule
- arms:CreateOrUpdateIMRobot
- arms:CreateOrUpdateWebhookContact
- arms:CreateProm
- arms:CreatePrometheusAlertRule
- arms:DeleteAlert
- arms:DeleteAlertContact
- arms:DeleteAlertContactGroup
- arms:DeleteAlertRules
- arms:DeleteAlertTemplate
- arms:DeleteApp
- arms:DeleteContact
- arms:DeleteContactGroup
- arms:DeleteContactLink
- arms:DeleteContactMember
- arms:DeleteDispatchRule
- arms:DeleteIMRobot
- arms:DeletePrometheusAlertRule
- arms:DeleteWebhookContact
- arms:DescribeDispatchRule
- arms:DescribeIMRobots
- arms:DescribePrometheusAlertRule
- arms:DescribeWebhookContacts
- arms:DisableAlertTemplate
- arms:EnableAlertTemplate
- arms:GetAlarmHistories
- arms:GetAlert
- arms:GetAlertEvents
- arms:GetAlertRules
- arms:GetAlertRulesByPage
- arms:GetAssumeRoleCredentials
- arms:GetCommercialStatus
- arms:InstallEventer
- arms:InstallManagedPrometheus
- arms:ListActivatedAlerts
- arms:ListAlertTemplates
- arms:ListDashboards
- arms:ListDispatchRule
- arms:ListEscalationPolicies
- arms:ListOnCallSchedules
- arms:ListPrometheusAlertRules
- arms:ListPrometheusAlertTemplates
- arms:QueryAlarmHistory
- arms:QueryAlarmName
- arms:SaveAlert
- arms:SaveContactGroup
- arms:SaveContactMember
- arms:SaveTraceAppConfig
- arms:SearchAlarmHistories
- arms:SearchAlertRules
- arms:SearchContact
- arms:SearchContactGroup
- arms:SearchEvents
- arms:SendTTSVerifyLink
- arms:StartAlert
- arms:StartAlertRule
- arms:StopAlert
- arms:StopAlertRule
- arms:UninstallManagedPrometheus
- arms:UpdateAlertRules
- arms:UpdateAlertTemplate
- arms:UpdateContact
- arms:UpdateContactGroup
- arms:UpdateContactMember
- arms:UpdateDispatchRule
- arms:UpdatePrometheusAlertRule
- arms:UpgradeAddonRelease
- arms:CheckServiceStatus
- arms:GetClusterAllUrl
- arms:GetClusterInfoForArms
- arms:GetExploreUrl
- arms:GetIntegrationState
- arms:GetManagedPrometheusStatus
- arms:ListAlertEvents
- arms:QueryMetric
- arms:QueryPromInstallStatus
- arms:SearchAlertContactGroup
- arms:SearchAlertHistories
- arms:CreateAlertContact
- arms:CreateAlertContactGroup
- arms:ImportCustomAlertRules
- arms:SearchAlertContact
- arms:UpdateAlertContact
- arms:UpdateAlertContactGroup
- arms:UpdateAlertRule
- arms:UpdateWebhook
- arms:InnerFetchContactGroupByArmsContactGroupId
- xtrace:GetToken
- arms:ListEnvironments
- arms:DescribeAddonRelease
- arms:InstallAddon
- arms:DeleteAddonRelease
- arms:ListEnvironmentDashboards
- arms:ListAddonReleases
- arms:CreateEnvironment
- arms:InitEnvironment
- arms:DescribeEnvironment
- arms:InstallEnvironmentFeature
- arms:ListEnvironmentFeatures
- arms:UpdateEnvironment
- arms:GetPrometheusInstance
- arms:GetPrometheusApiToken
MSE-related permissions
- mse:AddBlackWhiteList
- mse:AddGateway
- mse:AddServiceSource
- mse:CreateApplication
- mse:DeleteGateway
- mse:GetBlackWhiteList
- mse:GetGateway
- mse:GetGatewayDetail
- mse:GetGatewayOption
- mse:ListServiceSource
- mse:ListTagResources
- mse:ModifyLosslessRule
- mse:TagResources
- mse:UntagResources
- mse:UpdateBlackWhiteList
- mse:UpdateGatewayOption
- mse:UpdateServiceSource
- mse:GetLicenseKey
- mse:CreateGovernanceKubernetesCluster
- mse:ReportOnePilotInfo
- mse:GenerateAgentLogSts
- mse:GetOpenSergoInfoByClusterId
- mse:ListNamespaces
- mse:ReportAppProfile
Simple Log Service-related permissions
- log:PostLogStoreLogs
- log:RemoteWritePrometheus
- log:RemoteWrite
What's next
- For an overview of ACK One permissions and authorization scenarios, see Authorization overview.
- To grant a RAM user or RAM role permissions on ACK One resources, see Attach a system permission policy to a RAM user or RAM role.
- To grant a RAM user or RAM role permissions on Kubernetes resources in a specific cluster, see Grant RBAC permissions to a RAM user or RAM role.