An Alibaba Cloud service may need to access other Alibaba Cloud services to implement specific features. In this case, the Alibaba Cloud service must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. To use all features provided by Distributed Cloud Container Platform for Kubernetes (ACK One), you must assign the required service-linked role to ACK One. This topic introduces the service-linked role for ACK One and describes the permissions of the role.
How to assign the service-linked role
If this is the first time you use ACK One, you need to complete authorization with an Alibaba Cloud account or RAM account administrator.
You do not need to manually create service-linked roles. During the first time you use the ACK One console, the console prompts you to complete the authorization first. You need only to follow the on-screen instructions to complete the authorization.
Important Only Alibaba Cloud accounts and RAM account administrators can complete role authorization. Regular RAM users are not allowed to perform this operation. If the system prompts that you do not have the permissions, use an Alibaba Cloud account or RAM account administrator.
Service-linked role for ACK One
Role name | Permission |
AliyunCSDefaultRole | ACK One can assume this role to access your cloud resources during cluster management, such as resources in Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Resource Orchestration Service (ROS), and Auto Scaling. To use features provided by ACK One, this role is required.
|
AliyunServiceRoleForAdcp | ACK One can assume this role to access your cloud resources during cluster management, such as resources in ECS, VPC, and SLB. To use features provided by ACK One, this role is required.
|
AliyunAdcpServerlessKubernetesRole | Fleet instances and Kubernetes clusters for distributed Argo workflows of ACK One assume this role to access cloud resources in VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service. To use features provided by ACK One, this role is required.
|
AliyunAdcpManagedMseRole | Fleet instances of ACK One assume this role to access resources in Microservices Engine (MSE). This role is required when you use multi-cluster gateways. This role does not affect the use of other features.
|
Permissions of the service-linked role
AliyunServiceRoleForAdcp
ECS-related permissions
ecs:CreateSecurityGroup
ecs:CreateSecurityGroupPermissions
ecs:DeleteSecurityGroup
ecs:DescribeAccountAttributes
ecs:DescribeSecurityGroups
ecs:AuthorizeSecurityGroup
ecs:RevokeSecurityGroup
ecs:AuthorizeSecurityGroupEgress
ecs:RevokeSecurityGroupEgress
ecs:DescribeNetworkInterfaces
ecs:DescribeZones
VPC-related permissions
vpc:DescribeVpcAttribute
vpc:DescribeVSwitchAttributes
vpc:AllocateEipAddress
vpc:AssociateEipAddress
vpc:UnassociateEipAddress
vpc:ReleaseEipAddress
vpc:DescribeEipAddresses
vpc:TagResources
vpc:DeletionProtection
vpc:DescribeRouteTableList
vpc:CreateRouteEntry
vpc:DeleteeRouteEntry
vpc:AcceptVpcPeerConnection
vpc:GetVpcPeerConnectionAttribute
vpc:DescribeVSwitches
vpc:DescribeVpcs
SLB-related permissions
slb:DescribeLoadBalancerAttribute
slb:CreateLoadBalancer
slb:DeleteLoadBalancer
slb:StartLoadBalancerListener
slb:StopLoadBalancerListener
slb:CreateLoadBalancerTCPListener
slb:CreateLoadBalancerHTTPListener
slb:DeleteLoadBalancerListener
slb:AddTags
slb:RemoveTags
slb:SetLoadBalancerDeleteProtection
slb:SetLoadBalancerModificationProtection
slb:DescribeZones
slb:CreateAccessControlList
slb:DescribeAccessControlLists
slb:AddAccessControlListEntry
slb:RemoveAccessControlListEntry
slb:SetLoadBalancerTCPListenerAttribute
ASM-related permissions
servicemesh:CreateServiceMesh
servicemesh:DeleteServiceMesh
servicemesh:DescribeServiceMeshDetail
servicemesh:DescribeServiceMeshes
servicemesh:DescribeServiceMeshKubeconfig
servicemesh:DescribeServiceMeshLogs
servicemesh:ModifyServiceMesh
servicemesh:ModifyServiceMeshName
servicemesh:DescribeClustersInServiceMesh
servicemesh:AddClusterIntoServiceMesh
servicemesh:RemoveClusterFromServiceMesh
servicemesh:UpdateMeshFeature
servicemesh:DescribeRegions
servicemesh:DescribeServiceMeshUpgradeStatus
servicemesh:DescribeVersions
servicemesh:RevokeKubeconfig
servicemesh:UpdateServiceMeshOwner
AliyunAdcpServerlessKubernetesRole
ECS-related permissions
ecs:DescribeSecurityGroups
ecs:CreateNetworkInterface
ecs:CreateNetworkInterfacePermission
ecs:DescribeNetworkInterfaces
ecs:AttachNetworkInterface
ecs:DetachNetworkInterface
ecs:DeleteNetworkInterface
ecs:DeleteNetworkInterfacePermission
ARMS-related permissions
arms:GetManagedPrometheusStatus
arms:InstallManagedPrometheus
arms:UninstallManagedPrometheus
Alibaba Cloud DNS PrivateZone-related permissions
Elastic Container Instance-related permissions
eci:CreateContainerGroup
eci:DeleteContainerGroup
eci:DescribeContainerGroups
eci:DescribeContainerGroupStatus
eci:DescribeContainerGroupEvents
eci:DescribeContainerLog
eci:UpdateContainerGroup
eci:UpdateContainerGroupByTemplate
eci:CreateContainerGroupFromTemplate
eci:RestartContainerGroup
eci:ExportContainerGroupTemplate
eci:DescribeContainerGroupMetric
eci:DescribeMultiContainerGroupMetric
eci:ResizeContainerGroupVolume
eci:ExecContainerCommand
eci:CreateImageCache
eci:DescribeImageCaches
eci:DeleteImageCache
Simple Log Service-related permissions
RAM-related Permissions
ram:CreateServiceLinkedRole
AliyunAdcpManagedMseRole
MSE-related permissions
mse:AddBlackWhiteList
mse:AddGateway
mse:AddServiceSource
mse:CreateApplication
mse:DeleteGateway
mse:DeleteServiceSource
mse:GetBlackWhiteList
mse:GetGateway
mse:GetGatewayDetail
mse:GetGatewayOption
mse:ListServiceSource
mse:ListTagResources
mse:ModifyLosslessRule
mse:TagResources
mse:UntagResources
mse:UpdateBlackWhiteList
mse:UpdateGatewayOption
mse:UpdateServiceSource
Simple Log Service-related permissions
log:CloseProductDataCollection
log:OpenProductDataCollection
log:GetProductDataCollection
RAM-related permissions
ram:CreateServiceLinkedRole
AliyunCSManagedKubernetesRole
ECS-related permissions
ecs:Describe*
ecs:CreateRouteEntry
ecs:DeleteRouteEntry
ecs:CreateNetworkInterface
ecs:DeleteNetworkInterface
ecs:CreateNetworkInterfacePermission
ecs:DeleteNetworkInterfacePermission
ecs:ModifyInstanceAttribute
ecs:AttachKeyPair
ecs:StopInstance
ecs:StartInstance
ecs:ReplaceSystemDisk
SLB-related permissions
slb:Describe*
slb:CreateLoadBalancer
slb:DeleteLoadBalancer
slb:ModifyLoadBalancerInternetSpec
slb:RemoveBackendServers
slb:AddBackendServers
slb:RemoveTags
slb:AddTags
slb:TagResources
slb:UnTagResources
slb:ListTagResources
slb:StopLoadBalancerListener
slb:StartLoadBalancerListener
slb:SetLoadBalancerHTTPListenerAttribute
slb:SetLoadBalancerHTTPSListenerAttribute
slb:SetLoadBalancerTCPListenerAttribute
slb:SetLoadBalancerUDPListenerAttribute
slb:CreateLoadBalancerHTTPSListener
slb:CreateLoadBalancerHTTPListener
slb:CreateLoadBalancerTCPListener
slb:CreateLoadBalancerUDPListener
slb:DeleteLoadBalancerListener
slb:CreateVServerGroup
slb:DescribeVServerGroups
slb:DeleteVServerGroup
slb:SetVServerGroupAttribute
slb:DescribeVServerGroupAttribute
slb:ModifyVServerGroupBackendServers
slb:AddVServerGroupBackendServers
slb:ModifyLoadBalancerInstanceSpec
slb:ModifyLoadBalancerInternetSpec
slb:SetLoadBalancerModificationProtection
slb:SetLoadBalancerDeleteProtection
slb:SetLoadBalancerName
slb:ModifyLoadBalancerInstanceChargeType
slb:RemoveVServerGroupBackendServers
VPC-related permissions
vpc:Describe*
vpc:DeleteRouteEntry
vpc:CreateRouteEntry
Simple Log Service-related permissions
log:CreateProject
log:GetProject
log:GetProductDataCollection
log:OpenProductDataCollection
log:CloseProductDataCollection
log:GetLogStoreHistogram
log:AnalyzeProductLog
log:CreateIndex
log:UpdateIndex
log:DeleteIndex
log:CreateLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateDashboard
log:UpdateDashboard
log:DeleteDashboard
log:SetGeneralDataAccessConfig
ALB-related permissions
alb:EnableLoadBalancerIpv6Internet
alb:DisableLoadBalancerIpv6Internet
alb:CreateAcl
alb:DeleteAcl
alb:ListAcls
alb:ListAclRelations
alb:AddEntriesToAcl
alb:AssociateAclsWithListener
alb:ListAclEntries
alb:RemoveEntriesFromAcl
alb:DissociateAclsFromListener
alb:TagResources
alb:UnTagResources
alb:ListServerGroups
alb:ListServerGroupServers
alb:AddServersToServerGroup
alb:RemoveServersFromServerGroup
alb:ReplaceServersInServerGroup
alb:CreateLoadBalancer
alb:DeleteLoadBalancer
alb:UpdateLoadBalancerAttribute
alb:UpdateLoadBalancerEdition
alb:EnableLoadBalancerAccessLog
alb:DisableLoadBalancerAccessLog
alb:EnableDeletionProtection
alb:DisableDeletionProtection
alb:ListLoadBalancers
alb:GetLoadBalancerAttribute
alb:ListListeners
alb:CreateListener
alb:GetListenerAttribute
alb:UpdateListenerAttribute
alb:ListListenerCertificates
alb:AssociateAdditionalCertificatesWithListener
alb:DissociateAdditionalCertificatesFromListener
alb:DeleteListener
alb:CreateRule
alb:DeleteRule
alb:UpdateRuleAttribute
alb:CreateRules
alb:UpdateRulesAttribute
alb:DeleteRules
alb:ListRules
alb:UpdateListenerLogConfig
alb:CreateServerGroup
alb:DeleteServerGroup
alb:UpdateServerGroupAttribute
alb:UpdateLoadBalancerAddressTypeConfig
alb:AttachCommonBandwidthPackageToLoadBalancer
alb:DetachCommonBandwidthPackageFromLoadBalancer
alb:UpdateServerGroupServersAttribute
alb:MoveResourceGroup
alb:ListAScripts
alb:CreateAScripts
alb:UpdateAScripts
alb:DeleteAScripts
alb:LoadBalancerJoinSecurityGroup
alb:LoadBalancerLeaveSecurityGroup
alb:DescribeZones
NLB-related permissions
nlb:TagResources
nlb:UnTagResources
nlb:ListTagResources
nlb:CreateLoadBalancer
nlb:DeleteLoadBalancer
nlb:GetLoadBalancerAttribute
nlb:ListLoadBalancers
nlb:UpdateLoadBalancerAttribute
nlb:UpdateLoadBalancerAddressTypeConfig
nlb:UpdateLoadBalancerZones
nlb:CreateListener
nlb:DeleteListener
nlb:ListListeners
nlb:UpdateListenerAttribute
nlb:StopListener
nlb:StartListener
nlb:GetListenerAttribute
nlb:GetListenerHealthStatus
nlb:CreateServerGroup
nlb:DeleteServerGroup
nlb:UpdateServerGroupAttribute
nlb:AddServersToServerGroup
nlb:RemoveServersFromServerGroup
nlb:UpdateServerGroupServersAttribute
nlb:ListServerGroups
nlb:ListServerGroupServers
nlb:LoadBalancerLeaveSecurityGroup
nlb:LoadBalancerJoinSecurityGroup
nlb:DisableLoadBalancerIpv6Internet
nlb:EnableLoadBalancerIpv6Internet
nlb:UpdateLoadBalancerProtection
nlb:AttachCommonBandwidthPackageToLoadBalancer
nlb:DetachCommonBandwidthPackageFromLoadBalancer
nlb:GetJobStatus
ACR-related permissions
cr:Get*
cr:List*
cr:PullRepository
AliyunCSManagedLogRole
Simple Log Service-related permissions
log:CreateProject
log:GetProject
log:DeleteProject
log:CreateLogStore
log:GetLogStore
log:UpdateLogStore
log:DeleteLogStore
log:CreateConfig
log:UpdateConfig
log:GetConfig
log:DeleteConfig
log:CreateMachineGroup
log:UpdateMachineGroup
log:GetMachineGroup
log:DeleteMachineGroup
log:ApplyConfigToGroup
log:GetAppliedMachineGroups
log:GetAppliedConfigs
log:RemoveConfigFromMachineGroup
log:RemoveConfigFromGroup
log:CreateIndex
log:GetIndex
log:UpdateIndex
log:DeleteIndex
log:CreateSavedSearch
log:GetSavedSearch
log:UpdateSavedSearch
log:DeleteSavedSearch
log:CreateDashboard
log:GetDashboard
log:UpdateDashboard
log:DeleteDashboard
log:CreateJob
log:GetJob
log:DeleteJob
log:UpdateJob
log:PostLogStoreLogs
log:CreateSortedSubStore
log:GetSortedSubStore
log:ListSortedSubStore
log:UpdateSortedSubStore
log:DeleteSortedSubStore
log:CreateApp
log:UpdateApp
log:GetApp
log:DeleteApp
log:GetLogStoreLogs
log:TagResources
log:ListJobs
log:ListTagResources
log:UntagResources
log:CreateResourceRecord
log:UpdateResourceRecord
log:UpsertResourceRecord
log:GetResourceRecord
log:DeleteResourceRecord
log:ListResourceRecords
log:ListResources
log:GetResource
log:PutLogs
log:UpdateLogStoreMeteringMode
log:GetLogStoreMeteringMode
log:CreateLogtailPipelineConfig
log:DeleteLogtailPipelineConfig
log:GetLogtailPipelineConfig
log:UpdateLogtailPipelineConfig
log:ListLogtailPipelineConfig
log:CreateSubStore
cs:UpdateContactGroup
cs:DescribeTemplates
cs:DescribeTemplateAttribute
eventbridge:PutEvents
AliyunCSManagedCmsRole
CMS-related permissions
cms:DescribeMonitorGroups
cms:DescribeMonitorGroupInstances
cms:CreateMonitorGroup
cms:DeleteMonitorGroup
cms:ModifyMonitorGroupInstances
cms:CreateMonitorGroupInstances
cms:DeleteMonitorGroupInstances
cms:TaskConfigCreate
cms:TaskConfigList
cms:DescribeMetricList
cms:QueryMetricList
cms:CreateDynamicTagGroup
cms:PutGroupMetricRule
cms:DescribeMetricRuleList
cms:DeleteMetricRules
cs:DescribeMonitorToken
ahas:GetSentinelAppSumMetric
log:GetLogStoreLogs
slb:DescribeMetricList
sls:GetLogs
sls:PutLogs
AliyunCSManagedArmsRole
ARMS-related permissions
arms:CMonitorCloudInstances
arms:CMonitorRegister
arms:ConfigAgentLabel
arms:CreateAlertRules
arms:CreateAlertTemplate
arms:CreateApp
arms:CreateContact
arms:CreateContactGroup
arms:CreateDispatchRule
arms:CreateOrUpdateIMRobot
arms:CreateOrUpdateWebhookContact
arms:CreateProm
arms:CreatePrometheusAlertRule
arms:DeleteAlert
arms:DeleteAlertContact
arms:DeleteAlertContactGroup
arms:DeleteAlertRules
arms:DeleteAlertTemplate
arms:DeleteApp
arms:DeleteContact
arms:DeleteContactGroup
arms:DeleteContactLink
arms:DeleteContactMember
arms:DeleteDispatchRule
arms:DeleteIMRobot
arms:DeletePrometheusAlertRule
arms:DeleteWebhookContact
arms:DescribeDispatchRule
arms:DescribeIMRobots
arms:DescribePrometheusAlertRule
arms:DescribeWebhookContacts
arms:DisableAlertTemplate
arms:EnableAlertTemplate
arms:GetAlarmHistories
arms:GetAlert
arms:GetAlertEvents
arms:GetAlertRules
arms:GetAlertRulesByPage
arms:GetAssumeRoleCredentials
arms:GetCommercialStatus
arms:InstallEventer
arms:InstallManagedPrometheus
arms:ListActivatedAlerts
arms:ListAlertTemplates
arms:ListDashboards
arms:ListDispatchRule
arms:ListEscalationPolicies
arms:ListOnCallSchedules
arms:ListPrometheusAlertRules
arms:ListPrometheusAlertTemplates
arms:QueryAlarmHistory
arms:QueryAlarmName
arms:SaveAlert
arms:SaveContactGroup
arms:SaveContactMember
arms:SaveTraceAppConfig
arms:SearchAlarmHistories
arms:SearchAlertRules
arms:SearchContact
arms:SearchContactGroup
arms:SearchEvents
arms:SendTTSVerifyLink
arms:StartAlert
arms:StartAlertRule
arms:StopAlert
arms:StopAlertRule
arms:UninstallManagedPrometheus
arms:UpdateAlertRules
arms:UpdateAlertTemplate
arms:UpdateContact
arms:UpdateContactGroup
arms:UpdateContactMember
arms:UpdateDispatchRule
arms:UpdatePrometheusAlertRule
arms:UpgradeAddonRelease
arms:CheckServiceStatus
arms:GetClusterAllUrl
arms:GetClusterInfoForArms
arms:GetExploreUrl
arms:GetIntegrationState
arms:GetManagedPrometheusStatus
arms:ListAlertEvents
arms:QueryMetric
arms:QueryPromInstallStatus
arms:SearchAlertContactGroup
arms:SearchAlertHistories
arms:CreateAlertContact
arms:CreateAlertContactGroup
arms:ImportCustomAlertRules
arms:SearchAlertContact
arms:UpdateAlertContact
arms:UpdateAlertContactGroup
arms:UpdateAlertRule
arms:UpdateWebhook
arms:InnerFetchContactGroupByArmsContactGroupId
xtrace:GetToken
arms:ListEnvironments
arms:DescribeAddonRelease
arms:InstallAddon
arms:DeleteAddonRelease
arms:ListEnvironmentDashboards
arms:ListAddonReleases
arms:CreateEnvironment
arms:InitEnvironment
arms:DescribeEnvironment
arms:InstallEnvironmentFeature
arms:ListEnvironmentFeatures
arms:UpdateEnvironment
arms:GetPrometheusInstance
arms:GetPrometheusApiToken
Simple Log Service-related permissions