To perform cluster diagnostics or cluster inspections, you must assign the required service role to Container Intelligent Service (CIS). Then, CIS can assume this role to call services, such as Elastic Compute Service (ECS), Container Service for Kubernetes (ACK), Virtual Private Cloud (VPC), and Server Load Balancer (SLB), to inspect and diagnose clusters. This topic describes how to assign the service role to CIS and the permissions provided by the role.
Assign the service role to CIS
When you use CIS for the first time, you must assign the service role AliyunCISDefaultRole to CIS. To do this, perform the following steps.
You can use an Alibaba Cloud account or a Resource Access Management (RAM) user that has administrator permissions to assign the service role to CIS.
Log on to the CIS console.
Click Go to RAM authorization to open the Cloud Resource Access Authorization page and click Agree to Authorization.
After you complete the authorization, refresh the page to use CIS.
Permissions provided by the default role
The service role for CIS is AliyunCISDefaultRole. CIS assumes this role to access your resources in services, such as ECS instances, VPCs, and SLB instances, to provide you with diagnostic and inspection services. The following table describes the permissions provided by the AliyunCISDefaultRole role.
ECS-related permissions
| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeInstances | Queries the details about one or more ECS instances. |
| ecs:DescribeInstanceStatus | Queries the status information about one or more ECS instances. |
| ecs:DescribeInstanceTypes | Queries the instance types provided by ECS. |
| ecs:DescribeInstanceTypeFamilies | Queries the instance families provided by ECS. |
| ecs:DescribeInstanceAttribute | Queries the details of an ECS instance. |
| ecs:CreateDiagnosticReport | Creates a resource diagnostic report. |
| ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
| ecs:DescribeDiagnosticReportAttributes | Queries the details of a resource diagnostic report. |
| ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
| ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by the rules of other security groups. |
| ecs:DescribeBandwidthLimitation | Queries bandwidth resources. |
| ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances. |
| ecs:DescribeCommands | Queries the Cloud Assistant commands that you created. |
| ecs:DescribeInvocationResults | Queries the execution results of one or more Cloud Assistant commands on ECS instances. |
| ecs:DescribeNetworkInterfaces | Queries elastic network interfaces (ENIs). |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch command on ECS instances. |
VPC-related permissions
| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVpcs | Queries the VPCs that you have created. |
| vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
| vpc:DescribeVSwitches | Queries the vSwitches that you have created. |
| vpc:DescribeVSwitchAttributes | Queries the detailed information about a vSwitch. |
| vpc:DescribeRouteTableList | Queries route tables. |
| vpc:DescribeRouteEntryList | Queries route entries. |
| vpc:DescribeNatGateways | Queries NAT gateways that meet specific conditions in a region. |
| vpc:DescribeEipAddresses | Queries the elastic IP addresses (EIPs) that you have created in a region. |
| vpc:DescribeRouteTables | Queries information about route tables. |
| vpc:DescribeSnatTableEntries | Queries the SNAT entries that you have created. |
| vpc:DescribeNetworkAcls | Queries network access control lists (ACLs). |
| vpc:DescribeNetworkAclAttributes | Queries the details about a network ACL. |
SLB-related permissions
| Permission (Action) | Description |
| --- | --- |
| slb:DescribeLoadBalancers | Queries the SLB instances that you have created. |
| slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
| slb:DescribeAccessControlLists | Queries the network ACLs that you have created. |
| slb:DescribeAccessControlListAttribute | Queries the configurations of a network ACL. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeHealthStatus | Queries the health status of a backend server. |
Simple Log Service-related permissions
| Permission (Action) | Description |
| --- | --- |
| sls:GetLogStore | Queries the details about a Logstore. |
ACK-related permissions
| Permission (Action) | Description |
| --- | --- |
| cs:DescribeClusterDetail | Queries the details about an ACK cluster. |
| cs:DescribeClusterResources | Queries all resources in an ACK cluster. |
| cs:DescribeTasks | Queries the tasks in an ACK cluster. |
| cs:DescribeTaskInfo | Queries the task information about an ACK cluster. |
| cs:DescribeClusterNodePools | Queries the information about all node pools in an ACK cluster. |
| cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in an ACK cluster. |
| cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of multiple components. |
Elastic Container Instance-related permissions
| Permission (Action) | Description |
| --- | --- |
| eci:DescribeContainerGroups | Queries the information about multiple pods. |
| eci:RunCommand | Executes shell scripts on an elastic container instance. |
| eci:DescribeCommandResult | Queries the execution result of a command. |
| eci:ListUsage | Queries the privileges and quotas that you have in a region. |
CloudMonitor-related permissions
| Permission (Action) | Description |
| --- | --- |
| cms:DescribeMetricData | Queries the monitoring data of an Alibaba Cloud service collected within a period of time. |
| cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricMetaList | Queries the descriptions of metrics that are supported by CloudMonitor. |
| cms:DescribeMetricTop | Queries the sorted monitoring data of an Alibaba Cloud service. |
| cms:QueryMetricMeta | Queries the metrics that are supported by CloudMonitor. |
| cms:QueryMetricTop | Queries the monitoring data of an Alibaba Cloud service. |
| cms:ListMetricMeta | Queries the metadata of metrics. |
| cms:ListMetricMetaProject | Queries the meta projects of metrics. |
| cms:QueryMetricData | Queries the monitoring data of Alibaba Cloud services. |
| cms:QueryMetricLast | Queries the latest monitoring data of monitoring metrics. |
| cms:DescribeMetricList | Queries the monitoring data of a metric of an Alibaba Cloud service. |
| cms:QueryMetricList | Queries the descriptions of metrics supported by CloudMonitor. |
| cms:MetricMeta | Queries the metrics that are supported by CloudMonitor. |
| cms:DescribeAlertLogList | Queries the most recent alerts. |
| cms:DescribeSystemEventAttribute | Queries the details about a system event. |
| cms:GetMetricStreamMeta | Queries the description of a CloudMonitor metric. |
Quota Center-related permissions
| Permission (Action) | Description |
| --- | --- |
| quotas:ListProducts | Queries the Alibaba Cloud services that support Quota Center. |
| quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
| quotas:ListProductQuotaDimensions | Queries the quota dimensions that are supported by an Alibaba Cloud service. |
| quotas:GetProductQuota | Queries the details about a quota. |
| quotas:GetProductQuotaDimension | Queries the details about a quota dimension that is supported by an Alibaba Cloud service. |
RAM-related permissions
| Permission (Action) | Description |
| --- | --- |
| ram:ListPoliciesForRole | Queries the policies that are attached to a RAM role. |
GRACE-related permissions
| Permission (Action) | Description |
| --- | --- |
| grace:GetFile | Queries the information about the analysis file provided by the Application Troubleshooting Platform (ATP). |
| grace:AnalyzeFile | Analyzes files on ATP. |
| grace:UploadFileByOSS | Uploads files to ATP by using Object Storage Service (OSS). |
| grace:UploadFileByURL | Uploads files to ATP by specifying URLs. |
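Most of the actions above are read-only Describe/Get/List/Query calls, but a few (ecs:RunCommand, ecs:InvokeCommand, ecs:CreateCommand, eci:RunCommand, the grace upload actions) let the role execute commands on nodes or move data, so a reviewer auditing this role wants two things checked: that only the CIS service can assume the role, and which granted actions are execute- or write-capable. The script below is an added example written for this page, not Alibaba Cloud's own tooling or policy. The permission policy it audits is a constructed sample assembled from actions in the tables above (it is not the real policy document attached to AliyunCISDefaultRole), the trust policy is constructed, and the service principal name `cis.aliyuncs.com` is an assumption; substitute the documents returned by your own RAM console or API.

```python
import json

# Action verbs that only read state. Anything starting with one of
# MUTATING_VERBS is flagged as write/execute capable; anything else is
# left for manual review rather than silently treated as harmless.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Query")
MUTATING_VERBS = ("Create", "Invoke", "Stop", "Run", "Analyze", "Upload",
                  "Delete", "Modify", "Attach", "Detach", "Put", "Set")

# Service principals that should be the ONLY ones allowed to assume the role.
# The exact principal name for CIS is an assumption, not taken from the page.
EXPECTED_SERVICE_PRINCIPALS = {"cis.aliyuncs.com"}

# Constructed sample permission policy, assembled from actions in the tables
# on this page. It is not the real policy document attached to the role.
SAMPLE_PERMISSION_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances", "ecs:DescribeSecurityGroupAttribute",
        "ecs:CreateDiagnosticReport", "ecs:CreateCommand",
        "ecs:InvokeCommand", "ecs:StopInvocation", "ecs:RunCommand",
        "vpc:DescribeVpcs", "slb:DescribeLoadBalancers", "sls:GetLogStore",
        "cs:DescribeClusterDetail", "eci:DescribeCommandResult",
        "eci:RunCommand", "cms:MetricMeta", "quotas:ListProducts",
        "ram:ListPoliciesForRole", "grace:GetFile", "grace:AnalyzeFile",
        "grace:UploadFileByOSS", "grace:UploadFileByURL"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample trust policy (the role's AssumeRolePolicyDocument).
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"Service": ["cis.aliyuncs.com"]}
    }
  ]
}
""")


def _as_list(value):
    """RAM policies allow either a string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Return 'wildcard', 'mutating', 'read' or 'unclassified' for one action."""
    if "*" in action:
        return "wildcard"
    name = action.split(":", 1)[-1]  # drop the service prefix, e.g. "ecs:"
    if name.startswith(MUTATING_VERBS):
        return "mutating"
    if name.startswith(READ_ONLY_VERBS):
        return "read"
    return "unclassified"


def audit_permission_policy(policy):
    """Group every Allow-ed action in a policy document by classification."""
    groups = {"read": set(), "mutating": set(), "wildcard": set(), "unclassified": set()}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            groups[classify_action(action)].add(action)
    return {key: sorted(values) for key, values in groups.items()}


def audit_trust_policy(trust_policy, expected=EXPECTED_SERVICE_PRINCIPALS):
    """Flag principals that may assume the role but are not the expected service."""
    findings = {"unexpected_service_principals": [], "ram_principals": []}
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for service in _as_list(principal.get("Service")):
            if service not in expected:
                findings["unexpected_service_principals"].append(service)
        # A service role should never be assumable by RAM users or accounts.
        findings["ram_principals"].extend(_as_list(principal.get("RAM")))
    return findings


def audit_role(trust_policy, permission_policy):
    """Run both checks; 'ok' is True only when the trust policy is clean."""
    trust = audit_trust_policy(trust_policy)
    perms = audit_permission_policy(permission_policy)
    ok = not trust["unexpected_service_principals"] and not trust["ram_principals"]
    return {"ok": ok, "trust": trust, "permissions": perms}


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_TRUST_POLICY, SAMPLE_PERMISSION_POLICY), indent=2))
```

On the sample input the mutating group contains the command-execution and upload actions, `cms:MetricMeta` lands in the unclassified group because its name carries no verb, and the trust check passes; feed it a trust policy that names a second service or a RAM principal and `ok` flips to False.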