When you activate Container Service for Kubernetes (ACK), you must grant default roles to a service account. Then, the service account can be used to call services, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS, and Server Load Balancer (SLB), create clusters, and save cluster logs. This topic describes the permissions of the ACK default roles.
Role permissions
This topic describes the permissions of the following roles:
AliyunCSManagedLogRole
The Logtail component of ACK uses AliyunCSManagedLogRole to access resources of other cloud services.
Permission | Description |
---|---|
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by name. |
log:DeleteProject | Deletes a specified project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a log collection configuration. |
log:UpdateConfig | Updates a log collection configuration. |
log:GetConfig | Queries the details of a log collection configuration. |
log:DeleteConfig | Deletes a specified log collection configuration. |
log:CreateMachineGroup | Creates a machine group to apply log collection configurations. |
log:UpdateMachineGroup | Updates the information of a machine group. |
log:GetMachineGroup | Queries the information of a specified machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a log collection configuration to a machine group. |
log:GetAppliedMachineGroups | Queries the machines to which a log collection configuration is applied in a machine group. |
log:GetAppliedConfigs | Queries the configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes a configuration from a machine group. |
log:CreateIndex | Creates an index for a specified Logstore. |
log:GetIndex | Queries the index of a specified Logstore. |
log:UpdateIndex | Updates the index of a specified Logstore. |
log:DeleteIndex | Deletes the index of a specified Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a specified saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a specified dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a job. For example, create an alert or a subscription. |
log:GetJob | Queries a job. |
log:DeleteJob | Deletes a job. |
log:UpdateJob | Updates a job. |
log:PostLogStoreLogs | Adds logs to a specified Logstore. |
log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
log:GetSortedSubStore | Queries a sorted sub-Logstore. |
log:ListSortedSubStore | Lists sorted sub-Logstores. |
log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
log:CreateApp | Creates applications, such as Cost Manager and Log Audit Service. |
log:UpdateApp | Updates applications, such as Cost Manager and Log Audit Service. |
log:GetApp | Queries applications, such as Cost Manager and Log Audit Service. |
log:DeleteApp | Deletes applications, such as Cost Manager and Log Audit Service. |
cs:DescribeTemplates | Queries container templates. |
cs:DescribeTemplateAttribute | Queries the attributes of a container template. |
AliyunCSManagedCmsRole
The Cloud Monitor component of an ACK cluster uses AliyunCSManagedCmsRole to access resources of other cloud services.
Permission | Description |
---|---|
cms:DescribeMonitorGroups | Queries application groups. |
cms:DescribeMonitorGroupInstances | Queries the resources in a specified application group. |
cms:CreateMonitorGroup | Creates an application group. |
cms:DeleteMonitorGroup | Deletes a specified application group. |
cms:ModifyMonitorGroupInstances | Modifies the resources in an application group. |
cms:CreateMonitorGroupInstances | Adds resources to an application group. |
cms:DeleteMonitorGroupInstances | Deletes resources from an application group. |
cms:TaskConfigCreate | Creates a monitoring job configuration. |
cms:TaskConfigList | Lists monitoring job configurations. |
cms:DescribeMetricList | Queries the time series metrics of a cloud service in a specified period. |
cs:DescribeMonitorToken | Queries the token that is required to use the Cloud Monitor component. |
ahas:GetSentinelAppSumMetric | Queries the metrics that are monitored by the AHAS Sentinel application. |
log:GetLogStoreLogs | Queries logs in a Logstore. |
slb:DescribeMetricList | Queries the time series metrics of a cloud service in a specified period. |
sls:GetLogs | Queries logs in a Logstore of a specified project in Log Service. |
sls:PutLogs | Writes logs to a Logstore of a specified project in Log Service. |
AliyunCSManagedCsiRole
The volume plug-in of an ACK cluster uses AliyunCSManagedCsiRole to access resources of other cloud services.
- Permissions on ECS resources

Permission | Description |
---|---|
ecs:AttachDisk | Attaches a pay-as-you-go data disk or a system disk to an ECS instance. |
ecs:DetachDisk | Detaches a pay-as-you-go disk from an ECS instance. |
ecs:DescribeDisks | Queries one or more disks that you have created and local disks. |
ecs:CreateDisk | Creates a pay-as-you-go or subscription data disk. |
ecs:ResizeDisk | Expands a disk. You can expand a system disk or a data disk. |
ecs:CreateSnapshot | Creates a snapshot for a disk. |
ecs:DeleteSnapshot | Deletes a specified snapshot. If you call this operation to delete a snapshot that is being created, the snapshot creation task is canceled. |
ecs:CreateAutoSnapshotPolicy | Creates an automatic snapshot policy. |
ecs:ApplyAutoSnapshotPolicy | Attaches an automatic snapshot policy to one or more disks. |
ecs:CancelAutoSnapshotPolicy | Detaches an automatic snapshot policy from one or more disks. |
ecs:DeleteAutoSnapshotPolicy | Deletes an automatic snapshot policy. |
ecs:DescribeAutoSnapshotPolicyEX | Queries automatic snapshot policies that you have created. |
ecs:ModifyAutoSnapshotPolicyEx | Modifies an automatic snapshot policy. |
ecs:AddTags | Attaches tags to an ECS instance. |
ecs:DescribeTags | Queries tags of an ECS instance. |
ecs:DescribeSnapshots | Queries all the snapshots of an ECS instance or a disk. |
ecs:ListTagResources | Queries tags that are attached to one or more ECS instances. |
ecs:TagResources | Creates tags and attaches the tags to a specified group of ECS instances. |
ecs:UntagResources | Detaches tags from a specified group of ECS instances and deletes the tags. |
ecs:ModifyDiskSpec | Upgrades the performance level of an enhanced SSD. |
ecs:DeleteDisk | Releases a pay-as-you-go data disk. |
ecs:DescribeInstanceAttribute | Queries all attributes of an ECS instance. |
ecs:DescribeInstances | Queries the information of one or more ECS instances. |

- Permissions on NAS file systems

Permission | Description |
---|---|
nas:DescribeFileSystems | Queries the descriptions of file systems. |
nas:DescribeMountTargets | Queries the descriptions of mount targets. |
nas:AddTags | Attaches one or more tags to a file system or overwrites the tags. |
nas:DescribeTags | Queries existing tags. |
nas:RemoveTags | Detaches one or more tags from a file system. |
nas:CreateFileSystem | Creates a file system. |
nas:DeleteFileSystem | Deletes a file system. |
nas:ModifyFileSystem | Modifies the information of file systems. |
nas:CreateMountTarget | Creates a mount target. |
nas:DeleteMountTarget | Deletes a mount target. |
nas:ModifyMountTarget | Modifies the information of mount targets. |
AliyunCSManagedVKRole
The Virtual Kubelet component of an ACK cluster uses AliyunCSManagedVKRole to access resources of other cloud services.
- Permissions on VPC resources

Permission | Description |
---|---|
vpc:DescribeVSwitches | Queries existing vSwitches. |
vpc:DescribeVpcs | Queries existing VPCs. |
vpc:AssociateEipAddress | Binds an elastic IP address (EIP) to a cloud service instance in the same region. |
vpc:DescribeEipAddresses | Queries the EIPs that you create in a specified region. |
vpc:AllocateEipAddress | Applies for an EIP. |
vpc:ReleaseEipAddress | Releases a specified EIP. |

- Permissions on ECS resources

Permission | Description |
---|---|
ecs:DescribeSecurityGroups | Queries the basic information of the security groups that you create. |
ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |

- Permissions on Alibaba Cloud DNS PrivateZone resources

Permission | Description |
---|---|
pvtz:AddZone | Creates a private zone. |
pvtz:DeleteZone | Deletes a private zone. |
pvtz:DescribeZones | Queries private zones. |
pvtz:DescribeZoneInfo | Queries the information of a specified private zone. |
pvtz:BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC. |
pvtz:AddZoneRecord | Adds a DNS record to a private zone. |
pvtz:DeleteZoneRecord | Deletes a DNS record. |
pvtz:DeleteZoneRecordsByRR | Deletes DNS records. |
pvtz:DescribeZoneRecordsByRR | Queries DNS records. |
pvtz:DescribeZoneRecords | Queries DNS records. |

- Permissions on elastic container instances (ECIs)

Permission | Description |
---|---|
eci:CreateContainerGroup | Creates a pod. |
eci:DeleteContainerGroup | Deletes a pod. |
eci:DescribeContainerGroups | Queries the information of multiple pods. |
eci:DescribeContainerLog | Queries the logs of a pod. |
eci:UpdateContainerGroup | Updates a pod. |
eci:UpdateContainerGroupByTemplate | Updates an ECI by template. |
eci:CreateContainerGroupFromTemplate | Creates an ECI by template. |
eci:RestartContainerGroup | Restarts an ECI. |
eci:ExportContainerGroupTemplate | Exports an ECI template. |
eci:DescribeContainerGroupMetric | Queries the monitoring data of an ECI. |
eci:DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods. |
eci:ExecContainerCommand | Runs commands on a container. |
eci:CreateImageCache | Creates an image cache. |
eci:DescribeImageCaches | Queries the information of image caches. |
eci:DeleteImageCache | Deletes an image cache. |
AliyunCSClusterRole
When the applications are running, an ACK cluster uses AliyunCSClusterRole to access resources of other cloud services.
- Permissions on ECS resources

Permission | Description |
---|---|
ecs:Describe* | Queries ECS resources. |

- Permissions on OSS resources

Permission | Description |
---|---|
oss:PutObject | Uploads a file or a folder. |
oss:GetObject | Obtains a file or a folder. |
oss:ListObjects | Queries files. |

- Permissions on Cloud Monitor Service (CMS)

Permission | Description |
---|---|
cms:List* | Lists CMS resources. |
cms:Get* | Queries CMS resources. |
cms:UpdateAlert | Updates an alert. |
cms:CreateAlert | Creates an alert. |
cms:DeleteAlert | Deletes an alert. |
cms:UpdateDimensions | Updates monitoring metrics configurations. |
cms:CreateDimensions | Creates monitoring metrics configurations. |
cms:DeleteDimensions | Deletes monitoring metrics configurations. |
cms:SendAlarm | Sends a monitoring alert. |
cms:CreateProject | Creates a monitoring project. |
cms:DeleteProject | Deletes a monitoring project. |
cms:UpdateProject | Updates a monitoring project. |
cms:QueryAlarm | Queries a monitoring alert. |
cms:ListAlarm | Lists monitoring alerts. |
cms:CreateAlarm | Creates a monitoring alert. |
cms:DeleteAlarm | Deletes a monitoring alert. |
cms:UpdateAlarm | Updates a monitoring alert. |

- Permissions on Server Load Balancer (SLB) resources

Permission | Description |
---|---|
slb:Describe* | Queries the information about an SLB instance. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:RemoveBackendServers | Unbinds backend servers from an SLB instance. |
slb:StartLoadBalancerListener | Starts a specified listener. |
slb:StopLoadBalancerListener | Stops a specified listener. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:AddBackendServers* | Adds backend servers to an SLB instance. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:CreateVServerGroup | Creates a VServer group and adds backend servers to the VServer group. |
slb:ModifyVServerGroupBackendServers | Modifies backend servers in a VServer group. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:SetBackendServers | Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances. |
slb:AddTags | Attaches tags to an SLB instance. |

- Permissions on Log Service resources

Permission | Description |
---|---|
log:Get* | Queries Log Service resources. |
log:List* | Lists Log Service resources. |
log:CreateProject | Creates a project. |
log:DeleteProject | Deletes a specified project. |
log:UpdateProject | Updates a project. |
log:CreateMachineGroup | Creates a machine group to apply log collection configurations. |
log:DeleteMachineGroup | Deletes a machine group. |
log:UpdateMachineGroup | Updates the information of a machine group. |
log:CreateLogStore | Creates a Logstore in a project. |
log:DeleteLogStore | Deletes a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:CreateIndex | Creates an index for a specified Logstore. |
log:DeleteIndex | Deletes the index of a specified Logstore. |
log:UpdateIndex | Updates the index of a specified Logstore. |
log:CreateConfig | Creates a log collection configuration. |
log:DeleteConfig | Deletes a specified log collection configuration. |
log:UpdateConfig | Updates a log collection configuration. |
log:ApplyConfigToGroup | Applies a log collection configuration to a machine group. |
AliyunCSServerlessKubernetesRole
By default, a serverless Kubernetes cluster uses AliyunCSServerlessKubernetesRole to access resources of other cloud services.
- Permissions on VPC resources

Permission | Description |
---|---|
DescribeVSwitches | Queries existing vSwitches. |
DescribeVpcs | Queries existing VPCs. |
AssociateEipAddress | Binds an EIP to a cloud service instance in the same region. |
DescribeEipAddresses | Queries the EIPs that you create in a specified region. |
AllocateEipAddress | Applies for an EIP. |
ReleaseEipAddress | Releases a specified EIP. |
AddCommonBandwidthPackageIp | Binds an EIP to an EIP bandwidth plan. |
RemoveCommonBandwidthPackageIp | Unbinds an EIP from an EIP bandwidth plan. |

- Permissions on ECS resources

Permission | Description |
---|---|
DescribeSecurityGroups | Queries the basic information of the security groups that you create. |
CreateNetworkInterface | Creates an ENI. |
CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
DescribeNetworkInterfaces | Queries ENIs. |
AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
DetachNetworkInterface | Detaches an ENI from an ECS instance. |
DeleteNetworkInterface | Deletes an ENI. |
DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |

- Permissions on SLB resources

Permission | Description |
---|---|
slb:Describe* | Queries SLB resources. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:StopLoadBalancerListener | Stops a listener. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:AddBackendServers* | Adds backend servers to an SLB instance. |
slb:UploadServerCertificate | Uploads a server certificate. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
slb:CreateRules | Adds forwarding rules to a specified HTTP or HTTPS listener. |
slb:DeleteRules | Deletes forwarding rules. |
slb:SetRule | Modifies a forwarding rule of a VServer group. |
slb:CreateVServerGroup | Adds backend servers to a VServer group. |
slb:SetVServerGroupAttribute | Modifies the configurations of a VServer group. |
slb:AddVServerGroupBackendServers | Adds backend servers to a VServer group. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a specified VServer group. |
slb:ModifyVServerGroupBackendServers | Changes the backend servers of a VServer group. |
slb:DeleteVServerGroup | Deletes a VServer group. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
slb:AddTags | Adds tags to a specified SLB instance. |

- Permissions on Alibaba Cloud DNS PrivateZone

Permission | Description |
---|---|
AddZone | Creates a private zone. |
DeleteZone | Deletes a private zone. |
DescribeZones | Queries private zones. |
DescribeZoneInfo | Queries the information of a specified private zone. |
BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC. |
AddZoneRecord | Adds a DNS record to a private zone. |
DeleteZoneRecord | Deletes a DNS record. |
DeleteZoneRecordsByRR | Deletes DNS records. |
DescribeZoneRecordsByRR | Queries DNS records. |
DescribeZoneRecords | Queries DNS records. |

- Permissions on Container Registry (ACR) resources

Permission | Description |
---|---|
Get* | Queries ACR resources. |
List* | Queries image repositories. |
PullRepository | Pulls an image. |

- Permissions on ECIs

Permission | Description |
---|---|
CreateContainerGroup | Creates a pod. |
DeleteContainerGroup | Deletes a pod. |
DescribeContainerGroups | Queries the information of multiple pods. |
DescribeContainerLog | Queries the logs of a pod. |
UpdateContainerGroup | Updates a pod. |
UpdateContainerGroupByTemplate | Updates an ECI by template. |
CreateContainerGroupFromTemplate | Creates an ECI by template. |
RestartContainerGroup | Restarts an ECI. |
ExportContainerGroupTemplate | Exports an ECI template. |
DescribeContainerGroupMetric | Queries the monitoring data of an ECI. |
DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods. |
ExecContainerCommand | Runs commands on a container. |
CreateImageCache | Creates an image cache. |
DescribeImageCaches | Queries the information of image caches. |
DeleteImageCache | Deletes an image cache. |

- Permissions on RAM resources

Permission | Description |
---|---|
ram:PassRole | Visits the Alibaba Cloud CodePipeline console. |

- Permissions on OSS resources

Permission | Description |
---|---|
oss:GetObject | Obtains a file or a folder. |
oss:GetObjectMeta | Queries the metadata information of an object. |

- Permissions on Function Compute

Permission | Description |
---|---|
fc:CreateService | Creates a service. |
fc:ListServices | Queries services. |
fc:GetService | Queries a specified service. |
fc:UpdateService | Updates a specified service. |
fc:DeleteService | Deletes a specified service. |
fc:CreateFunction | Creates a function. |
fc:ListFunctions | Queries the functions of a service. |
fc:GetFunction | Queries the configurations of a specified function. |
fc:GetFunctionCode | Queries the code of a function. |
fc:UpdateFunction | Updates a function, including its configurations and code. |
fc:DeleteFunction | Deletes a specified function. |
fc:CreateTrigger | Creates a function trigger. |
fc:ListTriggers | Queries the triggers of a function. |
fc:GetTrigger | Queries a specified trigger. |
fc:UpdateTrigger | Updates the configurations of a specified trigger. |
fc:DeleteTrigger | Deletes the triggers of a specified function. |
fc:PublishServiceVersion | Releases a Function Compute version. |
fc:ListServiceVersions | Lists Function Compute versions. |
fc:DeleteServiceVersion | Deletes a Function Compute version. |
fc:CreateAlias | Creates an alias and binds it to a customer master key (CMK). |
fc:ListAliases | Lists all aliases of the current Alibaba Cloud account in the current region. |
fc:GetAlias | Queries the information about an alias. |
fc:UpdateAlias | Binds an alias to a different CMK. |
fc:DeleteAlias | Deletes an alias. |
AliyunCSKubernetesAuditRole
The auditing feature of ACK uses AliyunCSKubernetesAuditRole to access resources of other cloud services.
Permission | Description |
---|---|
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by name. |
log:DeleteProject | Deletes a specified project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a log collection configuration. |
log:UpdateConfig | Updates a log collection configuration. |
log:GetConfig | Queries the details of a log collection configuration. |
log:DeleteConfig | Deletes a specified log collection configuration. |
log:CreateMachineGroup | Creates a machine group to apply log collection configurations. |
log:UpdateMachineGroup | Updates the information of a machine group. |
log:GetMachineGroup | Queries the information of a specified machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a log collection configuration to a machine group. |
log:GetAppliedMachineGroups | Queries the machines to which a log collection configuration is applied in a machine group. |
log:GetAppliedConfigs | Queries the configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes a configuration from a machine group. |
log:CreateIndex | Creates an index for a specified Logstore. |
log:GetIndex | Queries the index of a specified Logstore. |
log:UpdateIndex | Updates the index of a specified Logstore. |
log:DeleteIndex | Deletes the index of a specified Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a specified saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a specified dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a job. For example, create an alert or a subscription. |
log:GetJob | Queries a job. |
log:DeleteJob | Deletes a job. |
log:UpdateJob | Updates a job. |
log:PostLogStoreLogs | Adds logs to a specified Logstore. |
AliyunCSManagedNetworkRole
The network component of an ACK cluster uses AliyunCSManagedNetworkRole to access resources of other cloud services.
Permission | Description |
---|---|
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DescribeInstanceAttribute | Queries the information of one or more ECS instances. |
ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
ecs:UnassignPrivateIpAddresses | Unbinds one or more secondary private IP addresses from an ENI. |
ecs:DescribeInstances | Queries the information of one or more ECS instances. |
vpc:DescribeVSwitches | Queries the information of one or more vSwitches. |
AliyunCSDefaultRole
By default, AliyunCSDefaultRole is used to access resources of other cloud services when you perform operations on ACK clusters.
- Permissions on ECS resources

Permission | Description |
---|---|
ecs:RunInstances | Starts an ECS instance. |
ecs:RenewInstance | Renews an ECS instance. |
ecs:Create* | Creates ECS resources, such as ECS instances and disks. |
ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
ecs:AllocateEipAddress | Assigns an EIP to an ECS instance. |
ecs:Delete* | Deletes ECS resources, such as ECS instances. |
ecs:StartInstance | Starts an ECS instance. |
ecs:StopInstance | Stops an ECS instance. |
ecs:RebootInstance | Restarts an ECS instance. |
ecs:Describe* | Queries ECS resources. |
ecs:AuthorizeSecurityGroup | Sets inbound rules for a security group. |
ecs:RevokeSecurityGroup | Deletes an inbound rule of a security group. This revokes inbound permissions of the security group. |
ecs:AuthorizeSecurityGroupEgress | Sets outbound rules for a security group. |
ecs:AttachDisk | Attaches a disk to an ECS instance. |
ecs:DetachDisk | Detaches a disk from an ECS instance. |
ecs:WaitFor* | Waits for the execution of a task. |
ecs:AddTags | Adds tags to an ECS instance. |
ecs:ReplaceSystemDisk | Replaces the system disk of an ECS instance. |
ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
ecs:JoinSecurityGroup | Adds an ECS instance to a security group. |
ecs:LeaveSecurityGroup | Removes an ECS instance from a security group. |
ecs:UnassociateEipAddress | Detaches an EIP from an ECS instance. |
ecs:ReleaseEipAddress | Releases an EIP. |
ecs:CreateKeyPair | Creates an SSH key pair. |
ecs:ImportKeyPair | Imports the public key of an RSA key pair that is created by using a third-party tool. |
ecs:AttachKeyPair | Attaches an SSH key pair to one or more Linux-based ECS instances. |
ecs:DetachKeyPair | Detaches an SSH key pair from one or more Linux-based ECS instances. |
ecs:DeleteKeyPairs | Deletes one or more SSH key pairs. |
ecs:AttachInstanceRamRole | Attaches a RAM role to one or more ECS instances. |
ecs:DetachInstanceRamRole | Detaches a RAM role from one or more ECS instances. |
ecs:AllocateDedicatedHosts | Creates one or more pay-as-you-go or subscription dedicated hosts. |
ecs:CreateOrder | Creates an order to purchase ECS instances. |
ecs:DeleteInstance | Releases a pay-as-you-go instance or an expired subscription instance. |
ecs:CreateDisk | Creates a pay-as-you-go or subscription data disk. |
ecs:Createvpc | Creates a VPC for an ECS instance. |
ecs:Deletevpc | Deletes the VPC that is connected to an ECS instance. |
ecs:DeleteVSwitch | Deletes the vSwitch that is connected to an ECS instance. |
ecs:ResetDisk | Rolls back a disk to a specified state by using a disk snapshot. |
ecs:DeleteSnapshot | Deletes a specified snapshot. |
ecs:CreateVSwitch | Creates a vSwitch for an ECS instance. |
ecs:DeleteSecurityGroup | Deletes a security group. |
ecs:CreateImage | Creates a custom image. |
ecs:RemoveTags | Deletes tags from an ECS instance. |
ecs:ReleaseDedicatedHost | Releases a pay-as-you-go dedicated host. |
ecs:CreateInstance | Creates a subscription or pay-as-you-go ECS instance. |
ecs:RevokeSecurityGroupEgress | Deletes an outbound rule of a security group. This revokes outbound permissions of the security group. |
ecs:DeleteDisk | Releases a pay-as-you-go data disk. |
ecs:CreateSecurityGroup | Creates a security group. |
ecs:DeleteImage | Deletes a custom image. |
ecs:ModifyInstanceSpec | Modifies the instance type of ECS instances or public bandwidth of a pay-as-you-go ECS instance. |
ecs:CreateSnapshot | Creates a snapshot for a disk. |
ecs:CreateCommand | Creates a Cloud Assistant command. |
ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
ecs:StopInvocation | Stops the process of a running Cloud Assistant command on one or more ECS instances. |
ecs:DeleteCommand | Deletes a Cloud Assistant command. |
ecs:RunCommand | Creates a Cloud Assistant command of the shell, PowerShell, or batch type, and runs the command on one or more ECS instances. |
ecs:DescribeInvocationResults | Queries the result of running a Cloud Assistant command on a specified ECS instance. |
ecs:ModifyCommand | Modifies a Cloud Assistant command. |

- Permissions on VPC resources

Permission | Description |
---|---|
vpc:Describe* | Queries VPC resources. |
vpc:AllocateEipAddress | Assigns an EIP to an ECS instance. |
vpc:AssociateEipAddress | Binds an EIP to an ECS instance. |
vpc:UnassociateEipAddress | Unbinds an EIP from an ECS instance. |
vpc:ReleaseEipAddress | Releases an EIP. |
vpc:CreateRouteEntry | Creates a route entry. |
vpc:DeleteRouteEntry | Deletes a route entry. |
vpc:CreateVSwitch | Creates a vSwitch. |
vpc:DeleteVSwitch | Deletes a vSwitch. |
vpc:CreateVpc | Creates a VPC. |
vpc:DeleteVpc | Deletes a VPC. |
vpc:CreateNatGateway | Creates a network address translation (NAT) gateway. |
vpc:DeleteNatGateway | Deletes a specified NAT gateway. |
vpc:CreateSnatEntry | Adds a source network address translation (SNAT) entry to a specified SNAT table. |
vpc:DeleteSnatEntry | Deletes an SNAT entry from a specified SNAT table. |
vpc:ModifyEipAddressAttribute | Modifies the name, description, and peak bandwidth of a specified EIP. |
vpc:CreateForwardEntry | Adds a destination network address translation (DNAT) entry to a specified DNAT table. |
vpc:CreateBandwidthPackage | Creates a NAT service plan. |
vpc:DeleteBandwidthPackage | Deletes a NAT service plan. |
vpc:DeleteForwardEntry | Deletes a DNAT entry from a specified DNAT table. |
vpc:TagResources | Creates tags and attaches them to a specified resource. |
vpc:DeletionProtection | Enables or disables deletion protection for an instance. |

- Permissions on SLB resources

Permission | Description |
---|---|
slb:Describe* | Queries the information about an SLB instance. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:RemoveBackendServers | Unbinds backend servers from an SLB instance. |
slb:StartLoadBalancerListener | Starts a specified listener. |
slb:StopLoadBalancerListener | Stops a specified listener. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:AddBackendServers | Adds backend servers to an SLB instance. |
slb:CreateVServerGroup | Creates a VServer group and adds backend servers to the VServer group. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
slb:SetBackendServers | Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances. |
slb:AddVServerGroupBackendServers | Adds backend servers to a VServer group. |
slb:DeleteVServerGroup | Deletes a VServer group. |
slb:ModifyVServerGroupBackendServers | Changes the backend servers of a VServer group. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a specified VServer group. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:AddTags | Adds tags to a specified SLB instance. |
slb:RemoveTags | Removes tags from a specified SLB instance. |
slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |

- Permissions on Domain Name System (DNS) resources

Permission | Description |
---|---|
dns:Describe* | Queries DNS resources. |
dns:AddDomainRecord | Adds a DNS record. |

- Permissions on RDS resources

Permission | Description |
---|---|
rds:Describe* | Queries RDS resources. |
rds:ModifySecurityIps | Modifies the IP address whitelist of an RDS instance. |

- Permissions on Resource Orchestration Service (ROS)

Permission | Description |
---|---|
ros:Describe* | Queries ROS resources. |
ros:WaitConditions | Waits for the execution of an ROS script. |
ros:AbandonStack | Stops a stack. |
ros:DeleteStack | Deletes a stack. |
ros:CreateStack | Creates a stack. |
ros:UpdateStack | Updates a stack. |
ros:ValidateTemplate | Validates an ROS template. |
ros:DoActions | Performs actions. |
ros:InquiryStack | Queries a stack. |
ros:SetDeletionProtection | Enables or disables deletion protection. |
ros:PreviewStack | Previews a stack. |

- Permissions on Auto Scaling (ESS)

Permission | Description |
---|---|
ess:Describe* | Queries ESS resources. |
ess:CreateScalingConfiguration | Creates a scaling configuration. |
ess:EnableScalingGroup | Enables a scaling group. |
ess:ExitStandby | Switches the status of a standby ECS instance in a scaling group to running. |
ess:DetachDBInstances | Removes one or more RDS instances from a scaling group. |
ess:DetachLoadBalancers | Removes one or more SLB instances from a scaling group. |
ess:AttachInstances | Adds one or more ECS instances to a scaling group. |
ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
ess:AttachLoadBalancers | Adds one or more SLB instances to a scaling group. |
ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
ess:ModifyScalingRule | Modifies a scaling group rule. |
ess:RemoveInstances | Removes ECS instances from a specified scaling group. |
ess:ModifyScalingGroup | Modifies a scaling group. |
ess:AttachDBInstances | Adds one or more RDS instances to a scaling group. |
ess:CreateScalingRule | Creates a scaling rule. |
ess:DeleteScalingRule | Deletes a scaling rule. |
ess:ExecuteScalingRule | Runs a scaling rule. |
ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
ess:ModifyNotificationConfiguration | Modifies a notification configuration for auto scaling events and resource changes. |
ess:CreateNotificationConfiguration | Creates a notification configuration for auto scaling events and resource changes. |
ess:EnterStandby | Switches the status of an ECS instance in the scaling group to standby. |
ess:DeleteScalingGroup | Deletes a scaling group. |
ess:CreateScalingGroup | Creates a scaling group. |
ess:DeleteNotificationConfiguration | Deletes a notification configuration for auto scaling events and resource changes. |
ess:DisableScalingGroup | Disables a scaling group. |
ModifyScalingConfiguration | Modifies a scaling configuration. |
SetGroupDeletionProtection | Enables or disables deletion protection for a scaling group. |

- Permissions on RAM resources

Permission | Description |
---|---|
ram:PassRole | Authorizes a RAM user to use other cloud services. |
ram:Get* | Queries RAM resources. |
ram:List* | Lists RAM resources. |
ram:DetachPolicyFromRole | Revokes a specified permission from a role. |
ram:AttachPolicyToRole | Grants a permission to a specified role. |
ram:DeletePolicy | Deletes a specified permission policy. |
ram:DeletePolicyVersion | Deletes a policy of a specified version. |
ram:DeleteRole | Deletes a RAM role. |
ram:CreateRole | Creates a RAM role. |
ram:CreatePolicy | Creates a RAM policy. |
ram:CreateServiceLinkedRole | Creates a service-linked role. |

- Permissions on CMS resources

Permission | Description |
---|---|
cms:CreateMyGroups | Creates private application groups. |
cms:AddMyGroupInstances | Adds resources to a private application group. |
cms:DeleteMyGroupInstances | Deletes resources from a private application group. |
cms:DeleteMyGroups | Deletes private application groups. |
cms:GetMyGroups | Queries private application groups. |
cms:ListMyGroups | Lists private application groups. |
cms:UpdateMyGroupInstances | Updates resources in a private application group. |
cms:UpdateMyGroups | Updates private application groups. |
cms:TaskConfigCreate | Creates a monitoring job configuration. |
cms:TaskConfigList | Lists monitoring job configurations. |

- Permissions on ESS resources

Permission | Description |
---|---|
ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
ess:DeleteLifecycleHook | Deletes a lifecycle hook. |

- Permissions on Edge Node Service (ENS) resources

Permission | Description |
---|---|
ens:Describe* | Queries ENS resources. |
ens:CreateInstance | Creates an ENS instance. |
ens:StartInstance | Starts an ENS instance. |
ens:StopInstance | Stops an ENS instance. |
ens:ReleasePrePaidInstance | Releases a subscription instance. |
AliyunCSManagedKubernetesRole
A managed Kubernetes cluster uses AliyunCSManagedKubernetesRole to access resources of other cloud services.
- Permissions on ECS resources
Permission | Description |
---|---|
ecs:Describe* | Queries ECS resources. |
ecs:CreateRouteEntry | Creates a route entry. |
ecs:DeleteRouteEntry | Deletes a route entry. |
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |
ecs:ModifyInstanceAttribute | Modifies the attributes of an instance. |
ecs:AttachKeyPair | Attaches an SSH key pair to one or more Linux-based ECS instances. |
ecs:StopInstance | Stops an instance. |
ecs:StartInstance | Starts an instance. |
ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. |
- Permissions on SLB resources
Permission | Description |
---|---|
slb:Describe* | Queries SLB resources. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
slb:AddBackendServers | Adds backend servers to an SLB instance. |
slb:RemoveTags | Removes tags from a specified SLB instance. |
slb:AddTags | Adds tags to a specified SLB instance. |
slb:StopLoadBalancerListener | Stops a listener. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
slb:SetLoadBalancerUDPListenerAttribute | Modifies the configuration of a UDP listener. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:CreateVServerGroup | Adds backend servers to a VServer group. |
slb:DescribeVServerGroups | Queries VServer groups. |
slb:DeleteVServerGroup | Deletes a VServer group. |
slb:SetVServerGroupAttribute | Modifies the configurations of a VServer group. |
slb:DescribeVServerGroupAttribute | Queries the information about a VServer group. |
slb:ModifyVServerGroupBackendServers | Changes the backend servers of a VServer group. |
slb:AddVServerGroupBackendServers | Adds backend servers to a VServer group. |
slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a specified VServer group. |
- Permissions on VPC resources
Permission | Description |
---|---|
vpc:Describe* | Queries VPC resources. |
vpc:DeleteRouteEntry | Deletes a custom route entry. |
vpc:CreateRouteEntry | Creates a custom route entry. |
- Permissions on ACR resources
Permission | Description |
---|---|
cr:Get* | Queries ACR resources. |
cr:List* | Queries image repositories. |
cr:PullRepository | Pulls an image. |
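The tables above are the reference for what AliyunCSManagedKubernetesRole is expected to be able to do, so a practical check is to compare the policy actually attached to the role against them and flag anything broader. The script below is an added example, not Alibaba Cloud's or ACK's own code: the documented action list is transcribed from the ECS, SLB, VPC and ACR tables above, the policy document is a constructed sample (a real one would be exported from the RAM console or API), and the wildcard handling follows the `prefix*` form the tables use.

```python
"""Audit a RAM policy document against the documented action list for
AliyunCSManagedKubernetesRole (ECS / SLB / VPC / ACR tables above).
Added example; DOCUMENTED_ACTIONS is transcribed from the page's tables."""
import json
from fnmatch import fnmatchcase

DOCUMENTED_ACTIONS = {
    # ECS
    "ecs:Describe*", "ecs:CreateRouteEntry", "ecs:DeleteRouteEntry",
    "ecs:CreateNetworkInterface", "ecs:DeleteNetworkInterface",
    "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
    "ecs:ModifyInstanceAttribute", "ecs:AttachKeyPair", "ecs:StopInstance",
    "ecs:StartInstance", "ecs:ReplaceSystemDisk",
    # SLB
    "slb:Describe*", "slb:CreateLoadBalancer", "slb:DeleteLoadBalancer",
    "slb:ModifyLoadBalancerInternetSpec", "slb:RemoveBackendServers",
    "slb:AddBackendServers", "slb:RemoveTags", "slb:AddTags",
    "slb:StopLoadBalancerListener", "slb:StartLoadBalancerListener",
    "slb:SetLoadBalancerHTTPListenerAttribute", "slb:SetLoadBalancerHTTPSListenerAttribute",
    "slb:SetLoadBalancerTCPListenerAttribute", "slb:SetLoadBalancerUDPListenerAttribute",
    "slb:CreateLoadBalancerHTTPSListener", "slb:CreateLoadBalancerHTTPListener",
    "slb:CreateLoadBalancerTCPListener", "slb:CreateLoadBalancerUDPListener",
    "slb:DeleteLoadBalancerListener", "slb:CreateVServerGroup", "slb:DescribeVServerGroups",
    "slb:DeleteVServerGroup", "slb:SetVServerGroupAttribute", "slb:DescribeVServerGroupAttribute",
    "slb:ModifyVServerGroupBackendServers", "slb:AddVServerGroupBackendServers",
    "slb:ModifyLoadBalancerInstanceSpec", "slb:RemoveVServerGroupBackendServers",
    # VPC
    "vpc:Describe*", "vpc:DeleteRouteEntry", "vpc:CreateRouteEntry",
    # ACR
    "cr:Get*", "cr:List*", "cr:PullRepository",
}


def is_covered(action, documented=DOCUMENTED_ACTIONS):
    """True if `action` falls inside some documented pattern.
    The '*' in a documented pattern is a wildcard, so 'ecs:DescribeInstances'
    is covered by 'ecs:Describe*'. A wildcard in the policy action itself
    (e.g. 'ecs:*') only passes when an equally broad pattern is documented."""
    return any(fnmatchcase(action, pattern) for pattern in documented)


def allowed_actions(policy_document):
    """Flatten the Action field of every Allow statement in a RAM policy.
    Accepts either the JSON text or the already-parsed dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    actions = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the role
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def audit_policy(policy_document, documented=DOCUMENTED_ACTIONS):
    """Return the sorted list of allowed actions not covered by `documented`;
    an empty list means the policy stays within the documented set."""
    return sorted({a for a in allowed_actions(policy_document) if not is_covered(a, documented)})


# Constructed sample: a policy that has drifted beyond the documented set.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeInstances", "slb:CreateLoadBalancer", "cr:PullRepository"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:RunInstances", "ecs:*", "ram:PassRole"]},
        {"Effect": "Deny", "Resource": "*", "Action": "oss:DeleteBucket"},
    ],
})

if __name__ == "__main__":
    for action in audit_policy(SAMPLE_POLICY):
        print("not in the documented set for AliyunCSManagedKubernetesRole:", action)
```

Running it on the sample reports `ecs:*`, `ecs:RunInstances` and `ram:PassRole`: the first two are broader than the documented ECS actions, and `ram:PassRole` belongs to a different role's table. The same function can be pointed at the other roles by passing their table as `documented`.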
AliyunCSManagedArmsRole
The application real-time monitoring agent of an ACK cluster uses AliyunCSManagedArmsRole to access resources of other cloud services.
Permission | Description |
---|---|
arms:CreateApp | Creates an application monitoring job. |
arms:DeleteApp | Deletes an application monitoring job. |
arms:ConfigAgentLabel | Modifies the tags of the application monitoring agent. |
arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring. |
arms:CreateProm | Creates a monitoring job based on Alibaba Cloud Prometheus Monitoring. |
arms:SearchEvents | Queries alert events. |
arms:SearchAlarmHistories | Queries the records of sending alerts. |
arms:SearchAlertRules | Queries monitoring alert rules. |
arms:GetAlertRules | Obtains monitoring alert rules. |
arms:CreateAlertRules | Creates monitoring alert rules. |
arms:UpdateAlertRules | Updates monitoring alert rules. |
arms:StartAlertRule | Enables a monitoring alert rule. |
arms:StopAlertRule | Disables a monitoring alert rule. |
arms:CreateContact | Creates an alert contact. |
arms:SearchContact | Queries an alert contact. |
arms:UpdateContact | Updates an alert contact. |
arms:CreateContactGroup | Creates an alert contact group. |
arms:SearchContactGroup | Queries an alert contact group. |
arms:UpdateContactGroup | Updates an alert contact group. |