When you activate Container Service for Kubernetes (ACK), you must grant the ACK default roles to the ACK service account. ACK then assumes these roles to call other cloud services, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS, and Server Load Balancer (SLB), when it creates clusters and saves cluster logs. This topic describes the permissions that the ACK default roles grant. Because these roles are assumed by the ACK service and its components rather than by your users, review both the permission policy attached to each role and the trust policy that decides who may assume it.

Role permissions

The following table describes the ACK default roles.

| Role | Description |
| --- | --- |
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, VPC, SLB, Auto Scaling, and Resource Orchestration Service (ROS). |
| AliyunCSManagedKubernetesRole | By default, an ACK managed cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Container Registry. |
| AliyunCSServerlessKubernetesRole | By default, a serverless Kubernetes (ASK) cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. |
| AliyunCSKubernetesAuditRole | The auditing feature of ACK managed clusters and ASK clusters assumes this role to access your resources in Log Service. |
| AliyunCSManagedNetworkRole | The network plug-in of ACK managed clusters and ASK clusters assumes this role to access your resources in ECS and VPC. |
| AliyunCSManagedCsiRole | The volume plug-in of ACK managed clusters and ASK clusters assumes this role to access your resources in ECS and NAS. |
| AliyunCSManagedCmsRole | The monitoring component of ACK managed clusters and ASK clusters assumes this role to access your resources in CloudMonitor and Log Service. |
| AliyunCSManagedLogRole | The Log Service component of ACK managed clusters and ASK clusters assumes this role to access your resources in Log Service. |
| AliyunCSManagedVKRole | The Virtual Node component of ASK clusters assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, and Elastic Container Instance. |
| AliyunCSManagedArmsRole | The application monitoring component of ACK managed clusters and ASK clusters assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS). |
| AliyunCSManagedAcrRole | The aliyun-acr-credential-helper component of ACK managed clusters and ASK clusters assumes this role to pull images from Container Registry. |
| AliyunCSManagedNlcRole | The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools. |
| AliyunCSManagedAutoScalerRole | The auto scaling component of ACK managed clusters and ASK clusters assumes this role to access your resources in Auto Scaling and ECS. |
| AliyunCSManagedSecurityRole | The Secret encryption component of ACK managed clusters and ASK clusters assumes this role to access your resources in Key Management Service (KMS). |
| AliyunCSManagedCostRole | The cost analysis component of ACK managed clusters and ASK clusters assumes this role to access resources in the Billing Management (BSS) API, ECS, and Elastic Container Instance. |
| AliyunCSManagedNimitzRole | The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun. |
| AliyunCSManagedBackupRestoreRole | The backup center component of ACK managed clusters assumes this role to access resources in Hybrid Backup Recovery (HBR) and OSS. |
| AliyunCSManagedEdgeRole | The control plane components of ACK edge clusters assume this role to access resources in Smart Access Gateway (SAG), Virtual Private Cloud (VPC), and Cloud Enterprise Network (CEN). |

AliyunCSDefaultRole

By default, ACK assumes AliyunCSDefaultRole to access resources of other cloud services when you perform operations on ACK clusters.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:RunInstances | Creates and starts one or more ECS instances. |
| ecs:RenewInstance | Renews a subscription ECS instance. |
| ecs:Create* | Creates ECS resources, such as instances and disks. |
| ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
| ecs:AllocateEipAddress | Assigns an elastic IP address (EIP). |
| ecs:Delete* | Deletes ECS resources, such as instances and disks. |
| ecs:StartInstance | Starts an ECS instance. |
| ecs:StopInstance | Stops an ECS instance. |
| ecs:RebootInstance | Restarts an ECS instance. |
| ecs:Describe* | Queries ECS resources. |
| ecs:AuthorizeSecurityGroup | Adds inbound rules to a security group. |
| ecs:RevokeSecurityGroup | Deletes inbound rules from a security group. After a rule is deleted, the access control that it implemented is removed. |
| ecs:AuthorizeSecurityGroupEgress | Adds outbound rules to a security group. |
| ecs:AttachDisk | Attaches a disk to an ECS instance. |
| ecs:DetachDisk | Detaches a disk from an ECS instance. |
| ecs:WaitFor* | Waits for a task to complete. |
| ecs:AddTags | Adds tags to ECS resources. |
| ecs:ReplaceSystemDisk | Replaces the system disk of an ECS instance. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:JoinSecurityGroup | Adds an ECS instance to a security group. |
| ecs:LeaveSecurityGroup | Removes an ECS instance from a security group. |
| ecs:UnassociateEipAddress | Disassociates an EIP from an ECS instance. |
| ecs:ReleaseEipAddress | Releases an EIP. |
| ecs:CreateKeyPair | Creates an SSH key pair. |
| ecs:ImportKeyPair | Imports the public key of an RSA key pair that was generated by a third-party tool. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
| ecs:DetachKeyPair | Unbinds an SSH key pair from one or more Linux instances. |
| ecs:DeleteKeyPairs | Deletes one or more SSH key pairs. |
| ecs:AttachInstanceRamRole | Attaches a RAM role to one or more ECS instances. |
| ecs:DetachInstanceRamRole | Detaches a RAM role from one or more ECS instances. |
| ecs:AllocateDedicatedHosts | Creates one or more pay-as-you-go or subscription dedicated hosts. |
| ecs:CreateOrder | Creates an order to purchase ECS instances. |
| ecs:DeleteInstance | Releases a pay-as-you-go ECS instance or an expired subscription ECS instance. |
| ecs:CreateDisk | Creates one or more pay-as-you-go or subscription data disks. |
| ecs:Createvpc | Creates a VPC. |
| ecs:Deletevpc | Deletes a VPC. |
| ecs:DeleteVSwitch | Deletes a vSwitch. |
| ecs:ResetDisk | Rolls a disk back to a point in time by using a snapshot of the disk. |
| ecs:DeleteSnapshot | Deletes a specified snapshot. |
| ecs:CreateVSwitch | Creates a vSwitch. |
| ecs:DeleteSecurityGroup | Deletes a security group. |
| ecs:CreateImage | Creates a custom image. |
| ecs:RemoveTags | Removes tags from ECS resources. |
| ecs:ReleaseDedicatedHost | Releases a pay-as-you-go dedicated host. |
| ecs:CreateInstance | Creates a subscription or pay-as-you-go ECS instance. |
| ecs:RevokeSecurityGroupEgress | Deletes outbound rules from a security group. After a rule is deleted, the access control that it implemented is removed. |
| ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:DeleteImage | Deletes a custom image. |
| ecs:ModifyInstanceSpec | Modifies the instance type of an ECS instance or the public bandwidth of a pay-as-you-go ECS instance. |
| ecs:CreateSnapshot | Creates a snapshot of a cloud disk. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Runs an existing Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops a running Cloud Assistant command on one or more ECS instances. |
| ecs:DeleteCommand | Deletes a Cloud Assistant command. |
| ecs:RunCommand | Creates a Cloud Assistant command of the shell, PowerShell, or batch type and runs it on one or more ECS instances. |
| ecs:DescribeInvocationResults | Queries the result of a Cloud Assistant command that was run on a specified ECS instance. |
| ecs:ModifyCommand | Modifies a Cloud Assistant command. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:Describe* | Queries VPC resources. |
| vpc:AllocateEipAddress | Assigns an EIP. |
| vpc:AssociateEipAddress | Associates an EIP with an ECS instance. |
| vpc:UnassociateEipAddress | Disassociates an EIP from an ECS instance. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:CreateRouteEntry | Creates a route entry. |
| vpc:DeleteRouteEntry | Deletes a route entry. |
| vpc:CreateVSwitch | Creates a vSwitch. |
| vpc:DeleteVSwitch | Deletes a vSwitch. |
| vpc:CreateVpc | Creates a VPC. |
| vpc:DeleteVpc | Deletes a VPC. |
| vpc:CreateNatGateway | Creates a NAT gateway. |
| vpc:DeleteNatGateway | Deletes a specified NAT gateway. |
| vpc:CreateSnatEntry | Adds an SNAT entry to an SNAT table. |
| vpc:DeleteSnatEntry | Deletes a specified SNAT entry. |
| vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of a specified EIP. |
| vpc:CreateForwardEntry | Adds a DNAT entry to a DNAT table. |
| vpc:DeleteBandwidthPackage | Deletes a specified NAT service plan. |
| vpc:CreateBandwidthPackage | Creates a NAT service plan. |
| vpc:DeleteForwardEntry | Deletes a specified DNAT entry. |
| vpc:TagResources | Creates and adds tags to resources. |
| vpc:DeletionProtection | Enables or disables deletion protection for an instance. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries the information about SLB instances. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:StartLoadBalancerListener | Starts a specified listener. |
| slb:StopLoadBalancerListener | Stops a specified listener. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to it. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:SetBackendServers | Configures the backend servers (ECS instances) of an SLB instance and sets their weights. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:AddTags | Adds tags to a specified SLB instance. |
| slb:RemoveTags | Removes tags from a specified SLB instance. |
| slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |

DNS-related permissions

| Permission (Action) | Description |
| --- | --- |
| dns:Describe* | Queries DNS resources. |
| dns:AddDomainRecord | Adds a DNS record. |

ApsaraDB RDS-related permissions

| Permission (Action) | Description |
| --- | --- |
| rds:Describe* | Queries ApsaraDB RDS resources. |
| rds:ModifySecurityIps | Modifies the IP address whitelist of an ApsaraDB RDS instance. |

ROS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ros:Describe* | Queries ROS resources. |
| ros:WaitConditions | Waits for the execution of an ROS script. |
| ros:AbandonStack | Abandons a stack and retains the resources that it created. |
| ros:DeleteStack | Deletes a stack. |
| ros:CreateStack | Creates a stack. |
| ros:UpdateStack | Updates a stack. |
| ros:ValidateTemplate | Validates an ROS template. |
| ros:DoActions | Performs actions. |
| ros:InquiryStack | Queries a stack. |
| ros:SetDeletionProtection | Enables or disables deletion protection for a stack. |
| ros:PreviewStack | Previews a stack. |

Auto Scaling-related permissions

| Permission (Action) | Description |
| --- | --- |
| ess:Describe* | Queries Auto Scaling (ESS) resources. |
| ess:CreateScalingConfiguration | Creates a scaling configuration. |
| ess:EnableScalingGroup | Enables a scaling group. |
| ess:ExitStandby | Switches a standby ECS instance in a scaling group back to the running state. |
| ess:DetachDBInstances | Detaches one or more ApsaraDB RDS instances from a scaling group. |
| ess:DetachLoadBalancers | Detaches one or more SLB instances from a scaling group. |
| ess:AttachInstances | Adds one or more ECS instances to a scaling group. |
| ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
| ess:AttachLoadBalancers | Attaches one or more SLB instances to a scaling group. |
| ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
| ess:ModifyScalingRule | Modifies a scaling rule. |
| ess:RemoveInstances | Removes ECS instances from a specified scaling group. |
| ess:ModifyScalingGroup | Modifies a scaling group. |
| ess:AttachDBInstances | Attaches one or more ApsaraDB RDS instances to a scaling group. |
| ess:CreateScalingRule | Creates a scaling rule. |
| ess:DeleteScalingRule | Deletes a scaling rule. |
| ess:ExecuteScalingRule | Executes a scaling rule. |
| ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
| ess:ModifyNotificationConfiguration | Modifies a notification configuration for scaling events and resource changes. |
| ess:CreateNotificationConfiguration | Creates a notification configuration for scaling events and resource changes. |
| ess:EnterStandby | Switches an ECS instance in a scaling group to the standby state. |
| ess:DeleteScalingGroup | Deletes a scaling group. |
| ess:CreateScalingGroup | Creates a scaling group. |
| ess:DeleteNotificationConfiguration | Deletes a notification configuration for scaling events and resource changes. |
| ess:DisableScalingGroup | Disables a scaling group. |
| ess:ModifyScalingConfiguration | Modifies a scaling configuration. |
| ess:SetGroupDeletionProtection | Enables or disables deletion protection for a scaling group. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:PassRole | Passes a RAM role to a cloud service so that the service can assume the role. |
| ram:Get* | Queries Resource Access Management (RAM) resources, such as roles and policies. |
| ram:List* | Lists RAM resources. |
| ram:DetachPolicyFromRole | Detaches a policy from a RAM role. |
| ram:AttachPolicyToRole | Attaches a policy to a RAM role. |
| ram:DeletePolicy | Deletes a policy. |
| ram:DeletePolicyVersion | Deletes a specified version of a policy. |
| ram:DeleteRole | Deletes a RAM role. |
| ram:CreateRole | Creates a RAM role. |
| ram:CreatePolicy | Creates a RAM policy. |
| ram:CreateServiceLinkedRole | Creates a service-linked role. |

CloudMonitor-related permissions

| Permission (Action) | Description |
| --- | --- |
| cms:CreateMyGroups | Creates private application groups. |
| cms:AddMyGroupInstances | Adds resources to a private application group. |
| cms:DeleteMyGroupInstances | Deletes resources from a private application group. |
| cms:DeleteMyGroups | Deletes private application groups. |
| cms:GetMyGroups | Queries private application groups. |
| cms:ListMyGroups | Lists private application groups. |
| cms:UpdateMyGroupInstances | Updates the resources in a private application group. |
| cms:UpdateMyGroups | Updates private application groups. |
| cms:TaskConfigCreate | Creates a monitoring job configuration. |
| cms:TaskConfigList | Lists monitoring job configurations. |

Auto Scaling-related permissions (lifecycle hooks)

| Permission (Action) | Description |
| --- | --- |
| ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
| ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
| ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
| ess:DeleteLifecycleHook | Deletes a lifecycle hook. |

ENS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ens:Describe* | Queries Edge Node Service (ENS) resources. |
| ens:CreateInstance | Creates an ENS instance. |
| ens:StartInstance | Starts an ENS instance. |
| ens:StopInstance | Stops an ENS instance. |
| ens:ReleasePrePaidInstance | Releases a subscription ENS instance. |
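AliyunCSDefaultRole bundles wildcard actions (ecs:Create*, ecs:Delete*), Cloud Assistant command execution on your nodes (ecs:RunCommand, ecs:InvokeCommand) and the ability to create roles and attach policies (ram:CreateRole, ram:AttachPolicyToRole, ram:PassRole). Two checks are therefore worth automating: what the policy attached to the role actually grants, including actions that a wildcard silently covers, and which principals the trust policy allows to assume the role. The script below is an added example, not code from the ACK documentation or from Alibaba Cloud. It audits a RAM permission policy document and a trust policy document in the JSON shape RAM uses. The sample documents are constructed from a subset of the actions listed in the tables above; the grouping of actions into "identity escalation" and "remote execution", and the assumption that cs.aliyuncs.com is the ACK service principal, are the author's. In practice the real documents are fetched with the RAM GetRole and GetPolicyVersion operations and passed to the same functions.

```python
import fnmatch
import json

# Actions that let the role mint or extend identities (assumed grouping).
IDENTITY_ESCALATION = {"ram:CreateRole", "ram:CreatePolicy", "ram:AttachPolicyToRole",
                       "ram:PassRole", "ram:CreateServiceLinkedRole", "ecs:AttachInstanceRamRole"}
# Actions that execute commands on ECS instances through Cloud Assistant.
REMOTE_EXECUTION = {"ecs:RunCommand", "ecs:InvokeCommand", "ecs:CreateCommand"}

def _as_list(value):
    """RAM allows Action, Resource and Principal entries to be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def allowed_actions(policy):
    """Collect every action granted by the Allow statements of a policy document."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action")))
    return allowed

def grants(allowed, action):
    """True if `action` is covered by a literal entry or a wildcard such as ecs:Create*."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in allowed)

def audit_policy(policy):
    """Flag wildcards, identity-escalation and remote-execution actions, and unscoped statements."""
    allowed = allowed_actions(policy)
    unscoped = sum(1 for stmt in policy.get("Statement", [])
                   if stmt.get("Effect") == "Allow"
                   and "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"))
    return {
        "wildcard_actions": sorted(a for a in allowed if "*" in a),
        "identity_escalation": sorted(a for a in IDENTITY_ESCALATION if grants(allowed, a)),
        "remote_execution": sorted(a for a in REMOTE_EXECUTION if grants(allowed, a)),
        "unscoped_statements": unscoped,
    }

def audit_trust_policy(trust_policy, expected_service):
    """Check which principals may call sts:AssumeRole on the role."""
    services, other_principals = set(), []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        services.update(_as_list(principal.get("Service")))
        for kind in ("RAM", "Federated"):  # anything that is not a service principal
            other_principals.extend(_as_list(principal.get(kind)))
    return {
        "only_expected_service": services == {expected_service} and not other_principals,
        "unexpected_services": sorted(services - {expected_service}),
        "non_service_principals": other_principals,
    }

def compare_with_documented(policy, documented):
    """Diff the attached policy against the action list documented for the role."""
    actual = allowed_actions(policy)
    return {"undocumented": sorted(actual - set(documented)),
            "missing": sorted(set(documented) - actual)}

# Constructed sample: a subset of the AliyunCSDefaultRole actions listed above.
SAMPLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:Describe*", "ecs:Create*", "ecs:Delete*",
                "ecs:RunCommand", "ecs:AttachInstanceRamRole"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:PassRole", "ram:CreateRole", "ram:AttachPolicyToRole"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["vpc:Describe*", "slb:Describe*"]}
  ]
}""")

# Constructed sample trust policy: the ACK service principal (assumed here to be
# cs.aliyuncs.com) plus a stray RAM user that should not be able to assume the role.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["cs.aliyuncs.com"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"RAM": ["acs:ram::000000000000:user/example"]}}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(audit_trust_policy(SAMPLE_TRUST_POLICY, "cs.aliyuncs.com"), indent=2))
```

Note that `grants` expands wildcards with `fnmatch`, so on the sample policy the remote-execution finding reports ecs:CreateCommand even though only ecs:Create* appears in the document; reading the action list literally would miss it. The trust-policy check fails the sample because of the extra RAM-user principal, which is the case you most want to catch: a service role that a human or CI identity can assume inherits every permission in these tables.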

AliyunCSManagedKubernetesRole

An ACK managed cluster assumes AliyunCSManagedKubernetesRole to access resources of other cloud services.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:Describe* | Queries ECS resources. |
| ecs:CreateRouteEntry | Creates a route entry. |
| ecs:DeleteRouteEntry | Deletes a route entry. |
| ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:CreateNetworkInterfacePermission | Grants a permission on an ENI, for example to attach the ENI to an instance. |
| ecs:DeleteNetworkInterfacePermission | Revokes a permission on an ENI. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
| ecs:StopInstance | Stops an ECS instance. |
| ecs:StartInstance | Starts an ECS instance. |
| ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:RemoveTags | Removes tags from a specified SLB instance. |
| slb:AddTags | Adds tags to a specified SLB instance. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:SetLoadBalancerUDPListenerAttribute | Modifies the configuration of a UDP listener. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to it. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetVServerGroupAttribute | Modifies the configuration of a vServer group. |
| slb:DescribeVServerGroupAttribute | Queries the information about a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:Describe* | Queries VPC resources. |
| vpc:DeleteRouteEntry | Deletes a custom route entry. |
| vpc:CreateRouteEntry | Creates a custom route entry. |

Container Registry-related permissions

| Permission (Action) | Description |
| --- | --- |
| cr:Get* | Queries Container Registry resources. |
| cr:List* | Lists image repositories. |
| cr:PullRepository | Pulls an image. |

AliyunCSServerlessKubernetesRole

By default, an ASK cluster assumes AliyunCSServerlessKubernetesRole to access resources of other cloud services.

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries the vSwitches that have been created. |
| vpc:DescribeVpcs | Queries the VPCs that have been created. |
| vpc:AssociateEipAddress | Associates an EIP with a cloud service instance in the same region. |
| vpc:DescribeEipAddresses | Queries the EIPs that have been created in a specified region. |
| vpc:AllocateEipAddress | Applies for an EIP. |
| vpc:ReleaseEipAddress | Releases a specified EIP. |
| vpc:AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
| vpc:RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:CreateNetworkInterfacePermission | Grants a permission on an ENI, for example to attach the ENI to an instance. |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:AttachNetworkInterface | Attaches an ENI to an ECS instance in a VPC. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DeleteNetworkInterfacePermission | Revokes a permission on an ENI. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers* | Adds backend servers. |
| slb:UploadServerCertificate | Uploads a server certificate. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:CreateRules | Adds forwarding rules to a specified HTTP or HTTPS listener. |
| slb:DeleteRules | Deletes forwarding rules. |
| slb:SetRule | Modifies a forwarding rule. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to it. |
| slb:SetVServerGroupAttribute | Modifies the configuration of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
| slb:AddTags | Adds tags to a specified SLB instance. |

Alibaba Cloud DNS PrivateZone-related permissions

| Permission (Action) | Description |
| --- | --- |
| AddZone | Creates a private zone. |
| DeleteZone | Deletes a private zone. |
| DescribeZones | Queries private zones. |
| DescribeZoneInfo | Queries the information about a specified private zone. |
| BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC. |
| AddZoneRecord | Adds a DNS record to a private zone. |
| DeleteZoneRecord | Deletes a DNS record. |
| DeleteZoneRecordsByRR | Deletes the DNS records that match a resource record (RR) value. |
| DescribeZoneRecordsByRR | Queries the DNS records that match an RR value. |
| DescribeZoneRecords | Queries the DNS records of a private zone. |

Container Registry-related permissions

| Permission (Action) | Description |
| --- | --- |
| cr:Get* | Queries Container Registry resources. |
| cr:List* | Lists image repositories. |
| cr:PullRepository | Pulls an image. |

Elastic Container Instance-related permissions

| Permission (Action) | Description |
| --- | --- |
| CreateContainerGroup | Creates a container group (an elastic container instance). |
| DeleteContainerGroup | Deletes a container group. |
| DescribeContainerGroups | Queries the information about one or more container groups. |
| DescribeContainerLog | Queries the logs of a container group. |
| UpdateContainerGroup | Updates an elastic container instance. |
| UpdateContainerGroupByTemplate | Updates an elastic container instance by using a template. |
| CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template. |
| RestartContainerGroup | Restarts an elastic container instance. |
| ExportContainerGroupTemplate | Exports the template of an elastic container instance. |
| DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance. |
| DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple container groups. |
| ExecContainerCommand | Runs a command in a container. |
| CreateImageCache | Creates an image cache. |
| DescribeImageCaches | Queries the information about image caches. |
| DeleteImageCache | Deletes an image cache. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:PassRole | Passes a RAM role to a cloud service so that the service can assume the role. |

OSS-related permissions

| Permission (Action) | Description |
| --- | --- |
| oss:GetObject | Reads an object from a bucket. |
| oss:GetObjectMeta | Queries the metadata of an object. |

Function Compute-related permissions

| Permission (Action) | Description |
| --- | --- |
| fc:CreateService | Creates a service. |
| fc:ListServices | Queries services. |
| fc:GetService | Queries a specified service. |
| fc:UpdateService | Updates a specified service. |
| fc:DeleteService | Deletes a specified service. |
| fc:CreateFunction | Creates a function. |
| fc:ListFunctions | Queries the functions of a service. |
| fc:GetFunction | Queries the configuration of a specified function. |
| fc:GetFunctionCode | Queries the code of a function. |
| fc:UpdateFunction | Updates a function, including its configuration and code. |
| fc:DeleteFunction | Deletes a specified function. |
| fc:CreateTrigger | Creates a trigger for a function. |
| fc:ListTriggers | Queries the triggers of a function. |
| fc:GetTrigger | Queries a specified trigger. |
| fc:UpdateTrigger | Updates the configuration of a specified trigger. |
| fc:DeleteTrigger | Deletes a specified trigger. |
| fc:PublishServiceVersion | Publishes a version of a service. |
| fc:ListServiceVersions | Lists the versions of a service. |
| fc:DeleteServiceVersion | Deletes a version of a service. |
| fc:CreateAlias | Creates an alias that points to a service version. |
| fc:ListAliases | Queries all aliases of the current Alibaba Cloud account in the current region. |
| fc:GetAlias | Queries the information about an alias. |
| fc:UpdateAlias | Points an alias to a different service version. |
| fc:DeleteAlias | Deletes an alias. |

AliyunCSKubernetesAuditRole

The auditing feature of ACK assumes AliyunCSKubernetesAuditRole to access resources in Log Service.

| Permission (Action) | Description |
| --- | --- |
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by name. |
| log:DeleteProject | Deletes a specified project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a log collection configuration. |
| log:UpdateConfig | Updates a log collection configuration. |
| log:GetConfig | Queries the details of a log collection configuration. |
| log:DeleteConfig | Deletes a specified log collection configuration. |
| log:CreateMachineGroup | Creates a machine group to which log collection configurations are applied. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries the information about a specified machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration to a machine group. |
| log:GetAppliedMachineGroups | Lists the machine groups to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes a Logtail configuration from a machine group. |
| log:CreateIndex | Creates indexes for a Logstore. |
| log:GetIndex | Queries the indexes of a Logstore. |
| log:UpdateIndex | Updates the indexes of a Logstore. |
| log:DeleteIndex | Deletes the indexes of a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a job, for example, an alert or a subscription. |
| log:GetJob | Queries a job. |
| log:DeleteJob | Deletes a job. |
| log:UpdateJob | Updates a job. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |

AliyunCSManagedNetworkRole

The network component of an ACK cluster assumes AliyunCSManagedNetworkRole to access resources of other cloud services.

| Permission (Action) | Description |
| --- | --- |
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:AttachNetworkInterface | Attaches an ENI to an ECS instance in a VPC. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeInstanceAttribute | Queries the attributes of an ECS instance. |
| ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
| ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |
| vpc:DescribeVSwitches | Queries the information about one or more vSwitches. |

AliyunCSManagedCsiRole

The volume plug-in of an ACK cluster assumes AliyunCSManagedCsiRole to access resources of other cloud services.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:AttachDisk | Attaches a pay-as-you-go data disk or a system disk to an ECS instance. |
| ecs:DetachDisk | Detaches a pay-as-you-go disk from an ECS instance. |
| ecs:DescribeDisks | Queries the cloud disks and local disks that you have created. |
| ecs:CreateDisk | Creates one or more pay-as-you-go or subscription data disks. |
| ecs:ResizeDisk | Resizes a system disk or a data disk. |
| ecs:CreateSnapshot | Creates a snapshot of a cloud disk. |
| ecs:DeleteSnapshot | Deletes a specified snapshot. If the snapshot is still being created, the creation task is canceled. |
| ecs:CreateAutoSnapshotPolicy | Creates an automatic snapshot policy. |
| ecs:ApplyAutoSnapshotPolicy | Applies an automatic snapshot policy to one or more disks. |
| ecs:CancelAutoSnapshotPolicy | Disables an automatic snapshot policy for one or more cloud disks. |
| ecs:DeleteAutoSnapshotPolicy | Deletes an automatic snapshot policy. |
| ecs:DescribeAutoSnapshotPolicyEX | Queries the automatic snapshot policies that you have created. |
| ecs:ModifyAutoSnapshotPolicyEx | Modifies an automatic snapshot policy. |
| ecs:AddTags | Adds tags to ECS resources. |
| ecs:DescribeTags | Queries tags. |
| ecs:DescribeSnapshots | Queries the snapshots of an ECS instance or a disk. |
| ecs:ListTagResources | Queries the tags that are added to one or more ECS resources. |
| ecs:TagResources | Adds tags to specified ECS resources. |
| ecs:UntagResources | Removes tags from specified ECS resources. A tag that is no longer attached to any resource is deleted automatically. |
| ecs:ModifyDiskSpec | Changes the performance level of an enhanced SSD (ESSD). |
| ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
| ecs:DescribeInstanceAttribute | Queries all attributes of an ECS instance. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |

NAS-related permissions

| Permission (Action) | Description |
| --- | --- |
| nas:DescribeFileSystems | Queries the information about file systems. |
| nas:DescribeMountTargets | Queries the information about mount targets. |
| nas:AddTags | Adds one or more tags to a file system or overwrites existing tags of the file system. |
| nas:DescribeTags | Queries existing tags. |
| nas:RemoveTags | Removes one or more tags from a file system. |
| nas:CreateFileSystem | Creates a file system. |
| nas:DeleteFileSystem | Deletes a file system. |
| nas:ModifyFileSystem | Modifies the description of a file system. |
| nas:CreateMountTarget | Creates a mount target. |
| nas:DeleteMountTarget | Deletes a mount target. |
| nas:ModifyMountTarget | Modifies a mount target. |

AliyunCSManagedCmsRole

The CloudMonitor component of an ACK cluster assumes AliyunCSManagedCmsRole to access resources of other cloud services.

| Permission (Action) | Description |
| --- | --- |
| cms:DescribeMonitorGroups | Queries application groups. |
| cms:DescribeMonitorGroupInstances | Queries the resources in a specified application group. |
| cms:CreateMonitorGroup | Creates an application group. |
| cms:DeleteMonitorGroup | Deletes a specified application group. |
| cms:ModifyMonitorGroupInstances | Modifies the resources in an application group. |
| cms:CreateMonitorGroupInstances | Adds resources to an application group. |
| cms:DeleteMonitorGroupInstances | Deletes resources from an application group. |
| cms:TaskConfigCreate | Creates a monitoring job configuration. |
| cms:TaskConfigList | Lists monitoring job configurations. |
| cms:DescribeMetricList | Queries the time series metrics of a cloud service in a specified period. |
| cs:DescribeMonitorToken | Queries the token that the CloudMonitor component requires. |
| ahas:GetSentinelAppSumMetric | Queries the metrics of an application that is monitored by AHAS Sentinel. |
| log:GetLogStoreLogs | Queries logs in a Logstore. |
| slb:DescribeMetricList | Queries the time series metrics of SLB instances in a specified period. |
| sls:GetLogs | Queries logs in a Logstore of a specified Log Service project. |
| sls:PutLogs | Writes logs to a Logstore of a specified Log Service project. |

AliyunCSManagedLogRole

The Logtail component of ACK assumes AliyunCSManagedLogRole to access resources of other cloud services.

Permission (Action) | Description
log:CreateProject | Creates a project.
log:GetProject | Queries a project by name.
log:DeleteProject | Deletes a specified project.
log:CreateLogStore | Creates a Logstore in a project.
log:GetLogStore | Queries the attributes of a Logstore.
log:UpdateLogStore | Updates the attributes of a Logstore.
log:DeleteLogStore | Deletes a Logstore.
log:CreateConfig | Creates a log collection configuration.
log:UpdateConfig | Updates a log collection configuration.
log:GetConfig | Queries the details of a log collection configuration.
log:DeleteConfig | Deletes a specified log collection configuration.
log:CreateMachineGroup | Creates a machine group to apply log collection configurations.
log:UpdateMachineGroup | Updates a machine group.
log:GetMachineGroup | Queries the information about a specified machine group.
log:DeleteMachineGroup | Deletes a machine group.
log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group.
log:GetAppliedMachineGroups | Lists the machines to which a Logtail configuration is applied.
log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group.
log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group.
log:CreateIndex | Creates indexes for a Logstore.
log:GetIndex | Queries the indexes of a Logstore.
log:UpdateIndex | Updates the indexes of a Logstore.
log:DeleteIndex | Deletes indexes from a Logstore.
log:CreateSavedSearch | Creates a saved search.
log:GetSavedSearch | Queries a saved search.
log:UpdateSavedSearch | Updates a saved search.
log:DeleteSavedSearch | Deletes a saved search.
log:CreateDashboard | Creates a dashboard.
log:GetDashboard | Queries a dashboard.
log:UpdateDashboard | Updates a dashboard.
log:DeleteDashboard | Deletes a dashboard.
log:CreateJob | Creates a task, for example, an alert or a subscription.
log:GetJob | Queries a task.
log:DeleteJob | Deletes a task.
log:UpdateJob | Updates a task.
log:PostLogStoreLogs | Writes logs to a Logstore.
log:CreateSortedSubStore | Creates a sorted sub-Logstore.
log:GetSortedSubStore | Queries a sorted sub-Logstore.
log:ListSortedSubStore | Lists sorted sub-Logstores.
log:UpdateSortedSubStore | Updates a sorted sub-Logstore.
log:DeleteSortedSubStore | Deletes a sorted sub-Logstore.
log:CreateApp | Creates applications, such as Cost Manager and Log Audit Service.
log:UpdateApp | Updates applications, such as Cost Manager and Log Audit Service.
log:GetApp | Queries applications, such as Cost Manager and Log Audit Service.
log:DeleteApp | Deletes applications, such as Cost Manager and Log Audit Service.
cs:DescribeTemplates | Queries container templates.
cs:DescribeTemplateAttribute | Queries the attributes of a container template.

AliyunCSManagedVKRole

The Virtual Node component of ACK clusters assumes AliyunCSManagedVKRole to access resources in other cloud services.

VPC-related permissions

Permission (Action) | Description
vpc:DescribeVSwitches | Queries vSwitches in a VPC.
vpc:DescribeVpcs | Queries created VPCs.
vpc:AssociateEipAddress | Binds an EIP to a cloud service instance in the same region.
vpc:DescribeEipAddresses | Queries created EIPs in a specified region.
vpc:AllocateEipAddress | Applies for an EIP.
vpc:ReleaseEipAddress | Releases a specified EIP.

ECS-related permissions

Permission (Action) | Description
ecs:DescribeSecurityGroups | Queries the basic information about security groups.
ecs:CreateNetworkInterface | Creates an ENI.
ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI.
ecs:DescribeNetworkInterfaces | Queries ENIs.
ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance.
ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance.
ecs:DeleteNetworkInterface | Deletes an ENI.
ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI.

Permissions on Alibaba Cloud DNS PrivateZone resources

Permission (Action) | Description
pvtz:AddZone | Creates a private zone.
pvtz:DeleteZone | Deletes a private zone.
pvtz:DescribeZones | Queries private zones.
pvtz:DescribeZoneInfo | Queries the information about a specified private zone.
pvtz:BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC.
pvtz:AddZoneRecord | Adds a DNS record to a private zone.
pvtz:DeleteZoneRecord | Deletes a DNS record.
pvtz:DeleteZoneRecordsByRR | Deletes DNS records.
pvtz:DescribeZoneRecordsByRR | Queries DNS records.
pvtz:DescribeZoneRecords | Queries DNS records.

Elastic Container Instance-related permissions

Permission (Action) | Description
eci:CreateContainerGroup | Creates a pod.
eci:DeleteContainerGroup | Deletes a pod.
eci:DescribeContainerGroups | Queries the information about multiple pods.
eci:DescribeContainerLog | Queries the logs of a pod.
eci:UpdateContainerGroup | Updates a pod.
eci:UpdateContainerGroupByTemplate | Updates an elastic container instance by using a template.
eci:CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template.
eci:RestartContainerGroup | Restarts an elastic container instance.
eci:ExportContainerGroupTemplate | Exports an elastic container instance template.
eci:DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance.
eci:DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods.
eci:ExecContainerCommand | Runs commands in a container.
eci:CreateImageCache | Creates an image cache.
eci:DescribeImageCaches | Queries the information about image caches.
eci:DeleteImageCache | Deletes an image cache.

AliyunCSManagedArmsRole

The ARMS monitoring agent of an ACK cluster assumes AliyunCSManagedArmsRole to access resources of other cloud services.

Permission (Action) | Description
arms:CreateApp | Creates an application monitoring job.
arms:DeleteApp | Deletes an application monitoring job.
arms:ConfigAgentLabel | Modifies the tags of the application monitoring agent.
arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring.
arms:CreateProm | Creates a monitoring job based on Alibaba Cloud Prometheus Monitoring.
arms:SearchEvents | Queries alert event records.
arms:SearchAlarmHistories | Queries the records of sent alerts.
arms:SearchAlertRules | Queries monitoring alert rules.
arms:GetAlertRules | Obtains monitoring alert rules.
arms:CreateAlertRules | Creates monitoring alert rules.
arms:UpdateAlertRules | Updates monitoring alert rules.
arms:StartAlertRule | Enables a monitoring alert rule.
arms:StopAlertRule | Disables a monitoring alert rule.
arms:CreateContact | Creates an alert contact.
arms:SearchContact | Queries an alert contact.
arms:UpdateContact | Updates an alert contact.
arms:CreateContactGroup | Creates an alert contact group.
arms:SearchContactGroup | Queries an alert contact group.
arms:UpdateContactGroup | Updates an alert contact group.

AliyunCSManagedAcrRole

The aliyun-acr-credential-helper component of ACK managed clusters and ASK clusters assumes this role to pull images from Container Registry.

Permission (Action) | Description
cr:GetAuthorizationToken | Queries a temporary username and password that you use to log on to a Container Registry instance.
cr:ListInstanceEndpoint | Queries the endpoints of an instance.
cr:PullRepository | Pulls an image.

AliyunCSManagedNlcRole

The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools.

ECS-related permissions

Permission (Action) | Description
ecs:ModifyInstanceAttribute | Modifies the information about an ECS instance, such as the password, name, description, hostname, security groups, and user data. If the instance is a burstable instance, you can also change its performance mode.
ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances.
ecs:StopInstance | Stops an ECS instance that is in the Running state. After the operation is called, the state of the instance changes to Stopping and then to Stopped.
ecs:StartInstance | Starts an ECS instance. After the operation is called, the ECS instance changes to the Running state.
ecs:DescribeInvocations | Queries the list and status of Cloud Assistant command invocations.
ecs:DescribeInstanceAttribute | Queries the attributes of an ECS instance, such as the instance ID and description.
ecs:DescribeInstances | Queries the details of one or more ECS instances.
ecs:DeleteInstance | Releases a pay-as-you-go ECS instance or an expired subscription ECS instance.
ecs:RunCommand | Runs a shell, PowerShell, or batch command on one or more ECS instances.
ecs:DescribeInvocationResults | Queries the results of running one or more Cloud Assistant commands on an ECS instance.
ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. After the system disk is replaced, the ID of the system disk changes and the original disk is released.
ecs:DescribeUserData | Queries the user data of an ECS instance.

Auto Scaling-related permissions

Permission (Action) | Description
ess:DescribeScalingGroups | Queries scaling groups.
ess:DescribeScalingConfigurations | Queries scaling configurations.

ACK-related permissions

Permission (Action) | Description
cs:RepairClusterNodePool | Fixes the issues on specified nodes in a specified managed node pool.
cs:DescribeClusterNodePoolDetail | Queries the details about a node pool in a cluster by node pool ID.
cs:DescribeTaskInfo | Queries the execution details about a task by task ID.
cs:FixNodePoolVuls | Automatically fixes node pool vulnerabilities in a specified cluster.
cs:CancelTask | Cancels a task.
cs:PauseTask | Pauses a task.
cs:ResumeTask | Resumes a task.
cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in a specified cluster.

AliyunCSManagedAutoScalerRole

The cluster autoscaler component of ACK managed clusters assumes this role to access your resources in Auto Scaling, ECS, ACK, and VPC.

Auto Scaling-related permissions

Permission (Action) | Description
ess:DescribeScalingGroups | Queries scaling groups.
ess:DescribeScalingInstances | Queries information about the ECS instances in a scaling group.
ess:DescribeScalingActivities | Queries scaling activities.
ess:DescribeScalingConfigurations | Queries scaling configurations.
ess:DescribeScalingRules | Queries information about the scaling rules in a scaling group.
ess:DescribeScheduledTasks | Queries scheduled tasks.
ess:DescribeLifecycleHooks | Queries lifecycle hooks.
ess:DescribeNotificationConfigurations | Queries notifications that you create for scaling activities and resource changes.
ess:DescribeNotificationTypes | Queries the types of notifications that you create for scaling activities and resource changes.
ess:DescribeRegions | Queries the regions in which Auto Scaling is available.
ess:CreateScalingRule | Creates a scaling rule.
ess:ModifyScalingGroup | Modifies a scaling group.
ess:RemoveInstances | Removes one or more ECS instances or elastic container instances from a scaling group.
ess:ExecuteScalingRule | Executes a scaling rule.
ess:ModifyScalingRule | Modifies a scaling rule.
ess:DeleteScalingRule | Deletes a scaling rule.
ess:DetachInstances | Removes one or more ECS instances from a scaling group.
ess:CompleteLifecycleAction | Takes a scaling activity out of the wait state in advance.
ess:ScaleWithAdjustment | Scales instances in a scaling group based on the specified scaling policy.

ECS-related permissions

Permission (Action) | Description
ecs:DescribeInstanceTypes | Queries the details of all instance types or a specific instance type provided by ECS.
ecs:DescribeImages | Queries available OS images.

ACK-related permissions

Permission (Action) | Description
cs:DeleteClusterNodes | Removes specified nodes from a cluster by node names.
cs:DescribeClusterNodes | Queries the details about all nodes in a cluster by cluster ID.

VPC-related permissions

Permission (Action) | Description
vpc:DescribeVSwitches | Queries the information about available vSwitches that are used in an internal network.

AliyunCSManagedSecurityRole

The Secret encryption component of ACK managed clusters and ASK clusters assumes this role to access your resources in Key Management Service (KMS).

KMS-related permissions

Permission (Action) | Description
kms:GetSecretValue | Queries a secret value.
kms:ListSecrets | Queries all secrets of the current user in the current region.
kms:ListKeys | Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region.
kms:ListSecretVersionIds | Queries all versions of a secret.
kms:ListAliasesByKeyId | Queries all aliases that are bound to a specified CMK.
kms:SetDeletionProtection | Enables or disables deletion protection for a CMK.
kms:DescribeKey | Queries the details of a CMK.
kms:Encrypt | Encrypts plaintext by using a symmetric CMK.
kms:Decrypt | Decrypts the ciphertext specified by CiphertextBlob.

AliyunCSManagedCostRole

The cost analysis component of ACK managed clusters and ASK clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance.

BSS OpenAPI-related permissions

Permission (Action) | Description
bssapi:QueryInstanceBill | Queries the billing information about instances or billable items in a billing cycle. This API is upgraded to DescribeInstanceBill. You can call the QueryInstanceBill operation to query a maximum of 50,000 data rows in a bill.
bssapi:DescribeInstanceBill | Queries the billing information about instances or billable items in a billing cycle.

ECS-related permissions

Permission (Action) | Description
ecs:DescribeDisks | Queries one or more Elastic Block Storage (EBS) devices that you have created, including cloud disks and local disks.
ecs:DescribeSpotPriceHistory | Queries the price history of a preemptible instance in the last 30 days.
ecs:DescribeInstances | Queries the details of one or more ECS instances.
ecs:DescribePrice | Queries the most recent prices of ECS resources.

Elastic Container Instance-related permissions

Permission (Action) | Description
eci:DescribeContainerGroupPrice | Queries the price of an elastic container instance.

AliyunCSManagedNimitzRole

The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun.

eflo-related permissions

Permission (Action) | Description
eflo:ListNetworkInterfaces | Queries Lingjun network interfaces (LNIs).
eflo:GetNetworkInterface | Queries information about a specified LNI.
eflo:AssignPrivateIpAddress | Applies for a secondary private IP address for the current LNI. You can also call this operation to assign a secondary MAC address to the current LNI.
eflo:UnAssignPrivateIpAddress | Deletes an assigned secondary private IP address.
eflo:UpdateNetworkInterfacePrivateMac | Changes the MAC address of an LNI.

AliyunCSManagedBackupRestoreRole

The backup center component of ACK managed clusters assumes this role to access resources in Hybrid Backup Recovery (HBR) and OSS.

HBR-related permissions

Permission (Action) | Description
hbr:CreateVault | Creates a backup vault.
hbr:CreateBackupJob | Creates a backup task.
hbr:DescribeVaults | Queries the information about one or more backup vaults that meet the specified conditions.
hbr:DescribeBackupJobs2 | Queries the information about one or more backup jobs that meet the specified conditions.
hbr:DescribeRestoreJobs | Queries a restoration task.
hbr:SearchHistoricalSnapshots | Queries the information about one or more backup snapshots that meet the specified conditions.
hbr:CreateRestoreJob | Creates a restoration task.
hbr:AddContainerCluster | Registers a Kubernetes cluster.
hbr:DescribeContainerCluster | Queries one or more Kubernetes clusters.
hbr:DescribeRestoreJobs2 | Queries one or more restoration tasks.

OSS-related permissions

Permission (Action) | Description
oss:PutObject | Uploads an object.
oss:IsObjectExist | Queries whether an object exists.
oss:ListObjects | Lists the information about all objects in a bucket.
oss:GetObject | Queries an object.
oss:DeleteObject | Deletes an object.
oss:GetBucket | Queries information about a bucket.

AliyunCSManagedEdgeRole

The control plane components of ACK edge clusters assume this role to access resources in SAG, VPC, and CEN.

SAG-related permissions

Permission (Action) | Description
smartag:BindSmartAccessGateway | Associates an SAG instance with a specified Cloud Connect Network (CCN) instance.
smartag:UnbindSmartAccessGateway | Disassociates an SAG instance from a specified CCN instance.
smartag:GrantSagInstanceToCcn | Authorizes an SAG instance to communicate with a CCN instance that belongs to another account.
smartag:RevokeSagInstanceFromCcn | Revokes the authorization for an SAG instance to communicate with a CCN instance that belongs to another account.

VPC-related permissions

Permission (Action) | Description
vpc:DescribeVpcs | Queries created VPCs.
vpc:DescribeRouteEntryList | Queries route entries.

CEN-related permissions

Permission (Action) | Description
cen:DescribePublishedRouteEntries | Queries whether the routes of VPCs and VBRs are advertised to the CEN instance to which the VPCs and VBRs are attached.
cen:PublishRouteEntries | Advertises the routes of a VPC or a VBR to the CEN instance to which the VPC or VBR is attached.
cen:WithdrawPublishedRouteEntries | Withdraws the routes of a VPC or a VBR from the CEN instance.