
Container Service for Kubernetes: ACK roles

Last Updated: Mar 01, 2026

When you activate Container Service for Kubernetes (ACK), you must assign RAM roles to ACK. ACK assumes these roles to access other Alibaba Cloud services such as Elastic Compute Service (ECS), Object Storage Service (OSS), File Storage NAS (NAS), and Server Load Balancer (SLB) on your behalf. These roles enable ACK to create clusters, manage infrastructure, and store log files.

ACK uses two categories of roles:

  • Quick authorization roles: 12 roles assigned through RAM Quick Authorization when you first activate ACK. These roles cover cluster management, networking, storage, monitoring, and logging.

  • Optional roles: 9 roles that you assign manually for specific features such as auto scaling, backup, or edge computing.

Quick authorization roles

The following roles are assigned to ACK through RAM Quick Authorization when you use ACK for the first time.

Cluster management roles

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, Virtual Private Cloud (VPC), SLB, Resource Orchestration Service (ROS), and Auto Scaling. | AliyunCSDefaultRolePolicy |
| AliyunCSManagedKubernetesRole | An ACK managed cluster or ACK Edge cluster assumes this role to access other cloud services such as ECS, VPC, SLB, and Container Registry. | AliyunCSManagedKubernetesRolePolicy |
| AliyunCSServerlessKubernetesRole | An ACK Edge cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Private Zone. | AliyunCSServerlessKubernetesRolePolicy |

Networking role

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCSManagedNetworkRole | The network component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and VPC. | AliyunCSManagedNetworkRolePolicy |

Storage roles

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCSManagedCsiRole | The storage component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, NAS, and OSS. | AliyunCSManagedCsiRolePolicy |
| AliyunCSManagedCsiProvisionerRole | The storage component (csi-provisioner) of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS, NAS, and OSS. | AliyunCSManagedCsiProvisionerRolePolicy |
| AliyunCSManagedCsiPluginRole | The CSI storage component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS. | AliyunCSManagedCsiPluginRolePolicy |

Monitoring and logging roles

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCSKubernetesAuditRole | The audit feature of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Simple Log Service (SLS). | AliyunCSKubernetesAuditRolePolicy |
| AliyunCSManagedCmsRole | The monitoring component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in other cloud services such as CloudMonitor and SLS. | AliyunCSManagedCmsRolePolicy |
| AliyunCSManagedLogRole | The log component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in SLS. | AliyunCSManagedLogRolePolicy |
| AliyunCSManagedArmsRole | The Application Real-Time Monitoring Service (ARMS) component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ARMS. | AliyunCSManagedArmsRolePolicy |

Diagnostics role

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCISDefaultRole | ACK Container Intelligence Service assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to provide diagnostic and inspection services. | AliyunCISDefaultRolePolicy |

Optional roles

Important

To assign optional roles, you must use an Alibaba Cloud account or a RAM user with administrator permissions.

| Role | Description | Policy details |
| --- | --- | --- |
| AliyunCSManagedAcrRole | The password-free image pulling plug-in of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Container Registry. | AliyunCSManagedAcrRolePolicy |
| AliyunCSManagedNlcRole | The managed node pool controller of an ACK managed cluster or ACK Edge cluster assumes this role to access your node pool resources in ECS and ACK. | AliyunCSManagedNlcRolePolicy |
| AliyunCSManagedAutoScalerRole | The auto scaling component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS. | AliyunCSManagedAutoScalerRolePolicy |
| AliyunCSManagedSecurityRole | The disk encryption component and the credential management component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assume this role to access your resources in Key Management Service (KMS). | AliyunCSManagedSecurityRolePolicy |
| AliyunCSManagedCostRole | The cost analysis component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in API, ECS, and Elastic Container Instance. | AliyunCSManagedCostRolePolicy |
| AliyunCSManagedNimitzRole | The network component of an ACK Lingjun cluster assumes this role to access your resources in Lingjun AI Computing Service. | AliyunCSManagedNimitzRolePolicy |
| AliyunCSManagedBackupRestoreRole | The backup center component of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Cloud Backup service and OSS. | AliyunCSManagedBackupRestoreRolePolicy |
| AliyunCSManagedEdgeRole | The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN). | AliyunCSManagedEdgeRolePolicy |
| AliyunOOSLifecycleHook4CSRole | CloudOps Orchestration Service (OOS) assumes this role to access your resources in ACK, ECS, and PolarDB. | See the following inline policy. |

AliyunOOSLifecycleHook4CSRole inline policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cs:DeleteClusterNodes",
                "cs:DescribeClusterNodes",
                "cs:DescribeTaskInfo"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ess:CompleteLifecycleAction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
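
A least-privilege review of the inline policy above, as an added example (not Alibaba Cloud's code): it lists the actions that are not read-only and are granted on every resource (`"Resource": "*"`), and the service prefixes the policy touches so they can be compared with the services named in the role's description. The read-only verb list and the function names are assumptions of this example.

```python
import json

# Inline policy of AliyunOOSLifecycleHook4CSRole, copied from the page (compacted).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["cs:DeleteClusterNodes", "cs:DescribeClusterNodes", "cs:DescribeTaskInfo"],
   "Resource": ["*"], "Effect": "Allow"},
  {"Action": ["ess:CompleteLifecycleAction"], "Resource": ["*"], "Effect": "Allow"},
  {"Action": ["polardb:DescribeDBClusterAccessWhitelist",
              "polardb:ModifyDBClusterAccessWhitelist"],
   "Resource": ["*"], "Effect": "Allow"},
  {"Action": ["ecs:DescribeInstances"], "Resource": ["*"], "Effect": "Allow"}
]}
""")

# Assumption of this example: operations starting with these verbs only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query")


def as_list(value):
    """Action and Resource may be written as a bare string or as a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed(policy):
    """Yield (action, resources) for every action in an Allow statement."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            resources = as_list(stmt.get("Resource", []))
            for action in as_list(stmt.get("Action", [])):
                yield action, resources


def unscoped_writes(policy):
    """Actions that are not read-only and are granted on Resource "*"."""
    findings = set()
    for action, resources in allowed(policy):
        operation = action.partition(":")[2]
        # A wildcard operation such as "cs:*" is never treated as read-only.
        read_only = "*" not in operation and operation.startswith(READ_ONLY_PREFIXES)
        if "*" in resources and not read_only:
            findings.add(action)
    return sorted(findings)


def services(policy):
    """Service prefixes (the part before ':') that the policy grants access to."""
    return sorted({action.partition(":")[0] for action, _ in allowed(policy)})


if __name__ == "__main__":
    print("write actions on all resources:", unscoped_writes(POLICY))
    print("services touched:", services(POLICY))
```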