When you activate Container Service for Kubernetes (ACK), you must grant default roles to a service account. Then, the service account can be used to call services, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS, and Server Load Balancer (SLB), create clusters, and save cluster logs. This topic describes the permissions of the ACK default roles.
Role permissions
The following table describes the ACK default roles.
| Role | Description |
|---|---|
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, VPC, SLB, Auto Scaling, and Resource Orchestration Service (ROS). |
| AliyunCSManagedKubernetesRole | By default, an ACK managed cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Container Registry. |
| AliyunCSServerlessKubernetesRole | By default, a serverless Kubernetes (ASK) cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. |
| AliyunCSKubernetesAuditRole | The auditing feature of ACK managed clusters and ASK clusters assumes this role to access your resources in Log Service. |
| AliyunCSManagedNetworkRole | The network plug-in of ACK managed clusters and ASK clusters assumes this role to access your resources in ECS and VPC. |
| AliyunCSManagedCsiRole | The volume plug-in of ACK managed clusters and ASK clusters assumes this role to access your resources in ECS and NAS. |
| AliyunCSManagedCmsRole | The monitoring component of ACK managed clusters and ASK clusters assumes this role to access your resources in CloudMonitor and Log Service. |
| AliyunCSManagedLogRole | The Log Service component of ACK managed clusters and ASK clusters assumes this role to access your resources in Log Service. |
| AliyunCSManagedVKRole | The Virtual Node component of ASK clusters assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, and Elastic Container Instance. |
| AliyunCSManagedArmsRole | The application monitoring component of ACK managed clusters and ASK clusters assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS). |
| AliyunCSManagedAcrRole | The aliyun-acr-credential-helper component of ACK managed clusters and ASK clusters assumes this role to pull images from Container Registry. |
| AliyunCSManagedNlcRole | The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools. |
| AliyunCSManagedAutoScalerRole | The auto scaling component of ACK managed clusters and ASK clusters assumes this role to access your resources in Auto Scaling and ECS. |
| AliyunCSManagedSecurityRole | The Secret encryption component of ACK managed clusters and ASK clusters assumes this role to access your resources in Key Management Service (KMS). |
| AliyunCSManagedCostRole | The cost analysis component of ACK managed clusters and ASK clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance. |
| AliyunCSManagedNimitzRole | The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun. |
| AliyunCSManagedBackupRestoreRole | The backup center component of ACK managed clusters assumes this role to access resources in Hybrid Backup Recovery (HBR) and OSS. |
| AliyunCSManagedEdgeRole | The control plane components of ACK edge clusters assume this role to access resources in Smart Access Gateway (SAG), Virtual Private Cloud (VPC), and Cloud Enterprise Network (CEN). |
AliyunCSDefaultRole
By default, AliyunCSDefaultRole is used to access resources of other cloud services when you perform operations on ACK clusters.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:RunInstances | Starts an ECS instance. |
| ecs:RenewInstance | Renews an ECS instance. |
| ecs:Create* | Creates ECS resources, such as ECS instances and disks. |
| ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
| ecs:AllocateEipAddress | Assigns an elastic ip address (EIP) to an ECS instance. |
| ecs:Delete* | Deletes an ECS instance. |
| ecs:StartInstance | Starts ECS resources. |
| ecs:StopInstance | Stops an ECS instance. |
| ecs:RebootInstance | Restarts an ECS instance. |
| ecs:Describe* | Queries ECS resources. |
| ecs:AuthorizeSecurityGroup | Specifies inbound rules for a security group. |
| ecs:RevokeSecurityGroup | Revokes security group rules. |
| ecs:AuthorizeSecurityGroupEgress | Specifies outbound rules for a security group. |
| ecs:AttachDisk | Attaches a disk to an ECS instance. |
| ecs:DetachDisk | Detaches a disk from an ECS instance. |
| ecs:WaitFor* | Waits for the execution of a task. |
| ecs:AddTags | Add labels. |
| ecs:ReplaceSystemDisk | Replaces the system disk of an ECS instance. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:JoinSecurityGroup | Adds an ECS instance to a security group. |
| ecs:LeaveSecurityGroup | Removes an ECS instance from a security group. |
| ecs:UnassociateEipAddress | Detaches an EIP from an ECS instance. |
| ecs:ReleaseEipAddress | Releases an EIP. |
| ecs:CreateKeyPair | Creates an SSH key pair. |
| ecs:ImportKeyPair | Imports the public key of an RSA-encrypted key pair that is generated by a third-party tool. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
| ecs:DetachKeyPair | Unbinds an SSH key pair from one or more Linux instances. |
| ecs:DeleteKeyPairs | Deletes one or more SSH key pairs. |
| ecs:AttachInstanceRamRole | Attaches a RAM role to one or more ECS instances. |
| ecs:DetachInstanceRamRole | Detaches a RAM role from one or more ECS instances. |
| ecs:AllocateDedicatedHosts | Creates one or more pay-as-you-go or subscription dedicated hosts. |
| ecs:CreateOrder | Creates an order to purchase ECS instances. |
| ecs:DeleteInstance | Releases a pay-as-you-go ECS instance or an expired subscription ECS instance. |
| ecs:CreateDisk | Creates one or more pay-as-you-go or subscription data disks. |
| ecs:Createvpc | Creates a VPC for an ECS instance. |
| ecs:Deletevpc | Deletes the VPC that is connected to an ECS instance. |
| ecs:DeleteVSwitch | Deletes the vSwitch that is connected to an ECS instance. |
| ecs:ResetDisk | Rolls back a disk to a specific point in time based on a snapshot of the disk. |
| ecs:DeleteSnapshot | Deletes a specified snapshot. |
| ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
| ecs:CreateVSwitch | Creates a vSwitch for an ECS instance. |
| ecs:DeleteSecurityGroup | Deletes a security group. |
| ecs:CreateImage | Creates a custom image. |
| ecs:RemoveTags | Deletes tags from an ECS instance. |
| ecs:ReleaseDedicatedHost | Releases a pay-as-you-go dedicated host. |
| ecs:CreateInstance | Creates a subscription or pay-as-you-go ECS instance. |
| ecs:RevokeSecurityGroupEgress | Deletes an outbound security group rule. After the rule is deleted, the access control implemented by it is removed. |
| ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
| ecs:StopInstance | Stops an instance. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:RevokeSecurityGroup | Deletes an inbound security group rule. After the rule is deleted, the access control implemented by the rule is removed. |
| ecs:DeleteImage | Deletes a custom image. |
| ecs:ModifyInstanceSpec | Modifies the instance type of ECS instances or public bandwidth of a pay-as-you-go ECS instance. |
| ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops the process of a running Cloud Assistant command on one or more ECS instances. |
| ecs:DeleteCommand | Deletes a Cloud Assistant command. |
| ecs:RunCommand | Creates a Cloud Assistant command of the shell, PowerShell, or batch type, and runs the command on one or more ECS instances. |
| ecs:DescribeInvocationResults | Queries the result of running a Cloud Assistant command on a specified ECS instance. |
| ecs:ModifyCommand | Modifies a Cloud Assistant command. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:Describe* | Queries VPC resources. |
| vpc:AllocateEipAddress | Assigns an EIP to an ECS instance. |
| vpc:AssociateEipAddress | Binds an EIP to an ECS instance. |
| vpc:UnassociateEipAddress | Unbinds an EIP from an ECS instance. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:CreateRouteEntry | Creates a route entry. |
| vpc:DeleteRouteEntry | Deletes a route entry. |
| vpc:CreateVSwitch | Creates a vSwitch. |
| vpc:DeleteVSwitch | Deletes a vSwitch. |
| vpc:CreateVpc | Creates a VPC. |
| vpc:DeleteVpc | Deletes a VPC. |
| vpc:CreateNatGateway | Creates a NAT gateway. |
| vpc:DeleteNatGateway | Deletes a specified NAT gateway. |
| vpc:CreateSnatEntry | Adds a SNAT entry to a SNAT table. |
| vpc:DeleteSnatEntry | Deletes a specified SNAT entry. |
| vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of a specified EIP. |
| vpc:CreateForwardEntry | Adds a DNAT entry to a DNAT table. |
| vpc:DeleteBandwidthPackage | Creates a NAT service plan. |
| vpc:CreateBandwidthPackage | Deletes a specified NAT service plan. |
| vpc:DeleteForwardEntry | Deletes a specified DNAT entry. |
| vpc:TagResources | Creates and adds tags to resources. |
| vpc:DeletionProtection | Enables or disables deletion protection for an instance. |
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:Describe* | Queries the information about an SLB instance. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:StartLoadBalancerListener | Starts a specified listener. |
| slb:StopLoadBalancerListener | Stops a specified listener. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:SetBackendServers | Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:AddTags | Adds tags to a specified SLB instance. |
| slb:RemoveTags | Removes tags from a specified SLB instance. |
| slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |
DNS-related permissions
| Permission (Action) | Description |
|---|---|
| dns:Describe* | Queries DNS resources. |
| dns:AddDomainRecord | Adds a DNS record. |
ApsaraDB RDS-related permissions
| Permission (Action) | Description |
|---|---|
| rds:Describe* | Queries RDS resources. |
| rds:ModifySecurityIps | Modifies the IP address whitelist of an ApsaraDB RDS instance. |
ROS-related permissions
| Permission (Action) | Description |
|---|---|
| ros:Describe* | Queries ROS resources. |
| ros:WaitConditions | Waits for the execution of an ROS script. |
| ros:AbandonStack | Stops a stack. |
| ros:DeleteStack | Deletes a stack. |
| ros:CreateStack | Creates a stack. |
| ros:UpdateStack | Updates a stack. |
| ros:ValidateTemplate | Validates an ROS template. |
| ros:DoActions | Performs actions. |
| ros:InquiryStack | Queries a stack. |
| ros:SetDeletionProtection | Enables or disables deletion protection. |
| ros:PreviewStack | Previews a stack. |
Auto Scaling-related permissions
| Permission (Action) | Description |
|---|---|
| ess:Describe* | Queries ESS resources. |
| ess:CreateScalingConfiguration | Creates a scaling configuration. |
| ess:EnableScalingGroup | Enables a scaling group. |
| ess:ExitStandby | Switches the status of a standby ECS instance in a scaling group to running. |
| ess:DetachDBInstances | Removes one or more RDS instances from a scaling group. |
| ess:DetachLoadBalancers | Removes one or more SLB instances from a scaling group. |
| ess:AttachInstances | Adds one or more ECS instances to a scaling group. |
| ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
| ess:AttachLoadBalancers | Adds one or more SLB instances. |
| ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
| ess:ModifyScalingRule | Modifies a scaling group rule. |
| ess:RemoveInstances | Removes ECS instances from a specified scaling group. |
| ess:ModifyScalingGroup | Modifies a scaling group. |
| ess:AttachDBInstances | Adds one or more RDS instances. |
| ess:CreateScalingRule | Creates a scaling rule. |
| ess:DeleteScalingRule | Deletes a scaling rule. |
| ess:ExecuteScalingRule | Runs a scaling rule. |
| ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
| ess:ModifyNotificationConfiguration | Modifies a notification configuration for auto scaling events and resource changes. |
| ess:CreateNotificationConfiguration | Creates a notification configuration for auto scaling events and resource changes. |
| ess:EnterStandby | Switches the status of an ECS instance in the scaling group to standby. |
| ess:DeleteScalingGroup | Deletes a scaling group. |
| ess:CreateScalingGroup | Creates a scaling group. |
| ess:DeleteNotificationConfiguration | Deletes a notification configuration for auto scaling events and resource changes. |
| ess:DisableScalingGroup | Disables a scaling group. |
| ModifyScalingConfiguration | Modifies a scaling configuration. |
| SetGroupDeletionProtection | Enables or disables deletion protection for a scaling group. |
RAM-related permissions
| Permission (Action) | Description |
|---|---|
| ram:PassRole | Authorizes a RAM user to use other cloud services. |
| ram:Get* | Queries permissions on Resource Access Management (RAM) resources. |
| ram:List* | Lists permissions on RAM resources. |
| ram:DetachPolicyFromRole | Revokes a specified permission from a role. |
| ram:AttachPolicyToRole | Grants a permission to a specified role. |
| ram:DeletePolicy | Deletes a specified permission policy. |
| ram:DeletePolicyVersion | Deletes a policy of a specified version. |
| ram:DeleteRole | Delete a RAM role. |
| ram:CreateRole | Create a RAM role. |
| ram:CreatePolicy | Creates a RAM policy. |
| ram:CreateServiceLinkedRole | Creates permissions to be granted to service-linked roles. |
CloudMonitor-related permissions
| Permission (Action) | Description |
|---|---|
| cms:CreateMyGroups | Creates private application groups. |
| cms:AddMyGroupInstances | Adds resources to a private application group. |
| cms:DeleteMyGroupInstances | Deletes resources from a private application group. |
| cms:DeleteMyGroups | Deletes private application groups. |
| cms:GetMyGroups | Queries private application groups. |
| cms:ListMyGroups | Lists private application groups. |
| cms:UpdateMyGroupInstances | Updates resources in a private application group. |
| cms:UpdateMyGroups | Updates private application groups. |
| cms:TaskConfigCreate | Creates a monitoring job configuration. |
| cms:TaskConfigList | Lists monitoring job configurations. |
Auto Scaling-related permissions
| Permission (Action) | Description |
|---|---|
| ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
| ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
| ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
| ess:DeleteLifecycleHook | Deletes a lifecycle hook. |
ENS-related permissions
| Permission (Action) | Description |
|---|---|
| ens:Describe* | Queries the permissions on Edge Node Service (ENS) resources. |
| ens:CreateInstance | Creates an ENS instance. |
| ens:StartInstance | Starts an ENS instance. |
| ens:StopInstance | Stops an ENS instance. |
| ens:ReleasePrePaidInstance | Releases a subscription instance. |
AliyunCSManagedKubernetesRole
An ACK managed cluster assumes AliyunCSManagedKubernetesRole to access resources of other cloud services.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:Describe* | Queries ECS resources. |
| ecs:CreateRouteEntry | Creates a route entry. |
| ecs:DeleteRouteEntry | Deletes a route entry. |
| ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
| ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |
| ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
| ecs:StopInstance | Stops an instance. |
| ecs:StartInstance | Starts an instance. |
| ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an Elastic Compute Service ECS instance. |
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:RemoveBackendServers | Removes backend servers. |
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:RemoveTags | Removes tags from a specified SLB instance. |
| slb:AddTags | Adds tags to a specified SLB instance. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:SetLoadBalancerUDPListenerAttribute | Modifies the configuration of a UDP listener. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateVServerGroup | Adds backend servers to a vServer group. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
| slb:DescribeVServerGroupAttribute | Queries the information about a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:Describe* | Queries VPC resources. |
| vpc:DeleteRouteEntry | Deletes a custom route entry. |
| vpc:CreateRouteEntry | Creates a custom route entry. |
Container Registry-related permissions
| Permission (Action) | Description |
|---|---|
| cr:Get* | Queries Container Registry-related resources. |
| cr:List* | Queries image repositories. |
| cr:PullRepository | Pulls an image. |
AliyunCSServerlessKubernetesRole
By default, an ASK cluster assumes AliyunCSServerlessKubernetesRole to access resources of other cloud services.
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| DescribeVSwitches | Queries created vSwitches. |
| DescribeVpcs | Queries the VPCs that are created. |
| AssociateEipAddress | Associates an EIP with a cloud service in the same region. |
| DescribeEipAddresses | Queries created EIPs in a specified region. |
| AllocateEipAddress | Applies for an EIP. |
| ReleaseEipAddress | Releases a specified EIP. |
| AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
| RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| DescribeSecurityGroups | Queries the basic information about security groups. |
| CreateNetworkInterface | Creates an ENI. |
| CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
| DescribeNetworkInterfaces | Queries ENIs. |
| AttachNetworkInterface | Binds an ENI to an ECS instance located in a VPC. |
| DetachNetworkInterface | Unbinds an ENI from an ECS instance. |
| DeleteNetworkInterface | Deletes an ENI. |
| DeleteNetworkInterfacePermission | Revokes ENI permissions. |
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:Describe* | Queries SLB resources. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
| slb:RemoveBackendServers | Removes backend servers. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:AddBackendServers* | Adds backend servers. |
| slb:UploadServerCertificate | Uploads a server certificate. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
| slb:ModifyLoadBalancerInternetSpec | Changes the billing method of a public-facing SLB instance. |
| slb:CreateRules | Adds forwarding rules to a specified HTTP or HTTPS listener. |
| slb:DeleteRules | Deletes forwarding rules. |
| slb:SetRule | Modifies a forwarding rule of a vServer group. |
| slb:CreateVServerGroup | Adds backend servers to a vServer group. |
| slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:ModifyVServerGroupBackendServers | Changes the backend servers of a vServer group. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
| slb:AddTags | Adds tags to a specified SLB instance. |
Alibaba Cloud DNS PrivateZone-related permissions
| Permission (Action) | Description |
|---|---|
| AddZone | Creates a private zone. |
| DeleteZone | Deletes a private zone. |
| DescribeZones | Queries private zones. |
| DescribeZoneInfo | Queries the information about a specified private zone. |
| BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC. |
| AddZoneRecord | Adds a DNS record to a private zone. |
| DeleteZoneRecord | Deletes a DNS record. |
| DeleteZoneRecordsByRR | Deletes DNS records. |
| DescribeZoneRecordsByRR | Queries DNS records. |
| DescribeZoneRecords | Queries DNS records. |
Container Registry-related permissions
| Permission (Action) | Description |
|---|---|
| Get* | Queries Container Registry-related resources. |
| List* | Queries image repositories. |
| PullRepository | Pulls an image. |
Elastic Container Instance-related permissions
| Permission (Action) | Description |
|---|---|
| CreateContainerGroup | Creates a container group. |
| DeleteContainerGroup | Deletes a container group. |
| DescribeContainerGroups | Queries the information about multiple pods. |
| DescribeContainerLog | Queries the logs of a pod. |
| UpdateContainerGroup | Updates an elastic container instance. |
| UpdateContainerGroupByTemplate | Updates an elastic container instance by template. |
| CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template. |
| RestartContainerGroup | Restarts an elastic container instance. |
| ExportContainerGroupTemplate | Exports an elastic container instance template. |
| DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance. |
| DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple container groups. |
| ExecContainerCommand | Runs a command in a container. |
| CreateImageCache | Creates an image cache. |
| DescribeImageCaches | Queries the information about an image cache. |
| DeleteImageCache | Deletes an image cache. |
RAM-related permissions
| Permission (Action) | Description |
|---|---|
| ram:PassRole | Visits the Alibaba Cloud CodePipeline console. |
OSS-related permissions
| Permission (Action) | Description |
|---|---|
| oss:GetObject | Queries a file or folder. |
| oss:GetObjectMeta | Queries the metadata information about an object. |
Function Compute-related permissions
| Permission (Action) | Description |
|---|---|
| fc:CreateService | Creates a service. |
| fc:ListServices | Queries services. |
| fc:GetService | Queries a specified service. |
| fc:UpdateService | Updates a specified service. |
| fc:DeleteService | Deletes a specified service. |
| fc:CreateFunction | Creates a function. |
| fc:ListFunctions | Queries the functions of a service. |
| fc:GetFunction | Queries the configurations of a specified function. |
| fc:GetFunctionCode | Queries the code of a function. |
| fc:UpdateFunction | Updates a function, including its configurations and code. |
| fc:DeleteFunction | Deletes a specified function. |
| fc:CreateTrigger | Creates a function trigger. |
| fc:ListTriggers | Queries the triggers of a function. |
| fc:GetTrigger | Queries a specified trigger. |
| fc:UpdateTrigger | Updates the configurations of a specified trigger. |
| fc:DeleteTrigger | Deletes the triggers of a specified function. |
| fc:PublishServiceVersion | Releases a Function Compute version. |
| fc:ListServiceVersions | Lists Function Compute versions. |
| fc:DeleteServiceVersion | Deletes a Function Compute version. |
| fc:CreateAlias | Creates an alias and binds it to a customer master key (CMK). |
| fc:ListAliases | Queries all aliases of the current Alibaba Cloud account in the current region. |
| fc:GetAlias | Queries the information about an alias. |
| fc:UpdateAlias | Binds an alias to a different CMK. |
| fc:DeleteAlias | Deletes an alias. |
AliyunCSKubernetesAuditRole
The auditing feature of ACK assumes AliyunCSKubernetesAuditRole to access resources of other cloud services.
| Permission (Action) | Description |
|---|---|
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by name. |
| log:DeleteProject | Deletes a specified project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a log collection configuration. |
| log:UpdateConfig | Updates a log collection configuration. |
| log:GetConfig | Queries the details of a log collection configuration. |
| log:DeleteConfig | Deletes a specified log collection configuration. |
| log:CreateMachineGroup | Creates a machine group to apply log collection configurations. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries the information about a specified machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
| log:GetAppliedMachineGroups | Lists the machines to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Indexes are created for a Logstore. |
| log:GetIndex | Queries the indexes of a Logstore. |
| log:UpdateIndex | Updates the indexes of a Logstore. |
| log:DeleteIndex | Deletes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, for example, an alert or a subscription. |
| log:GetJob | Queries a job. |
| log:DeleteJob | Delete the data synchronization solution. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |
AliyunCSManagedNetworkRole
The network component of an ACK cluster assumes AliyunCSManagedNetworkRole to access resources of other cloud services.
| Permission (Action) | Description |
|---|---|
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:DescribeNetworkInterfaces | ENIs are queried. |
| ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeInstanceAttribute | Queries the information about one or more ECS instances. |
| ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
| ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |
| vpc:DescribeVSwitches | Queries the information about one or more vSwitches. |
AliyunCSManagedCsiRole
The volume plug-in of an ACK cluster assumes AliyunCSManagedCsiRole to access resources of other cloud services.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:AttachDisk | Attaches a pay-as-you-go data disk or a system disk to an ECS instance. |
| ecs:DetachDisk | Detaches a pay-as-you-go disk from an ECS instance. |
| ecs:DescribeDisks | Queries one or more cloud disks and local disks that you have created. |
| ecs:CreateDisk | Creates one or more pay-as-you-go or subscription data disks. |
| ecs:ResizeDisk | Resizes a cloud disk. You can resize a system disk or a data disk. |
| ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
| ecs:DeleteSnapshot | Deletes a specified snapshot. If you call this operation to delete a snapshot that is being created, the associated snapshot creation task is also canceled. |
| ecs:CreateAutoSnapshotPolicy | Creates an automatic snapshot policy. |
| ecs:ApplyAutoSnapshotPolicy | Attaches an automatic snapshot policy to one or more disks. |
| ecs:CancelAutoSnapshotPolicy | Disables an automatic snapshot policy for one or more cloud disks. |
| ecs:DeleteAutoSnapshotPolicy | Deletes an automatic snapshot policy. |
| ecs:DescribeAutoSnapshotPolicyEX | Queries automatic snapshot policies that you have created. |
| ecs:ModifyAutoSnapshotPolicyEx | Modifies an automatic snapshot policy. |
| ecs:AddTags | Attaches tags to an ECS instance. |
| ecs:DescribeTags | Queries tags. |
| ecs:DescribeSnapshots | Queries all the snapshots of an ECS instance or a disk. |
| ecs:ListTagResources | Queries the tags that are added to one or more ECS resources. |
| ecs:TagResources | Adds tags to specified ECS resources. |
| ecs:UntagResources | Removes tags from specified ECS resources. After a tag is removed from a resource, it is automatically deleted if it is not added to other resources. |
| ecs:ModifyDiskSpec | Upgrades the performance level of an enhanced SSD (ESSD). |
| ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
| ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
| ecs:DescribeInstanceAttribute | Queries all attributes of an ECS instance. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |
NAS-related permissions
| Permission (Action) | Description |
|---|---|
| nas:DescribeFileSystems | Queries the information about file systems. |
| nas:DescribeMountTargets | Queries the information about mount targets. |
| nas:AddTags | Adds one or more tags to a file system or overwrites one or more tags of a file system |
| nas:DescribeTags | Queries existing tags. |
| nas:RemoveTags | Detaches one or more tags from a file system. |
| nas:CreateFileSystem | Creates a file system. |
| nas:DeleteFileSystem | Deletes a file system. |
| nas:DescribeFileSystems | Queries the information about file systems. |
| nas:ModifyFileSystem | Modifies the description of a file system. |
| nas:CreateMountTarget | Creates a mount target. |
| nas:DeleteMountTarget | Deletes a mount target. |
| nas:DescribeMountTargets | Queries the information about mount targets. |
| nas:ModifyMountTarget | Modifies a mount target. |
AliyunCSManagedCmsRole
The CloudMonitor component of an ACK cluster assumes AliyunCSManagedCmsRole to access resources of other cloud services.
| Permission (Action) | Description |
|---|---|
| cms:DescribeMonitorGroups | Queries application groups. |
| cms:DescribeMonitorGroupInstances | Queries the resources in a specified application group. |
| cms:CreateMonitorGroup | Creates an application group. |
| cms:DeleteMonitorGroup | Deletes a specified application group. |
| cms:ModifyMonitorGroupInstances | Modifies the resources in an application group. |
| cms:CreateMonitorGroupInstances | Adds resources to an application group. |
| cms:DeleteMonitorGroupInstances | Deletes resources from an application group. |
| cms:TaskConfigCreate | Creates a monitoring job configuration. |
| cms:TaskConfigList | Lists monitoring job configurations. |
| cms:DescribeMetricList | Queries the time series metrics of a cloud service in a specified period. |
| cs:DescribeMonitorToken | Queries the token that is required to use the CloudMonitor component. |
| ahas:GetSentinelAppSumMetric | Queries the metrics that are monitored by the AHAS Sentinel application. |
| log:GetLogStoreLogs | Queries logs in a Logstore. |
| slb:DescribeMetricList | Queries the time series metrics of a cloud service in a specified period. |
| sls:GetLogs | Queries logs in a Logstore of a specified project in Log Service. |
| sls:PutLogs | Updates logs in a Logstore of a specified project in Log Service. |
AliyunCSManagedLogRole
The Logtail component of ACK assumes AliyunCSManagedLogRole to access resources of other cloud services.
| Permission (Action) | Description |
|---|---|
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by name. |
| log:DeleteProject | Deletes a specified project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a log collection configuration. |
| log:UpdateConfig | Updates a log collection configuration. |
| log:GetConfig | Queries the details of a log collection configuration. |
| log:DeleteConfig | Deletes a specified log collection configuration. |
| log:CreateMachineGroup | Creates a machine group to apply log collection configurations. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries the information about a specified machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
| log:GetAppliedMachineGroups | Lists the machines to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Indexes are created for a Logstore. |
| log:GetIndex | Queries the indexes of a Logstore. |
| log:UpdateIndex | Updates the indexes of a Logstore. |
| log:DeleteIndex | Deletes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, for example, an alert or a subscription. |
| log:GetJob | Queries a job. |
| log:DeleteJob | Deletes a task. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |
| log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
| log:GetSortedSubStore | Queries a sorted sub-Logstore. |
| log:ListSortedSubStore | Lists sorted sub-Logstores. |
| log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
| log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
| log:CreateApp | Creates applications, such as Cost Manager and Log Audit Service. |
| log:UpdateApp | Updates applications, such as Cost Manager and Log Audit Service. |
| log:GetApp | Queries applications, such as Cost Manager and Log Audit Service. |
| log:DeleteApp | Deletes applications, such as Cost Manager and Log Audit Service. |
| cs:DescribeTemplates | Queries container templates. |
| cs:DescribeTemplateAttribute | Queries the attributes of a container template. |
AliyunCSManagedVKRole
The Virtual Node component of ACK clusters assumes AliyunCSManagedVKRole to access resources in other cloud services.
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries vSwitches in a VPC. |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:AssociateEipAddress | Binds an EIP to a cloud service instance in the same region. |
| vpc:DescribeEipAddresses | Queries created EIPs in a specified region. |
| vpc:AllocateEipAddress | Applies for an EIP. |
| vpc:ReleaseEipAddress | Releases a specified EIP. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
| ecs:DescribeNetworkInterfaces | ENIs are queried. |
| ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |
Permissions on Alibaba Cloud DNS PrivateZone resources
| Permission (Action) | Description |
|---|---|
| pvtz:AddZone | Creates a private zone. |
| pvtz:DeleteZone | Deletes a private zone. |
| pvtz:DescribeZones | Queries private zones. |
| pvtz:DescribeZoneInfo | Queries the information about a specified private zone. |
| pvtz:BindZoneVpc | Binds a private zone to a VPC or unbinds a private zone from a VPC. |
| pvtz:AddZoneRecord | Adds a DNS record to a private zone. |
| pvtz:DeleteZoneRecord | Deletes a DNS record. |
| pvtz:DeleteZoneRecordsByRR | Deletes DNS records. |
| pvtz:DescribeZoneRecordsByRR | Queries DNS records. |
| pvtz:DescribeZoneRecords | Queries DNS records. |
Elastic Container Instance-related permissions
| Permission (Action) | Description |
|---|---|
| eci:CreateContainerGroup | Creates a pod. |
| eci:DeleteContainerGroup | Deletes a pod. |
| eci:DescribeContainerGroups | Queries the information about multiple pods. |
| eci:DescribeContainerLog | Queries the logs of a pod. |
| eci:UpdateContainerGroup | Updates a pod. |
| eci:UpdateContainerGroupByTemplate | Updates an elastic container instance by using a template. |
| eci:CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template. |
| eci:RestartContainerGroup | Restarts an elastic container instance. |
| eci:ExportContainerGroupTemplate | Exports an elastic container instance template. |
| eci:DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance. |
| eci:DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods. |
| eci:ExecContainerCommand | Runs commands on a container. |
| eci:CreateImageCache | Creates an image cache. |
| eci:DescribeImageCaches | Queries the information about image caches. |
| eci:DeleteImageCache | Deletes an image cache. |
AliyunCSManagedArmsRole
The ARMS monitoring agent of an ACK cluster assumes AliyunCSManagedArmsRole to access resources of other cloud services.
| Permission (Action) | Description |
|---|---|
| arms:CreateApp | Creates an application monitoring job. |
| arms:DeleteApp | Deletes an application monitoring job. |
| arms:ConfigAgentLabel | Modifies the tags of the application monitoring agent. |
| arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring. |
| arms:CreateProm | Creates a monitoring job based on Alibaba Cloud Prometheus Monitoring. |
| arms:SearchEvents | Queries alert event records. |
| arms:SearchAlarmHistories | Queries the records of sending alerts. |
| arms:SearchAlertRules | Queries monitoring alert rules. |
| arms:GetAlertRules | Obtains monitoring alert rules. |
| arms:CreateAlertRules | Creates monitoring alert rules. |
| arms:UpdateAlertRules | Updates monitoring alert rules. |
| arms:StartAlertRule | Enables a monitoring alert rule. |
| arms:StopAlertRule | Disables a monitoring alert rule. |
| arms:CreateContact | Creates an alert contact. |
| arms:SearchContact | Queries an alert contact. |
| arms:UpdateContact | Updates an alert contact. |
| arms:CreateContactGroup | Creates an alert contact group. |
| arms:SearchContactGroup | Queries an alert contact group. |
| arms:UpdateContactGroup | Updates an alert contact group. |
AliyunCSManagedAcrRole
The aliyun-acr-credential-helper component of ACK managed clusters and ASK clusters assumes this role to pull images from Container Registry.
| Permission (Action) | Description |
|---|---|
| cr:GetAuthorizationToken | Queries a temporary username and a password that you use to log on to a Container Registry instance. |
| cr:ListInstanceEndpoint | Queries endpoints of an instance. |
| cr:PullRepository | Pulls an image. |
AliyunCSManagedNlcRole
The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:ModifyInstanceAttribute | Modifies the information about an ECS instance, such as the password, name, description, hostname, security groups, and user data. If the instance is a burstable instance, you can also change its performance mode. |
| ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
| ecs:StopInstance | Stops an ECS instance that is in the Running state. After the operation is called, the state of the instance changes to Stopping and then to Stopped. |
| ecs:StartInstance | Starts an ECS instance. After the operation is called, the ECS instance changes to the Running state. |
| ecs:DescribeInvocations | You can call this operation to view the invocation list and status of cloud assistant commands. |
| ecs:DescribeInstanceAttribute | Queries the attributes of an ECS instance, such as the instance ID and description. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |
| ecs:DeleteInstance | Releases a pay-as-you-go ECS instance or an expired subscription ECS instance. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch command on one or more ECS instances. |
| ecs:DescribeInvocationResults | Queries the result of running one or more Cloud Assistant commands on an ECS instance. |
| ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. After the system disk is replaced, the ID of the system disk changes and the original disk is released. |
| ecs:DescribeUserData | Queries the user data of an ECS instance. |
Auto Scaling-related permissions
| Permission (Action) | Description |
|---|---|
| ess:DescribeScalingGroups | Queries scaling groups. |
| ess:DescribeScalingConfigurations | Queries scaling configurations. |
ACK-related permissions
| Permission (Action) | Description |
|---|---|
| cs:RepairClusterNodePool | Fixes the issues on specified nodes in a specified manage node pool. |
| cs:DescribeClusterNodePoolDetail | Queries the details about a node pool in a cluster by node pool ID. |
| cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
| cs:FixNodePoolVuls | Automatically fixes node pool vulnerabilities in a specified cluster. |
| cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
| cs:CancelTask | Cancels a task. |
| cs:PauseTask | Pauses a task. |
| cs:ResumeTask | Resumes a task. |
| cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in a specified cluster. |
AliyunCSManagedAutoScalerRole
The volume plug-in of ACK managed clusters and ASK clusters assumes this role to access your resources in ECS and NAS.
Auto Scaling-related permissions
| Permission (Action) | Description |
|---|---|
| ess:DescribeScalingGroups | Queries scaling groups. |
| ess:DescribeScalingInstances | Queries information about the ECS instances in a scaling group. |
| ess:DescribeScalingActivities | Queries scaling activities. |
| ess:DescribeScalingConfigurations | Queries scaling configurations. |
| ess:DescribeScalingRules | Queries information about the scaling rules in a scaling group. |
| ess:DescribeScheduledTasks | Queries scheduled tasks. |
| ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
| ess:DescribeNotificationConfigurations | Queries notifications that you create for scaling activities and resource changes. |
| ess:DescribeNotificationTypes | Queries the types of notifications that you create for scaling activities and resource changes. |
| ess:DescribeRegions | Queries the regions in which Auto Scaling is available. |
| ess:CreateScalingRule | Creates a scaling rule. |
| ess:ModifyScalingGroup | Modifies a scaling group. |
| ess:RemoveInstances | Removes one or more ECS instances or elastic container instances from a scaling group. |
| ess:ExecuteScalingRule | Executes a scaling rule. |
| ess:ModifyScalingRule | Modifies a scaling rule. |
| ess:DeleteScalingRule | Deletes a scaling rule. |
| ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
| ess:CompleteLifecycleAction | Takes a scaling activity out of the wait state in advance. |
| ess:ScaleWithAdjustment | Scales instances in a scaling group based on the specified scaling policy. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeInstanceTypes | Queries the details of all instance types or a specific instance type provided by ECS. |
| ecs:DescribeImages | Queries available OS images. |
ACK-related permissions
| Permission (Action) | Description |
|---|---|
| cs:DeleteClusterNodes | Removes specified nodes from a cluster by node names. |
| cs:DescribeClusterNodes | Queries the details about all nodes in a cluster by cluster ID |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries the information about available vSwitches that are used in an internal network. |
AliyunCSManagedSecurityRole
The Secret encryption component of ACK managed clusters and ASK clusters assumes this role to access your resources in Key Management Service (KMS).
KMS-related permissions
| Permission (Action) | Description |
|---|---|
| kms:GetSecretValue | Queries a secret value. |
| kms:ListSecrets | Queries all secrets of the current user in the current region. |
| kms:ListKeys | Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region. |
| kms:ListSecretVersionIds | Queries all versions of a secret. |
| kms:ListAliasesByKeyId | Queries all aliases that are bound to a specified CMK. |
| kms:SetDeletionProtection | Enables or disables deletion protection for a CMK. |
| kms:DescribeKey | Queries the details of a CMK. |
| kms:Encrypt | Encrypts plaintext by using a symmetric CMK. |
| kms:Decrypt | Decrypts the ciphertext specified by CiphertextBlob. |
AliyunCSManagedCostRole
The cost analysis component of ACK managed clusters and ASK clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance.
BSS OpenAPI-related permissions
| Permission (Action) | Description |
|---|---|
| bssapi:QueryInstanceBill | Queries the billing information about instances or billable items in a billing cycle. This API is upgraded to DescribeInstanceBill. You can call the QueryInstanceBill operation to query a maximum of 50,000 data rows in a bill. |
| bssapi:DescribeInstanceBill | Queries the billing information about instances or billable items in a billing cycle. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeDisks | Queries one or more Elastic Block Storage (EBS) devices that you have created, including cloud disks and local disks, are queried. |
| ecs:DescribeSpotPriceHistory | Queries the price history of a preemptible instance in the last 30 days. |
| ecs:DescribeInstances | Queries the details of one or more ECS instances. |
| ecs:DescribePrice | Queries the most recent prices of ECS resources. |
Elastic Container Instance-related permissions
| Permission (Action) | Description |
|---|---|
| eci: DescribeContainerGroupPrice | Queries the price of an elastic container instance. |
AliyunCSManagedNimitzRole
The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun.
eflo-related permissions
| Permission (Action) | Description |
|---|---|
| eflo:ListNetworkInterfaces | Queries Lingjun network interfaces (LNIs). |
| eflo:GetNetworkInterface | Queries information about a specified LNI. |
| eflo:AssignPrivateIpAddress | Applies for a private secondary IP address for the current LNI. You can also call this operation to assign a secondary MAC address to the current LNI. |
| eflo:UnAssignPrivateIpAddress | Deletes an assigned secondary private IP address. |
| eflo:UpdateNetworkInterfacePrivateMac | Changes the MAC address of an LNI. |
AliyunCSManagedBackupRestoreRole
The backup center component of ACK managed clusters assumes this role to access resources in Hybrid Backup Recovery (HBR) and OSS.
HBR-related permissions
| Permission (Action) | Description |
|---|---|
| hbr:CreateVault | Creates a backup vault. |
| hbr:CreateBackupJob | Creates a backup task. |
| hbr:DescribeVaults | Queries the information about one or more backup vaults that meet the specified conditions. |
| hbr:DescribeBackupJobs2 | Queries the information about one or more backup jobs that meet the specified conditions. |
| hbr:DescribeRestoreJobs | Queries a restoration task. |
| hbr:SearchHistoricalSnapshots | Queries the information about one or more backup snapshots that meet the specified conditions. |
| hbr:CreateRestoreJob | Creates a restoration task. |
| hbr:AddContainerCluster | Registers a Kubernetes cluster. |
| hbr:DescribeContainerCluster | Queries one or more Kubernetes clusters. |
| hbr:DescribeRestoreJobs2 | Queries one or more restoration tasks. |
OSS-related permissions
| Permission (Action) | Description |
|---|---|
| oss:PutObject | Uploads an object. |
| oss:IsObjectExist | Queries whether an object exists. |
| oss:ListObjects | Lists the information about all objects in a bucket. |
| oss:GetObject | Queries an object. |
| oss:DeleteObject | Deletes an object. |
| oss:GetBucket | Queries information about a bucket. |
AliyunCSManagedEdgeRole
The control plane components of ACK edge clusters assume this tole to access resources in SAG, VPC, and CEN.
SAG-related permissions
| Permissions (Action) | Description |
|---|---|
| smartag:BindSmartAccessGateway | Associates an SAG instance with a specified Cloud Connect Network (CCN) instance. |
| smartag:UnbindSmartAccessGateway | Disassociates an SAG instance from a specified CCN instance. |
| smartag:GrantSagInstanceToCcn | Authorizes an SAG instance to communicate with a CCN instance that belongs to another account. |
| smartag:RevokeSagInstanceFromCcn | Disallows an SAG instance to communicate with a CCN instance that belongs to another account. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:DescribeRouteEntryList | Queries route entries. |
CEN-related permissions
| Permission (Action) | Description |
|---|---|
| cen:DescribePublishedRouteEntries | Queries whether the routes of VPCs and VBRs are advertised to the CEN instance to which the VPCs and VBRs are attached. |
| cen:PublishRouteEntries | Advertises the routes of a VPC or a VBR to a CEN instance to which the VPC or VBR is attached. |
| cen:WithdrawPublishedRouteEntries | Withdraws the routes of a VPC or a VBR from a CEN instance |