When you activate Container Compute Service (ACS), the service requires access to other Alibaba Cloud resources—such as Virtual Private Cloud (VPC), elastic network interfaces (ENIs), Apsara File Storage NAS (NAS), and Server Load Balancer (SLB)—to create clusters, manage networking, and collect logs. To grant this access, you must authorize a set of system default roles to the ACS service account.
This topic describes each default role, the cloud services it covers, and the specific permissions it grants.
Permissions of the default roles
ACS uses 15 default roles. Each role is scoped to a specific cluster function.
| Role | Scope | Description |
|---|---|---|
| AliyunServiceRoleForAcc | Cluster management | Service-linked role. ACS assumes this role to access resources in Container Service for Kubernetes (ACK), Elastic Compute Service (ECS), VPC, SLB, and Application Real-Time Monitoring Service (ARMS) during cluster management. |
| AliyunCCCSIPluginRole | Storage | ACS clusters assume this role to access cloud disks and storage services such as NAS. |
| AliyunCCCCMServiceRole | Load balancing | ACS clusters assume this role to create and manage load balancing resources, including SLB and Application Load Balancer (ALB), via the Cloud Controller Manager (CCM) plugin. |
| AliyunCCNECRole | Networking | ACS clusters assume this role to access VPC and ECS network resources and to create and manage elastic IP addresses (EIPs). |
| AliyunCCKubernetesAuditRole | Audit logging | ACS clusters assume this role to access Simple Log Service (SLS) and collect Kubernetes audit logs. |
| AliyunCCManagedLogRole | Container logging | ACS clusters assume this role to access SLS and collect ACS container logs. |
| AliyunCCManagedArmsRole | Observability | ACS clusters assume this role to access ARMS, collect container resource metrics, and monitor application performance. |
| AliyunCCCISDefaultRole | Health checks | ACS clusters assume this role to access ECS, ACK, VPC, and SLB resources and run periodic health checks on Kubernetes components. |
| AliyunCCManagedAcrRole | Image pulling | ACS clusters assume this role to access Container Registry (ACR) and retrieve temporary credentials for starting pods. |
| AliyunCCForResourceProviderRole | Pod creation | ACS clusters assume this role to access cloud resources when creating pods. |
| AliyunCCManagedVirtualNodeRole | Virtual nodes | ACS clusters assume this role to access cloud resources when creating virtual nodes. |
| AliyunCCManagedACSBrokerRole | Pod O&M | ACS clusters assume this role to access cloud resources when retrieving pod operations and maintenance information. |
| AliyunCCManagedMseRole | Service mesh | ACS clusters assume this role to access Microservices Engine (MSE) and create MSE gateways. |
| AliyunCSManagedKubernetesRole | Control plane | Core control plane components use this role to access ECS, SLB, ALB, CloudMonitor, SLS, Security Center, and other services. |
| AliyunCSDefaultRole | Cluster lifecycle | Service-linked role of ACK. ACS assumes this role to create, delete, and upgrade Kubernetes clusters. |
AliyunServiceRoleForAcc
This is a service-linked role. ACS assumes it to access resources in ACK, ECS, VPC, SLB, and ARMS during cluster management.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeInstanceAttribute | Queries attributes of one or more ECS instances. |
| ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
| ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
| ecs:DescribeInstances | Queries details of one or more ECS instances. |
| ecs:DescribeInstanceTypes | Queries details of all ECS instance types or a specified type. |
| ecs:AssignIpv6Addresses | Assigns one or more IPv6 addresses to an ENI. |
| ecs:UnassignIpv6Addresses | Unassigns one or more IPv6 addresses from an ENI. |
| ecs:ModifyNetworkInterfaceAttribute | Modifies ENI attributes. |
| ecs:CreateNetworkInterfacePermission | Creates an ENI permission. |
| ecs:DeleteNetworkInterfacePermission | Deletes an ENI permission. |
| ecs:DescribeNetworkInterfacePermissions | Queries ENI permissions. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:ModifySecurityGroupEgressRule | Modifies an outbound rule in a security group. |
| ecs:ModifySecurityGroupPolicy | Modifies the internal access control policy of a basic security group. |
| ecs:ModifySecurityGroupRule | Modifies an inbound rule in a security group. |
| ecs:DescribeSecurityGroups | Queries basic information about security groups. |
| ecs:RevokeSecurityGroup | Revokes a security group rule. |
| ecs:RevokeSecurityGroupEgress | Deletes an outbound rule from a security group. |
| ecs:DeleteSecurityGroup | Deletes a security group. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:AuthorizeSecurityGroup | Adds an inbound rule to a security group. |
| ecs:AuthorizeSecurityGroupEgress | Adds an outbound rule to a security group. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries created vSwitches. |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:DescribeVpcAttribute | Queries the configuration of a VPC. |
| vpc:DescribeVSwitchAttributes | Queries the configuration of a vSwitch. |
ACK-related permissions
| Permission (Action) | Description |
|---|---|
| cs:CreateCluster | Creates a Kubernetes cluster. |
| cs:CreateClusterByResourcesGroup | Creates a Kubernetes cluster in a resource group. |
| cs:DeleteCluster | Deletes a Kubernetes cluster. |
| cs:DescribeClusterDetail | Queries details of a Kubernetes cluster. |
| cs:DescribeClusterUserKubeconfig | Queries the kubeconfig file of a user in a Kubernetes cluster. |
| cs:DescribeClusters | Queries Kubernetes clusters. |
| cs:DescribeClustersV1 | Queries Kubernetes clusters (v1 API). |
| cs:DescribeEvents | Queries cluster exceptions. |
| cs:DescribeTaskInfo | Queries execution details of a task by task ID. |
| cs:GetClusters | Queries Kubernetes clusters. |
| cs:ListTagResources | Queries labels of resources in clusters by cluster ID. |
| cs:ModifyCluster | Modifies cluster information. |
| cs:ModifyClusterTags | Modifies cluster labels. |
| cs:TagResources | Adds labels to a cluster. |
| cs:UntagResources | Removes labels from a cluster. |
ARMS-related permissions
| Permission (Action) | Description |
|---|---|
| arms:InstallManagedPrometheus | Creates a managed Prometheus instance. |
| arms:UnInstallManagedPrometheus | Deletes a managed Prometheus instance. |
| arms:GetManagedPrometheusStatus | Queries the status of a managed Prometheus instance. |
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:DescribeLoadBalancerAttribute | Queries details of an SLB instance. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:DescribeLoadBalancers | Queries created SLB instances. |
AliyunCCCSIPluginRole
ACS clusters assume this role to access cloud disks and storage services such as NAS.
EBS-related permissions
| Permission (Action) | Description |
|---|---|
| ebs:CreateContainerDisk | Creates a cloud disk. |
| ebs:DescribeContainerDisks | Queries cloud disks. |
| ebs:GetContainerDisk | Queries a cloud disk. |
| ebs:DeleteContainerDisk | Deletes a cloud disk. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:AttachDisk | Attaches a cloud disk to an ECS instance. |
| ecs:DetachDisk | Detaches a cloud disk from an ECS instance. |
| ecs:DescribeDisks | Queries cloud disks. |
| ecs:CreateDisk | Creates a cloud disk. |
| ecs:DeleteDisk | Deletes a cloud disk. |
| ecs:AddTags | Adds labels to a cloud disk. |
| ecs:RemoveTags | Removes labels from a cloud disk. |
| ecs:DescribeTags | Queries available labels. |
| ecs:DescribeInstances | Queries details of one or more ECS instances. |
NAS-related permissions
| Permission (Action) | Description |
|---|---|
| nas:CreateFileSystem | Creates a file system. |
| nas:CreateMountTarget | Creates a mount target in a file system. |
| nas:DeleteFileSystem | Deletes a file system. |
| nas:DeleteMountTarget | Deletes a mount target from a file system. |
| nas:DescribeFileSystems | Queries file system information. |
| nas:DescribeMountTargets | Queries mount targets in a file system. |
| nas:ModifyFileSystem | Modifies the description of a file system. |
| nas:ModifyMountTarget | Modifies the description of a mount target. |
| nas:AddTags | Adds labels to a file system. |
| nas:DescribeTags | Queries available labels. |
| nas:RemoveTags | Removes labels from a file system. |
| nas:EnableRecycleBin | Enables the recycle bin feature for a file system. |
| nas:GetRecycleBinAttribute | Queries the recycle bin configuration of a General-purpose NAS file system. |
| nas:SetDirQuota | Creates a directory quota for a file system. |
| nas:DescribeDirQuotas | Queries the directory quotas of a file system. |
AliyunCCCCMServiceRole
ACS clusters assume this role to create and manage load balancing resources—SLB and ALB—using the Cloud Controller Manager (CCM) plugin.
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:AddBackendServers | Adds backend servers to an SLB instance. |
| slb:AddTags | Adds labels to an SLB instance. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a UDP listener for an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to it. |
| slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
| slb:DeleteLoadBalancerListener | Deletes a listener from an SLB instance. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:DescribeLoadBalancerAttribute | Queries details of an SLB instance. |
| slb:DescribeLoadBalancerHTTPListenerAttribute | Queries the configuration of an HTTP listener. |
| slb:DescribeLoadBalancerHTTPSListenerAttribute | Queries the configuration of an HTTPS listener. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configuration of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configuration of a UDP listener. |
| slb:DescribeLoadBalancers | Queries created SLB instances. |
| slb:DescribeTags | Queries available labels. |
| slb:DescribeVServerGroupAttribute | Queries details of a vServer group. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
| slb:ModifyVServerGroupBackendServers | Replaces the backend servers in a vServer group. |
| slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
| slb:RemoveTags | Removes labels from an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configuration of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configuration of an HTTPS listener. |
| slb:SetLoadBalancerModificationProtection | Sets the modification protection status of an SLB instance. |
| slb:SetLoadBalancerName | Changes the name of an SLB instance. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configuration of a TCP listener. |
| slb:SetLoadBalancerUDPListenerAttribute | Modifies the configuration of a UDP listener. |
| slb:SetVServerGroupAttribute | Modifies the configuration of a vServer group. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |
ALB-related permissions
| Permission (Action) | Description |
|---|---|
| alb:AddServersToServerGroup | Adds backend servers to a server group. |
| alb:AssociateAdditionalCertificatesWithListener | Associates additional certificates with a listener. |
| alb:CreateListener | Creates an HTTP, HTTPS, or QUIC listener. |
| alb:CreateLoadBalancer | Creates an ALB instance. |
| alb:CreateRule | Creates a forwarding rule for a listener. |
| alb:CreateRules | Creates multiple forwarding rules. |
| alb:CreateServerGroup | Creates a server group. |
| alb:DeleteListener | Deletes a listener. |
| alb:DeleteLoadBalancer | Deletes an ALB instance. |
| alb:DeleteRule | Deletes a forwarding rule. |
| alb:DeleteRules | Deletes multiple forwarding rules from a listener. |
| alb:DeleteServerGroup | Deletes a server group. |
| alb:DescribeZones | Queries zones in a region. |
| alb:DisableDeletionProtection | Disables deletion protection for an ALB instance. |
| alb:DisableLoadBalancerAccessLog | Disables the access log feature for an ALB instance. |
| alb:DissociateAdditionalCertificatesFromListener | Disassociates additional certificates from a listener. |
| alb:EnableDeletionProtection | Enables deletion protection for a resource. |
| alb:EnableLoadBalancerAccessLog | Enables the access log feature for an ALB instance. |
| alb:GetListenerAttribute | Queries details of a listener. |
| alb:GetLoadBalancerAttribute | Queries details of an ALB instance. |
| alb:ListListenerCertificates | Queries certificates associated with a listener, including additional and default certificates. |
| alb:ListListeners | Queries listeners in a region. |
| alb:ListLoadBalancers | Queries ALB instances in a region. |
| alb:ListRules | Queries forwarding rules in a region. |
| alb:ListServerGroupServers | Queries servers in a server group. |
| alb:ListServerGroups | Queries server groups in a region. |
| alb:RemoveServersFromServerGroup | Removes backend servers from a server group. |
| alb:ReplaceServersInServerGroup | Replaces the backend servers in a server group. |
| alb:TagResources | Adds labels to resources. |
| alb:UnTagResources | Removes labels from resources. |
| alb:UpdateListenerAttribute | Updates listener configuration, such as the name and default action. |
| alb:UpdateLoadBalancerAttribute | Updates ALB instance attributes, such as the name and read-only mode. |
| alb:UpdateLoadBalancerEdition | Changes the edition of an ALB instance. |
| alb:UpdateRuleAttribute | Updates forwarding rule configuration, such as conditions, actions, and name. |
| alb:UpdateRulesAttribute | Updates the configuration of multiple forwarding rules. |
| alb:UpdateServerGroupAttribute | Updates server group configuration, such as health check settings, session persistence, scheduling algorithms, and protocols. |
| alb:CreateAcl | Creates an access control list (ACL). |
| alb:DeleteAcl | Deletes an ACL. |
| alb:ListAcls | Queries ACLs in a region. |
| alb:AddEntriesToAcl | Adds IP address entries to an ACL. |
| alb:AssociateAclsWithListener | Associates ACLs with a listener. |
| alb:ListAclEntries | Queries the entries of an ACL. |
| alb:RemoveEntriesFromAcl | Removes entries from an ACL. |
| alb:DissociateAclsFromListener | Disassociates ACLs from a listener. |
| alb:EnableLoadBalancerIpv6Internet | Changes the private IPv6 address of a dual-stack ALB instance to a public IPv6 address. |
| alb:DisableLoadBalancerIpv6Internet | Changes the public IPv6 address of a dual-stack ALB instance to a private IPv6 address. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeNetworkInterfaces | Queries details of one or more ENIs. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries available vSwitches used for internal networking. |
| vpc:DescribeVpcs | Queries created VPCs. |
RAM-related permissions
| Permission (Action) | Description |
|---|---|
| ram:CreateServiceLinkedRole | Creates a service-linked role. |
AliyunCCNECRole
ACS clusters assume this role to access VPC and ECS network resources and to create and manage EIPs.
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries available vSwitches used for internal networking. |
| vpc:AllocateEipAddress | Allocates an EIP. |
| vpc:AllocateEipAddressPro | Allocates a specified EIP. |
| vpc:DescribeEipAddresses | Queries created EIPs in a region. |
| vpc:AssociateEipAddress | Associates an EIP with an instance in the same region. |
| vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of an EIP. |
| vpc:AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
| vpc:RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |
| vpc:TagResources | Creates and adds labels to resources. |
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeNetworkInterfaces | Queries details of one or more ENIs. |
AliyunCCKubernetesAuditRole
ACS clusters assume this role to access SLS and collect Kubernetes audit logs. All permissions in this role are required to create and manage the SLS projects, Logstores, and Logtail configurations used for audit log collection and display.
| Permission (Action) | Description |
|---|---|
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by name. |
| log:DeleteProject | Deletes a project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a Logtail configuration. |
| log:UpdateConfig | Updates a Logtail configuration. |
| log:GetConfig | Queries details of a Logtail configuration. |
| log:DeleteConfig | Deletes a Logtail configuration. |
| log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries information about a machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration to a machine group. |
| log:GetAppliedMachineGroups | Queries machines in a machine group. |
| log:GetAppliedConfigs | Queries Logtail configurations applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Creates indexes for a Logstore. |
| log:GetIndex | Queries indexes of a Logstore. |
| log:UpdateIndex | Updates indexes of a Logstore. |
| log:DeleteIndex | Removes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, such as an alert or subscription task. |
| log:GetJob | Queries a task. |
| log:DeleteJob | Deletes a task. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |
AliyunCCManagedLogRole
ACS clusters assume this role to collect and display ACS container logs using SLS.
SLS-related permissions
| Permission (Action) | Description |
|---|---|
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by name. |
| log:DeleteProject | Deletes a project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a Logtail configuration. |
| log:UpdateConfig | Updates a Logtail configuration. |
| log:GetConfig | Queries details of a Logtail configuration. |
| log:DeleteConfig | Deletes a Logtail configuration. |
| log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries information about a machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration to a machine group. |
| log:GetAppliedMachineGroups | Queries machines to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Queries Logtail configurations applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Creates indexes for a Logstore. |
| log:GetIndex | Queries indexes of a Logstore. |
| log:UpdateIndex | Updates indexes of a Logstore. |
| log:DeleteIndex | Removes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, such as an alert or subscription task. |
| log:GetJob | Queries a task. |
| log:DeleteJob | Deletes a task. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |
| log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
| log:GetSortedSubStore | Queries a sorted sub-Logstore. |
| log:ListSortedSubStore | Lists sorted sub-Logstores. |
| log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
| log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
| log:CreateApp | Creates an SLS application, such as Cost Manager or Log Audit Service. |
| log:UpdateApp | Updates an SLS application. |
| log:GetApp | Queries an SLS application. |
| log:DeleteApp | Deletes an SLS application. |
| cs:DescribeTemplates | Queries container templates. |
| cs:DescribeTemplateAttribute | Queries the attributes of a container template. |
ACK-related permissions
| Permission (Action) | Description |
|---|---|
| cs:UpdateContactGroup | Updates an alert contact group. |
| cs:DescribeTemplates | Queries all orchestration templates. |
| cs:DescribeTemplateAttribute | Queries details of an orchestration template. |
AliyunCCManagedArmsRole
ACS clusters assume this role to access ARMS, collect container resource metrics, and monitor application performance. This role enables the cluster to create and manage Prometheus monitoring instances, configure alert rules, and manage alert contacts.
ARMS-related permissions
| Permission (Action) | Description |
|---|---|
| arms:CreateApp | Creates an application monitoring task. |
| arms:DeleteApp | Deletes an application monitoring task. |
| arms:ConfigAgentLabel | Modifies labels of the application monitoring agent. |
| arms:GetAssumeRoleCredentials | Queries the key required for a RAM user to assume a RAM role during application monitoring. |
| arms:CreateProm | Creates a monitoring task based on Managed Service for Prometheus. |
| arms:SearchEvents | Queries alert events. |
| arms:SearchAlarmHistories | Queries the alert sending history. |
| arms:SearchAlertRules | Queries alert rules. |
| arms:GetAlertRules | Retrieves alert rules. |
| arms:CreateAlertRules | Creates alert rules. |
| arms:UpdateAlertRules | Updates alert rules. |
| arms:StartAlertRule | Enables an alert rule. |
| arms:StopAlertRule | Disables an alert rule. |
| arms:CreateContact | Creates an alert contact. |
| arms:SearchContact | Queries an alert contact. |
| arms:UpdateContact | Updates an alert contact. |
| arms:CreateContactGroup | Creates an alert contact group. |
| arms:SearchContactGroup | Queries an alert contact group. |
| arms:UpdateContactGroup | Updates an alert contact group. |
Xtrace-related permissions
| Permission (Action) | Description |
|---|---|
| xtrace:GetToken | |
AliyunCCCISDefaultRole
ACS clusters assume this role to access ECS, ACK, VPC, and SLB resources and run periodic health checks on Kubernetes components. This role enables the cluster inspection service (CIS) to query instance status, run diagnostic commands via Cloud Assistant, and check networking and load balancing configurations.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:DescribeInstances | Queries details of one or more ECS instances. |
| ecs:DescribeInstanceStatus | Queries the status of multiple ECS instances. |
| ecs:DescribeInstanceTypes | Queries details of all ECS instance types or a specified type. |
| ecs:DescribeInstanceTypeFamilies | Queries ECS instance families. |
| ecs:DescribeInstanceAttribute | Queries details of an ECS instance. |
| ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
| ecs:DescribeDiagnosticReportAttributes | Queries details of a resource diagnostic report. |
| ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
| ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:DescribeSecurityGroups | Queries basic information about security groups. |
| ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by other security groups. |
| ecs:DescribeBandwidthLimitation | Queries the maximum public bandwidth available for different instance types. |
| ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances and retrieves command execution statistics. |
| ecs:DescribeCommands | Queries Cloud Assistant commands. |
| ecs:DescribeInvocationResults | Queries the result of running one or more Cloud Assistant commands on an ECS instance. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Runs a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops a running Cloud Assistant command on one or more ECS instances. |
| ecs:CreateDiagnosticReport | Creates a resource diagnostic report. |
| ecs:DescribeNetworkInterfaces | Queries details of one or more ENIs. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch script on one or more ECS instances. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:DescribeVpcAttribute | Queries the configuration of a VPC. |
| vpc:DescribeVSwitches | Queries available vSwitches used for internal networking. |
| vpc:DescribeVSwitchAttributes | Queries the configuration of a vSwitch. |
| vpc:DescribeRouteTableList | Queries route tables. |
| vpc:DescribeRouteEntryList | Queries route entries. |
| vpc:DescribeNatGateways | Queries NAT gateways in a region. |
| vpc:DescribeRouteTables | Queries route tables. |
| vpc:DescribeSnatTableEntries | Queries SNAT table entries. |
| vpc:DescribeNetworkAcls | Queries network ACLs. |
| vpc:DescribeNetworkAclAttributes | Queries details of a network ACL. |
| vpc:DescribeEipAddresses | Queries created EIPs in a region. |
SLB-related permissions
| Permission (Action) | Description |
|---|---|
| slb:DescribeLoadBalancers | Queries created SLB instances. |
| slb:DescribeLoadBalancerAttribute | Queries details of an SLB instance. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DescribeVServerGroupAttribute | Queries details of a vServer group. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configuration of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configuration of a UDP listener. |
| slb:DescribeAccessControlLists | Queries created network ACLs. |
| slb:DescribeAccessControlListAttribute | Queries the configuration of a network ACL. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeHealthStatus | Queries the health status of backend servers. |
SLS-related permissions
| Permission (Action) | Description |
|---|---|
| sls:GetLogStore | Queries details of a Logstore. |
ATP-related permissions
| Permission (Action) | Description |
|---|---|
| grace:GetFile | Queries information about a file. |
| grace:AnalyzeFile | Analyzes a file. |
| grace:UploadFileByOSS | Uploads files using Object Storage Service (OSS). |
| grace:UploadFileByURL | Uploads files by specifying URLs. |
CloudMonitor-related permissions
| Permission (Action) | Description |
|---|---|
| cms:DescribeMetricData | Queries monitoring data of a metric for a cloud service. |
| cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricMetaList | Queries details of metrics supported in CloudMonitor. |
| cms:DescribeMetricTop | Queries and ranks the latest monitoring data of a metric. |
| cms:QueryMetricMeta | Queries descriptions of time series metrics supported in CloudMonitor. |
| cms:QueryMetricTop | Queries the top metrics. |
| cms:ListMetricMeta | Lists data source metrics. |
| cms:QueryMetricData | Queries monitoring data of a time series metric in a specified period. |
| cms:QueryMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricList | Queries monitoring data of a metric for an Alibaba Cloud service. |
| cms:QueryMetricList | Queries monitoring data of instances or clusters of a specific service within a period. |
| cms:DescribeAlertLogList | Queries alert logs from the past year. |
| cms:DescribeSystemEventAttribute | Queries details of a system event. |
ACK-related permissions
| Permission (Action) | Description |
|---|---|
| cs:DescribeClusterDetail | Queries details of a cluster by cluster ID. |
| cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID. |
| cs:DescribeTaskInfo | Queries execution details of a task by task ID. |
| cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of a component by component name. |
Resource quota-related permissions
| Permission (Action) | Description |
|---|---|
| quotas:ListProducts | Queries Alibaba Cloud services supported by Quota Center. |
| quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
| quotas:ListProductQuotaDimensions | Queries the quota dimensions supported by an Alibaba Cloud service. |
| quotas:GetProductQuota | Queries details of a quota. |
| quotas:GetProductQuotaDimension | Queries details of a quota dimension. |
RAM-related permissions
| Permission (Action) | Description |
|---|---|
| ram:CreateServiceLinkedRole | Creates a service-linked role. |
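Reviewing a role like AliyunCCCISDefaultRole means separating its many read-only Describe/Get/List grants from the few that change state or execute code (ecs:RunCommand, ecs:InvokeCommand, ram:CreateServiceLinkedRole). The script below is an added example, not Alibaba Cloud's own code or tooling: it parses rows in this page's permission-table format into a RAM policy document and buckets the actions for review. The embedded rows are a subset copied from the AliyunCCCISDefaultRole tables above; the read-only verb prefixes and the high-impact list are this example's own assumptions.

```python
"""Turn permission-table rows into a RAM policy and audit the grants."""
import json
import re

# Constructed input: rows copied from the AliyunCCCISDefaultRole tables above,
# in the page's own "service:Action | description" row format.
CIS_ROLE_ROWS = """\
| Permission (Action) | Description |
|---|---|
| ecs:DescribeInstances | Queries details of one or more ECS instances. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Runs a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops a running Cloud Assistant command on one or more ECS instances. |
| ecs:CreateDiagnosticReport | Creates a resource diagnostic report. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch script on one or more ECS instances. |
| vpc:DescribeVpcs | Queries created VPCs. |
| slb:DescribeHealthStatus | Queries the health status of backend servers. |
| ram:CreateServiceLinkedRole | Creates a service-linked role. |
"""

# A data row: optional leading pipe, "service:Action", pipe, description,
# optional trailing pipe. Header and delimiter rows have no "service:Action"
# cell and therefore do not match.
ROW_RE = re.compile(r"^\|?\s*([a-z]+:[A-Za-z0-9]+)\s*\|\s*(.*?)\s*\|?\s*$")

# Assumption: an action whose verb starts with one of these prefixes only reads.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Query", "Search")

# Assumption: actions that execute code on instances or create RAM identities
# deserve a dedicated review regardless of the role's stated scope.
HIGH_IMPACT = {"ecs:RunCommand", "ecs:InvokeCommand", "ram:CreateServiceLinkedRole"}


def parse_rows(text):
    """Return [(action, description), ...] for every data row in the table text."""
    actions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            actions.append((m.group(1), m.group(2)))
    return actions


def is_read_only(action):
    """True when the verb part of "service:Verb..." is a read-only prefix."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_PREFIXES)


def build_policy(actions):
    """RAM policy document (Version "1") granting exactly the listed actions."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(a for a, _ in actions),
            # The page scopes no role to specific resources; narrow this where
            # the service supports resource-level authorization.
            "Resource": "*",
        }],
    }


def audit(actions):
    """Bucket actions into read-only, mutating and high-impact lists."""
    read_only = [a for a, _ in actions if is_read_only(a)]
    mutating = [a for a, _ in actions if not is_read_only(a)]
    high_impact = [a for a in mutating if a in HIGH_IMPACT]
    return {"read_only": read_only, "mutating": mutating, "high_impact": high_impact}


if __name__ == "__main__":
    rows = parse_rows(CIS_ROLE_ROWS)
    print(json.dumps(build_policy(rows), indent=2))
    print(json.dumps(audit(rows), indent=2))
```

Point the parser at the full table of any role on this page to get the same policy-plus-audit view; the high-impact bucket is the part worth reading line by line before the role is authorized.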
AliyunCCManagedAcrRole
ACS clusters assume this role to access Container Registry (ACR) and retrieve temporary credentials—a username and password pair—used to pull images when starting pods.
CR-related permissions
| Permission (Action) | Description |
|---|---|
| cr:GetAuthorizationToken | Retrieves temporary credentials for logging in to a Container Registry instance. |
| cr:ListInstanceEndpoint | Queries the endpoints of a Container Registry instance. |
AliyunCCForResourceProviderRole
ACS clusters assume this role to access cloud resources when creating pods. This role enables the cluster to manage ENIs and cloud disks needed for pod networking and storage.
ECS-related permissions
| Permission (Action) | Description |
|---|---|
| ecs:CreateNetworkInterfacePermission | Creates an ENI permission. |
| ecs:DeleteNetworkInterfacePermission | Deletes an ENI permission. |
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeSecurityGroups | Queries basic information about security groups. |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:CreateDisk | Creates a cloud disk. |
| ecs:DescribeDisks | Queries cloud disks. |
| ecs:AttachDisk | Attaches a cloud disk to an ECS instance. |
| ecs:DetachDisk | Detaches a cloud disk from an ECS instance. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries created vSwitches. |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:AllocateEipAddress | Allocates an EIP. |
| vpc:AssociateEipAddress | Associates an EIP with an instance in the same region. |
| vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
| vpc:ReleaseEipAddress | Releases an EIP. |
AliyunCCManagedVirtualNodeRole
ACS clusters assume this role to access cloud resources when creating virtual nodes. This role enables the virtual node controller to manage private zone DNS records and vSwitch configurations required for virtual node networking.
PVTZ-related permissions
| Permission (Action) | Description |
|---|---|
| pvtz:AddZone | Adds a private zone. |
| pvtz:DeleteZone | Deletes a private zone. |
| pvtz:DescribeZones | Queries private zones. |
| pvtz:BindZoneVpc | Associates a private zone with a VPC. |
| pvtz:AddZoneRecord | Adds a DNS record. |
| pvtz:DeleteZoneRecord | Deletes a DNS record. |
| pvtz:DescribeZoneRecords | Queries DNS records. |
VPC-related permissions
| Permission (Action) | Description |
|---|---|
| vpc:DescribeVSwitches | Queries created vSwitches. |
AliyunCSDefaultRole
This is a service-linked role of ACK. ACS assumes this role to create, delete, and upgrade Kubernetes clusters.
For more information about this role, see ACK roles.