AliyunServiceRoleForPaiEasManageCustomerClusters is a Resource Access Management (RAM) service-linked role that Elastic Algorithm Service (EAS) assumes to manage the underlying infrastructure of self-managed resource groups. To implement specific features, EAS may need to access Object Storage Service (OSS), Simple Log Service, Elastic Compute Service (ECS), and Virtual Private Cloud (VPC) resources.
Before using EAS self-managed resource groups, assign this service-linked role to EAS using your Alibaba Cloud account. For background on service-linked roles, see Service-linked roles.
Permissions
The role grants EAS access to the following cloud services.
PrivateLink
EAS uses PrivateLink to create and manage VPC endpoints that connect self-managed clusters to Alibaba Cloud services over private networks.
| Action | Description |
|---|---|
| privatelink:OpenPrivateLinkService | Activate the PrivateLink service |
| privatelink:CheckProductOpen | Check whether PrivateLink is activated |
| privatelink:ListVpcEndpointServices | List available VPC endpoint services |
| privatelink:CreateVpcEndpoint | Create a VPC endpoint |
| privatelink:ListVpcEndpoints | List VPC endpoints |
| privatelink:UpdateVpcEndpointAttribute | Update VPC endpoint attributes |
| privatelink:GetVpcEndpointAttribute | Get VPC endpoint attributes |
| privatelink:ListVpcEndpointSecurityGroups | List security groups attached to a VPC endpoint |
| privatelink:AttachSecurityGroupToVpcEndpoint | Attach a security group to a VPC endpoint |
| privatelink:DetachSecurityGroupFromVpcEndpoint | Detach a security group from a VPC endpoint |
| privatelink:AddZoneToVpcEndpoint | Add a zone to a VPC endpoint |
| privatelink:RemoveZoneFromVpcEndpoint | Remove a zone from a VPC endpoint |
| privatelink:ListVpcEndpointZones | List zones associated with a VPC endpoint |
| privatelink:DeleteVpcEndpoint | Delete a VPC endpoint |
Resource scope: *
Virtual Private Cloud (VPC)
EAS reads VPC and vSwitch configurations to provision networking for self-managed clusters.
| Action | Description |
|---|---|
| vpc:DescribeVpcs | List VPCs |
| vpc:DescribeVpcAttribute | Get VPC details |
| vpc:DescribeVSwitches | List vSwitches |
| vpc:DescribeVSwitchAttributes | Get vSwitch details |
Resource scope: *
Elastic Compute Service (ECS)
EAS manages security groups to control traffic between cluster nodes and Alibaba Cloud services.
| Action | Description |
|---|---|
| ecs:DescribeSecurityGroups | List security groups |
| ecs:CreateSecurityGroup | Create a security group |
| ecs:DeleteSecurityGroup | Delete a security group |
| ecs:AuthorizeSecurityGroup | Add an inbound rule to a security group |
| ecs:AuthorizeSecurityGroupEgress | Add an outbound rule to a security group |
| ecs:RevokeSecurityGroup | Remove an inbound rule from a security group |
| ecs:RevokeSecurityGroupEgress | Remove an outbound rule from a security group |
Resource scope: *
Container Service for Kubernetes (ACK)
EAS reads cluster metadata and kubeconfig to deploy and manage workloads on self-managed Kubernetes clusters.
| Action | Description |
|---|---|
| cs:DescribeClusterDetail | Get cluster details |
| cs:DescribeClusterUserKubeconfig | Get the kubeconfig for a cluster |
Resource scope: *
Simple Log Service
EAS creates and manages log projects and Logstores to collect logs from self-managed resource groups. Permissions are scoped to EAS-prefixed resources only.
| Action | Description |
|---|---|
| log:GetProject | Get a log project |
| log:CreateProject | Create a log project |
| log:DeleteProject | Delete a log project |
| log:GetLogStore | Get a Logstore |
| log:CreateLogStore | Create a Logstore |
| log:DeleteLogStore | Delete a Logstore |
| log:GetIndex | Get an index |
| log:CreateIndex | Create an index |
| log:DeleteIndex | Delete an index |
| log:GetConfig | Get a Logtail configuration |
| log:CreateConfig | Create a Logtail configuration |
| log:DeleteConfig | Delete a Logtail configuration |
| log:GetMachineGroup | Get a machine group |
| log:CreateMachineGroup | Create a machine group |
| log:DeleteMachineGroup | Delete a machine group |
| log:GetLogStoreLogs | Query logs in a Logstore |
| log:ApplyConfigToGroup | Apply a Logtail configuration to a machine group |
Resource scope:
acs:log:*:*:project/*/logstore/eas-*
acs:log:*:*:project/eas-*
Alibaba Cloud DNS PrivateZone
EAS manages private DNS zones to resolve internal service endpoints within self-managed resource groups.
| Action | Description |
|---|---|
| pvtz:AddZone | Create a private zone |
| pvtz:BindZoneVpc | Associate a private zone with a VPC |
| pvtz:AddZoneRecord | Add a DNS record to a private zone |
| pvtz:DeleteZone | Delete a private zone |
Resource scope: *
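The following is an added example, not part of the original page or Alibaba Cloud's own code: it checks (action, resource) pairs attributed to the role against the actions and resource scopes in the tables above, which is useful when reviewing audit records for calls outside the documented set. It assumes that `*` in a resource scope matches any run of characters, including `/`; the sample resource names and the account ID are constructed placeholders.

```python
import re

# Actions and resource scopes transcribed from the tables on this page.
ANY = ["*"]
LOG_SCOPES = ["acs:log:*:*:project/*/logstore/eas-*", "acs:log:*:*:project/eas-*"]
DOCUMENTED = {
    "privatelink": (ANY, "OpenPrivateLinkService CheckProductOpen ListVpcEndpointServices "
        "CreateVpcEndpoint ListVpcEndpoints UpdateVpcEndpointAttribute GetVpcEndpointAttribute "
        "ListVpcEndpointSecurityGroups AttachSecurityGroupToVpcEndpoint "
        "DetachSecurityGroupFromVpcEndpoint AddZoneToVpcEndpoint RemoveZoneFromVpcEndpoint "
        "ListVpcEndpointZones DeleteVpcEndpoint"),
    "vpc": (ANY, "DescribeVpcs DescribeVpcAttribute DescribeVSwitches DescribeVSwitchAttributes"),
    "ecs": (ANY, "DescribeSecurityGroups CreateSecurityGroup DeleteSecurityGroup RevokeSecurityGroup "
        "AuthorizeSecurityGroup AuthorizeSecurityGroupEgress RevokeSecurityGroupEgress"),
    "cs": (ANY, "DescribeClusterDetail DescribeClusterUserKubeconfig"),
    "log": (LOG_SCOPES, "GetProject CreateProject DeleteProject GetLogStore CreateLogStore "
        "DeleteLogStore GetIndex CreateIndex DeleteIndex GetConfig CreateConfig DeleteConfig "
        "GetMachineGroup CreateMachineGroup DeleteMachineGroup GetLogStoreLogs ApplyConfigToGroup"),
    "pvtz": (ANY, "AddZone BindZoneVpc AddZoneRecord DeleteZone"),
}

def scope_matches(pattern, resource):
    # Assumption: "*" matches any run of characters, "/" included.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None

def check(action, resource):
    # Classify one call as 'ok', 'undocumented-action' or 'out-of-scope'.
    service, _, name = action.partition(":")
    scopes, names = DOCUMENTED.get(service, ([], ""))
    if name not in names.split():
        return "undocumented-action"
    if not any(scope_matches(p, resource) for p in scopes):
        return "out-of-scope"
    return "ok"

# Constructed sample calls, not real audit records; account ID and names are placeholders.
SAMPLE_CALLS = [
    ("log:CreateLogStore", "acs:log:cn-hangzhou:1234567890:project/eas-demo/logstore/eas-access"),
    ("log:DeleteLogStore", "acs:log:cn-hangzhou:1234567890:project/app-prod/logstore/eas-access"),
    ("log:DeleteProject", "acs:log:cn-hangzhou:1234567890:project/app-prod"),
    ("ecs:RunInstances", "acs:ecs:cn-hangzhou:1234567890:instance/*"),
]

def review(calls):
    return [(a, r, check(a, r)) for a, r in calls]

if __name__ == "__main__":
    for action, resource, verdict in review(SAMPLE_CALLS):
        print(f"{verdict:20} {action:22} {resource}")
```

The second sample shows that the first Simple Log Service scope covers any Logstore whose name starts with `eas-`, whatever project it is in.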
Delete the service-linked role
Deleting AliyunServiceRoleForPaiEasManageCustomerClusters may affect services deployed in EAS. After deletion, you may be unable to deploy or update services in self-managed resource groups, or use services deployed in those groups.
To delete the role:
Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, search for AliyunServiceRoleForPaiEasManageCustomerClusters. In the Actions column, click Delete Role.
In the Delete Role dialog box, enter the role name to confirm, then click Delete Role.