
Container Service for Kubernetes: Activate ACK and assign roles to ACK

Last Updated: Sep 14, 2024

This topic describes how to use Terraform to assign roles to ACK when you use ACK for the first time.

Prerequisites

Terraform is installed.

Step 1: Activate ACK

You must activate corresponding services before you can create ACK clusters.

  1. Create a working directory and a file named main.tf in the directory.

  2. Copy the following code to the main.tf file:

    provider "alicloud" {   
    }
    
    // Activate ACK. 
    data "alicloud_ack_service" "open" {
        enable = "On"
        type   = "propayasgo"
    }
  3. Run the following command to initialize the Terraform runtime environment:

    terraform init

    If the following information is returned, Terraform is initialized:

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has been successfully initialized!
    ...
  4. Run the following command to activate ACK:

    terraform apply

    When the following information is returned, input yes and press Enter to activate the service.

    You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Step 2: Assign roles to ACK

When you use Container Service for Kubernetes for the first time, you must assign roles to ACK with your Alibaba Cloud account.

  1. Add the following code to the main.tf file and run the terraform apply command to check whether the roles are already assigned.

    Note

    Due to the limits of Terraform, Terraform cannot automatically check whether all required roles are assigned and automatically assign the missing roles. Therefore, you need to manually query the role information and assign the roles to ACK.

    // Check whether the roles are already assigned. 
    data "alicloud_ram_roles" "roles" {
        policy_type = "System"
    }
    
    // List the roles that are assigned to ACK. 
    output "exist_role" {
      value = data.alicloud_ram_roles.roles
    }

    The following information is returned:

    No changes. Your infrastructure matches the configuration.
    
    Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
    
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
    
    Outputs:
    ...
    exist_role = {
      "id" = "1788****59"
      "ids" = tolist([
        "3009617019****1438",
        "3023233020****0278",
        "3302003419****4675",
        "3178548808****5924",
        "3371411011****5177",
        "3475619590****3519",
      ])
      "name_regex" = tostring(null)
      "names" = tolist([
        "AliyunCASDefaultRole",
        "AliyunContainerRegistryDefaultRole",
        "AliyunCSDefaultRole",
        "AliyunCSKubernetesAuditRole",
        "AliyunCSManagedArmsRole",
        "AliyunCSManagedCmsRole",
        "AliyunCSManagedCsiRole",
        "AliyunCSManagedKubernetesRole",
        "AliyunCSManagedLogRole",
        "AliyunCSManagedNetworkRole",
        "AliyunCSManagedVKRole",
        "AliyunCSServerlessKubernetesRole",
        "AliyunServiceRoleForCSB",
        "AliyunServiceRoleForECI",
        "AliyunServiceRoleForGws",
        "AliyunServiceRoleForResourceDirectory",
        "AliyunServiceRoleForServiceMesh",
      ])
      "output_file" = tostring(null)
      "policy_name" = tostring(null)
      "policy_type" = "System"
      "roles" = tolist([
        {
          "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole"
          "assume_role_policy_document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cas.aliyuncs.com"]}}],
              "Version": "1"}
          EOT
          "create_date" = "2023-07-17T03:27:28Z"
          "description" = "Certificate Management Service assumes this role to access your resources in other Alibaba Cloud services by default."
          "document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cas.aliyuncs.com"]}}],
              "Version": "1"}
          EOT
          "id" = "300961701980****"
          "name" = "AliyunCASDefaultRole"
          "update_date" = "2023-07-17T03:27:28Z"
        },
        {
          "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole"
          "assume_role_policy_document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cr.aliyuncs.com"]}}],
              "Version": "1"}
          "id" = "3502335964487******"
          "name" = "AliyunServiceRoleForServiceMesh"
          "update_date" = "2022-09-27T10:26:50Z"
        },
      ])
    }
  2. Replace the permission template in the main.tf configuration file.

    Note

    This template grants permissions based on Server roles and specifies properties such as role names and policies through variables. If you need to modify role permissions, see Optional roles or Step 2: Assign roles to ACK. In the default section of the template, you can add or remove role configurations as needed to make sure that permissions are neither duplicated nor omitted.

    provider "alicloud" {
    }
    
    // Create a role. 
    resource "alicloud_ram_role" "role" {
      for_each    = { for r in var.roles : r.name => r }
      name        = each.value.name
      document    = each.value.policy_document
      description = each.value.description
      force       = true
    }
    
    // Attach a RAM policy to the role. 
    resource "alicloud_ram_role_policy_attachment" "attach" {
      for_each    = { for r in var.roles : r.name => r }
      policy_name = each.value.policy_name
      policy_type = "System"
      role_name   = each.value.name
      depends_on  = [alicloud_ram_role.role]
    }
    
    // View the roles required by ACK. 
    variable "roles" {
      type = list(object({
        name            = string
        policy_document = string
        description     = string
        policy_name     = string
      }))
      default = [
        {
          name            = "AliyunCSManagedLogRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedLogRolePolicy"
        },
        {
          name            = "AliyunCSManagedCmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCmsRolePolicy"
        },
        {
          name            = "AliyunCSManagedCsiRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedCsiRolePolicy"
        },
        {
          name            = "AliyunCSManagedVKRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedVKRolePolicy"
        },
        {
          name            = "AliyunCSClusterRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "ACK assumes this role to access your resources in other Alibaba Cloud services in order to run applications."
          policy_name     = "AliyunCSClusterRolePolicy"
        },
        {
          name            = "AliyunCSServerlessKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "ACK Serverless assumes this role to access your resources in other Alibaba Cloud services by default."
          policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSKubernetesAuditRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSKubernetesAuditRolePolicy"
        },
        {
          name            = "AliyunCSManagedNetworkRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedNetworkRolePolicy"
        },
        {
          name            = "AliyunCSDefaultRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters by default."
          policy_name     = "AliyunCSDefaultRolePolicy"
        },
        {
          name            = "AliyunCSManagedKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "ACK Managed assumes this role to access your resources in other Alibaba Cloud services by default."
          policy_name     = "AliyunCSManagedKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSManagedArmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCSManagedArmsRolePolicy"
        },
        {
          name            = "AliyunCISDefaultRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "Container Intelligence Service assumes this role to access your resources in other Alibaba Cloud services."
          policy_name     = "AliyunCISDefaultRolePolicy"
        },
        {
          name            = "AliyunOOSLifecycleHook4CSRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools."
          policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"
        }
      ]
    }
  3. Run the following command to initialize the Terraform runtime environment:

    terraform init

    If the following information is returned, Terraform is initialized.

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future.
    Terraform has been successfully initialized!
    ...
  4. Run the terraform apply command to assign the roles to ACK.

    When the following information is returned, input yes and press Enter to complete the authorization.

    ...
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.

      Enter a value:
  5. Run the following command to query the assigned roles:

    terraform show

    The following output indicates that all required roles are assigned:

    data "alicloud_ram_roles" "roles" {
      ...
      "names"       = [
        "AliyunCISDefaultRole",
        "AliyunCSClusterRole",
        "AliyunCSDefaultRole",
        ...
      ]
      ...
    }
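The Note in Step 2 says the comparison between existing and required roles has to be done by hand. The following added example (not part of the original topic or of the alicloud provider) automates that comparison and also checks that each role's trust policy names only the service principal the template expects. It assumes the input is the JSON form of the exist_role output; the function names, the sample data and the account ID in it are constructed for illustration.

```python
import json

# Role name -> service principal expected in its trust policy, copied from the
# default list of the main.tf template in Step 2.
REQUIRED = {name: "cs.aliyuncs.com" for name in (
    "AliyunCSManagedLogRole", "AliyunCSManagedCmsRole", "AliyunCSManagedCsiRole",
    "AliyunCSManagedVKRole", "AliyunCSClusterRole",
    "AliyunCSServerlessKubernetesRole", "AliyunCSKubernetesAuditRole",
    "AliyunCSManagedNetworkRole", "AliyunCSDefaultRole",
    "AliyunCSManagedKubernetesRole", "AliyunCSManagedArmsRole",
    "AliyunCISDefaultRole",
)}
REQUIRED["AliyunOOSLifecycleHook4CSRole"] = "oos.aliyuncs.com"


def trusted_principals(policy_json):
    """Return every (kind, value) principal an Allow statement trusts."""
    found = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # anything not keyed by kind
            found.add(("Any", str(principal)))
            continue
        for kind, values in principal.items():
            if isinstance(values, str):  # a single value instead of a list
                values = [values]
            found.update((kind, value) for value in values)
    return found


def audit(exist_role, required=REQUIRED):
    """Return (missing role names, {role: unexpected trusted principals})."""
    by_name = {role["name"]: role for role in exist_role.get("roles", [])}
    missing = sorted(set(required) - set(by_name))
    unexpected = {}
    for name, service in required.items():
        role = by_name.get(name)
        if role is None:
            continue
        extra = trusted_principals(role["assume_role_policy_document"])
        extra -= {("Service", service)}
        if extra:
            unexpected[name] = sorted(extra)
    return missing, unexpected


def _trust(principal):
    """Build a trust policy document string for the constructed sample."""
    return json.dumps({
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": principal}],
        "Version": "1",
    })


# Constructed sample in the shape of `terraform output -json exist_role`,
# trimmed to the fields the audit reads. The account ID is made up.
SAMPLE = json.dumps({
    "roles": [
        {"name": "AliyunCASDefaultRole",  # not required by ACK, ignored
         "assume_role_policy_document":
             _trust({"Service": ["cas.aliyuncs.com"]})},
        {"name": "AliyunCSDefaultRole",
         "assume_role_policy_document":
             _trust({"Service": ["cs.aliyuncs.com"]})},
        {"name": "AliyunCSManagedLogRole",  # trust policy widened by hand
         "assume_role_policy_document":
             _trust({"Service": ["cs.aliyuncs.com"],
                     "RAM": ["acs:ram::1234567890123456:root"]})},
    ],
})

if __name__ == "__main__":
    missing, unexpected = audit(json.loads(SAMPLE))
    print("Roles still to assign:", ", ".join(missing))
    for name, principals in unexpected.items():
        print("Unexpected principal on", name, "->", principals)
```

Against a real account, pass the parsed result of `terraform output -json exist_role` to audit() instead of the sample.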

Server roles

AliyunCSManagedLogRole

  • Notes: The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in SLS.

  • Authorization code:

    {
      "name": "AliyunCSManagedLogRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedLogRolePolicy"
    }
    

AliyunCSManagedCmsRole

  • Notes: The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in CMS and SLS.

  • Authorization code:

    {
      "name": "AliyunCSManagedCmsRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedCmsRolePolicy"
    }

AliyunCSManagedCsiRole

  • Notes: The storage component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and NAS.

  • Authorization code:

    {
      "name": "AliyunCSManagedCsiRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedCsiRolePolicy"
    }

AliyunCSManagedVKRole

  • Notes: The Virtual Node component of an ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, and ECI.

  • Authorization code:

    {
      "name": "AliyunCSManagedVKRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedVKRolePolicy"
    }

AliyunCSServerlessKubernetesRole

  • Notes: An ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and PVTZ.

  • Authorization code:

    {
      "name": "AliyunCSServerlessKubernetesRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "An ACK Serverless cluster assumes this role to access your resources in other Alibaba Cloud services by default.",
      "policy_name": "AliyunCSServerlessKubernetesRolePolicy"
    }

AliyunCSKubernetesAuditRole

  • Notes: The auditing feature of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in SLS.

  • Authorization code:

    {
      "name": "AliyunCSKubernetesAuditRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSKubernetesAuditRolePolicy"
    }

AliyunCSManagedNetworkRole

  • Notes: The network component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and VPC.

  • Authorization code:

    {
      "name": "AliyunCSManagedNetworkRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedNetworkRolePolicy"
    }

AliyunCSDefaultRole

  • Notes: ACK assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, ROS, and ESS when ACK performs cluster management.

  • Authorization code:

    {
      "name": "AliyunCSDefaultRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters by default.",
      "policy_name": "AliyunCSDefaultRolePolicy"
    }

AliyunCSManagedKubernetesRole

  • Notes: An ACK managed cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and ACR.

  • Authorization code:

    {
      "name": "AliyunCSManagedKubernetesRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "An ACK Managed cluster assumes this role to access your resources in other Alibaba Cloud services by default.",
      "policy_name": "AliyunCSManagedKubernetesRolePolicy"
    }

AliyunCSManagedArmsRole

  • Notes: The application monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS).

  • Authorization code:

    {
      "name": "AliyunCSManagedArmsRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCSManagedArmsRolePolicy"
    }

AliyunCSClusterRole

  • Notes: Container Service (CS) assumes this role during application runtime to access your resources in other cloud products. It is used to attach policies to the CS cluster roles.

  • Authorization code:

    {
      "name": "AliyunCSClusterRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "ACK assumes this role during application runtime to access your resources in other cloud products.",
      "policy_name": "AliyunCSClusterRolePolicy"
    }

Optional roles

AliyunCISDefaultRole

  • Notes: ACK Container Intelligence Service (CIS) assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to perform diagnostics and inspections.

  • Authorization code:

    {
      "name": "AliyunCISDefaultRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "Container Intelligence Service assumes this role to access your resources in other Alibaba Cloud services.",
      "policy_name": "AliyunCISDefaultRolePolicy"
    }

AliyunCSManagedAcrRole

  • Notes: The aliyun-acr-credential-helper component of an ACK managed cluster or ACK Serverless cluster assumes this role to pull images from Container Registry.

  • Authorization code:

    {
      "name": "AliyunCSManagedAcrRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The aliyun-acr-credential-helper component of an ACK managed cluster or ACK Serverless cluster assumes this role to pull images from Container Registry.",
      "policy_name": "AliyunCSManagedAcrRolePolicy"
    }

AliyunCSManagedNlcRole

  • Notes: The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.

  • Authorization code:

    {
      "name": "AliyunCSManagedNlcRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.",
      "policy_name": "AliyunCSManagedNlcRolePolicy"
    }

AliyunCSManagedAutoScalerRole

  • Notes: The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ESS and ECS.

  • Authorization code:

    {
      "name": "AliyunCSManagedAutoScalerRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The auto scaling component of an ACK cluster assumes this role to access your resources in other cloud products.",
      "policy_name": "AliyunCSManagedAutoScalerRolePolicy"
    }

AliyunCSManagedSecurityRole

  • Notes: The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Key Management Service (KMS).

  • Authorization code:

    {
      "name": "AliyunCSManagedSecurityRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in KMS.",
      "policy_name": "AliyunCSManagedSecurityRolePolicy"
    }

AliyunCSManagedCostRole

  • Notes: The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as Bill Management (BSS) API, ECS, and Elastic Container Instance (ECI).

  • Authorization code:

    {
      "name": "AliyunCSManagedCostRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as Bill Management (BSS) API, ECS, and ECI.",
      "policy_name": "AliyunCSManagedCostRolePolicy"
    }

AliyunCSManagedNimitzRole

  • Notes: The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service.

  • Authorization code:

    {
      "name": "AliyunCSManagedNimitzRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service.",
      "policy_name": "AliyunCSManagedNimitzRolePolicy"
    }

AliyunCSManagedBackupRestoreRole

  • Notes: The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.

  • Authorization code:

    {
      "name": "AliyunCSManagedBackupRestoreRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.",
      "policy_name": "AliyunCSManagedBackupRestoreRolePolicy"
    }

AliyunCSManagedEdgeRole

  • Notes: The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).

  • Authorization code:

    {
      "name": "AliyunCSManagedEdgeRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["cs.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).",
      "policy_name": "AliyunCSManagedEdgeRolePolicy"
    }

AliyunOOSLifecycleHook4CSRole

  • Notes: Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools.

  • Authorization code:

    {
      "name": "AliyunOOSLifecycleHook4CSRole",
      "policy_document": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": ["oos.aliyuncs.com"]
            }
          }
        ],
        "Version": "1"
      },
      "description": "Operation Orchestration Service (OOS) uses this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools.",
      "policy_name": "AliyunOOSLifecycleHook4CSRolePolicy"
    }