This topic describes how to use Terraform to assign roles to ACK when you use ACK for the first time.
Prerequisites
Terraform is installed.
Step 1: Activate ACK
You must activate corresponding services before you can create ACK clusters.
Create a working directory and a file named
main.tfin the directory.Copy the following code to the
main.tffile:Run the following command to initialize the Terraform runtime environment:
terraform initIf the following information is returned, Terraform is initialized:
Initializing the backend... Initializing provider plugins... ... Terraform has been successfully initialized! ...Run the following command to activate ACK:
terraform applyWhen the following information is returned, input
yesand press Enter to activate the service.You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Step 2: Assign roles to ACK
When you use Container Service for Kubernetes for the first time, you must assign roles to ACK with your Alibaba Cloud account.
Add the following code to the
main.tffile and run theterraform applycommand to check whether the roles are already assigned.NoteDue to the limits of Terraform, Terraform cannot automatically check whether all required roles are assigned and automatically assign the missing roles. Therefore, you need to manually query the role information and assign the roles to ACK.
// Check whether the roles are already assigned. data "alicloud_ram_roles" "roles" { policy_type = "System" } // List the roles that are assigned to ACK. output "exist_role" { value = data.alicloud_ram_roles.roles }The following information is returned:
No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: ... exist_role = { "id" = "1788****59" "ids" = tolist([ "3009617019****1438", "3023233020****0278", "3302003419****4675", "3178548808****5924", "3371411011****5177", "3475619590****3519", ]) "name_regex" = tostring(null) "names" = tolist([ "AliyunCASDefaultRole", "AliyunContainerRegistryDefaultRole", "AliyunCSDefaultRole", "AliyunCSKubernetesAuditRole", "AliyunCSManagedArmsRole", "AliyunCSManagedCmsRole", "AliyunCSManagedCsiRole", "AliyunCSManagedKubernetesRole", "AliyunCSManagedLogRole", "AliyunCSManagedNetworkRole", "AliyunCSManagedVKRole", "AliyunCSServerlessKubernetesRole", "AliyunServiceRoleForCSB", "AliyunServiceRoleForECI", "AliyunServiceRoleForGws", "AliyunServiceRoleForResourceDirectory", "AliyunServiceRoleForServiceMesh", ]) "output_file" = tostring(null) "policy_name" = tostring(null) "policy_type" = "System" "roles" = tolist([ { "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "create_date" = "2023-07-17T03:27:28Z" "description" = "Certificate Management Service assumes this role to access your resources in other Alibaba Cloud services by default." "document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "id" = "300961701980****" "name" = "AliyunCASDefaultRole" "update_date" = "2023-07-17T03:27:28Z" }, { "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"} "id" = "3502335964487******" "name" = "AliyunServiceRoleForServiceMesh" "update_date" = "2022-09-27T10:26:50Z" }, ]) }Replace the permission template in the
main.tfconfiguration file.NoteThis template grants permissions based on Server roles and specifies properties such as role names and policies through variables. If you need to modify role permissions, see Optional roles or Step 2: Assign roles to ACK. In the
defaultsection of the template, you can add or remove role configurations as needed to make sure that permissions are neither duplicated nor omitted.provider "alicloud" { } // Create a role. resource "alicloud_ram_role" "role" { for_each = { for r in var.roles : r.name => r } name = each.value.name document = each.value.policy_document description = each.value.description force = true } // Attach a RAM policy to the role. resource "alicloud_ram_role_policy_attachment" "attach" { for_each = { for r in var.roles : r.name => r } policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] } // View the roles required by ACK. variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) default = [ { name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedLogRolePolicy" }, { name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCmsRolePolicy" }, { name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiRolePolicy" }, { name = "AliyunCSManagedVKRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedVKRolePolicy" }, { name = "AliyunCSClusterRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "ACK assumes this role to access your resources in other Alibaba Cloud services in order to run applications." policy_name = "AliyunCSClusterRolePolicy" }, { name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "ACK Serverless assumes this role to access your resources in other Alibaba Cloud services by default." policy_name = "AliyunCSServerlessKubernetesRolePolicy" }, { name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSKubernetesAuditRolePolicy" }, { name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedNetworkRolePolicy" }, { name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters by default." policy_name = "AliyunCSDefaultRolePolicy" }, { name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "ACK Managed assumes this role to access your resources in other Alibaba Cloud services by default." policy_name = "AliyunCSManagedKubernetesRolePolicy" }, { name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedArmsRolePolicy" }, { name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Container Intelligence Service assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCISDefaultRolePolicy" }, { name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" } ] }Run the following command to initialize the Terraform runtime environment:
terraform initIf the following information is returned, Terraform is initialized.
Initializing the backend... Initializing provider plugins... ... Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. Terraform has been successfully initialized! ...Run the
terraform applycommand to assign the roles to ACK:When the following information is returned, input
yesand press Enter to complete the authorization...... Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value:
Run the following command to query the assigned roles:
terraform showThe following output indicates that all required roles are assigned:
data "alicloud_ram_roles" "roles" { ... "names" = [ "AliyunCISDefaultRole", "AliyunCSClusterRole", "AliyunCSDefaultRole", ... ] ... }
Server roles
AliyunCSManagedLogRole
Notes: The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in SLS.
Authorization code:
{ "name": "AliyunCSManagedLogRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedLogRolePolicy" }
AliyunCSManagedCmsRole
Notes: The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in CMS and SLS.
Authorization code:
{ "name": "AliyunCSManagedCmsRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedCmsRolePolicy" }
AliyunCSManagedCsiRole
Notes: The storage component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and NAS.
Authorization code:
{ "name": "AliyunCSManagedCsiRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedCsiRolePolicy" }
AliyunCSManagedVKRole
Notes: The Virtual Node component of an ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, and ECI.
Authorization code:
{ "name": "AliyunCSManagedVKRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedVKRolePolicy" }
AliyunCSServerlessKubernetesRole
Notes: An ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and PVTZ.
Authorization code:
{ "name": "AliyunCSServerlessKubernetesRole" "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "An ACK Serverless cluster assumes this role to access your resources in other Alibaba Cloud services by default." "policy_name": "AliyunCSServerlessKubernetesRolePolicy" }
AliyunCSKubernetesAuditRole
Notes: The auditing feature of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in SLS.
Authorization code:
{ "name": "AliyunCSKubernetesAuditRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSKubernetesAuditRolePolicy" }
AliyunCSManagedNetworkRole
Notes: The network component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and VPC.
Authorization code:
{ "name": "AliyunCSManagedNetworkRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedNetworkRolePolicy" }
AliyunCSDefaultRole
Notes: ACK assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, ROS, and ESS when ACK performs cluster management.
Authorization code:
{ "name": "AliyunCSDefaultRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters by default.", "policy_name": "AliyunCSDefaultRolePolicy" }
AliyunCSManagedKubernetesRole
Notes: An ACK managed cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and ACR.
Authorization code:
{ "name": "AliyunCSManagedKubernetesRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "An ACK Managed cluster assumes this role to access your resources in other Alibaba Cloud services by default.", "policy_name": "AliyunCSManagedKubernetesRolePolicy" }
AliyunCSManagedArmsRole
Notes: The application monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS).
Authorization code:
{ "name": "AliyunCSManagedArmsRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCSManagedArmsRolePolicy" }
AliyunCSClusterRole
Notes: Container Service (CS) assumes this role during application runtime to access your resources in other cloud products. It is used to attach policies to the CS cluster roles.
Authorization code:
{ "name": "AliyunCSClusterRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK assumes this role during application runtime to access your resources in other cloud products.", "policy_name": "AliyunCSClusterRolePolicy" }
Optional roles
AliyunCISDefaultRole
Notes: ACK Container Intelligence Service (CIS) assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to perform diagnostics and inspections.
Authorization code:
{ "name": "AliyunCISDefaultRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "Container Intelligence Service assumes this role to access your resources in other Alibaba Cloud services.", "policy_name": "AliyunCISDefaultRolePolicy" }
AliyunCSManagedAcrRole
Notes: The aliyun-acr-credential-helper component of an ACK managed cluster or ACK Serverless cluster assumes this role to pull images from Container Registry.
Authorization code:
{ "name": "AliyunCSManagedAcrRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The aliyun-acr-credential-helper component of an ACK managed cluster or ACK Serverless cluster assumes this role to pull images from Container Registry.", "policy_name": "AliyunCSManagedAcrRolePolicy" }
AliyunCSManagedNlcRole
Notes: The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.
Authorization code:
{ "name": "AliyunCSManagedNlcRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.", "policy_name": "AliyunCSManagedNlcRolePolicy" }
AliyunCSManagedAutoScalerRole
Notes: The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ESS and ECS.
Authorization code:
{ "name": "AliyunCSManagedAutoScalerRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The auto scaling component of an ACK cluster assumes this role to access your resources in other cloud products.", "policy_name": "AliyunCSManagedAutoScalerRolePolicy" }
AliyunCSManagedSecurityRole
Notes: The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Key Management Service (KMS).
Authorization code:
{ "name": "AliyunCSManagedSecurityRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in KMS.", "policy_name": "AliyunCSManagedSecurityRolePolicy" }
AliyunCSManagedCostRole
Notes: The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as Bill Management (BSS) API, ECS, and Elastic Container Instance (ECI).
Authorization code:
{ "name": "AliyunCSManagedCostRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as Bill Management (BSS) API, ECS, and ECI.", "policy_name": "AliyunCSManagedCostRolePolicy" }
AliyunCSManagedNimitzRole
Notes: The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service.
Authorization code:
{ "name": "AliyunCSManagedNimitzRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service.", "policy_name": "AliyunCSManagedNimitzRolePolicy" }
AliyunCSManagedBackupRestoreRole
Notes: The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.
Authorization code:
{ "name": "AliyunCSManagedBackupRestoreRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.", "policy_name": "AliyunCSManagedBackupRestoreRolePolicy" }
AliyunCSManagedEdgeRole
Notes: The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).
Authorization code:
{ "name": "AliyunCSManagedEdgeRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).", "policy_name": "AliyunCSManagedEdgeRolePolicy" }
AliyunOOSLifecycleHook4CSRole
Notes: Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools.
Authorization code:
{ "name": "AliyunOOSLifecycleHook4CSRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["oos.aliyuncs.com"] } } ], "Version": "1" }, "description": "Operation Orchestration Service (OOS) uses this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools.", "policy_name": "AliyunOOSLifecycleHook4CSRolePolicy" }