When you activate Container Service for Kubernetes (ACK), you must assign roles to ACK. ACK assumes the roles to use other cloud services, create clusters, and save log files. The cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes the permissions of the ACK roles.
Permissions of the default roles
The following table describes the roles that can be assigned to ACK.
| Role | Description |
| --- | --- |
| AliyunCSDefaultRole | ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, Virtual Private Cloud (VPC), SLB, Auto Scaling, and Resource Orchestration Service (ROS). |
| AliyunCISDefaultRole | Container Intelligent Service (CIS) assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to perform diagnostics and inspections. |
| AliyunCSManagedKubernetesRole | An ACK managed cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Container Registry. |
| AliyunCSServerlessKubernetesRole | An ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. |
| AliyunCSKubernetesAuditRole | The audit feature of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| | The network component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and VPC. |
| | The storage component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and NAS. |
| | The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as CloudMonitor and Simple Log Service. |
| | The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| | The virtual node component of an ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, and Elastic Container Instance. |
| | The Application Real-Time Monitoring Service (ARMS) component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ARMS. |
| | The password-free image pulling plug-in of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Container Registry. |
| | The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK. |
| | The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS. |
| | The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Key Management Service (KMS). |
| | The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and Elastic Container Instance and to call BSS OpenAPI (BOA). |
| | The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service. |
| | The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS. |
| | The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN). |
ACK assumes the AliyunCSDefaultRole role to access your resources in other cloud services when ACK performs operations on clusters.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:RunInstances | Starts an ECS instance. |
ecs:RenewInstance | Renews an ECS instance. |
ecs:Create* | Creates ECS resources, such as ECS instances and disks. |
ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
ecs:AllocateEipAddress | Assigns an elastic IP address (EIP) to an ECS instance. |
ecs:Delete* | Deletes an ECS instance. |
ecs:StartInstance | Starts an ECS instance. |
ecs:StopInstance | Stops an ECS instance. |
ecs:RebootInstance | Restarts an ECS instance. |
ecs:Describe* | Queries ECS resources. |
ecs:AuthorizeSecurityGroup | Configures inbound rules for a security group. |
ecs:RevokeSecurityGroup | Deletes an inbound rule of a security group. After the rule is deleted, the access control implemented by the rule is removed. |
ecs:AuthorizeSecurityGroupEgress | Configures outbound rules for a security group. |
ecs:AttachDisk | Attaches a disk to an ECS instance. |
ecs:DetachDisk | Detaches a disk from an ECS instance. |
ecs:WaitFor* | Waits for the execution of a task. |
ecs:AddTags | Adds tags. |
ecs:ReplaceSystemDisk | Replaces the system disk of an ECS instance. |
ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
ecs:JoinSecurityGroup | Adds an ECS instance to a security group. |
ecs:LeaveSecurityGroup | Removes an ECS instance from a security group. |
ecs:UnassociateEipAddress | Disassociates an EIP from an ECS instance. |
ecs:ReleaseEipAddress | Releases an EIP. |
ecs:CreateKeyPair | Creates an SSH key pair. |
ecs:ImportKeyPair | Imports the public key of an RSA key pair that was generated by a third-party tool. |
ecs:AttachKeyPair | Binds an SSH key pair to one or more Linux instances. |
ecs:DetachKeyPair | Unbinds an SSH key pair from one or more Linux-based ECS instances. |
ecs:DeleteKeyPairs | Deletes one or more SSH key pairs. |
ecs:AttachInstanceRamRole | Attaches a Resource Access Management (RAM) role to one or more ECS instances. |
ecs:DetachInstanceRamRole | Detaches a RAM role from one or more ECS instances. |
ecs:AllocateDedicatedHosts | Creates one or more pay-as-you-go or subscription dedicated hosts. |
ecs:CreateOrder | Creates an order to purchase ECS instances. |
ecs:DeleteInstance | Releases a pay-as-you-go instance or an expired subscription instance. |
ecs:CreateDisk | Creates a pay-as-you-go or subscription data disk. |
ecs:Createvpc | Creates a VPC for an ECS instance. |
ecs:Deletevpc | Deletes a VPC that is associated with an ECS instance. |
ecs:DeleteVSwitch | Deletes a vSwitch that is associated with an ECS instance. |
ecs:ResetDisk | Rolls back a disk to a specific state by using a snapshot of the disk. |
ecs:DeleteSnapshot | Deletes a snapshot. |
ecs:CreateVSwitch | Creates a vSwitch for an ECS instance. |
ecs:DeleteSecurityGroup | Deletes a security group. |
ecs:CreateImage | Creates a custom image. |
ecs:RemoveTags | Removes tags from an ECS instance. |
ecs:ReleaseDedicatedHost | Releases a pay-as-you-go dedicated host. |
ecs:CreateInstance | Creates a subscription or pay-as-you-go ECS instance. |
ecs:RevokeSecurityGroupEgress | Deletes an outbound rule of a security group. After the rule is deleted, the access control implemented by the rule is removed. |
ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
ecs:CreateSecurityGroup | Creates a security group. |
ecs:DeleteImage | Deletes a custom image. |
ecs:ModifyInstanceSpec | Changes the instance type and public bandwidth of a pay-as-you-go ECS instance. |
ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
ecs:CreateCommand | Creates a Cloud Assistant command. |
ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
ecs:DeleteCommand | Deletes a Cloud Assistant command. |
ecs:RunCommand | Creates a Cloud Assistant command of the Shell, PowerShell, or Bat type, and runs the command on one or more ECS instances. |
ecs:DescribeInvocationResults | Queries the result of running a Cloud Assistant command on an ECS instance. |
ecs:ModifyCommand | Modifies a Cloud Assistant command. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:Describe* | Queries VPC resources. |
vpc:AllocateEipAddress | Assigns an EIP to a VPC. |
vpc:AssociateEipAddress | Binds an EIP to a VPC. |
vpc:UnassociateEipAddress | Unbinds an EIP from a VPC. |
vpc:ReleaseEipAddress | Releases an EIP. |
vpc:CreateRouteEntry | Creates a route entry. |
vpc:DeleteRouteEntry | Deletes a route entry. |
vpc:CreateVSwitch | Creates a vSwitch. |
vpc:DeleteVSwitch | Deletes a vSwitch. |
vpc:CreateVpc | Creates a VPC. |
vpc:DeleteVpc | Deletes a VPC. |
vpc:CreateNatGateway | Creates a NAT gateway. |
vpc:DeleteNatGateway | Deletes a NAT gateway. |
vpc:CreateSnatEntry | Adds an SNAT entry to an SNAT table. |
vpc:DeleteSnatEntry | Deletes an SNAT entry. |
vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of an EIP. |
vpc:CreateForwardEntry | Adds a DNAT entry to a DNAT table. |
vpc:DeleteBandwidthPackage | Deletes a NAT service plan. |
vpc:CreateBandwidthPackage | Creates a NAT service plan. |
vpc:DeleteForwardEntry | Deletes a DNAT entry. |
vpc:TagResources | Creates and adds tags to the specified resources. |
vpc:DeletionProtection | Enables or disables the deletion protection feature for a VPC. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:Describe* | Queries the information about SLB instances. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:RemoveBackendServers | Removes backend servers from an SLB instance. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:StopLoadBalancerListener | Stops a listener. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:AddBackendServers | Adds backend servers to an SLB instance. |
slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a User Datagram Protocol (UDP) listener. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of an Internet-facing SLB instance. |
slb:SetBackendServers | Configures backend servers of an SLB instance and sets weights for the backend servers. The backend servers are ECS instances. |
slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
slb:DeleteVServerGroup | Deletes a vServer group. |
slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:AddTags | Adds tags to an SLB instance. |
slb:RemoveTags | Removes tags from an SLB instance. |
slb:SetLoadBalancerDeleteProtection | Enables or disables the deletion protection feature for an SLB instance. |
DNS-related permissions
Permission (Action) | Description |
--- | --- |
dns:Describe* | Queries DNS resources. |
dns:AddDomainRecord | Adds a DNS record. |
ApsaraDB RDS-related permissions
Permission (Action) | Description |
--- | --- |
rds:Describe* | Queries ApsaraDB RDS resources. |
rds:ModifySecurityIps | Modifies the IP address whitelist of an ApsaraDB RDS instance. |
ROS-related permissions
Permission (Action) | Description |
--- | --- |
ros:Describe* | Queries ROS resources. |
ros:WaitConditions | Waits for the execution of a ROS script. |
ros:AbandonStack | Stops a stack. |
ros:DeleteStack | Deletes a stack. |
ros:CreateStack | Creates a stack. |
ros:UpdateStack | Updates a stack. |
ros:ValidateTemplate | Verifies a ROS template. |
ros:DoActions | Performs actions. |
ros:InquiryStack | Queries a stack. |
ros:SetDeletionProtection | Enables or disables the deletion protection feature. |
ros:PreviewStack | Previews a stack. |
Auto Scaling-related permissions
Permission (Action) | Description |
--- | --- |
ess:Describe* | Queries Auto Scaling resources. |
ess:CreateScalingConfiguration | Creates a scaling configuration. |
ess:EnableScalingGroup | Enables a scaling group. |
ess:ExitStandby | Switches the state of a standby ECS instance in a scaling group to Running. |
ess:DetachDBInstances | Removes one or more ApsaraDB RDS instances from a scaling group. |
ess:DetachLoadBalancers | Removes one or more SLB instances from a scaling group. |
ess:AttachInstances | Adds one or more ECS instances to a scaling group. |
ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
ess:AttachLoadBalancers | Adds one or more SLB instances to a scaling group. |
ess:DetachInstances | Removes one or more ECS instances from a scaling group. |
ess:ModifyScalingRule | Modifies a scaling group rule. |
ess:RemoveInstances | Removes ECS instances from a scaling group. |
ess:ModifyScalingGroup | Modifies a scaling group. |
ess:AttachDBInstances | Adds one or more ApsaraDB RDS instances to a scaling group. |
ess:CreateScalingRule | Creates a scaling rule. |
ess:DeleteScalingRule | Deletes a scaling rule. |
ess:ExecuteScalingRule | Runs a scaling rule. |
ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
ess:ModifyNotificationConfiguration | Modifies a notification of auto scaling events and resource changes. |
ess:CreateNotificationConfiguration | Creates a notification of auto scaling events and resource changes. |
ess:EnterStandby | Switches the state of an ECS instance in a scaling group to Standby. |
ess:DeleteScalingGroup | Deletes a scaling group. |
ess:CreateScalingGroup | Creates a scaling group. |
ess:DeleteNotificationConfiguration | Deletes a notification of auto scaling events and resource changes. |
ess:DisableScalingGroup | Disables a scaling group. |
ess:ModifyScalingConfiguration | Modifies a scaling configuration. |
ess:SetGroupDeletionProtection | Enables or disables the deletion protection feature for a scaling group. |
RAM-related permissions
Permission (Action) | Description |
--- | --- |
ram:PassRole | Authorizes a RAM user to use other cloud services. |
ram:Get* | Queries permissions on RAM resources. |
ram:List* | Lists permissions on RAM resources. |
ram:DetachPolicyFromRole | Revokes a permission from a role. |
ram:AttachPolicyToRole | Grants a permission to a role. |
ram:DeletePolicy | Deletes a policy. |
ram:DeletePolicyVersion | Deletes a version of a policy. |
ram:DeleteRole | Deletes a RAM role. |
ram:CreateRole | Creates a RAM role. |
ram:CreatePolicy | Creates a RAM policy. |
ram:CreateServiceLinkedRole | Creates a service-linked role. |
CloudMonitor-related permissions
Permission (Action) | Description |
--- | --- |
cms:CreateMyGroups | Creates private application groups. |
cms:AddMyGroupInstances | Adds resources to a private application group. |
cms:DeleteMyGroupInstances | Deletes resources from a private application group. |
cms:DeleteMyGroups | Deletes private application groups. |
cms:GetMyGroups | Queries private application groups. |
cms:ListMyGroups | Lists private application groups. |
cms:UpdateMyGroupInstances | Updates resources in a private application group. |
cms:UpdateMyGroups | Updates private application groups. |
cms:TaskConfigCreate | Creates configurations for a monitoring task. |
cms:TaskConfigList | Lists configurations for a monitoring task. |
Auto Scaling-related permissions
Permission (Action) | Description |
--- | --- |
ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
ess:DeleteLifecycleHook | Deletes a lifecycle hook. |
ENS-related permissions
Permission (Action) | Description |
--- | --- |
ens:Describe* | Queries Edge Node Service (ENS) resources. |
ens:CreateInstance | Creates an ENS instance. |
ens:StartInstance | Starts an ENS instance. |
ens:StopInstance | Stops an ENS instance. |
ens:ReleasePrePaidInstance | Releases a subscription ENS instance. |
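The tables above are the grant a reviewer has to reason about before attaching a policy to AliyunCSDefaultRole. As an added example (not Alibaba Cloud's own tooling and not code from this page), the following Python audit evaluates a constructed RAM policy document against a subset of the documented actions: it reports which documented actions the policy grants on every resource, shows how a resource-scoped statement and an explicit Deny narrow the grant, and lists the high-impact actions that remain so they can be monitored. The sample policy, the worker role name and the account ID are constructed placeholders; Condition blocks are not evaluated.

```python
"""Audit a RAM policy document against the actions documented for an ACK role.

Added example, not part of Alibaba Cloud's own tooling. It evaluates a constructed
policy the way a reviewer would before attaching it to AliyunCSDefaultRole.
Resource matching is included; Condition blocks are out of scope.
"""
import fnmatch
import json

# Subset of the actions this page lists for AliyunCSDefaultRole (the full list is longer).
DOCUMENTED_ACTIONS = frozenset({
    "ecs:RunInstances", "ecs:DeleteInstance", "ecs:ReplaceSystemDisk", "ecs:RunCommand",
    "vpc:CreateVpc", "slb:CreateLoadBalancer", "ros:CreateStack",
    "ram:PassRole", "ram:AttachPolicyToRole",
})

# Actions from the same tables that run code on nodes or change who holds which permissions.
HIGH_IMPACT_ACTIONS = frozenset({
    "ecs:RunCommand", "ecs:InvokeCommand", "ecs:AttachInstanceRamRole",
    "ram:PassRole", "ram:AttachPolicyToRole", "ram:CreatePolicy", "ram:CreateRole",
})

# Constructed sample policy (worker role name and account ID are placeholders): a broad
# ECS/VPC/SLB grant, ram:PassRole limited to one worker role, and an explicit Deny on
# Cloud Assistant command execution.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "vpc:*", "slb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole",
         "Resource": "acs:ram:*:*:role/KubernetesWorkerRole-example"},
        {"Effect": "Deny", "Action": ["ecs:RunCommand", "ecs:InvokeCommand"], "Resource": "*"},
    ],
})


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, value: str) -> bool:
    """RAM action names are case-insensitive; '*' is the only wildcard in actions and ARNs."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy_json: str, action: str, resource: str = "*") -> bool:
    """Return True when an Allow statement covers (action, resource) and no Deny does.

    resource is the ARN being accessed; the default "*" asks whether the action is granted
    on all resources, which only a statement whose own Resource is "*" can satisfy.
    """
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def covered_documented_actions(policy_json: str, documented=DOCUMENTED_ACTIONS) -> set:
    """Documented actions the policy grants on every resource."""
    return {a for a in documented if evaluate(policy_json, a)}


def missing_documented_actions(policy_json: str, documented=DOCUMENTED_ACTIONS) -> set:
    """Documented actions the policy does not grant unconditionally (scoped, denied or absent)."""
    return set(documented) - covered_documented_actions(policy_json, documented)


def effective_high_impact(policy_json: str) -> set:
    """High-impact actions still granted on every resource once Deny statements are applied.

    Each of these is a candidate for an ActionTrail alert on calls made by the role.
    """
    return {a for a in HIGH_IMPACT_ACTIONS if evaluate(policy_json, a)}


if __name__ == "__main__":
    print("covered:", sorted(covered_documented_actions(SAMPLE_POLICY)))
    print("missing:", sorted(missing_documented_actions(SAMPLE_POLICY)))
    print("high impact:", sorted(effective_high_impact(SAMPLE_POLICY)))
```

Running the audit against the sample policy shows that ecs:RunCommand is listed for the role but blocked by the Deny, that ram:PassRole is only usable for the named worker role, and that ecs:AttachInstanceRamRole is still granted unconditionally through the ecs:* wildcard.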
CIS assumes the AliyunCISDefaultRole role to access your resources in other cloud services such as ECS, VPC, and SLB to perform diagnostics and inspections.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:DescribeInstances | Queries the details about one or more ECS instances. |
ecs:DescribeInstanceStatus | Queries the status information about one or more ECS instances. |
ecs:DescribeInstanceTypes | Queries the instance types provided by ECS. |
ecs:DescribeInstanceTypeFamilies | Queries the instance families provided by ECS. |
ecs:DescribeInstanceAttribute | Queries the details of an ECS instance. |
ecs:CreateDiagnosticReport | Creates a resource diagnostic report. |
ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
ecs:DescribeDiagnosticReportAttributes | Queries the details of a resource diagnostic report. |
ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by the rules of other security groups. |
ecs:DescribeBandwidthLimitation | Queries bandwidth resources. |
ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances. |
ecs:DescribeCommands | Queries the Cloud Assistant commands that you created. |
ecs:DescribeInvocationResults | Queries the execution results of one or more Cloud Assistant commands on ECS instances. |
ecs:DescribeNetworkInterfaces | Queries elastic network interfaces (ENIs). |
ecs:CreateCommand | Creates a Cloud Assistant command. |
ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
ecs:RunCommand | Runs a shell, PowerShell, or batch command on ECS instances. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVpcs | Queries the VPCs that you have created. |
vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
vpc:DescribeVSwitches | Queries the vSwitches that you have created. |
vpc:DescribeVSwitchAttributes | Queries the detailed information about a vSwitch. |
vpc:DescribeRouteTableList | Queries route tables. |
vpc:DescribeRouteEntryList | Queries route entries. |
vpc:DescribeNatGateways | Queries NAT gateways that meet specific conditions in a region. |
vpc:DescribeEipAddresses | Queries the elastic IP addresses (EIPs) that you have created in a region. |
vpc:DescribeRouteTables | Queries information about route tables. |
vpc:DescribeSnatTableEntries | Queries the SNAT entries that you have created. |
vpc:DescribeNetworkAcls | Queries network access control lists (ACLs). |
vpc:DescribeNetworkAclAttributes | Queries the details about a network ACL. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:DescribeLoadBalancers | Queries the SLB instances that you have created. |
slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
slb:DescribeVServerGroups | Queries vServer groups. |
slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
slb:DescribeAccessControlLists | Queries the network ACLs that you have created. |
slb:DescribeAccessControlListAttribute | Queries the configurations of a network ACL. |
slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
slb:DescribeHealthStatus | Queries the health status of a backend server. |
Simple Log Service-related permissions
Permission (Action) | Description |
--- | --- |
sls:GetLogStore | Queries the details about a Logstore. |
ACK-related permissions
Permission (Action) | Description |
--- | --- |
cs:DescribeClusterDetail | Queries the details about an ACK cluster. |
cs:DescribeClusterResources | Queries all resources in an ACK cluster. |
cs:DescribeTasks | Queries the tasks in an ACK cluster. |
cs:DescribeTaskInfo | Queries the task information about an ACK cluster. |
cs:DescribeClusterNodePools | Queries the information about all node pools in an ACK cluster. |
cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in an ACK cluster. |
cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of multiple components. |
Elastic Container Instance-related permissions
Permission (Action) | Description |
--- | --- |
eci:DescribeContainerGroups | Queries the information about multiple pods. |
eci:RunCommand | Executes shell scripts on an elastic container instance. |
eci:DescribeCommandResult | Queries the execution result of a command. |
eci:ListUsage | Queries the privileges and quotas that you have in a region. |
CloudMonitor-related permissions
Permission (Action) | Description |
--- | --- |
cms:DescribeMetricData | Queries the monitoring data of an Alibaba Cloud service collected within a period of time. |
cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
cms:DescribeMetricMetaList | Queries the descriptions of metrics that are supported by CloudMonitor. |
cms:DescribeMetricTop | Queries the sorted monitoring data of an Alibaba Cloud service. |
cms:QueryMetricMeta | Queries the metrics that are supported by CloudMonitor. |
cms:QueryMetricTop | Queries the monitoring data of an Alibaba Cloud service. |
cms:ListMetricMeta | Queries the metadata of metrics. |
cms:ListMetricMetaProject | Queries the meta projects of metrics. |
cms:QueryMetricData | Queries the monitoring data of Alibaba Cloud services. |
cms:QueryMetricLast | Queries the latest monitoring data of monitoring metrics. |
cms:DescribeMetricList | Queries the monitoring data of a metric of an Alibaba Cloud service. |
cms:QueryMetricList | Queries the descriptions of metrics supported by CloudMonitor. |
cms:MetricMeta | Queries the metrics that are supported by CloudMonitor. |
cms:DescribeAlertLogList | Queries the most recent alerts. |
cms:DescribeSystemEventAttribute | Queries the details about a system event. |
cms:GetMetricStreamMeta | Queries the description of a CloudMonitor metric. |
Quota Center-related permissions
Permission (Action) | Description |
--- | --- |
quotas:ListProducts | Queries the Alibaba Cloud services that support Quota Center. |
quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
quotas:ListProductQuotaDimensions | Queries the quota dimensions that are supported by an Alibaba Cloud service. |
quotas:GetProductQuota | Queries the details about a quota. |
quotas:GetProductQuotaDimension | Queries the details about a quota dimension that is supported by an Alibaba Cloud service. |
RAM-related permissions
Permission (Action) | Description |
--- | --- |
ram:ListPoliciesForRole | Queries the policies that are attached to a RAM role. |
GRACE-related permissions
Permission (Action) | Description |
--- | --- |
grace:GetFile | Queries the information about the analysis file provided by the Application Troubleshooting Platform (ATP). |
grace:AnalyzeFile | Analyzes files on ATP. |
grace:UploadFileByOSS | Uploads files to ATP by using Object Storage Service (OSS). |
grace:UploadFileByURL | Uploads files to ATP by specifying URLs. |
An ACK managed cluster assumes the AliyunCSManagedKubernetesRole role to access your resources in other cloud services.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:Describe* | Queries ECS resources. |
ecs:CreateRouteEntry | Creates a route entry. |
ecs:DeleteRouteEntry | Deletes a route entry. |
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:CreateNetworkInterfacePermission | Creates ENI permissions. |
ecs:DeleteNetworkInterfacePermission | Revokes ENI permissions. |
ecs:ModifyInstanceAttribute | Modifies the attributes of an ECS instance. |
ecs:AttachKeyPair | Binds an SSH key pair to one or more ECS instances that run the Linux operating system. |
ecs:StopInstance | Stops an instance. |
ecs:StartInstance | Starts an instance. |
ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:Describe* | Queries SLB resources. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of an Internet-facing SLB instance. |
slb:RemoveBackendServers | Removes backend servers. |
slb:AddBackendServers | Adds backend servers. |
slb:RemoveTags | Removes tags from an SLB instance. |
slb:AddTags | Adds tags to an SLB instance. |
slb:StopLoadBalancerListener | Stops a listener. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
slb:SetLoadBalancerUDPListenerAttribute | Modifies the configurations of a UDP listener. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
slb:DescribeVServerGroups | Queries vServer groups. |
slb:DeleteVServerGroup | Deletes a vServer group. |
slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
slb:DescribeVServerGroupAttribute | Queries the details of a vServer group. |
slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:Describe* | Queries VPC resources. |
vpc:DeleteRouteEntry | Deletes a custom route. |
vpc:CreateRouteEntry | Creates a custom route. |
Container Registry-related permissions
Permission (Action) | Description |
--- | --- |
cr:Get* | Queries Container Registry-related resources. |
cr:List* | Queries image repositories. |
cr:PullRepository | Pulls an image. |
An ACK Serverless cluster assumes the AliyunCSServerlessKubernetesRole role to access your resources in other cloud services.
VPC-related permissions
Permission (Action) | Description |
--- | --- |
DescribeVSwitches | Queries existing vSwitches. |
DescribeVpcs | Queries existing VPCs. |
AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
DescribeEipAddresses | Queries existing EIPs in a region. |
AllocateEipAddress | Applies for an EIP. |
ReleaseEipAddress | Releases an EIP. |
AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |
ECS-related permissions
Permission (Action) | Description |
--- | --- |
DescribeSecurityGroups | Queries the basic information about security groups. |
CreateNetworkInterface | Creates an ENI. |
CreateNetworkInterfacePermission | Creates ENI permissions. |
DescribeNetworkInterfaces | Queries ENIs. |
AttachNetworkInterface | Binds an ENI to a VPC-connected ECS instance. |
DetachNetworkInterface | Unbinds an ENI from an ECS instance. |
DeleteNetworkInterface | Deletes an ENI. |
DeleteNetworkInterfacePermission | Revokes ENI permissions. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:Describe* | Queries SLB resources. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
slb:RemoveBackendServers | Removes backend servers. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:StopLoadBalancerListener | Stops a listener. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:AddBackendServers* | Adds backend servers. |
slb:UploadServerCertificate | Uploads a server certificate. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener. |
slb:ModifyLoadBalancerInternetSpec | Changes the billing method of an Internet-facing CLB instance. |
slb:CreateRules | Adds forwarding rules to an HTTP or HTTPS listener. |
slb:DeleteRules | Deletes a forwarding rule. |
slb:SetRule | Modifies the forwarding rule of a vServer group. |
slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
slb:ModifyVServerGroupBackendServers | Modifies the backend servers of a vServer group. |
slb:DeleteVServerGroup | Deletes a vServer group. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
slb:AddTags | Adds tags to an SLB instance. |
Alibaba Cloud DNS PrivateZone-related permissions
Permission (Action) | Description |
--- | --- |
AddZone | Creates a private zone. |
DeleteZone | Deletes a private zone. |
DescribeZones | Queries private zones. |
DescribeZoneInfo | Queries the information about a private zone. |
BindZoneVpc | Binds a private zone to or unbinds a private zone from a VPC. |
AddZoneRecord | Adds a DNS record to a private zone. |
DeleteZoneRecord | Deletes a DNS record. |
DescribeZoneRecords | Queries DNS records. |
Container Registry-related permissions
Permission (Action) | Description |
--- | --- |
Get* | Queries Container Registry-related resources. |
List* | Queries image repositories. |
PullRepository | Pulls an image. |
Elastic Container Instance-related permissions
Permission (Action) | Description |
--- | --- |
CreateContainerGroup | Creates a pod. |
DeleteContainerGroup | Deletes a pod. |
DescribeContainerGroups | Queries the information about pods. |
DescribeContainerLog | Queries the logs of a pod. |
UpdateContainerGroup | Updates an elastic container instance. |
UpdateContainerGroupByTemplate | Updates an elastic container instance by using a template. |
CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template. |
RestartContainerGroup | Restarts an elastic container instance. |
ExportContainerGroupTemplate | Exports an elastic container instance template. |
DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance. |
DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods. |
ExecContainerCommand | Runs a command on a container. |
CreateImageCache | Creates an image cache. |
DescribeImageCaches | Queries the information about image caches. |
DeleteImageCache | Deletes an image cache. |
RAM-related permissions
Permission (Action) | Description |
ram:PassRole | Accesses the Alibaba Cloud CodePipeline console. |
OSS-related permissions
Permission (Action) | Description |
oss:GetObject | Queries a file or folder. |
oss:GetObjectMeta | Queries the metadata information of an object. |
Function Compute-related permissions
Permission (Action) | Description |
fc:CreateService | Creates a service. |
fc:ListServices | Queries services. |
fc:GetService | Queries a service. |
fc:UpdateService | Updates a service. |
fc:DeleteService | Deletes a service. |
fc:CreateFunction | Creates a function. |
fc:ListFunctions | Queries the functions of a service. |
fc:GetFunction | Queries the configurations of a function. |
fc:GetFunctionCode | Queries the code of a function. |
fc:UpdateFunction | Updates the configurations and code of a function. |
fc:DeleteFunction | Deletes a function. |
fc:CreateTrigger | Creates a function trigger. |
fc:ListTriggers | Queries the triggers of a function. |
fc:GetTrigger | Queries a trigger. |
fc:UpdateTrigger | Updates the configurations of a trigger. |
fc:DeleteTrigger | Deletes the triggers of a function. |
fc:PublishServiceVersion | Releases a Function Compute version. |
fc:ListServiceVersions | Lists Function Compute versions. |
fc:DeleteServiceVersion | Deletes a Function Compute version. |
fc:CreateAlias | Creates an alias and binds the alias to a customer master key (CMK). |
fc:ListAliases | Queries all aliases of the current Alibaba Cloud account in the current region. |
fc:GetAlias | Queries the information about an alias. |
fc:UpdateAlias | Binds an alias to a different CMK. |
fc:DeleteAlias | Deletes an alias. |
The auditing feature of ACK assumes the AliyunCSKubernetesAuditRole role to access your resources in other cloud services.
Permission (Action) | Description |
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by project name. |
log:DeleteProject | Deletes a project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a Logtail configuration. |
log:UpdateConfig | Updates a Logtail configuration. |
log:GetConfig | Queries the details of a Logtail configuration. |
log:DeleteConfig | Deletes a Logtail configuration. |
log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
log:UpdateMachineGroup | Updates a machine group. |
log:GetMachineGroup | Queries the information about a machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
log:GetAppliedMachineGroups | Lists the machines to which a Logtail configuration is applied in a machine group. |
log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
log:CreateIndex | Creates indexes for a Logstore. |
log:GetIndex | Queries indexes of a Logstore. |
log:UpdateIndex | Updates indexes of a Logstore. |
log:DeleteIndex | Removes indexes from a Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a task, such as an alert task or a subscription task. |
log:GetJob | Queries a task. |
log:DeleteJob | Deletes a task. |
log:UpdateJob | Updates a task. |
log:PostLogStoreLogs | Writes logs to a Logstore. |
The network component of an ACK cluster assumes the AliyunCSManagedNetworkRole role to access your resources in other cloud services.
Permission (Action) | Description |
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DescribeInstanceAttribute | Queries the information about one or more ECS instances. |
ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
ecs:DescribeInstances | Queries the details of one or more ECS instances. |
vpc:DescribeVSwitches | Queries the details of one or more vSwitches. |
The volume plug-in of an ACK cluster assumes the AliyunCSManagedCsiRole role to access your resources in other cloud services.
ECS-related permissions
Permission (Action) | Description |
ecs:AttachDisk | Attaches a pay-as-you-go data disk or a system disk to an ECS instance. |
ecs:DetachDisk | Detaches a pay-as-you-go disk from an ECS instance. |
ecs:DescribeDisks | Queries one or more cloud disks and local disks that you have created. |
ecs:CreateDisk | Creates a pay-as-you-go or subscription data disk. |
ecs:ResizeDisk | Resizes a cloud disk. You can resize a system disk or a data disk. |
ecs:CreateSnapshot | Creates a snapshot for a cloud disk. |
ecs:DeleteSnapshot | Deletes a snapshot. This action can also be performed on a snapshot that is still being created, which cancels the snapshot. |
ecs:CreateAutoSnapshotPolicy | Creates an automatic snapshot policy. |
ecs:ApplyAutoSnapshotPolicy | Enables an automatic snapshot policy for one or more cloud disks. |
ecs:CancelAutoSnapshotPolicy | Disables an automatic snapshot policy for one or more cloud disks. |
ecs:DeleteAutoSnapshotPolicy | Deletes an automatic snapshot policy. |
ecs:DescribeAutoSnapshotPolicyEX | Queries automatic snapshot policies that you have created. |
ecs:ModifyAutoSnapshotPolicyEx | Modifies an automatic snapshot policy. |
ecs:AddTags | Attaches tags to an ECS instance. |
ecs:DescribeTags | Queries tags. |
ecs:DescribeSnapshots | Queries all the snapshots of an ECS instance or a disk. |
ecs:ListTagResources | Queries the tags that are added to one or more ECS resources. |
ecs:TagResources | Creates and adds tags to the specified ECS resources. |
ecs:UntagResources | Removes tags from the specified ECS resources and deletes the tags. |
ecs:ModifyDiskSpec | Upgrades the performance level of an Enterprise SSD (ESSD). |
ecs:DeleteDisk | Deletes a pay-as-you-go data disk. |
ecs:DescribeInstanceAttribute | Queries all attributes of an ECS instance. |
ecs:DescribeInstances | Queries the details of one or more ECS instances. |
NAS-related permissions
Permission (Action) | Description |
nas:DescribeFileSystems | Queries the information about file systems. |
nas:DescribeMountTargets | Queries the information about mount targets. |
nas:AddTags | Adds one or more tags to a file system or overwrites one or more tags of a file system. |
nas:DescribeTags | Queries the existing tags. |
nas:RemoveTags | Removes one or more tags from a file system. |
nas:CreateFileSystem | Creates a file system. |
nas:DeleteFileSystem | Deletes a file system. |
nas:ModifyFileSystem | Modifies the description of a file system. |
nas:CreateMountTarget | Creates a mount target. |
nas:DeleteMountTarget | Deletes a mount target. |
nas:ModifyMountTarget | Modifies a mount target. |
The CloudMonitor component of an ACK cluster assumes the AliyunCSManagedCmsRole role to access your resources in other cloud services.
Permission (Action) | Description |
cms:DescribeMonitorGroups | Queries application groups. |
cms:DescribeMonitorGroupInstances | Queries the resources in an application group. |
cms:CreateMonitorGroup | Creates an application group. |
cms:DeleteMonitorGroup | Deletes an application group. |
cms:ModifyMonitorGroupInstances | Modifies the instances that are added to an application group. |
cms:CreateMonitorGroupInstances | Adds instances to an application group. |
cms:DeleteMonitorGroupInstances | Deletes instances from an application group. |
cms:TaskConfigCreate | Creates configurations for a monitoring task. |
cms:TaskConfigList | Lists configurations for a monitoring task. |
cms:DescribeMetricList | Queries the monitoring data on a time series metric of CloudMonitor in the specified period of time. |
cs:DescribeMonitorToken | Queries the token that is required to use the CloudMonitor component. |
ahas:GetSentinelAppSumMetric | Queries the metrics that are monitored by the AHAS Sentinel application. |
log:GetLogStoreLogs | Queries logs in a Logstore. |
slb:DescribeMetricList | Queries the monitoring data on a time series metric of SLB in the specified period of time. |
sls:GetLogs | Queries logs in a Logstore of a project in Simple Log Service. |
sls:PutLogs | Updates logs in a Logstore of a project in Simple Log Service. |
The logging component of an ACK cluster assumes the AliyunCSManagedLogRole role to access your resources in other cloud services.
Permission (Action) | Description |
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by project name. |
log:DeleteProject | Deletes a project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a Logtail configuration. |
log:UpdateConfig | Updates a Logtail configuration. |
log:GetConfig | Queries the details of a Logtail configuration. |
log:DeleteConfig | Deletes a Logtail configuration. |
log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
log:UpdateMachineGroup | Updates a machine group. |
log:GetMachineGroup | Queries the information about a machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
log:GetAppliedMachineGroups | Lists the machines to which a Logtail configuration is applied in a machine group. |
log:GetAppliedConfigs | Lists the Logtail configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
log:CreateIndex | Creates indexes for a Logstore. |
log:GetIndex | Queries indexes of a Logstore. |
log:UpdateIndex | Updates indexes of a Logstore. |
log:DeleteIndex | Removes indexes from a Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a task, such as an alert task or a subscription task. |
log:GetJob | Queries a task. |
log:DeleteJob | Deletes a task. |
log:UpdateJob | Updates a task. |
log:PostLogStoreLogs | Writes logs to a Logstore. |
log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
log:GetSortedSubStore | Queries a sorted sub-Logstore. |
log:ListSortedSubStore | Lists sorted sub-Logstores. |
log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
log:CreateApp | Creates Simple Log Service applications such as Cost Manager and Log Audit Service. |
log:UpdateApp | Updates Simple Log Service applications such as Cost Manager and Log Audit Service. |
log:GetApp | Queries Simple Log Service applications such as Cost Manager and Log Audit Service. |
log:DeleteApp | Deletes Simple Log Service applications such as Cost Manager and Log Audit Service. |
cs:DescribeTemplates | Queries container templates. |
cs:DescribeTemplateAttribute | Queries the attributes of a container template. |
The Virtual Node component of an ACK cluster assumes the AliyunCSManagedVKRole role to access your resources in other cloud services.
VPC-related permissions
Permission (Action) | Description |
vpc:DescribeVSwitches | Queries existing vSwitches. |
vpc:DescribeVpcs | Queries existing VPCs. |
vpc:AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
vpc:DescribeEipAddresses | Queries existing EIPs in a region. |
vpc:AllocateEipAddress | Applies for an EIP. |
vpc:ReleaseEipAddress | Releases an EIP. |
ECS-related permissions
Permission (Action) | Description |
ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:CreateNetworkInterfacePermission | Creates ENI permissions. |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:AttachNetworkInterface | Binds an ENI to a VPC-connected ECS instance. |
ecs:DetachNetworkInterface | Unbinds an ENI from an ECS instance. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DeleteNetworkInterfacePermission | Revokes ENI permissions. |
Alibaba Cloud DNS PrivateZone-related permissions
Permission (Action) | Description |
pvtz:AddZone | Creates a private zone. |
pvtz:DeleteZone | Deletes a private zone. |
pvtz:DescribeZones | Queries private zones. |
pvtz:DescribeZoneInfo | Queries the information about a private zone. |
pvtz:BindZoneVpc | Binds a private zone to or unbinds a private zone from a VPC. |
pvtz:AddZoneRecord | Adds a DNS record to a private zone. |
pvtz:DeleteZoneRecord | Deletes a DNS record. |
pvtz:DescribeZoneRecords | Queries DNS records. |
Elastic Container Instance-related permissions
Permission (Action) | Description |
eci:CreateContainerGroup | Creates a pod. |
eci:DeleteContainerGroup | Deletes a pod. |
eci:DescribeContainerGroups | Queries the information about pods. |
eci:DescribeContainerLog | Queries the logs of a pod. |
eci:UpdateContainerGroup | Updates a pod. |
eci:UpdateContainerGroupByTemplate | Updates an elastic container instance by using a template. |
eci:CreateContainerGroupFromTemplate | Creates an elastic container instance by using a template. |
eci:RestartContainerGroup | Restarts an elastic container instance. |
eci:ExportContainerGroupTemplate | Exports an elastic container instance template. |
eci:DescribeContainerGroupMetric | Queries the monitoring data of an elastic container instance. |
eci:DescribeMultiContainerGroupMetric | Queries the monitoring data of multiple pods. |
eci:ExecContainerCommand | Runs a command on a container. |
eci:CreateImageCache | Creates an image cache. |
eci:DescribeImageCaches | Queries the information about image caches. |
eci:DeleteImageCache | Deletes an image cache. |
The ARMS monitoring agent of an ACK cluster assumes the AliyunCSManagedArmsRole role to access your resources in other cloud services.
Permission (Action) | Description |
arms:CreateApp | Creates an application monitoring task. |
arms:DeleteApp | Deletes an application monitoring task. |
arms:ConfigAgentLabel | Modifies the tags of the application monitoring agent. |
arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring. |
arms:CreateProm | Creates a monitoring task based on Managed Service for Prometheus. |
arms:SearchEvents | Queries alert events. |
arms:SearchAlarmHistories | Queries the alert sending history. |
arms:SearchAlertRules | Queries alert rules. |
arms:GetAlertRules | Obtains alert rules. |
arms:CreateAlertRules | Creates alert rules. |
arms:UpdateAlertRules | Updates alert rules. |
arms:StartAlertRule | Enables an alert rule. |
arms:StopAlertRule | Disables an alert rule. |
arms:CreateContact | Creates an alert contact. |
arms:SearchContact | Queries an alert contact. |
arms:UpdateContact | Updates an alert contact. |
arms:CreateContactGroup | Creates an alert contact group. |
arms:SearchContactGroup | Queries an alert contact group. |
arms:UpdateContactGroup | Updates an alert contact group. |
The password-free image pulling plug-in of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Container Registry.
Permission (Action) | Description |
cr:GetAuthorizationToken | Obtains a temporary account and password that are used to log on to a Container Registry instance. |
cr:ListInstanceEndpoint | Queries endpoints of an instance. |
cr:PullRepository | Pulls an image. |
The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK.
ECS-related permissions
Permission (Action) | Description |
ecs:ModifyInstanceAttribute | Modifies the information about an ECS instance, such as the password, name, description, hostname, security group, and user data. If the instance is a burstable instance, you can also change the performance mode of the instance. |
ecs:AttachKeyPair | Binds an SSH key pair to one or more ECS instances that run the Linux operating system. |
ecs:StopInstance | Stops an ECS instance that is in the Running state. After the action is performed, the state of the instance changes to Stopping and then to Stopped. |
ecs:StartInstance | Starts an ECS instance. After the action is performed, the state of the ECS instance changes to Starting. |
ecs:DescribeInvocations | Queries the execution list and status of Cloud Assistant commands. |
ecs:DescribeInstanceAttribute | Queries the attributes of an ECS instance, such as the instance ID and description. |
ecs:DescribeInstances | Queries the details of one or more ECS instances. |
ecs:DeleteInstance | Releases a pay-as-you-go instance or an expired subscription instance. |
ecs:RunCommand | Runs a Cloud Assistant command of the Shell, PowerShell, or Bat type on one or more ECS instances. |
ecs:DescribeInvocationResults | Queries the result of running one or more Cloud Assistant commands on an ECS instance. |
ecs:ReplaceSystemDisk | Replaces the system disk or the operating system of an ECS instance. If the system disk is replaced, the original cloud disk is released, and the ID of the new cloud disk is used. |
ecs:DescribeUserData | Queries the user data of an ECS instance. |
Auto Scaling-related permissions
Permission (Action) | Description |
ess:DescribeScalingGroups | Queries scaling groups. |
ess:DescribeScalingConfigurations | Queries scaling configurations. |
ACK-related permissions
Permission (Action) | Description |
cs:RepairClusterNodePool | Fixes the issues on the specified nodes in a managed node pool. |
cs:DescribeClusterNodePoolDetail | Queries the details of a node pool in a cluster by node pool ID. |
cs:DescribeTaskInfo | Queries the execution details of a task by task ID. |
cs:FixNodePoolVuls | Automatically fixes node pool vulnerabilities in a cluster. |
cs:CancelTask | Cancels a task. |
cs:PauseTask | Pauses a task. |
cs:ResumeTask | Resumes a task. |
cs:DescribeNodePoolVuls | Queries node pool vulnerabilities in a cluster. |
The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS.
Auto Scaling-related permissions
Permission (Action) | Description |
ess:DescribeScalingGroups | Queries scaling groups. |
ess:DescribeScalingInstances | Queries information about the ECS instances in a scaling group. |
ess:DescribeScalingActivities | Queries scaling activities. |
ess:DescribeScalingConfigurations | Queries scaling configurations. |
ess:DescribeScalingRules | Queries information about the scaling rules in a scaling group. |
ess:DescribeScheduledTasks | Queries scheduled tasks. |
ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
ess:DescribeNotificationConfigurations | Queries notifications that you create for auto scaling events and resource changes. |
ess:DescribeNotificationTypes | Queries the types of notifications for auto scaling events and resource changes. |
ess:DescribeRegions | Queries the regions in which Auto Scaling is available. |
ess:CreateScalingRule | Creates a scaling rule. |
ess:ModifyScalingGroup | Modifies a scaling group. |
ess:RemoveInstances | Deletes one or more ECS instances or elastic container instances from a scaling group. |
ess:ExecuteScalingRule | Runs a scaling rule. |
ess:ModifyScalingRule | Modifies a scaling rule. |
ess:DeleteScalingRule | Deletes a scaling rule. |
ess:DetachInstances | Removes one or more ECS instances or elastic container instances from a scaling group. |
ess:CompleteLifecycleAction | Takes a scaling activity out of the wait state in advance. |
ess:ScaleWithAdjustment | Scales instances in a scaling group based on the specified scaling rule. |
ECS-related permissions
Permission (Action) | Description |
ecs:DescribeInstanceTypes | Queries all instance types of ECS instances or the instance type of an ECS instance. |
ecs:DescribeImages | Queries available operating system images. |
ACK-related permissions
Permission (Action) | Description |
cs:DeleteClusterNodes | Removes the specified nodes from a cluster by node name. |
cs:DescribeClusterNodes | Queries the details of all nodes in a cluster by cluster ID. |
VPC-related permissions
Permission (Action) | Description |
vpc:DescribeVSwitches | Queries the information about available vSwitches that are used in an internal network. |
The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in KMS.
KMS-related permissions
Permission (Action) | Description |
kms:GetSecretValue | Queries a secret. |
kms:ListSecrets | Queries all secrets that are created by the current user in the current region. |
kms:ListKeys | Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region. |
kms:ListSecretVersionIds | Queries all versions of a secret. |
kms:ListAliasesByKeyId | Queries all aliases that are bound to a CMK. |
kms:SetDeletionProtection | Enables or disables the deletion protection feature for a CMK. |
kms:DescribeKey | Queries the details of a CMK. |
kms:Encrypt | Encrypts plaintext by using a symmetric CMK. |
kms:Decrypt | Decrypts the ciphertext that is specified by the CiphertextBlob parameter. |
The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and Elastic Container Instance and use BOA.
BOA-related permissions
Permission (Action) | Description |
bssapi:QueryInstanceBill | Queries the billing information of instances or billable items in a billing cycle. This action has been superseded by DescribeInstanceBill. It returns at most 50,000 data rows. |
bssapi:DescribeInstanceBill | Queries the billing information of instances or billable items in a billing cycle. |
ECS-related permissions
Permission (Action) | Description |
ecs:DescribeDisks | Queries one or more Elastic Block Storage (EBS) devices that you have created. The EBS devices include cloud disks and local disks. |
ecs:DescribeSpotPriceHistory | Queries the price history of a preemptible instance in the previous 30 days. |
ecs:DescribeInstances | Queries the details of one or more ECS instances. |
ecs:DescribePrice | Queries the most recent prices of ECS resources. |
Elastic Container Instance-related permissions
Permission (Action) | Description |
eci:DescribeContainerGroupPrice | Queries the price of an elastic container instance. |
The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service.
eflo-related permissions
Permission (Action) | Description |
eflo:ListNetworkInterfaces | Queries Lingjun network interfaces (LNIs). |
eflo:GetNetworkInterface | Queries information about an LNI. |
eflo:AssignPrivateIpAddress | Applies for a secondary private IP address for the current LNI. This action can also be performed to assign a secondary Media Access Control (MAC) address to the current LNI. |
eflo:UnAssignPrivateIpAddress | Deletes an assigned secondary private IP address. |
eflo:UpdateNetworkInterfacePrivateMac | Changes the MAC address of an LNI. |
The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS.
Cloud Backup-related permissions
Permission (Action) | Description |
hbr:CreateVault | Creates a backup vault. |
hbr:CreateBackupJob | Creates a manual backup task. |
hbr:DescribeVaults | Queries one or more backup vaults that meet the specified conditions. |
hbr:DescribeBackupJobs2 | Queries one or more backup tasks that meet the specified conditions. |
hbr:DescribeRestoreJobs | Queries a restoration task. |
hbr:SearchHistoricalSnapshots | Queries one or more historical backup snapshots that meet the specified conditions. |
hbr:CreateRestoreJob | Creates a restoration task. |
hbr:AddContainerCluster | Registers a Kubernetes cluster. |
hbr:DescribeContainerCluster | Queries one or more Kubernetes clusters that meet the specified conditions. |
hbr:DescribeRestoreJobs2 | Queries one or more restore tasks that meet the specified conditions. |
OSS-related permissions
Permission (Action) | Description |
oss:PutObject | Uploads an object. |
oss:IsObjectExist | Checks whether an object exists. |
oss:ListObjects | Queries the information about all objects in a bucket. |
oss:GetObject | Queries an object. |
oss:DeleteObject | Deletes an object. |
oss:GetBucket | Queries the information about a bucket. |
The management component of an ACK Edge cluster assumes this role to access your resources in other cloud services such as SLB, VPC, and ENS.
SLB-related permissions
Permission (Action) | Description |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:DeleteLoadBalancer | Deletes an SLB instance. |
slb:DescribeLoadBalancers | Queries existing SLB instances. |
slb:DescribeLoadBalancerAttribute | Queries the details of an SLB instance. |
slb:CreateAccessControlList | Creates an access control list (ACL). |
slb:DeleteAccessControlList | Deletes an ACL. |
slb:AddAccessControlListEntry | Adds IP entries to an ACL. |
slb:RemoveAccessControlListEntry | Removes IP entries from an ACL. |
slb:DescribeAccessControlListAttribute | Queries the configurations of an ACL. |
slb:DescribeAccessControlLists | Queries existing ACLs. |
slb:TagResources | Adds tags to resources. |
VPC-related permissions
Permission (Action) | Description |
vpc:AllocateEipAddress | Assigns an EIP to a VPC. |
vpc:AssociateEipAddress | Binds an EIP to a VPC. |
vpc:UnassociateEipAddress | Unbinds an EIP from a VPC. |
vpc:ReleaseEipAddress | Releases an EIP. |
vpc:DescribeEipAddresses | Queries the configurations of an EIP. |
vpc:DescribeVpcs | Queries created VPCs. |
vpc:DescribeRouteEntryList | Queries routes. |
ENS-related permissions
Permission (Action) | Description |
ens:CreateLoadBalancer | Creates an SLB instance. |
ens:ReleaseInstance | Releases an SLB instance. |
ens:SetLoadBalancerStatus | Modifies the state of an SLB instance. |
ens:ModifyLoadBalancerAttribute | Modifies the information about an SLB instance. |
ens:SetBackendServers | Specifies weights for backend servers. |
ens:AddBackendServers | Adds backend servers. |
ens:RemoveBackendServers | Removes backend servers. |
ens:CreateLoadBalancerUDPListener | Creates a UDP listener. |
ens:SetLoadBalancerUDPListenerAttribute | Modifies the configurations of a UDP listener. |
ens:CreateLoadBalancerTCPListener | Creates a TCP listener. |
ens:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
ens:StartLoadBalancerListener | Starts a listener. |
ens:StopLoadBalancerListener | Stops a listener. |
ens:DeleteLoadBalancerListener | Deletes a listener. |
ens:CreateLoadBalancerHTTPListener | Creates an HTTP listener. |
ens:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
ens:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener. |
ens:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
ens:CreateEipInstance | Creates an EIP. |
ens:ModifyEnsEipAddressAttribute | Modifies the name and description of an EIP. |
ens:AssociateEnsEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
ens:UnAssociateEnsEipAddress | Disassociates an EIP from a cloud resource. |
ens:DescribeNetworks | Queries VPCs. |
ens:DescribeInstances | Queries the details of one or more instances. |
ens:DescribeLoadBalancers | Queries existing SLB instances. |
ens:DescribeLoadBalancerAttribute | Queries the details of an SLB instance. |
ens:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
ens:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
ens:DescribeLoadBalancerHTTPListenerAttribute | Queries the configurations of an HTTP listener. |
ens:DescribeLoadBalancerHTTPSListenerAttribute | Queries the configurations of an HTTPS listener. |
ens:DescribeEnsEipAddresses | Queries existing EIPs. |