All Products
Search

This Product

    Container Service for Kubernetes:Service-linked role for ACK One and the permissions of the role

    Document Center

    Container Service for Kubernetes:Service-linked role for ACK One and the permissions of the role

    Last Updated:Apr 22, 2024

    An Alibaba Cloud service may need to access other Alibaba Cloud services to implement specific features. In this case, the Alibaba Cloud service must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. To use all features provided by Distributed Cloud Container Platform for Kubernetes (ACK One), you must assign the required service-linked role to ACK One. This topic introduces the service-linked role for ACK One and describes the permissions of the role.

    How to assign the service-linked role

    If this is the first time you use ACK One, you need to complete authorization with an Alibaba Cloud account or RAM account administrator.

    You do not need to manually create service-linked roles. During the first time you use the ACK One console and relevant features, the console prompts you to complete the authorization first. You need only to follow the on-screen instructions to complete the authorization.

    Important

    Only Alibaba Cloud accounts and RAM account administrators can complete service-linked role authorization. Regular RAM users are not allowed to perform this operation. If the system prompts that you do not have the permissions, use an Alibaba Cloud account or RAM account administrator.

    Service-linked role for ACK One

    Role name

    Permission

    AliyunServiceRoleForAdcp

    • ACK One can assume this role to access your cloud resources during cluster management, such as resources in Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Server Load Balancer (SLB).

    • To use features provided by ACK One, this role is required.

    AliyunAdcpServerlessKubernetesRole

    • Fleet instances and Kubernetes clusters for distributed Argo workflows of ACK One assume this role to access cloud resources in VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service.

    • To use features provided by ACK One, this role is required.

    AliyunAdcpManagedMseRole

    • Fleet instances of ACK One assume this role to access resources in Microservices Engine (MSE).

    • This role is required when you use multi-cluster gateways. This role does not affect the use of other features.

    Permissions of the service-linked role

    AliyunServiceRoleForAdcp

    ECS-related permissions

    • ecs:CreateSecurityGroup

    • ecs:CreateSecurityGroupPermissions

    • ecs:DeleteSecurityGroup

    • ecs:DescribeAccountAttributes

    • ecs:DescribeSecurityGroups

    • ecs:AuthorizeSecurityGroup

    • ecs:RevokeSecurityGroup

    • ecs:AuthorizeSecurityGroupEgress

    • ecs:RevokeSecurityGroupEgress

    • ecs:DescribeNetworkInterfaces

    • ecs:DescribeZones

    VPC-related permissions

    • vpc:DescribeVpcAttribute

    • vpc:DescribeVSwitchAttributes

    • vpc:AllocateEipAddress

    • vpc:AssociateEipAddress

    • vpc:UnassociateEipAddress

    • vpc:ReleaseEipAddress

    • vpc:DescribeEipAddresses

    • vpc:TagResources

    • vpc:DeletionProtection

    • vpc:DescribeRouteTableList

    • vpc:CreateRouteEntry

    • vpc:DeleteeRouteEntry

    • vpc:AcceptVpcPeerConnection

    • vpc:GetVpcPeerConnectionAttribute

    • vpc:DescribeVSwitches

    • vpc:DescribeVpcs

    CEN-related permissions

    • cen:DescribeCenAttachedChildInstances

    • cen:DescribeCens

    SLB-related permissions

    • slb:DescribeLoadBalancerAttribute

    • slb:CreateLoadBalancer

    • slb:DeleteLoadBalancer

    • slb:StartLoadBalancerListener

    • slb:StopLoadBalancerListener

    • slb:CreateLoadBalancerTCPListener

    • slb:CreateLoadBalancerHTTPListener

    • slb:DeleteLoadBalancerListener

    • slb:AddTags

    • slb:RemoveTags

    • slb:SetLoadBalancerDeleteProtection

    • slb:SetLoadBalancerModificationProtection

    • slb:DescribeZones

    • slb:CreateAccessControlList

    • slb:DescribeAccessControlLists

    • slb:AddAccessControlListEntry

    • slb:RemoveAccessControlListEntry

    • slb:SetLoadBalancerTCPListenerAttribute

    ASM-related permissions

    • servicemesh:CreateServiceMesh

    • servicemesh:DeleteServiceMesh

    • servicemesh:DescribeServiceMeshDetail

    • servicemesh:DescribeServiceMeshes

    • servicemesh:DescribeServiceMeshKubeconfig

    • servicemesh:DescribeServiceMeshLogs

    • servicemesh:ModifyServiceMesh

    • servicemesh:ModifyServiceMeshName

    • servicemesh:DescribeClustersInServiceMesh

    • servicemesh:AddClusterIntoServiceMesh

    • servicemesh:RemoveClusterFromServiceMesh

    • servicemesh:UpdateMeshFeature

    • servicemesh:DescribeRegions

    • servicemesh:DescribeServiceMeshUpgradeStatus

    • servicemesh:DescribeVersions

    • servicemesh:RevokeKubeconfig

    • servicemesh:UpdateServiceMeshOwner

    RAM-related Permissions

    • ram:CreateApplication

    • ram:ListApplications

    • ram:ListAppSecretIds

    • ram:GetApplication

    • ram:UpdateApplication

    • ram:CreateAppSecret

    • ram:GetAppSecret

    • ram:DeleteApplication

    • ram:DeleteAppSecret

    • ram:CreateApplication

    • ram:ListApplications

    • ram:ListAppSecretIds

    • ram:CreateServiceLinkedRole

    ARMS-related Permissions

    • arms:InstallManagedPrometheus

    • arms:UninstallManagedPrometheus

    AliyunAdcpServerlessKubernetesRole

    VPC-related permissions

    • vpc:DescribeVSwitches

    • vpc:DescribeVpcs

    • vpc:AssociateEipAddress

    • vpc:DescribeEipAddresses

    • vpc:AllocateEipAddress

    • vpc:ReleaseEipAddress

    • vpc:AddCommonBandwidthPackageIp

    • vpc:RemoveCommonBandwidthPackageIp

    ECS-related permissions

    • ecs:DescribeSecurityGroups

    • ecs:CreateNetworkInterface

    • ecs:CreateNetworkInterfacePermission

    • ecs:DescribeNetworkInterfaces

    • ecs:AttachNetworkInterface

    • ecs:DetachNetworkInterface

    • ecs:DeleteNetworkInterface

    • ecs:DeleteNetworkInterfacePermission

    ARMS-related permissions

    • arms:GetManagedPrometheusStatus

    • arms:InstallManagedPrometheus

    • arms:UninstallManagedPrometheus

    Alibaba Cloud DNS PrivateZone-related permissions

    • pvtz:AddZone

    • pvtz:DeleteZone

    • pvtz:DescribeZones

    • pvtz:DescribeZoneInfo

    • pvtz:BindZoneVpc

    • pvtz:AddZoneRecord

    • pvtz:DeleteZoneRecord

    • pvtz:DeleteZoneRecordsByRR

    • pvtz:DescribeZoneRecordsByRR

    • pvtz:DescribeZoneRecords

    Elastic Container Instance-related permissions

    • eci:CreateContainerGroup

    • eci:DeleteContainerGroup

    • eci:DescribeContainerGroups

    • eci:DescribeContainerGroupStatus

    • eci:DescribeContainerGroupEvents

    • eci:DescribeContainerLog

    • eci:UpdateContainerGroup

    • eci:UpdateContainerGroupByTemplate

    • eci:CreateContainerGroupFromTemplate

    • eci:RestartContainerGroup

    • eci:ExportContainerGroupTemplate

    • eci:DescribeContainerGroupMetric

    • eci:DescribeMultiContainerGroupMetric

    • eci:ResizeContainerGroupVolume

    • eci:ExecContainerCommand

    • eci:CreateImageCache

    • eci:DescribeImageCaches

    • eci:DeleteImageCache

    Simple Log Service-related permissions

    • log:CreateProject

    • log:GetProject

    • log:DeleteProject

    • log:CreateLogStore

    • log:GetLogStore

    • log:UpdateLogStore

    • log:DeleteLogStore

    • log:CreateConfig

    • log:UpdateConfig

    • log:GetConfig

    • log:DeleteConfig

    • log:CreateMachineGroup

    • log:UpdateMachineGroup

    • log:GetMachineGroup

    • log:DeleteMachineGroup

    • log:ApplyConfigToGroup

    • log:GetAppliedMachineGroups

    • log:GetAppliedConfigs

    • log:RemoveConfigFromMachineGroup

    • log:CreateIndex

    • log:GetIndex

    • log:UpdateIndex

    • log:DeleteIndex

    • log:CreateSavedSearch

    • log:GetSavedSearch

    • log:UpdateSavedSearch

    • log:DeleteSavedSearch

    • log:CreateDashboard

    • log:GetDashboard

    • log:UpdateDashboard

    • log:DeleteDashboard

    • log:CreateJob

    • log:GetJob

    • log:DeleteJob

    • log:PostLogStoreLogs

    • log:UpdateJob

    RAM-related Permissions

    ram:CreateServiceLinkedRole

    AliyunAdcpManagedMseRole

    MSE-related permissions

    • mse:AddBlackWhiteList

    • mse:AddGateway

    • mse:AddServiceSource

    • mse:CreateApplication

    • mse:DeleteGateway

    • mse:DeleteServiceSource

    • mse:GetBlackWhiteList

    • mse:GetGateway

    • mse:GetGatewayDetail

    • mse:GetGatewayOption

    • mse:ListServiceSource

    • mse:ListTagResources

    • mse:ModifyLosslessRule

    • mse:TagResources

    • mse:UntagResources

    • mse:UpdateBlackWhiteList

    • mse:UpdateGatewayOption

    • mse:UpdateServiceSource

    Simple Log Service-related permissions

    • log:CloseProductDataCollection

    • log:OpenProductDataCollection

    • log:GetProductDataCollection

    RAM-related permissions

    ram:CreateServiceLinkedRole

    References