Container Compute Service:Default roles of ACS

Last Updated:Oct 31, 2024

When you activate Alibaba Cloud Container Compute Service (ACS), you must assign default roles to ACS within your Alibaba Cloud account. This way, ACS can access resources in other Alibaba Cloud services, create clusters, or save logs. These Alibaba Cloud services include Virtual Private Cloud (VPC), Elastic Network Interface (ENI), File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes the permissions of the default roles of ACS.

Permissions of the default roles

The following table describes the default roles of ACS.

| Role | Description |
| --- | --- |
| AliyunServiceRoleForAcc | This role is a service-linked role. ACS assumes this role to access your resources in other Alibaba Cloud services during cluster management, such as Container Service for Kubernetes (ACK), Elastic Compute Service (ECS), VPC, SLB, and Application Real-Time Monitoring Service (ARMS). |
| AliyunCCCSIPluginRole | By default, an ACS cluster assumes this role to access your resources in cloud disks and in storage services such as NAS. |
| AliyunCCCCMServiceRole | By default, an ACS cluster assumes this role to access your resources in load balancing services, such as SLB and Application Load Balancer (ALB). |
| AliyunCCNECRole | By default, an ACS cluster assumes this role to access your resources in network services, such as VPC and ECS, and to create and use an elastic IP address (EIP). |
| AliyunCCKubernetesAuditRole | By default, an ACS cluster assumes this role to access your resources in Simple Log Service (SLS) and to collect and display Kubernetes audit logs. |
| AliyunCCManagedLogRole | By default, an ACS cluster assumes this role to access your resources in SLS and to collect and display ACS container logs. |
| AliyunCCManagedArmsRole | By default, an ACS cluster assumes this role to access your resources in ARMS, collect and display various resource metrics of ACS containers, and monitor application performance metrics. |
| AliyunCCCISDefaultRole | By default, an ACS cluster assumes this role to access your resources in cloud services, such as ECS, ACK, VPC, and SLB, and to check the health status of Kubernetes and related components on a regular basis. |
| AliyunCCManagedAcrRole | By default, an ACS cluster assumes this role to access Container Registry (ACR) to obtain a temporary username and password pair that is used to start an ACS pod. |
| AliyunCCForResourceProviderRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a pod is created. |
| AliyunCCManagedVirtualNodeRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a virtual node is created. |
| AliyunCCManagedACSBrokerRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when the O&M information of a pod is obtained. |
| AliyunCSDefaultRole | By default, ACS assumes this role to create, delete, or upgrade a Kubernetes cluster. |

AliyunServiceRoleForAcc

This role is a service-linked role. ACS assumes this role to access your resources in other Alibaba Cloud services during cluster management, such as ACK, ECS, VPC, SLB, and ARMS.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
| ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeInstanceAttribute | Queries the information about one or more ECS instances. |
| ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
| ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
| ecs:DescribeInstances | Queries the details about one or more ECS instances. |
| ecs:DescribeInstanceTypes | Queries the details about all instance types or a specified instance type provided by ECS. |
| ecs:AssignIpv6Addresses | Assigns one or more IPv6 addresses to an ENI. |
| ecs:UnassignIpv6Addresses | Unassigns one or more IPv6 addresses from an ENI. |
| ecs:ModifyNetworkInterfaceAttribute | Modifies the information about an ENI. |
| ecs:CreateNetworkInterfacePermission | Creates an ENI permission. |
| ecs:DeleteNetworkInterfacePermission | Deletes an ENI permission. |
| ecs:DescribeNetworkInterfacePermissions | Queries ENI permissions. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:ModifySecurityGroupEgressRule | Modifies an outbound rule in a security group. |
| ecs:ModifySecurityGroupPolicy | Modifies the internal access control policy of a basic security group. |
| ecs:ModifySecurityGroupRule | Modifies an inbound rule in a security group. |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:RevokeSecurityGroup | Revokes a security group rule. |
| ecs:RevokeSecurityGroupEgress | Deletes an outbound rule in a security group. After the rule is deleted, the access control implemented by the rule is removed. |
| ecs:DeleteSecurityGroup | Deletes a security group. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:AuthorizeSecurityGroup | Configures an inbound rule in a security group. |
| ecs:AuthorizeSecurityGroupEgress | Configures an outbound rule in a security group. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries created vSwitches. |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
| vpc:DescribeVSwitchAttributes | Queries the configurations of a vSwitch. |

ACK-related permissions

| Permission (Action) | Description |
| --- | --- |
| cs:CreateCluster | Creates a Kubernetes cluster. |
| cs:CreateClusterByResourcesGroup | Creates a Kubernetes cluster that belongs to a resource group. |
| cs:DeleteCluster | Deletes a Kubernetes cluster. |
| cs:DescribeClusterDetail | Queries the details about a Kubernetes cluster. |
| cs:DescribeClusterUserKubeconfig | Queries the kubeconfig file of a user in a Kubernetes cluster. |
| cs:DescribeClusters | Queries Kubernetes clusters. |
| cs:DescribeClustersV1 | Queries Kubernetes clusters. |
| cs:DescribeEvents | Queries exceptions. |
| cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
| cs:GetClusters | Queries Kubernetes clusters. |
| cs:ListTagResources | Queries the labels of resources in clusters by cluster IDs. |
| cs:ModifyCluster | Modifies the information about a cluster. |
| cs:ModifyClusterTags | Modifies the labels of a cluster. |
| cs:TagResources | Adds labels to a cluster. |
| cs:UntagResources | Removes labels from a cluster. |

ARMS-related permissions

| Permission (Action) | Description |
| --- | --- |
| arms:InstallManagedPrometheus | Creates a managed Prometheus instance. |
| arms:UnInstallManagedPrometheus | Deletes a managed Prometheus instance. |
| arms:GetManagedPrometheusStatus | Queries the status of a managed Prometheus instance. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:AddBackendServers | Adds backend servers. |
| slb:RemoveBackendServers | Removes backend servers. |
| slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
| slb:DescribeLoadBalancers | Queries created SLB instances. |

AliyunCCCSIPluginRole

By default, an ACS cluster assumes this role to access your resources in cloud disks and in storage services such as NAS.

EBS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ebs:CreateContainerDisk | Creates a cloud disk. |
| ebs:DescribeContainerDisks | Queries cloud disks. |
| ebs:GetContainerDisk | Queries a cloud disk. |
| ebs:DeleteContainerDisk | Deletes a cloud disk. |

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:AttachDisk | Attaches a cloud disk. |
| ecs:DetachDisk | Detaches a cloud disk. |
| ecs:DescribeDisks | Queries cloud disks. |
| ecs:CreateDisk | Creates a cloud disk. |
| ecs:DeleteDisk | Deletes a cloud disk. |
| ecs:AddTags | Adds labels to a cloud disk. |
| ecs:RemoveTags | Removes labels from a cloud disk. |
| ecs:DescribeTags | Queries available labels. |
| ecs:DescribeInstances | Queries the details about one or more ECS instances. |

NAS-related permissions

| Permission (Action) | Description |
| --- | --- |
| nas:CreateFileSystem | Creates a file system. |
| nas:CreateMountTarget | Creates a mount target in a file system. |
| nas:DeleteFileSystem | Deletes a file system. |
| nas:DeleteMountTarget | Deletes a mount target in a file system. |
| nas:DescribeFileSystems | Queries the information about a file system. |
| nas:DescribeMountTargets | Queries a mount target in a file system. |
| nas:ModifyFileSystem | Modifies the description of a file system. |
| nas:ModifyMountTarget | Modifies the description of a mount target in a file system. |
| nas:AddTags | Adds labels to a file system. |
| nas:DescribeTags | Queries available labels. |
| nas:RemoveTags | Removes labels from a file system. |
| nas:EnableRecycleBin | Enables the recycle bin feature for a file system. |
| nas:GetRecycleBinAttribute | Queries the recycle bin configurations of a General-purpose NAS file system. |
| nas:SetDirQuota | Creates a directory quota for a file system. |
| nas:DescribeDirQuotas | Queries the directory quotas of a file system. |

AliyunCCCCMServiceRole

By default, an ACS cluster assumes this role to create and use load balancing services, such as SLB and ALB, by using the ACS Cloud Controller Manager (CCM) plug-in.

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:AddBackendServers | Adds backend servers. |
| slb:AddTags | Adds labels to an SLB instance. |
| slb:AddVServerGroupBackendServers | Adds backend servers to a vServer group. |
| slb:CreateLoadBalancer | Creates an SLB instance. |
| slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
| slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
| slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
| slb:CreateLoadBalancerUDPListener | Creates a UDP listener for an SLB instance. |
| slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
| slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
| slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
| slb:DeleteVServerGroup | Deletes a vServer group. |
| slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
| slb:DescribeLoadBalancerHTTPListenerAttribute | Queries the configurations of an HTTP listener. |
| slb:DescribeLoadBalancerHTTPSListenerAttribute | Queries the configurations of an HTTPS listener. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
| slb:DescribeLoadBalancers | Queries created SLB instances. |
| slb:DescribeTags | Queries available labels. |
| slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
| slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
| slb:ModifyVServerGroupBackendServers | Replaces the backend servers in a vServer group. |
| slb:RemoveBackendServers | Removes backend servers. |
| slb:RemoveTags | Removes labels from an SLB instance. |
| slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
| slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |
| slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
| slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
| slb:SetLoadBalancerModificationProtection | Modifies the configuration read-only mode setting of an SLB instance. |
| slb:SetLoadBalancerName | Changes the name of an SLB instance. |
| slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
| slb:SetLoadBalancerUDPListenerAttribute | Modifies the configurations of a UDP listener. |
| slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
| slb:StartLoadBalancerListener | Starts a listener. |
| slb:StopLoadBalancerListener | Stops a listener. |

ALB-related permissions

| Permission (Action) | Description |
| --- | --- |
| alb:AddServersToServerGroup | Adds backend servers to a server group. |
| alb:AssociateAdditionalCertificatesWithListener | Associates additional certificates with a listener. |
| alb:CreateListener | Creates an HTTP, HTTPS, or QUIC listener in a region. |
| alb:CreateLoadBalancer | Creates an ALB instance in a region. |
| alb:CreateRule | Creates a forwarding rule for a listener. |
| alb:CreateRules | Creates multiple forwarding rules. |
| alb:CreateServerGroup | Creates a server group in a region. |
| alb:DeleteListener | Deletes a listener. |
| alb:DeleteLoadBalancer | Deletes an ALB instance. |
| alb:DeleteRule | Deletes a forwarding rule. |
| alb:DeleteRules | Deletes multiple forwarding rules from a listener at a time. |
| alb:DeleteServerGroup | Deletes a server group. |
| alb:DescribeZones | Queries zones in a region. |
| alb:DisableDeletionProtection | Disables deletion protection for an ALB instance. |
| alb:DisableLoadBalancerAccessLog | Disables the access log feature for an ALB instance. |
| alb:DissociateAdditionalCertificatesFromListener | Disassociates additional certificates from a listener. |
| alb:EnableDeletionProtection | Enables deletion protection for a resource. |
| alb:EnableLoadBalancerAccessLog | Enables the access log feature for an ALB instance. |
| alb:GetListenerAttribute | Queries the details about a listener. |
| alb:GetLoadBalancerAttribute | Queries the details about an ALB instance. |
| alb:ListListenerCertificates | Queries the certificates that are associated with a listener, including additional certificates and the default certificate. |
| alb:ListListeners | Queries the listeners in a region. |
| alb:ListLoadBalancers | Queries ALB instances in a region. |
| alb:ListRules | Queries the forwarding rules in a region. |
| alb:ListServerGroupServers | Queries servers in a server group. |
| alb:ListServerGroups | Queries server groups in a region. |
| alb:RemoveServersFromServerGroup | Removes backend servers from a server group. |
| alb:ReplaceServersInServerGroup | Replaces the backend servers in a server group. |
| alb:TagResources | Adds labels to resources. |
| alb:UnTagResources | Removes labels from resources. |
| alb:UpdateListenerAttribute | Updates the configurations of a listener, such as the name and the default action. |
| alb:UpdateLoadBalancerAttribute | Updates the attributes of an ALB instance, such as the name and the configuration read-only mode. |
| alb:UpdateLoadBalancerEdition | Changes the edition of an ALB instance. |
| alb:UpdateRuleAttribute | Updates the configurations of a forwarding rule, such as the conditions, actions, and name. |
| alb:UpdateRulesAttribute | Updates the configurations of multiple forwarding rules. |
| alb:UpdateServerGroupAttribute | Updates the configurations of a server group, such as the health check, session persistence, server group name, scheduling algorithm, and protocol settings. |
| alb:CreateAcl | Creates an access control list (ACL) in a region. |
| alb:DeleteAcl | Deletes an ACL. |
| alb:ListAcls | Queries ACLs in a region. |
| alb:AddEntriesToAcl | Adds IP address entries to an ACL. |
| alb:AssociateAclsWithListener | Associates ACLs with a listener. |
| alb:ListAclEntries | Queries the entries of an ACL. |
| alb:RemoveEntriesFromAcl | Removes entries from an ACL. |
| alb:DissociateAclsFromListener | Disassociates ACLs from a listener. |
| alb:EnableLoadBalancerIpv6Internet | Changes the private IPv6 address of a dual-stack ALB instance to a public IPv6 address. |
| alb:DisableLoadBalancerIpv6Internet | Changes the public IPv6 address of a dual-stack ALB instance to a private IPv6 address. |

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
| vpc:DescribeVpcs | Queries created VPCs. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:CreateServiceLinkedRole | Creates a service-linked role. |

AliyunCCNECRole

By default, an ACS cluster assumes this role to access your resources in network services, such as VPC and ECS, and to create and use an EIP.

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
| vpc:AllocateEipAddress | Applies for an EIP. |
| vpc:AllocateEipAddressPro | Applies for a specified EIP. |
| vpc:DescribeEipAddresses | Queries created EIPs in a region. |
| vpc:AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
| vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of an EIP. |
| vpc:AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
| vpc:RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |
| vpc:TagResources | Creates and adds labels to resources. |

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |

AliyunCCKubernetesAuditRole

By default, an ACS cluster assumes this role to access your resources in SLS and to collect and display Kubernetes audit logs.

SLS-related permissions

| Permission (Action) | Description |
| --- | --- |
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by project name. |
| log:DeleteProject | Deletes a project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a Logtail configuration. |
| log:UpdateConfig | Updates a Logtail configuration. |
| log:GetConfig | Queries the details about a Logtail configuration. |
| log:DeleteConfig | Deletes a Logtail configuration. |
| log:CreateMachineGroup | Creates a machine group to which Logtail configurations can be applied. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries the information about a machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration to a machine group. |
| log:GetAppliedMachineGroups | Queries the machine groups to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Queries the Logtail configurations that are applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Creates indexes for a Logstore. |
| log:GetIndex | Queries the indexes of a Logstore. |
| log:UpdateIndex | Updates the indexes of a Logstore. |
| log:DeleteIndex | Removes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, such as an alert task or a subscription task. |
| log:GetJob | Queries a task. |
| log:DeleteJob | Deletes a task. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |

AliyunCCManagedLogRole

By default, an ACS cluster assumes this role to access your resources in SLS and to collect and display ACS container logs, as listed in the summary table above.

SLS-related permissions

| Permission (Action) | Description |
| --- | --- |
| log:CreateProject | Creates a project. |
| log:GetProject | Queries a project by project name. |
| log:DeleteProject | Deletes a project. |
| log:CreateLogStore | Creates a Logstore in a project. |
| log:GetLogStore | Queries the attributes of a Logstore. |
| log:UpdateLogStore | Updates the attributes of a Logstore. |
| log:DeleteLogStore | Deletes a Logstore. |
| log:CreateConfig | Creates a Logtail configuration. |
| log:UpdateConfig | Updates a Logtail configuration. |
| log:GetConfig | Queries the details about a Logtail configuration. |
| log:DeleteConfig | Deletes a Logtail configuration. |
| log:CreateMachineGroup | Creates a machine group to which Logtail configurations can be applied. |
| log:UpdateMachineGroup | Updates a machine group. |
| log:GetMachineGroup | Queries the information about a machine group. |
| log:DeleteMachineGroup | Deletes a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration to a machine group. |
| log:GetAppliedMachineGroups | Queries the machine groups to which a Logtail configuration is applied. |
| log:GetAppliedConfigs | Queries the Logtail configurations that are applied to a machine group. |
| log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
| log:CreateIndex | Creates indexes for a Logstore. |
| log:GetIndex | Queries the indexes of a Logstore. |
| log:UpdateIndex | Updates the indexes of a Logstore. |
| log:DeleteIndex | Removes indexes from a Logstore. |
| log:CreateSavedSearch | Creates a saved search. |
| log:GetSavedSearch | Queries a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| log:DeleteSavedSearch | Deletes a saved search. |
| log:CreateDashboard | Creates a dashboard. |
| log:GetDashboard | Queries a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:DeleteDashboard | Deletes a dashboard. |
| log:CreateJob | Creates a task, such as an alert task or a subscription task. |
| log:GetJob | Queries a task. |
| log:DeleteJob | Deletes a task. |
| log:UpdateJob | Updates a task. |
| log:PostLogStoreLogs | Writes logs to a Logstore. |
| log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
| log:GetSortedSubStore | Queries a sorted sub-Logstore. |
| log:ListSortedSubStore | Lists sorted sub-Logstores. |
| log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
| log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
| log:CreateApp | Creates applications, such as Cost Manager and Log Audit Service. |
| log:UpdateApp | Updates applications, such as Cost Manager and Log Audit Service. |
| log:GetApp | Queries applications, such as Cost Manager and Log Audit Service. |
| log:DeleteApp | Deletes applications, such as Cost Manager and Log Audit Service. |
| cs:DescribeTemplates | Queries container templates. |
| cs:DescribeTemplateAttribute | Queries the attributes of a container template. |

ACK-related permissions

| Permission (Action) | Description |
| --- | --- |
| cs:UpdateContactGroup | Updates an alert contact group. |
| cs:DescribeTemplates | Queries all orchestration templates. |
| cs:DescribeTemplateAttribute | Queries the details about an orchestration template. |

AliyunCCManagedArmsRole

By default, an ACS cluster assumes this role to access your resources in ARMS, collect and display various resource metrics of ACS containers, and monitor application performance metrics.

ARMS-related permissions

| Permission (Action) | Description |
| --- | --- |
| arms:CreateApp | Creates an application monitoring task. |
| arms:DeleteApp | Deletes an application monitoring task. |
| arms:ConfigAgentLabel | Modifies the labels of the application monitoring agent. |
| arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring. |
| arms:CreateProm | Creates a monitoring task based on Managed Service for Prometheus. |
| arms:SearchEvents | Queries alert events. |
| arms:SearchAlarmHistories | Queries the alert sending history. |
| arms:SearchAlertRules | Queries alert rules. |
| arms:GetAlertRules | Obtains alert rules. |
| arms:CreateAlertRules | Creates alert rules. |
| arms:UpdateAlertRules | Updates alert rules. |
| arms:StartAlertRule | Enables an alert rule. |
| arms:StopAlertRule | Disables an alert rule. |
| arms:CreateContact | Creates an alert contact. |
| arms:SearchContact | Queries an alert contact. |
| arms:UpdateContact | Updates an alert contact. |
| arms:CreateContactGroup | Creates an alert contact group. |
| arms:SearchContactGroup | Queries an alert contact group. |
| arms:UpdateContactGroup | Updates an alert contact group. |

xtrace-related permissions

| Permission (Action) | Description |
| --- | --- |
| xtrace:GetToken | |

AliyunCCCISDefaultRole

By default, an ACS cluster assumes this role to access your resources in cloud services, such as ECS, ACK, VPC, and SLB, and to check the health status of Kubernetes and related components on a regular basis.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:DescribeInstances | Queries the details about one or more ECS instances. |
| ecs:DescribeInstanceStatus | Queries the status information of multiple ECS instances. |
| ecs:DescribeInstanceTypes | Queries the details about all instance types or a specified instance type provided by ECS. |
| ecs:DescribeInstanceTypeFamilies | Queries the instance families provided by ECS. |
| ecs:DescribeInstanceAttribute | Queries the details about an ECS instance. |
| ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
| ecs:DescribeDiagnosticReportAttributes | Queries the details about a resource diagnostic report. |
| ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
| ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
| ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by other security groups. |
| ecs:DescribeBandwidthLimitation | Queries the maximum public bandwidth that is available for purchase, upgrade, or downgrade when different instance types are involved. |
| ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances. If Cloud Assistant Agent is installed, the system also queries the total number of Cloud Assistant commands that have been run, the number of Cloud Assistant commands that are being run, and the time when Cloud Assistant commands were last run. |
| ecs:DescribeCommands | Queries the Cloud Assistant commands that you created or the common Cloud Assistant commands that Alibaba Cloud provides. |
| ecs:DescribeInvocationResults | Queries the result of running one or more Cloud Assistant commands on an ECS instance. |
| ecs:CreateCommand | Creates a Cloud Assistant command. |
| ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
| ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
| ecs:CreateDiagnosticReport | Creates a resource diagnostic report for the diagnostic metric set specified by the MetricSetId parameter. |
| ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |
| ecs:RunCommand | Runs a shell, PowerShell, or batch script on one or more ECS instances. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
| vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
| vpc:DescribeVSwitchAttributes | Queries the configurations of a vSwitch. |
| vpc:DescribeRouteTableList | Queries route tables. |
| vpc:DescribeRouteEntryList | Queries route entries. |
| vpc:DescribeNatGateways | Queries NAT gateways that meet specific conditions in a region. |
| vpc:DescribeRouteTables | Queries route tables. |
| vpc:DescribeSnatTableEntries | Queries SNAT entries in an SNAT table. |
| vpc:DescribeNetworkAcls | Queries network ACLs. |
| vpc:DescribeNetworkAclAttributes | Queries the details about a network ACL. |
| vpc:DescribeEipAddresses | Queries created EIPs in a region. |

SLB-related permissions

| Permission (Action) | Description |
| --- | --- |
| slb:DescribeLoadBalancers | Queries created SLB instances. |
| slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
| slb:DescribeVServerGroups | Queries vServer groups. |
| slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
| slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
| slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
| slb:DescribeAccessControlLists | Queries created network ACLs. |
| slb:DescribeAccessControlListAttribute | Queries the configurations of a network ACL. |
| slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
| slb:DescribeHealthStatus | Queries the health status of backend servers. |

SLS-related permissions

| Permission (Action) | Description |
| --- | --- |
| sls:GetLogStore | Queries the details about a Logstore. |

ATP-related permissions

| Permission (Action) | Description |
| --- | --- |
| grace:GetFile | Queries the information about a file. |
| grace:AnalyzeFile | Analyzes a file. |
| grace:UploadFileByOSS | Uploads files by using Object Storage Service (OSS). |
| grace:UploadFileByURL | Uploads files by specifying URLs. |

CloudMonitor-related permissions

| Permission (Action) | Description |
| --- | --- |
| cms:DescribeMetricData | Queries the monitoring data of a metric for a cloud service. |
| cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricMetaList | Queries the details about metrics that are supported in CloudMonitor. |
| cms:DescribeMetricTop | Queries the latest monitoring data of a metric for a cloud service and then queries the sorted monitoring data of the metric. |
| cms:QueryMetricMeta | Queries the descriptions of time series metrics that are supported in CloudMonitor. |
| cms:QueryMetricTop | Queries the top metrics. |
| cms:ListMetricMeta | Lists data source metrics. |
| cms:QueryMetricData | Queries the monitoring data of a time series metric of CloudMonitor in the specified period of time. |
| cms:QueryMetricLast | Queries the latest monitoring data of a metric. |
| cms:DescribeMetricList | Queries the monitoring data of a metric of an Alibaba Cloud service. |
| cms:QueryMetricList | Queries the monitoring data of instances or clusters of a specific service within a period. |
| cms:DescribeAlertLogList | Queries the alert logs within the last year. |
| cms:DescribeSystemEventAttribute | Queries the details about a system event. |

ACK-related permissions

| Permission (Action) | Description |
| --- | --- |
| cs:DescribeClusterDetail | Queries the details about a cluster by cluster ID. |
| cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID. |
| cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
| cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of a component by component name. |

Resource Quota-related permissions

| Permission (Action) | Description |
| --- | --- |
| quotas:ListProducts | Queries the Alibaba Cloud services that are supported by Quota Center. |
| quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
| quotas:ListProductQuotaDimensions | Queries the quota dimensions that are supported by an Alibaba Cloud service. |
| quotas:GetProductQuota | Queries the details about a quota. |
| quotas:GetProductQuotaDimension | Queries the details about a quota dimension that is supported by an Alibaba Cloud service. |

RAM-related permissions

| Permission (Action) | Description |
| --- | --- |
| ram:CreateServiceLinkedRole | Creates a service-linked role. |

AliyunCCManagedAcrRole

By default, an ACS cluster assumes this role to access ACR to obtain a temporary username and password pair that is used to start an ACS pod.

CR-related permissions

| Permission (Action) | Description |
| --- | --- |
| cr:GetAuthorizationToken | Queries a temporary username and password pair that is used to log on to a Container Registry instance. |
| cr:ListInstanceEndpoint | Queries the endpoints of an instance. |

AliyunCCForResourceProviderRole

By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a pod is created.

ECS-related permissions

| Permission (Action) | Description |
| --- | --- |
| ecs:CreateNetworkInterfacePermission | Creates an ENI permission. |
| ecs:DeleteNetworkInterfacePermission | Deletes an ENI permission. |
| ecs:CreateNetworkInterface | Creates an ENI. |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
| ecs:DescribeNetworkInterfaces | Queries ENIs. |
| ecs:CreateDisk | Creates a cloud disk. |
| ecs:DescribeDisks | Queries cloud disks. |
| ecs:AttachDisk | Attaches a cloud disk. |
| ecs:DetachDisk | Detaches a cloud disk. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries created vSwitches. |
| vpc:DescribeVpcs | Queries created VPCs. |
| vpc:AllocateEipAddress | Applies for an EIP. |
| vpc:AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
| vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
| vpc:ReleaseEipAddress | Releases an EIP. |

AliyunCCManagedVirtualNodeRole

By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a virtual node is created.

PVTZ-related permissions

| Permission (Action) | Description |
| --- | --- |
| pvtz:AddZone | Adds a zone. |
| pvtz:DeleteZone | Deletes a zone. |
| pvtz:DescribeZones | Queries zones. |
| pvtz:BindZoneVpc | Associates a zone with a VPC. |
| pvtz:AddZoneRecord | Adds a DNS record. |
| pvtz:DeleteZoneRecord | Deletes a DNS record. |
| pvtz:DescribeZoneRecords | Queries DNS records. |

VPC-related permissions

| Permission (Action) | Description |
| --- | --- |
| vpc:DescribeVSwitches | Queries created vSwitches. |

AliyunCSDefaultRole

This role is a service-linked role of ACK. By default, ACS assumes this role to create, delete, or upgrade a Kubernetes cluster.

For more information about the service-linked role, see AliyunCSDefaultRole.