When you activate Alibaba Cloud Container Compute Service (ACS), you must assign default roles to ACS within your Alibaba Cloud account. This way, ACS can access resources in other Alibaba Cloud services, create clusters, or save logs. These Alibaba Cloud services include Virtual Private Cloud (VPC), Elastic Network Interface (ENI), File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes the permissions of the default roles of ACS.
Permissions of the default roles
The following table describes the default roles of ACS.
Role | Description |
--- | --- |
AliyunServiceRoleForAcc | This role is a service-linked role. ACS assumes this role to access your resources in other Alibaba Cloud services during cluster management, such as Container Service for Kubernetes (ACK), Elastic Compute Service (ECS), VPC, SLB, and Application Real-Time Monitoring Service (ARMS). |
AliyunCCCSIPluginRole | By default, an ACS cluster assumes this role to access your resources in cloud disks or in storage services, such as NAS. |
AliyunCCCCMServiceRole | By default, an ACS cluster assumes this role to access your resources in load balancing services, such as SLB and Application Load Balancer (ALB). |
AliyunCCNECRole | By default, an ACS cluster assumes this role to access your resources in network services, such as VPC and ECS, and create and use an elastic IP address (EIP). |
AliyunCCKubernetesAuditRole | By default, an ACS cluster assumes this role to access your resources in Simple Log Service (SLS) and collect and display Kubernetes audit logs. |
AliyunCCManagedLogRole | By default, an ACS cluster assumes this role to access your resources in SLS and collect and display ACS container logs. |
AliyunCCManagedArmsRole | By default, an ACS cluster assumes this role to access your resources in ARMS, collect and display various resource metrics of ACS containers, and monitor metrics for application performance. |
AliyunCCCISDefaultRole | By default, an ACS cluster assumes this role to access your resources in cloud services, such as ECS, ACK, VPC, and SLB, and check the health status of Kubernetes and related components on a regular basis. |
AliyunCCManagedAcrRole | By default, an ACS cluster assumes this role to access Container Registry (ACR) and obtain a temporary username and password pair that is used to start an ACS pod. |
AliyunCCForResourceProviderRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a pod is created. |
AliyunCCManagedVirtualNodeRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a virtual node is created. |
AliyunCCManagedACSBrokerRole | By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when the O&M information of a pod is obtained. |
AliyunCSDefaultRole | By default, ACS assumes this role to create, delete, or upgrade a Kubernetes cluster. |
AliyunServiceRoleForAcc
This role is a service-linked role. ACS assumes this role to access your resources in other Alibaba Cloud services during cluster management, such as ACK, ECS, VPC, SLB, and ARMS.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:AttachNetworkInterface | Attaches an ENI to a VPC-connected ECS instance. |
ecs:DetachNetworkInterface | Detaches an ENI from an ECS instance. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DescribeInstanceAttribute | Queries the information about one or more ECS instances. |
ecs:AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
ecs:UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. |
ecs:DescribeInstances | Queries the details about one or more ECS instances. |
ecs:DescribeInstanceTypes | Queries the details about all instance types or a specified instance type provided by ECS. |
ecs:AssignIpv6Addresses | Assigns one or more IPv6 addresses to an ENI. |
ecs:UnassignIpv6Addresses | Unassigns one or more IPv6 addresses from an ENI. |
ecs:ModifyNetworkInterfaceAttribute | Modifies the information about an ENI. |
ecs:CreateNetworkInterfacePermission | Creates an ENI. |
ecs:DeleteNetworkInterfacePermission | Deletes an ENI. |
ecs:DescribeNetworkInterfacePermissions | Queries an ENI. |
ecs:CreateSecurityGroup | Creates a security group. |
ecs:ModifySecurityGroupEgressRule | Modifies an outbound rule in a security group. |
ecs:ModifySecurityGroupPolicy | Modifies the internal access control policy of a basic security group. |
ecs:ModifySecurityGroupRule | Modifies an inbound rule in a security group. |
ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
ecs:RevokeSecurityGroup | Revokes a security group rule. |
ecs:RevokeSecurityGroupEgress | Deletes an outbound rule in a security group. After the rule is deleted, the access control implemented by the rule is removed. |
ecs:DeleteSecurityGroup | Deletes a security group. |
ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
ecs:AuthorizeSecurityGroup | Configures an inbound rule in a security group. |
ecs:AuthorizeSecurityGroupEgress | Configures an outbound rule in a security group. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVSwitches | Queries created vSwitches. |
vpc:DescribeVpcs | Queries created VPCs. |
vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
vpc:DescribeVSwitchAttributes | Queries the configurations of a vSwitch. |
ACK-related permissions
Permission (Action) | Description |
--- | --- |
cs:CreateCluster | Creates a Kubernetes cluster. |
cs:CreateClusterByResourcesGroup | Creates a Kubernetes cluster that belongs to a resource group. |
cs:DeleteCluster | Deletes a Kubernetes cluster. |
cs:DescribeClusterDetail | Queries the details about a Kubernetes cluster. |
cs:DescribeClusterUserKubeconfig | Queries the kubeconfig file of a user in a Kubernetes cluster. |
cs:DescribeClusters | Queries Kubernetes clusters. |
cs:DescribeClustersV1 | Queries Kubernetes clusters. |
cs:DescribeEvents | Queries exceptions. |
cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
cs:GetClusters | Queries Kubernetes clusters. |
cs:ListTagResources | Queries the labels of resources in clusters by cluster IDs. |
cs:ModifyCluster | Modifies the information about a cluster. |
cs:ModifyClusterTags | Modifies the labels of a cluster. |
cs:TagResources | Adds labels to a cluster. |
cs:UntagResources | Removes labels from a cluster. |
ARMS-related permissions
Permission (Action) | Description |
--- | --- |
arms:InstallManagedPrometheus | Creates a managed Prometheus instance. |
arms:UnInstallManagedPrometheus | Deletes a managed Prometheus instance. |
arms:GetManagedPrometheusStatus | Queries the status of a managed Prometheus instance. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:AddBackendServers | Adds backend servers. |
slb:RemoveBackendServers | Removes backend servers. |
slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
slb:DescribeLoadBalancers | Queries created SLB instances. |
AliyunCCCSIPluginRole
By default, an ACS cluster assumes this role to access your resources in cloud disks or in storage services, such as NAS.
EBS-related permissions
Permission (Action) | Description |
--- | --- |
ebs:CreateContainerDisk | Creates a cloud disk. |
ebs:DescribeContainerDisks | Queries cloud disks. |
ebs:GetContainerDisk | Queries a cloud disk. |
ebs:DeleteContainerDisk | Deletes a cloud disk. |
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:AttachDisk | Attaches a cloud disk. |
ecs:DetachDisk | Detaches a cloud disk. |
ecs:DescribeDisks | Queries cloud disks. |
ecs:CreateDisk | Creates a cloud disk. |
ecs:DeleteDisk | Deletes a cloud disk. |
ecs:AddTags | Adds labels to a cloud disk. |
ecs:RemoveTags | Removes labels from a cloud disk. |
ecs:DescribeTags | Queries available labels. |
ecs:DescribeInstances | Queries the details about one or more ECS instances. |
NAS-related permissions
Permission (Action) | Description |
--- | --- |
nas:CreateFileSystem | Creates a file system. |
nas:CreateMountTarget | Creates a mount target in a file system. |
nas:DeleteFileSystem | Deletes a file system. |
nas:DeleteMountTarget | Deletes a mount target in a file system. |
nas:DescribeFileSystems | Queries the information about a file system. |
nas:DescribeMountTargets | Queries a mount target in a file system. |
nas:ModifyFileSystem | Modifies the description of a file system. |
nas:ModifyMountTarget | Modifies the description of a mount target in a file system. |
nas:AddTags | Adds labels to a file system. |
nas:DescribeTags | Queries available labels. |
nas:RemoveTags | Removes labels from a file system. |
nas:EnableRecycleBin | Enables the recycle bin feature for a file system. |
nas:GetRecycleBinAttribute | Queries the recycle bin configurations of a General-purpose NAS file system. |
nas:SetDirQuota | Creates a directory quota for a file system. |
nas:DescribeDirQuotas | Queries the directory quotas of a file system. |
AliyunCCCCMServiceRole
By default, an ACS cluster assumes this role to create and use load balancing services, such as SLB and ALB, by using the ACS Cloud Controller Manager (CCM) plug-in.
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:AddBackendServers | Adds backend servers. |
slb:AddTags | Adds labels to an SLB instance. |
slb:AddVServerGroupBackendServers | Adds backend servers. |
slb:CreateLoadBalancer | Creates an SLB instance. |
slb:CreateLoadBalancerHTTPListener | Creates an HTTP listener for an SLB instance. |
slb:CreateLoadBalancerHTTPSListener | Creates an HTTPS listener for an SLB instance. |
slb:CreateLoadBalancerTCPListener | Creates a TCP listener for an SLB instance. |
slb:CreateLoadBalancerUDPListener | Creates a UDP listener for an SLB instance. |
slb:CreateVServerGroup | Creates a vServer group and adds backend servers to the vServer group. |
slb:DeleteLoadBalancer | Deletes a pay-as-you-go SLB instance. |
slb:DeleteLoadBalancerListener | Deletes a listener of an SLB instance. |
slb:DeleteVServerGroup | Deletes a vServer group. |
slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
slb:DescribeLoadBalancerHTTPListenerAttribute | Queries the configurations of an HTTP listener. |
slb:DescribeLoadBalancerHTTPSListenerAttribute | Queries the configurations of an HTTPS listener. |
slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
slb:DescribeLoadBalancers | Queries created SLB instances. |
slb:DescribeTags | Queries available labels. |
slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
slb:DescribeVServerGroups | Queries vServer groups. |
slb:ModifyLoadBalancerInstanceSpec | Modifies the specifications of an SLB instance. |
slb:ModifyLoadBalancerInternetSpec | Modifies the billing method of an Internet-facing SLB instance. |
slb:ModifyVServerGroupBackendServers | Replaces the backend servers in a vServer group. |
slb:RemoveBackendServers | Removes backend servers. |
slb:RemoveTags | Removes labels from an SLB instance. |
slb:RemoveVServerGroupBackendServers | Removes backend servers from a vServer group. |
slb:SetLoadBalancerDeleteProtection | Enables or disables deletion protection for an SLB instance. |
slb:SetLoadBalancerHTTPListenerAttribute | Modifies the configurations of an HTTP listener. |
slb:SetLoadBalancerHTTPSListenerAttribute | Modifies the configurations of an HTTPS listener. |
slb:SetLoadBalancerModificationProtection | Enables or disables the configuration read-only mode for an SLB instance. |
slb:SetLoadBalancerName | Changes the name of an SLB instance. |
slb:SetLoadBalancerTCPListenerAttribute | Modifies the configurations of a TCP listener. |
slb:SetLoadBalancerUDPListenerAttribute | Modifies the configurations of a UDP listener. |
slb:SetVServerGroupAttribute | Modifies the configurations of a vServer group. |
slb:StartLoadBalancerListener | Starts a listener. |
slb:StopLoadBalancerListener | Stops a listener. |
ALB-related permissions
Permission (Action) | Description |
--- | --- |
alb:AddServersToServerGroup | Adds backend servers to a server group. |
alb:AssociateAdditionalCertificatesWithListener | Associates additional certificates with a listener. |
alb:CreateListener | Creates an HTTP, HTTPS, or QUIC listener in a region. |
alb:CreateLoadBalancer | Creates an ALB instance in a region. |
alb:CreateRule | Creates a forwarding rule for a listener. |
alb:CreateRules | Creates multiple forwarding rules. |
alb:CreateServerGroup | Creates a server group in a region. |
alb:DeleteListener | Deletes a listener. |
alb:DeleteLoadBalancer | Deletes an ALB instance. |
alb:DeleteRule | Deletes a forwarding rule. |
alb:DeleteRules | Deletes multiple forwarding rules from a listener at a time. |
alb:DeleteServerGroup | Deletes a server group. |
alb:DescribeZones | Queries zones in a region. |
alb:DisableDeletionProtection | Disables deletion protection for an ALB instance. |
alb:DisableLoadBalancerAccessLog | Disables the access log feature for an ALB instance. |
alb:DissociateAdditionalCertificatesFromListener | Disassociates additional certificates from a listener. |
alb:EnableDeletionProtection | Enables deletion protection for a resource. |
alb:EnableLoadBalancerAccessLog | Enables the access log feature for an ALB instance. |
alb:GetListenerAttribute | Queries the details about a listener. |
alb:GetLoadBalancerAttribute | Queries the details about an ALB instance. |
alb:ListListenerCertificates | Queries the certificates that are associated with a listener, including additional certificates and the default certificate. |
alb:ListListeners | Queries the listeners in a region. |
alb:ListLoadBalancers | Queries ALB instances in a region. |
alb:ListRules | Queries the forwarding rules in a region. |
alb:ListServerGroupServers | Queries servers in a server group. |
alb:ListServerGroups | Queries server groups in a region. |
alb:RemoveServersFromServerGroup | Removes backend servers from a server group. |
alb:ReplaceServersInServerGroup | Replaces the backend servers in a server group. |
alb:TagResources | Adds labels to resources. |
alb:UnTagResources | Removes labels from resources. |
alb:UpdateListenerAttribute | Updates the configurations of a listener, such as the name and the default action. |
alb:UpdateLoadBalancerAttribute | Updates the attributes of an ALB instance, such as the name and the configuration read-only mode. |
alb:UpdateLoadBalancerEdition | Changes the edition of an ALB instance. |
alb:UpdateRuleAttribute | Updates the configurations of a forwarding rule, such as the conditions, actions, and name. |
alb:UpdateRulesAttribute | Updates the configurations of multiple forwarding rules. |
alb:UpdateServerGroupAttribute | Updates the configurations of a server group, such as the configurations of health checks, session persistence, server group name, scheduling algorithms, and protocols. |
alb:CreateAcl | Creates an access control list (ACL) in a region. |
alb:DeleteAcl | Deletes an ACL. |
alb:ListAcls | Queries ACLs in a region. |
alb:AddEntriesToAcl | Adds IP address entries to an ACL. |
alb:AssociateAclsWithListener | Associates ACLs with a listener. |
alb:ListAclEntries | Queries the entries of an ACL. |
alb:RemoveEntriesFromAcl | Removes the entries from an ACL. |
alb:DissociateAclsFromListener | Disassociates ACLs from a listener. |
alb:EnableLoadBalancerIpv6Internet | Changes the private IPv6 address of a dual-stack ALB instance to a public IPv6 address. |
alb:DisableLoadBalancerIpv6Internet | Changes the public IPv6 address of a dual-stack ALB instance to a private IPv6 address. |
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
vpc:DescribeVpcs | Queries created VPCs. |
RAM-related permissions
Permission (Action) | Description |
--- | --- |
ram:CreateServiceLinkedRole | Creates a service-linked role. |
AliyunCCNECRole
By default, an ACS cluster assumes this role to access your resources in network services, such as VPC and ECS, and create and use an EIP.
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
vpc:AllocateEipAddress | Applies for an EIP. |
vpc:AllocateEipAddressPro | Applies for a specified EIP. |
vpc:DescribeEipAddresses | Queries created EIPs in a region. |
vpc:AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
vpc:ReleaseEipAddress | Releases an EIP. |
vpc:ModifyEipAddressAttribute | Modifies the name, description, and maximum bandwidth of an EIP. |
vpc:AddCommonBandwidthPackageIp | Associates an EIP with an EIP bandwidth plan. |
vpc:RemoveCommonBandwidthPackageIp | Disassociates an EIP from an EIP bandwidth plan. |
vpc:TagResources | Creates and adds labels to resources. |
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |
AliyunCCKubernetesAuditRole
By default, an ACS cluster assumes this role to access your resources in SLS and collect and display Kubernetes audit logs.
Permission (Action) | Description |
--- | --- |
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by project name. |
log:DeleteProject | Deletes a project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a Logtail configuration. |
log:UpdateConfig | Updates a Logtail configuration. |
log:GetConfig | Queries the details about a Logtail configuration. |
log:DeleteConfig | Deletes a Logtail configuration. |
log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
log:UpdateMachineGroup | Updates a machine group. |
log:GetMachineGroup | Queries the information about a machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
log:GetAppliedMachineGroups | Queries the machines to which a Logtail configuration is applied. |
log:GetAppliedConfigs | Queries the Logtail configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
log:CreateIndex | Creates indexes for a Logstore. |
log:GetIndex | Queries indexes of a Logstore. |
log:UpdateIndex | Updates indexes of a Logstore. |
log:DeleteIndex | Removes indexes from a Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a task, such as an alert task or a subscription task. |
log:GetJob | Queries a task. |
log:DeleteJob | Deletes a task. |
log:UpdateJob | Updates a task. |
log:PostLogStoreLogs | Writes logs to a Logstore. |
AliyunCCManagedLogRole
By default, an ACS cluster assumes this role to collect and display Kubernetes audit logs by using SLS.
SLS-related permissions
Permission (Action) | Description |
--- | --- |
log:CreateProject | Creates a project. |
log:GetProject | Queries a project by project name. |
log:DeleteProject | Deletes a project. |
log:CreateLogStore | Creates a Logstore in a project. |
log:GetLogStore | Queries the attributes of a Logstore. |
log:UpdateLogStore | Updates the attributes of a Logstore. |
log:DeleteLogStore | Deletes a Logstore. |
log:CreateConfig | Creates a Logtail configuration. |
log:UpdateConfig | Updates a Logtail configuration. |
log:GetConfig | Queries the details about a Logtail configuration. |
log:DeleteConfig | Deletes a Logtail configuration. |
log:CreateMachineGroup | Creates a machine group to apply Logtail configurations. |
log:UpdateMachineGroup | Updates a machine group. |
log:GetMachineGroup | Queries the information about a machine group. |
log:DeleteMachineGroup | Deletes a machine group. |
log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
log:GetAppliedMachineGroups | Queries the machines to which a Logtail configuration is applied. |
log:GetAppliedConfigs | Queries the Logtail configurations that are applied to a machine group. |
log:RemoveConfigFromMachineGroup | Removes Logtail configurations from a machine group. |
log:CreateIndex | Creates indexes for a Logstore. |
log:GetIndex | Queries indexes of a Logstore. |
log:UpdateIndex | Updates indexes of a Logstore. |
log:DeleteIndex | Removes indexes from a Logstore. |
log:CreateSavedSearch | Creates a saved search. |
log:GetSavedSearch | Queries a saved search. |
log:UpdateSavedSearch | Updates a saved search. |
log:DeleteSavedSearch | Deletes a saved search. |
log:CreateDashboard | Creates a dashboard. |
log:GetDashboard | Queries a dashboard. |
log:UpdateDashboard | Updates a dashboard. |
log:DeleteDashboard | Deletes a dashboard. |
log:CreateJob | Creates a task, such as an alert task or a subscription task. |
log:GetJob | Queries a task. |
log:DeleteJob | Deletes a task. |
log:UpdateJob | Updates a task. |
log:PostLogStoreLogs | Writes logs to a Logstore. |
log:CreateSortedSubStore | Creates a sorted sub-Logstore. |
log:GetSortedSubStore | Queries a sorted sub-Logstore. |
log:ListSortedSubStore | Lists sorted sub-Logstores. |
log:UpdateSortedSubStore | Updates a sorted sub-Logstore. |
log:DeleteSortedSubStore | Deletes a sorted sub-Logstore. |
log:CreateApp | Creates applications, such as Cost Manager and Log Audit Service. |
log:UpdateApp | Updates applications, such as Cost Manager and Log Audit Service. |
log:GetApp | Queries applications, such as Cost Manager and Log Audit Service. |
log:DeleteApp | Deletes applications, such as Cost Manager and Log Audit Service. |
cs:DescribeTemplates | Queries container templates. |
cs:DescribeTemplateAttribute | Queries the attributes of a container template. |
ACK-related permissions
Permission (Action) | Description |
--- | --- |
cs:UpdateContactGroup | Updates an alert contact group. |
cs:DescribeTemplates | Queries all orchestration templates. |
cs:DescribeTemplateAttribute | Queries the details about an orchestration template. |
AliyunCCManagedArmsRole
By default, an ACS cluster assumes this role to access your resources in ARMS, collect and display various resource metrics of ACS containers, and monitor metrics for application performance.
ARMS-related permissions
Permission (Action) | Description |
--- | --- |
arms:CreateApp | Creates an application monitoring task. |
arms:DeleteApp | Deletes an application monitoring task. |
arms:ConfigAgentLabel | Modifies the labels of the application monitoring agent. |
arms:GetAssumeRoleCredentials | Queries the key that is required for a RAM user to assume a RAM role during application monitoring. |
arms:CreateProm | Creates a monitoring task based on Managed Service for Prometheus. |
arms:SearchEvents | Queries alert events. |
arms:SearchAlarmHistories | Queries the alert sending history. |
arms:SearchAlertRules | Queries alert rules. |
arms:GetAlertRules | Obtains alert rules. |
arms:CreateAlertRules | Creates alert rules. |
arms:UpdateAlertRules | Updates alert rules. |
arms:StartAlertRule | Enables an alert rule. |
arms:StopAlertRule | Disables an alert rule. |
arms:CreateContact | Creates an alert contact. |
arms:SearchContact | Queries an alert contact. |
arms:UpdateContact | Updates an alert contact. |
arms:CreateContactGroup | Creates an alert contact group. |
arms:SearchContactGroup | Queries an alert contact group. |
arms:UpdateContactGroup | Updates an alert contact group. |
xtrace-related permissions
Permission (Action) | Description |
--- | --- |
xtrace:GetToken |
AliyunCCCISDefaultRole
By default, an ACS cluster assumes this role to access your resources in cloud services, such as ECS, ACK, VPC, and SLB, and check the health status of Kubernetes and related components on a regular basis.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:DescribeInstances | Queries the details about one or more ECS instances. |
ecs:DescribeInstanceStatus | Queries the status information of multiple ECS instances. |
ecs:DescribeInstanceTypes | Queries the details about all instance types or a specified instance type provided by ECS. |
ecs:DescribeInstanceTypeFamilies | Queries the instance families provided by ECS. |
ecs:DescribeInstanceAttribute | Queries the details about an ECS instance. |
ecs:DescribeDiagnosticReports | Queries resource diagnostic reports. |
ecs:DescribeDiagnosticReportAttributes | Queries the details about a resource diagnostic report. |
ecs:DescribeDiagnosticMetricSets | Queries diagnostic metric sets. |
ecs:DescribeDiagnosticMetrics | Queries diagnostic metrics. |
ecs:DescribeSecurityGroupAttribute | Queries the rules of a security group. |
ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
ecs:DescribeSecurityGroupReferences | Checks whether a security group is referenced by other security groups. |
ecs:DescribeBandwidthLimitation | Queries the maximum public bandwidth that is available for purchase, upgrade, or downgrade when different instance types are involved. |
ecs:DescribeCloudAssistantStatus | Queries whether Cloud Assistant Agent is installed on one or more ECS instances. If Cloud Assistant Agent is installed, the system queries the total number of Cloud Assistant commands that have been run, the number of Cloud Assistant commands that are being run, and the time when Cloud Assistant commands were last run. |
ecs:DescribeCommands | Queries the Cloud Assistant commands that you created or the common Cloud Assistant commands that Alibaba Cloud provides. |
ecs:DescribeInvocationResults | Queries the result of running one or more Cloud Assistant commands on an ECS instance. |
ecs:CreateCommand | Creates a Cloud Assistant command. |
ecs:InvokeCommand | Triggers a Cloud Assistant command on one or more ECS instances. |
ecs:StopInvocation | Stops the process of a Cloud Assistant command that is running on one or more ECS instances. |
ecs:CreateDiagnosticReport | Creates a resource diagnostic report. Generates a diagnostic report for the diagnostic metric set specified by the MetricSetId parameter. |
ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |
ecs:RunCommand | Runs a shell, PowerShell, or batch script on one or more ECS instances. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVpcs | Queries created VPCs. |
vpc:DescribeVpcAttribute | Queries the configurations of a VPC. |
vpc:DescribeVSwitches | Queries the information about available vSwitches that are used for an internal network. |
vpc:DescribeVSwitchAttributes | Queries the configurations of a vSwitch. |
vpc:DescribeRouteTableList | Queries route tables. |
vpc:DescribeRouteEntryList | Queries route entries. |
vpc:DescribeNatGateways | Queries NAT gateways that meet specific conditions in a region. |
vpc:DescribeRouteTables | Queries route tables. |
vpc:DescribeSnatTableEntries | Queries the details about a network ACL. |
vpc:DescribeNetworkAcls | Queries network ACLs. |
vpc:DescribeNetworkAclAttributes | Queries the details about a network ACL. |
vpc:DescribeEipAddresses | Queries created EIPs in a region. |
SLB-related permissions
Permission (Action) | Description |
--- | --- |
slb:DescribeLoadBalancers | Queries created SLB instances. |
slb:DescribeLoadBalancerAttribute | Queries the details about an SLB instance. |
slb:DescribeVServerGroups | Queries vServer groups. |
slb:DescribeVServerGroupAttribute | Queries the details about a vServer group. |
slb:DescribeLoadBalancerTCPListenerAttribute | Queries the configurations of a TCP listener. |
slb:DescribeLoadBalancerUDPListenerAttribute | Queries the configurations of a UDP listener. |
slb:DescribeAccessControlLists | Queries created network ACLs. |
slb:DescribeAccessControlListAttribute | Queries the configurations of a network ACL. |
slb:DescribeLoadBalancerListeners | Queries the listeners of an SLB instance. |
slb:DescribeHealthStatus | Queries the health status of backend servers. |
SLS-related permissions
Permission (Action) | Description |
--- | --- |
sls:GetLogStore | Queries the details about a Logstore. |
ATP-related permissions
Permission (Action) | Description |
--- | --- |
grace:GetFile | Queries the information about a file. |
grace:AnalyzeFile | Analyzes a file. |
grace:UploadFileByOSS | Uploads files by using Object Storage Service (OSS). |
grace:UploadFileByURL | Uploads files by specifying URLs. |
CloudMonitor-related permissions
Permission (Action) | Description |
--- | --- |
cms:DescribeMetricData | Queries the monitoring data of a metric for a cloud service. |
cms:DescribeMetricLast | Queries the latest monitoring data of a metric. |
cms:DescribeMetricMetaList | Queries the details about metrics that are supported in CloudMonitor. |
cms:DescribeMetricTop | Queries the latest monitoring data of a metric for a cloud service and then queries the sorted monitoring data of the metric. |
cms:QueryMetricMeta | Queries the descriptions of time series metrics that are supported in CloudMonitor. |
cms:QueryMetricTop | Queries the top metrics. |
cms:ListMetricMeta | Lists data source metrics. |
cms:QueryMetricData | Queries the monitoring data of a time series metric of CloudMonitor in the specified period of time. |
cms:QueryMetricLast | Queries the latest monitoring data of a metric. |
cms:DescribeMetricList | Queries the monitoring data of a metric of an Alibaba Cloud service. |
cms:QueryMetricList | Queries the monitoring data of instances or clusters of a specific service within a period. |
cms:DescribeAlertLogList | Queries the alert logs within the last year. |
cms:DescribeSystemEventAttribute | Queries the details about a system event. |
ACK-related permissions
Permission (Action) | Description |
--- | --- |
cs:DescribeClusterDetail | Queries the details about a cluster by cluster ID. |
cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID. |
cs:DescribeTaskInfo | Queries the execution details about a task by task ID. |
cs:DescribeClusterAddonsUpgradeStatus | Queries the update progress of a component by component name. |
Resource Quota-related permissions
Permission (Action) | Description |
--- | --- |
quotas:ListProducts | Queries the Alibaba Cloud services that are supported by Quota Center. |
quotas:ListProductQuotas | Queries the quotas of an Alibaba Cloud service. |
quotas:ListProductQuotaDimensions | Queries the quota dimensions that are supported by an Alibaba Cloud service. |
quotas:GetProductQuota | Queries the details about a quota. |
quotas:GetProductQuotaDimension | Queries the details about a quota dimension that is supported by an Alibaba Cloud service. |
RAM-related permissions
Permission (Action) | Description |
--- | --- |
ram:CreateServiceLinkedRole | Creates a service-linked role. |
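A defender's check, added here as an example and not code from Alibaba Cloud's documentation: compare the policy document actually attached to one of these roles against the action list documented for it, and flag wildcard actions, actions outside the documented set, non-read-only actions such as ecs:RunCommand that deserve resource scoping and monitoring, and statements whose Resource is "*". The sample policy and the subset of AliyunCCCISDefaultRole actions embedded below are constructed; the policy layout follows the RAM policy document structure (Version, Statement, Effect, Action, Resource), and the same audit applies to any role on this page.

```python
"""Audit the RAM policy attached to an ACS default role against the
permission list documented for that role.

Added example; not Alibaba Cloud's code. The policy document follows the
RAM policy structure (Version / Statement / Effect / Action / Resource).
"""
import fnmatch
import json

# Subset of the actions documented for AliyunCCCISDefaultRole above
# (constructed sample; the full list is in the tables on this page).
DOCUMENTED_CIS_ACTIONS = [
    "ecs:DescribeInstances", "ecs:DescribeInstanceStatus",
    "ecs:DescribeSecurityGroups", "ecs:DescribeNetworkInterfaces",
    "ecs:CreateCommand", "ecs:InvokeCommand", "ecs:StopInvocation",
    "ecs:RunCommand", "ecs:CreateDiagnosticReport",
    "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
    "slb:DescribeLoadBalancers", "sls:GetLogStore",
    "ram:CreateServiceLinkedRole",
]

# Action-name prefixes treated as read-only for triage purposes.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Query", "Search")

# Constructed sample policy: one statement grants command execution on ECS,
# one uses a wildcard, one grants an action not documented for the role.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:DescribeInstanceStatus",
                    "ecs:RunCommand", "ecs:InvokeCommand"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "vpc:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Resource": "acs:oss:*:*:example-bucket/*"},
        {"Effect": "Deny", "Action": "ecs:DeleteInstance", "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """True if the API name after 'service:' starts with a read-only verb."""
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def expand_wildcards(pattern, known_actions):
    """Return the documented actions a wildcard such as 'vpc:Describe*' covers.
    Anything the wildcard also matches outside the documented list is granted
    too, which is why wildcards are reported separately by audit_policy()."""
    return sorted(a for a in known_actions if fnmatch.fnmatchcase(a, pattern))


def audit_policy(policy_json, documented_actions):
    """Compare the Allow statements of a RAM policy with the documented action list."""
    policy = json.loads(policy_json)
    documented = set(documented_actions)
    findings = {
        "wildcard_actions": [],             # patterns that may exceed the documented set
        "undocumented_actions": [],         # explicit actions not on the role's list
        "mutating_actions": [],             # non-read-only actions, e.g. ecs:RunCommand
        "unscoped_resource_statements": 0,  # Allow statements with Resource "*"
        "not_granted": [],                  # documented actions the policy omits
    }
    covered = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        if "*" in _as_list(stmt.get("Resource", [])):
            findings["unscoped_resource_statements"] += 1
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings["wildcard_actions"].append(action)
                covered.update(expand_wildcards(action, documented))
                continue
            covered.add(action)
            if action not in documented:
                findings["undocumented_actions"].append(action)
            if not is_read_only(action):
                findings["mutating_actions"].append(action)
    findings["not_granted"] = sorted(documented - covered)
    return findings


if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY, DOCUMENTED_CIS_ACTIONS).items():
        print(f"{key}: {value}")
```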
AliyunCCManagedAcrRole
By default, an ACS cluster assumes this role to access ACR and obtain a temporary username and password pair that is used to start an ACS pod.
CR-related permissions
Permission (Action) | Description |
--- | --- |
cr:GetAuthorizationToken | Queries a temporary username and password pair that is used to log on to a Container Registry instance. |
cr:ListInstanceEndpoint | Queries the endpoints of an instance. |
AliyunCCForResourceProviderRole
By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a pod is created.
ECS-related permissions
Permission (Action) | Description |
--- | --- |
ecs:CreateNetworkInterfacePermission | Creates an ENI. |
ecs:DeleteNetworkInterfacePermission | Deletes an ENI. |
ecs:CreateNetworkInterface | Creates an ENI. |
ecs:DeleteNetworkInterface | Deletes an ENI. |
ecs:DescribeSecurityGroups | Queries the basic information about security groups. |
ecs:DescribeNetworkInterfaces | Queries ENIs. |
ecs:CreateDisk | Creates a cloud disk. |
ecs:DescribeDisks | Queries cloud disks. |
ecs:AttachDisk | Attaches a cloud disk. |
ecs:DetachDisk | Detaches a cloud disk. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVSwitches | Queries created vSwitches. |
vpc:DescribeVpcs | Queries created VPCs. |
vpc:AllocateEipAddress | Applies for an EIP. |
vpc:AssociateEipAddress | Associates an EIP with an instance that resides in the same region as the EIP. |
vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
vpc:ReleaseEipAddress | Releases an EIP. |
AliyunCCManagedVirtualNodeRole
By default, an ACS cluster assumes this role to access resources in other Alibaba Cloud services when a virtual node is created.
PVTZ-related permissions
Permission (Action) | Description |
--- | --- |
pvtz:AddZone | Adds a zone. |
pvtz:DeleteZone | Deletes a zone. |
pvtz:DescribeZones | Queries zones. |
pvtz:BindZoneVpc | Associates a zone with a VPC. |
pvtz:AddZoneRecord | Adds a DNS record. |
pvtz:DeleteZoneRecord | Deletes a DNS record. |
pvtz:DescribeZoneRecords | Queries DNS records. |
VPC-related permissions
Permission (Action) | Description |
--- | --- |
vpc:DescribeVSwitches | Queries created vSwitches. |
AliyunCSDefaultRole
This role is a service-linked role of ACK. By default, ACS assumes this role to create, delete, or upgrade a Kubernetes cluster.
For more information about the service-linked role, see AliyunCSDefaultRole.