All Products
Search
Document Center

Container Service for Kubernetes:Service-linked role for ACK One and the permissions of the role

最終更新日:Apr 22, 2024

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement specific features. In this case, the Alibaba Cloud service must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a Resource Access Management (RAM) role. To use all features provided by Distributed Cloud Container Platform for Kubernetes (ACK One), you must assign the required service-linked role to ACK One. This topic introduces the service-linked role for ACK One and describes the permissions of the role.

How to assign the service-linked role

If this is the first time you use ACK One, you need to complete authorization with an Alibaba Cloud account or RAM account administrator.

You do not need to manually create service-linked roles. During the first time you use the ACK One console and relevant features, the console prompts you to complete the authorization first. You need only to follow the on-screen instructions to complete the authorization.

Important

Only Alibaba Cloud accounts and RAM account administrators can complete service-linked role authorization. Regular RAM users are not allowed to perform this operation. If the system prompts that you do not have the permissions, use an Alibaba Cloud account or RAM account administrator.

Service-linked role for ACK One

Role name

Permission

AliyunServiceRoleForAdcp

  • ACK One can assume this role to access your cloud resources during cluster management, such as resources in Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Server Load Balancer (SLB).

  • To use features provided by ACK One, this role is required.

AliyunAdcpServerlessKubernetesRole

  • Fleet instances and Kubernetes clusters for distributed Argo workflows of ACK One assume this role to access cloud resources in VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service.

  • To use features provided by ACK One, this role is required.

AliyunAdcpManagedMseRole

  • Fleet instances of ACK One assume this role to access resources in Microservices Engine (MSE).

  • This role is required when you use multi-cluster gateways. This role does not affect the use of other features.

Permissions of the service-linked role

AliyunServiceRoleForAdcp

ECS-related permissions

  • ecs:CreateSecurityGroup

  • ecs:CreateSecurityGroupPermissions

  • ecs:DeleteSecurityGroup

  • ecs:DescribeAccountAttributes

  • ecs:DescribeSecurityGroups

  • ecs:AuthorizeSecurityGroup

  • ecs:RevokeSecurityGroup

  • ecs:AuthorizeSecurityGroupEgress

  • ecs:RevokeSecurityGroupEgress

  • ecs:DescribeNetworkInterfaces

  • ecs:DescribeZones

VPC-related permissions

  • vpc:DescribeVpcAttribute

  • vpc:DescribeVSwitchAttributes

  • vpc:AllocateEipAddress

  • vpc:AssociateEipAddress

  • vpc:UnassociateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:DescribeEipAddresses

  • vpc:TagResources

  • vpc:DeletionProtection

  • vpc:DescribeRouteTableList

  • vpc:CreateRouteEntry

  • vpc:DeleteeRouteEntry

  • vpc:AcceptVpcPeerConnection

  • vpc:GetVpcPeerConnectionAttribute

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

CEN-related permissions

  • cen:DescribeCenAttachedChildInstances

  • cen:DescribeCens

SLB-related permissions

  • slb:DescribeLoadBalancerAttribute

  • slb:CreateLoadBalancer

  • slb:DeleteLoadBalancer

  • slb:StartLoadBalancerListener

  • slb:StopLoadBalancerListener

  • slb:CreateLoadBalancerTCPListener

  • slb:CreateLoadBalancerHTTPListener

  • slb:DeleteLoadBalancerListener

  • slb:AddTags

  • slb:RemoveTags

  • slb:SetLoadBalancerDeleteProtection

  • slb:SetLoadBalancerModificationProtection

  • slb:DescribeZones

  • slb:CreateAccessControlList

  • slb:DescribeAccessControlLists

  • slb:AddAccessControlListEntry

  • slb:RemoveAccessControlListEntry

  • slb:SetLoadBalancerTCPListenerAttribute

ASM-related permissions

  • servicemesh:CreateServiceMesh

  • servicemesh:DeleteServiceMesh

  • servicemesh:DescribeServiceMeshDetail

  • servicemesh:DescribeServiceMeshes

  • servicemesh:DescribeServiceMeshKubeconfig

  • servicemesh:DescribeServiceMeshLogs

  • servicemesh:ModifyServiceMesh

  • servicemesh:ModifyServiceMeshName

  • servicemesh:DescribeClustersInServiceMesh

  • servicemesh:AddClusterIntoServiceMesh

  • servicemesh:RemoveClusterFromServiceMesh

  • servicemesh:UpdateMeshFeature

  • servicemesh:DescribeRegions

  • servicemesh:DescribeServiceMeshUpgradeStatus

  • servicemesh:DescribeVersions

  • servicemesh:RevokeKubeconfig

  • servicemesh:UpdateServiceMeshOwner

RAM-related Permissions

  • ram:CreateApplication

  • ram:ListApplications

  • ram:ListAppSecretIds

  • ram:GetApplication

  • ram:UpdateApplication

  • ram:CreateAppSecret

  • ram:GetAppSecret

  • ram:DeleteApplication

  • ram:DeleteAppSecret

  • ram:CreateApplication

  • ram:ListApplications

  • ram:ListAppSecretIds

  • ram:CreateServiceLinkedRole

ARMS-related Permissions

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

AliyunAdcpServerlessKubernetesRole

VPC-related permissions

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

  • vpc:AssociateEipAddress

  • vpc:DescribeEipAddresses

  • vpc:AllocateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:AddCommonBandwidthPackageIp

  • vpc:RemoveCommonBandwidthPackageIp

ECS-related permissions

  • ecs:DescribeSecurityGroups

  • ecs:CreateNetworkInterface

  • ecs:CreateNetworkInterfacePermission

  • ecs:DescribeNetworkInterfaces

  • ecs:AttachNetworkInterface

  • ecs:DetachNetworkInterface

  • ecs:DeleteNetworkInterface

  • ecs:DeleteNetworkInterfacePermission

ARMS-related permissions

  • arms:GetManagedPrometheusStatus

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

Alibaba Cloud DNS PrivateZone-related permissions

  • pvtz:AddZone

  • pvtz:DeleteZone

  • pvtz:DescribeZones

  • pvtz:DescribeZoneInfo

  • pvtz:BindZoneVpc

  • pvtz:AddZoneRecord

  • pvtz:DeleteZoneRecord

  • pvtz:DeleteZoneRecordsByRR

  • pvtz:DescribeZoneRecordsByRR

  • pvtz:DescribeZoneRecords

Elastic Container Instance-related permissions

  • eci:CreateContainerGroup

  • eci:DeleteContainerGroup

  • eci:DescribeContainerGroups

  • eci:DescribeContainerGroupStatus

  • eci:DescribeContainerGroupEvents

  • eci:DescribeContainerLog

  • eci:UpdateContainerGroup

  • eci:UpdateContainerGroupByTemplate

  • eci:CreateContainerGroupFromTemplate

  • eci:RestartContainerGroup

  • eci:ExportContainerGroupTemplate

  • eci:DescribeContainerGroupMetric

  • eci:DescribeMultiContainerGroupMetric

  • eci:ResizeContainerGroupVolume

  • eci:ExecContainerCommand

  • eci:CreateImageCache

  • eci:DescribeImageCaches

  • eci:DeleteImageCache

Simple Log Service-related permissions

  • log:CreateProject

  • log:GetProject

  • log:DeleteProject

  • log:CreateLogStore

  • log:GetLogStore

  • log:UpdateLogStore

  • log:DeleteLogStore

  • log:CreateConfig

  • log:UpdateConfig

  • log:GetConfig

  • log:DeleteConfig

  • log:CreateMachineGroup

  • log:UpdateMachineGroup

  • log:GetMachineGroup

  • log:DeleteMachineGroup

  • log:ApplyConfigToGroup

  • log:GetAppliedMachineGroups

  • log:GetAppliedConfigs

  • log:RemoveConfigFromMachineGroup

  • log:CreateIndex

  • log:GetIndex

  • log:UpdateIndex

  • log:DeleteIndex

  • log:CreateSavedSearch

  • log:GetSavedSearch

  • log:UpdateSavedSearch

  • log:DeleteSavedSearch

  • log:CreateDashboard

  • log:GetDashboard

  • log:UpdateDashboard

  • log:DeleteDashboard

  • log:CreateJob

  • log:GetJob

  • log:DeleteJob

  • log:PostLogStoreLogs

  • log:UpdateJob

RAM-related Permissions

ram:CreateServiceLinkedRole

AliyunAdcpManagedMseRole

MSE-related permissions

  • mse:AddBlackWhiteList

  • mse:AddGateway

  • mse:AddServiceSource

  • mse:CreateApplication

  • mse:DeleteGateway

  • mse:DeleteServiceSource

  • mse:GetBlackWhiteList

  • mse:GetGateway

  • mse:GetGatewayDetail

  • mse:GetGatewayOption

  • mse:ListServiceSource

  • mse:ListTagResources

  • mse:ModifyLosslessRule

  • mse:TagResources

  • mse:UntagResources

  • mse:UpdateBlackWhiteList

  • mse:UpdateGatewayOption

  • mse:UpdateServiceSource

Simple Log Service-related permissions

  • log:CloseProductDataCollection

  • log:OpenProductDataCollection

  • log:GetProductDataCollection

RAM-related permissions

ram:CreateServiceLinkedRole

References