全部产品
Search
文档中心

容器服务 Kubernetes 版 ACK:ACK One服务角色策略内容

更新时间:Mar 27, 2024

服务角色是某个云服务在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。您需要为ACK One服务账号授予对应的服务角色才能正常使用ACK One功能。本文为您介绍ACK One支持的服务角色以及角色的策略内容。

授权操作

仅在第一次使用ACK One服务时需要授权,使用阿里云账号(主账号)或者RAM管理员账号(子账号)授权一次即可。

服务角色无需手动创建,您在首次使用ACK One控制台和相关功能时,控制台界面会自动弹出授权提示,您只需要按照提示操作即可完成自动授权。

重要

仅阿里云账号(主账号)或RAM管理员账号可以完成服务角色的自动授权,普通RAM用户没有授权操作的权限。如果您在操作时系统提示权限不足,请将账号切换到阿里云(主账号)或RAM管理员账号完成授权。

服务关联角色

角色名称

角色权限说明

AliyunServiceRoleForAdcp

  • ACK One在集群管控操作中使用该角色访问您在ECS、VPC、SLB等相关云服务中的资源。

  • 必须授予该角色的权限,才能正常使用ACK One功能。

AliyunAdcpServerlessKubernetesRole

  • ACK One多集群舰队和分布式工作流Argo集群需要使用该角色,访问VPC、ECS、PrivateZone、ECI、SLS等服务中的资源。

  • 必须授予该角色的权限,才能正常使用ACK One功能。

AliyunAdcpManagedMseRole

  • ACK One多集群舰队需要使用该角色访问MSE等服务中的资源。

  • 该角色权限仅在使用多集群网关功能时需要授权,未授权不影响其他功能使用。

角色策略内容

AliyunServiceRoleForAdcp

ECS相关权限

  • ecs:CreateSecurityGroup

  • ecs:CreateSecurityGroupPermissions

  • ecs:DeleteSecurityGroup

  • ecs:DescribeAccountAttributes

  • ecs:DescribeSecurityGroups

  • ecs:AuthorizeSecurityGroup

  • ecs:RevokeSecurityGroup

  • ecs:AuthorizeSecurityGroupEgress

  • ecs:RevokeSecurityGroupEgress

  • ecs:DescribeNetworkInterfaces

  • ecs:DescribeZones

VPC相关权限

  • vpc:DescribeVpcAttribute

  • vpc:DescribeVSwitchAttributes

  • vpc:AllocateEipAddress

  • vpc:AssociateEipAddress

  • vpc:UnassociateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:DescribeEipAddresses

  • vpc:TagResources

  • vpc:DeletionProtection

  • vpc:DescribeRouteTableList

  • vpc:CreateRouteEntry

  • vpc:DeleteeRouteEntry

  • vpc:AcceptVpcPeerConnection

  • vpc:GetVpcPeerConnectionAttribute

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

CEN相关权限

  • cen:DescribeCenAttachedChildInstances

  • cen:DescribeCens

SLB相关权限

  • slb:DescribeLoadBalancerAttribute

  • slb:CreateLoadBalancer

  • slb:DeleteLoadBalancer

  • slb:StartLoadBalancerListener

  • slb:StopLoadBalancerListener

  • slb:CreateLoadBalancerTCPListener

  • slb:CreateLoadBalancerHTTPListener

  • slb:DeleteLoadBalancerListener

  • slb:AddTags

  • slb:RemoveTags

  • slb:SetLoadBalancerDeleteProtection

  • slb:SetLoadBalancerModificationProtection

  • slb:DescribeZones

  • slb:CreateAccessControlList

  • slb:DescribeAccessControlLists

  • slb:AddAccessControlListEntry

  • slb:RemoveAccessControlListEntry

  • slb:SetLoadBalancerTCPListenerAttribute

服务网格相关权限

  • servicemesh:CreateServiceMesh

  • servicemesh:DeleteServiceMesh

  • servicemesh:DescribeServiceMeshDetail

  • servicemesh:DescribeServiceMeshes

  • servicemesh:DescribeServiceMeshKubeconfig

  • servicemesh:DescribeServiceMeshLogs

  • servicemesh:ModifyServiceMesh

  • servicemesh:ModifyServiceMeshName

  • servicemesh:DescribeClustersInServiceMesh

  • servicemesh:AddClusterIntoServiceMesh

  • servicemesh:RemoveClusterFromServiceMesh

  • servicemesh:UpdateMeshFeature

  • servicemesh:DescribeRegions

  • servicemesh:DescribeServiceMeshUpgradeStatus

  • servicemesh:DescribeVersions

  • servicemesh:RevokeKubeconfig

  • servicemesh:UpdateServiceMeshOwner

RAM相关权限

  • ram:CreateApplication

  • ram:ListApplications

  • ram:ListAppSecretIds

  • ram:GetApplication

  • ram:UpdateApplication

  • ram:CreateAppSecret

  • ram:GetAppSecret

  • ram:DeleteApplication

  • ram:DeleteAppSecret

  • ram:CreateApplication

  • ram:ListApplications

  • ram:ListAppSecretIds

  • ram:CreateServiceLinkedRole

ARMS相关权限

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

AliyunAdcpServerlessKubernetesRole

VPC相关权限

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

  • vpc:AssociateEipAddress

  • vpc:DescribeEipAddresses

  • vpc:AllocateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:AddCommonBandwidthPackageIp

  • vpc:RemoveCommonBandwidthPackageIp

ECS 相关权限

  • ecs:DescribeSecurityGroups

  • ecs:CreateNetworkInterface

  • ecs:CreateNetworkInterfacePermission

  • ecs:DescribeNetworkInterfaces

  • ecs:AttachNetworkInterface

  • ecs:DetachNetworkInterface

  • ecs:DeleteNetworkInterface

  • ecs:DeleteNetworkInterfacePermission

ARMS相关权限

  • arms:GetManagedPrometheusStatus

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

云解析相关权限

  • pvtz:AddZone

  • pvtz:DeleteZone

  • pvtz:DescribeZones

  • pvtz:DescribeZoneInfo

  • pvtz:BindZoneVpc

  • pvtz:AddZoneRecord

  • pvtz:DeleteZoneRecord

  • pvtz:DeleteZoneRecordsByRR

  • pvtz:DescribeZoneRecordsByRR

  • pvtz:DescribeZoneRecords

ECI相关权限

  • eci:CreateContainerGroup

  • eci:DeleteContainerGroup

  • eci:DescribeContainerGroups

  • eci:DescribeContainerGroupStatus

  • eci:DescribeContainerGroupEvents

  • eci:DescribeContainerLog

  • eci:UpdateContainerGroup

  • eci:UpdateContainerGroupByTemplate

  • eci:CreateContainerGroupFromTemplate

  • eci:RestartContainerGroup

  • eci:ExportContainerGroupTemplate

  • eci:DescribeContainerGroupMetric

  • eci:DescribeMultiContainerGroupMetric

  • eci:ResizeContainerGroupVolume

  • eci:ExecContainerCommand

  • eci:CreateImageCache

  • eci:DescribeImageCaches

  • eci:DeleteImageCache

日志服务相关权限

  • log:CreateProject

  • log:GetProject

  • log:DeleteProject

  • log:CreateLogStore

  • log:GetLogStore

  • log:UpdateLogStore

  • log:DeleteLogStore

  • log:CreateConfig

  • log:UpdateConfig

  • log:GetConfig

  • log:DeleteConfig

  • log:CreateMachineGroup

  • log:UpdateMachineGroup

  • log:GetMachineGroup

  • log:DeleteMachineGroup

  • log:ApplyConfigToGroup

  • log:GetAppliedMachineGroups

  • log:GetAppliedConfigs

  • log:RemoveConfigFromMachineGroup

  • log:CreateIndex

  • log:GetIndex

  • log:UpdateIndex

  • log:DeleteIndex

  • log:CreateSavedSearch

  • log:GetSavedSearch

  • log:UpdateSavedSearch

  • log:DeleteSavedSearch

  • log:CreateDashboard

  • log:GetDashboard

  • log:UpdateDashboard

  • log:DeleteDashboard

  • log:CreateJob

  • log:GetJob

  • log:DeleteJob

  • log:PostLogStoreLogs

  • log:UpdateJob

RAM相关权限

ram:CreateServiceLinkedRole

AliyunAdcpManagedMseRole

MSE相关权限

  • mse:AddBlackWhiteList

  • mse:AddGateway

  • mse:AddServiceSource

  • mse:CreateApplication

  • mse:DeleteGateway

  • mse:DeleteServiceSource

  • mse:GetBlackWhiteList

  • mse:GetGateway

  • mse:GetGatewayDetail

  • mse:GetGatewayOption

  • mse:ListServiceSource

  • mse:ListTagResources

  • mse:ModifyLosslessRule

  • mse:TagResources

  • mse:UntagResources

  • mse:UpdateBlackWhiteList

  • mse:UpdateGatewayOption

  • mse:UpdateServiceSource

日志服务相关权限

  • log:CloseProductDataCollection

  • log:OpenProductDataCollection

  • log:GetProductDataCollection

RAM相关权限

ram:CreateServiceLinkedRole

相关文档