Use Terraform to activate ACK Edge and grant default roles for the first time

更新时间:
复制 MD 格式

The first time you use an ACK Edge cluster, you must grant it the default system roles. These roles allow the ACK Edge cluster to access other Alibaba Cloud services, such as ECS, OSS, NAS, and SLB, create resources, and save logs. This topic describes how to use Terraform to grant these default roles to Container Service.

Prerequisites

  • ACK is activated. If not already active, see Activate ACK via Terraform.

  • Your Alibaba Cloud account must have full permissions on all resources. If the credentials of your Alibaba Cloud account are leaked, you may face significant security risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey for the RAM user. For more information, see Create a RAM user and Create an AccessKey.

  • Attach the following least privilege policy to the RAM user that you use to run Terraform commands. This policy grants the RAM user permissions to manage the resources in this example. For more information, see Manage RAM user permissions.

    This access policy allows the RAM user to create, view, and delete VPCs, vSwitches, security groups, and ACK clusters.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:CreateVpc",
                    "vpc:CreateVSwitch",
                    "vpc:DescribeVpcAttribute",
                    "vpc:DescribeRouteTableList",
                    "vpc:DescribeVSwitchAttributes",
                    "ecs:CreateSecurityGroup",
                    "ecs:ModifySecurityGroupPolicy",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeSecurityGroupAttribute",
                    "ecs:ListTagResources",
                    "cs:CreateCluster",
                    "cs:DescribeTaskInfo",
                    "cs:DescribeClusterDetail",
                    "vpc:DeleteVpc",
                    "vpc:DeleteVSwitch",
                    "cs:DeleteCluster",
                    "ecs:DeleteSecurityGroup"
                ],
                "Resource": "*"
            }
        ]
    }
  • Prepare a Terraform environment. You can use one of the following methods to run Terraform.

    • Use Terraform in Terraform Explorer: Alibaba Cloud provides an online environment to run Terraform. You do not need to install Terraform. You can log on to use and try Terraform online. This method is suitable for scenarios where you want to try and debug Terraform quickly and conveniently at no cost.

    • Cloud Shell: Alibaba Cloud Cloud Shell has Terraform components pre-installed and identity credentials configured. You can run Terraform commands directly in Cloud Shell. This method is suitable for scenarios where you want to access and use Terraform quickly and conveniently at a low cost.

    • Install and configure Terraform on your local machine: This method is suitable for scenarios with poor network connectivity or when you need a custom development environment.

    Important

    Make sure that your Terraform version is 0.12.28 or later. You can run the terraform --version command to check the version.

Step 1: Create an ACK Edge cluster

ACK Edge is a commercial service. Before you can create an ACK Edge cluster, you must activate the service.

  1. Create a working directory, and then create a configuration file named main.tf in the directory.

  2. Copy the following code to the main.tf file.

    Click to view the main.tf file used in this topic

    provider "alicloud" {   
    }
    
    // Activate ACK Edge.
    data "alicloud_ack_service" "open" {
        enable = "On"
        type   = "edgepayasgo"
    }
  3. Run the following command to initialize the Terraform runtime environment.

    terraform init

    The following output indicates that the initialization is successful.

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has been successfully initialized!
    ...
  4. Run the following command to activate ACK Edge.

    terraform apply

    The following output indicates that the service is activated.

    data.alicloud_ack_service.open: Refreshing state...
    
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Step 2: Grant roles

When you use an ACK Edge cluster for the first time, you must grant the default system roles to the service account.

  1. Add the following code to the main.tf file.

    Note

    Terraform cannot automatically detect whether a role exists. You must manually query for role information and then grant the required roles to your account.

    // Check if the role exists.
    data "alicloud_ram_roles" "roles" {
        policy_type = "System"
    }
    
    // List the roles that are fully granted to the account.
    output "exist_role" {
      value = data.alicloud_ram_roles.roles
    }

    Run the following command to query the roles that are granted to your account.

    terraform apply

    The following output is returned.

    No changes. Your infrastructure matches the configuration.
    
    Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
    
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
    
    Outputs:
    ...
    exist_role = {
      "id" = "1788****59"
      "ids" = tolist([
        "3009617019****1438",
        "3023233020****0278",
        "3302003419****4675",
        "3178548808****5924",
        "3371411011****5177",
        "3475619590****3519",
      ])
      "name_regex" = tostring(null)
      "names" = tolist([
        "AliyunCASDefaultRole",
        "AliyunContainerRegistryDefaultRole",
        "AliyunCSDefaultRole",
        "AliyunCSKubernetesAuditRole",
        "AliyunCSManagedArmsRole",
        "AliyunCSManagedCmsRole",
        "AliyunCSManagedCsiRole",
        "AliyunCSManagedKubernetesRole",
        "AliyunCSManagedLogRole",
        "AliyunCSManagedNetworkRole",
        "AliyunCSServerlessKubernetesRole",
        "AliyunServiceRoleForCSB",
        "AliyunServiceRoleForECI",
        "AliyunServiceRoleForGws",
        "AliyunServiceRoleForResourceDirectory",
        "AliyunServiceRoleForServiceMesh",
      ])
      "output_file" = tostring(null)
      "policy_name" = tostring(null)
      "policy_type" = "System"
      "roles" = tolist([
        {
          "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole"
          "assume_role_policy_document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cas.aliyuncs.com"]}}],
              "Version": "1"}
          EOT
          "create_date" = "2023-07-17T03:27:28Z"
          "description" = "Alibaba Cloud Certificate Service (CAS) uses this role by default to access your resources in other cloud products."
          "document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cas.aliyuncs.com"]}}],
              "Version": "1"}
          EOT
          "id" = "300961701980****"
          "name" = "AliyunCASDefaultRole"
          "update_date" = "2023-07-17T03:27:28Z"
        },
        {
          "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole"
          "assume_role_policy_document" = <<-EOT
          {
              "Statement": [{
                      "Action": "sts:AssumeRole",
                      "Effect": "Allow",
                      "Principal": {"Service": ["cr.aliyuncs.com"]}}],
              "Version": "1"}
          "id" = "3502335964487******"
          "name" = "AliyunServiceRoleForServiceMesh"
          "update_date" = "2022-09-27T10:26:50Z"
        },
      ])
    }
  2. In the main.tf file, replace the content with the following authorization template.

    Note

    This template grants permissions based on service roles and uses variables to specify properties such as the name and policy for each role. To adjust role authorizations, see Optional roles and the roles that you queried in Step 2: Grant roles. In the default = [] section of the template, you can add or delete roles as needed. This helps prevent duplicate or missed authorizations.

    Click to view details of all roles

    provider "alicloud" {
    }
    
    // Create roles.
    resource "alicloud_ram_role" "role" {
      for_each    = { for r in var.roles : r.name => r }
      name        = each.value.name
      document    = each.value.policy_document
      description = each.value.description
      force       = true
    }
    
    // Attach system policies to the roles.
    resource "alicloud_ram_role_policy_attachment" "attach" {
      for_each    = { for r in var.roles : r.name => r }
      policy_name = each.value.policy_name
      policy_type = "System"
      role_name   = each.value.name
      depends_on  = [alicloud_ram_role.role]
    }
    
    // Required roles.
    variable "roles" {
      type = list(object({
        name            = string
        policy_document = string
        description     = string
        policy_name     = string
      }))
      default = [
        {
          name            = "AliyunCSManagedLogRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The log component of the cluster uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedLogRolePolicy"
        },
        {
          name            = "AliyunCSManagedCmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The CMS component of the cluster uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedCmsRolePolicy"
        },
        {
          name            = "AliyunCSManagedCsiRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The storage plugin of the cluster uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedCsiRolePolicy"
        },
        {
          name            = "AliyunCSServerlessKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The cluster uses this role by default to access your resources in other cloud products."
          policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSKubernetesAuditRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The cluster audit feature uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSKubernetesAuditRolePolicy"
        },
        {
          name            = "AliyunCSManagedNetworkRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The network component of the cluster uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedNetworkRolePolicy"
        },
        {
          name            = "AliyunCSDefaultRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The cluster uses this role by default during operations to access your resources in other cloud products."
          policy_name     = "AliyunCSDefaultRolePolicy"
        },
        {
          name            = "AliyunCSManagedKubernetesRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The cluster uses this role by default to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedKubernetesRolePolicy"
        },
        {
          name            = "AliyunCSManagedArmsRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The ARMS plugin of the cluster uses this role to access your resources in other cloud products."
          policy_name     = "AliyunCSManagedArmsRolePolicy"
        },
        {
          name            = "AliyunCSManagedEdgeRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "The control plane component of the cluster uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN)."
          policy_name     = "AliyunCSManagedEdgeRolePolicy"
        },
        {
          name            = "AliyunOOSLifecycleHook4CSRole"
          policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
          description     = "CloudOps Orchestration Service (OOS) uses this role to access your resources in services such as clusters, ECS, and PolarDB."
          policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"
        }
      ]
    }
  3. Run the following command to initialize the Terraform runtime environment.

    terraform init

    The following output indicates that the initialization is successful.

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has created a lock file .terraform.lock.hcl to record the providerselections it made above. Include this file in your version control repositoryso that Terraform can guarantee to make the same selections by default whenyou run "terraform init" in the future.
    Terraform has been successfully initialized!
    ...
  4. Run the following command to grant the roles to your account.

    terraform apply

    The system displays the following information. To grant the authorization, enter yes and press Enter.

    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]: Creating...
    alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]: Creation complete after 0s [id=role:AliyunCSManagedEdgeRolePolicy:System:AliyunCSManagedEdgeRole]
    ...
  5. Run the following command to view the existing roles.

    terraform show

    The output lists all roles that are granted to the account. This indicates that the role authorization is complete.

    # alicloud_ram_role.role["AliyunCSManagedEdgeRole"]:
    resource "alicloud_ram_role" "role" {
        arn                  = "acs:ram::10051XXXXXX30:role/aliyuncsmanagededgerole"
        description          = "The control plane component of the cluster uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN)."
    ......
    }
    
    # alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]:
    resource "alicloud_ram_role_policy_attachment" "attach" {
        id          = "role:AliyunCSManagedEdgeRolePolicy:System:AliyunCSManagedEdgeRole"
        policy_name = "AliyunCSManagedEdgeRolePolicy"
        policy_type = "System"
        role_name   = "AliyunCSManagedEdgeRole"
    .....
    }

Service roles

AliyunCSManagedLogRole

  • Description:

    The log component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Simple Log Service (SLS).

  • Authorization code:

    {
      name            = "AliyunCSManagedLogRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The log component of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedLogRolePolicy"
    }

AliyunCSManagedCmsRole

  • Description:

    The monitoring component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in CloudMonitor (CMS) and SLS.

  • Authorization code:

    {
      name            = "AliyunCSManagedCmsRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The CMS component of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedCmsRolePolicy"
    }

AliyunCSManagedCsiRole

  • Description:

    The storage component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in services such as ECS, NAS, and OSS.

  • Authorization code:

    {
      name            = "AliyunCSManagedCsiRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The storage plugin of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedCsiRolePolicy"
    }

AliyunCSServerlessKubernetesRole

  • Description:

    ACK Edge clusters and ACK serverless clusters use this role to access your resources in services such as ECS, VPC, SLB, and PrivateZone.

  • Authorization code:

    {
      name            = "AliyunCSServerlessKubernetesRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The cluster uses this role by default to access your resources in other cloud products."
      policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
    }

AliyunCSKubernetesAuditRole

  • Description:

    The audit feature component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in SLS.

  • Authorization code:

    {
      name            = "AliyunCSKubernetesAuditRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The cluster audit feature uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSKubernetesAuditRolePolicy"
    }

AliyunCSManagedNetworkRole

  • Description:

    The network component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ECS and VPC.

  • Authorization code:

    {
      name            = "AliyunCSManagedNetworkRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The network component of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedNetworkRolePolicy"
    }

AliyunCSDefaultRole

  • Description:

    Container Service for Kubernetes uses this role during control plane operations to access your resources in services such as ECS, VPC, SLB, ROS, and ESS.

  • Authorization code:

    {
      name            = "AliyunCSDefaultRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The cluster uses this role by default during operations to access your resources in other cloud products."
      policy_name     = "AliyunCSDefaultRolePolicy"
    }

AliyunCSManagedKubernetesRole

  • Description:

    ACK managed clusters and ACK Edge clusters use this role to access your resources in services such as ECS, VPC, SLB, and Container Registry (ACR).

  • Authorization code:

    {
      name            = "AliyunCSManagedKubernetesRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The cluster uses this role by default to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedKubernetesRolePolicy"
    }

AliyunCSManagedArmsRole

  • Description:

    The Application Real-Time Monitoring Service (ARMS) component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ARMS.

  • Authorization code:

    {
      name            = "AliyunCSManagedArmsRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The ARMS plugin of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedArmsRolePolicy"
    }

Optional roles

AliyunCISDefaultRole

  • Description:

    The ACK Container Intelligence Service (CIS) uses this role to access your resources in services such as ECS, VPC, and SLB to provide features such as diagnostics and inspection.

  • Authorization code:

    {
      name            = "AliyunCISDefaultRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "Container Service (CS) Intelligence uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCISDefaultRolePolicy"
    }

AliyunCSManagedAcrRole

  • Description:

    The passwordless image pulling component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ACR.

  • Authorization code:

    {
      name            = "AliyunCSManagedAcrRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The passwordless image pulling plugin of the cluster uses this role to access your resources in the ACR service."
      policy_name     = "AliyunCSManagedAcrRolePolicy"
    }

AliyunCSManagedNlcRole

  • Description:

    The node lifecycle controller of ACK managed clusters and ACK Edge clusters uses this role to access your ECS and ACK node pool resources.

  • Authorization code:

    {
      name            = "AliyunCSManagedNlcRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The control component of the managed node pool of the cluster uses this role to access your ECS and ACK node pool resources."
      policy_name     = "AliyunCSManagedNlcRolePolicy"
    }

AliyunCSManagedAutoScalerRole

  • Description:

    The Auto Scaling component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ESS and ECS.

  • Authorization code:

    {
      name            = "AliyunCSManagedAutoScalerRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The Auto Scaling component of the cluster uses this role to access your resources in other cloud products."
      policy_name     = "AliyunCSManagedAutoScalerRolePolicy"
    }

AliyunCSManagedSecurityRole

  • Description:

    The component for encryption at rest and credential management of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Key Management Service (KMS).

  • Authorization code:

    {
      name            = "AliyunCSManagedSecurityRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The encryption at rest plugin of the cluster uses this role to access your resources in the KMS service."
      policy_name     = "AliyunCSManagedSecurityRolePolicy"
    }

AliyunCSManagedCostRole

  • Description:

    The cost analysis component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in the billing management API, ECS, and ECI.

  • Authorization code:

    {
      name            = "AliyunCSManagedCostRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The cost analysis component of the cluster uses this role to access your resources in the billing management API, ECS, and ECI services."
      policy_name     = "AliyunCSManagedCostRolePolicy"
    }

AliyunCSManagedNimitzRole

  • Description:

    The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN).

  • Authorization code:

    {
      name            = "AliyunCSManagedNimitzRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The network component of ACK LINGJUN clusters uses this role to access your resources in the Intelligent Computing LINGJUN service."
      policy_name     = "AliyunCSManagedNimitzRolePolicy"
    }

AliyunCSManagedBackupRestoreRole

  • Description:

    The backup center service component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Cloud Backup and OSS.

  • Authorization code:

    {
      name            = "AliyunCSManagedBackupRestoreRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The backup center component of the cluster uses this role to access your resources in the Cloud Backup and OSS services."
      policy_name     = "AliyunCSManagedBackupRestoreRolePolicy"
    }

AliyunCSManagedEdgeRole

  • Description:

    The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN).

  • Authorization code:

    {
      name            = "AliyunCSManagedEdgeRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN)."
      policy_name     = "AliyunCSManagedEdgeRolePolicy"
    }

AliyunCSManagedCsiProvisionerRole

  • Description:

    The storage component (the csi-provisioner managed component) of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in services such as ECS, NAS, and OSS.

    Authorization code:

    {
      name            = "AliyunCSManagedCsiProvisionerRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "The storage component (new csi-provisioner component) of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in the ECS, NAS, and OSS services."
      policy_name     = "AliyunCSManagedCsiProvisionerRolePolicy"
    }

AliyunOOSLifecycleHook4CSRole

  • Description:

    CloudOps Orchestration Service (OOS) uses this role to access your resources in services such as Container Service for Kubernetes, ECS, and PolarDB.

  • Authorization code:

    {
      name            = "AliyunOOSLifecycleHook4CSRole"
      policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
      description     = "Node pool scaling depends on the OOS service. OOS uses this role to access your resources in other cloud products."
      policy_name     = "AliyunOOSLifecycleHook4CSRolePolicy"
    }