Container Service for Kubernetes (ACK) depends on multiple Alibaba Cloud services. When a Resource Access Management (RAM) user accesses the ACK console, certain features require permissions on those dependent services. Use the table below to look up the system policy each feature needs.
This table covers only the permissions on the other cloud services that ACK depends on. To manage ACK itself, the RAM user must also be granted the AliyunCSFullAccess system policy or an equivalent custom policy. For more information, see Grant permissions to clusters and cloud resources using RAM.
Following the principle of least privilege, grant read-only permissions on dependent cloud services by default, and grant create permissions on cloud resources only when the console has to create the resource for you. For example, if you choose Select Existing VPC when creating a cluster, the RAM user needs only read-only permissions on VPC.
RAM policies govern access to cloud resources only. After configuring the permissions for the dependent cloud services, you must also use Kubernetes Role-Based Access Control (RBAC) to authorize operations on resources inside the cluster; otherwise the RAM user cannot manage the cluster's internal resources.
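The following script is an added example, not code from the Alibaba Cloud documentation. It shows one way to turn the lookup table on this page into a least-privilege RAM custom policy: the action names are copied from the table, while the feature keys (`create-cluster`, `cluster-inspection`, `node-pool-add-existing`), the read/create split, and the function names are this example's own conventions. `build_policy` emits only read-only actions unless `allow_create=True` is passed, and `write_actions` reports any action in a finished policy that creates or modifies a resource, which is the check to run before attaching the policy to a RAM user.

```python
"""Compose a least-privilege RAM custom policy for an ACK console user.

Added example, not part of the Alibaba Cloud documentation. Action names are
copied from the permission table on this page; the feature keys, function
names and the read/create split are this example's own conventions.
"""
import json
import re

# Actions per console feature, taken from the table on this page. Each entry
# separates the read-only actions (enough to select EXISTING resources) from
# the create actions (needed only when the console creates the resource).
FEATURE_ACTIONS = {
    "create-cluster": {
        "read": [
            "bssapi:GetPayAsYouGoPrice",
            "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
            "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerListeners",
            "ecs:DescribeSecurityGroups", "ecs:DescribePrice", "ecs:DescribeImages",
            "ecs:DescribeKeyPairs", "ecs:DescribeDeploymentSets",
            "kms:ListKeys", "ess:DescribePatternTypes", "rds:DescribeDBInstances",
            "alb:ListLoadBalancers", "mse:ListGateway", "log:ListProject",
        ],
        "create": [
            "vpc:CreateVpc", "vpc:CreateVSwitch", "slb:CreateLoadBalancer",
            "ecs:CreateSecurityGroup", "alb:CreateLoadBalancer",
            "mse:AddGateway", "log:CreateProject",
        ],
    },
    "cluster-inspection": {"read": ["ram:GetRole"], "create": []},
    "node-pool-add-existing": {
        "read": ["ecs:DescribeInstances", "ecs:DescribeSecurityGroups"],
        "create": [],
    },
}

# The one action in the table that is scoped to a named resource instead of "*".
RESOURCE_SCOPE = {"ram:GetRole": "acs:ram:*:*:role/aliyuncisdefaultrole"}

# Verb prefixes that mutate cloud resources; everything else is treated as read-only.
_WRITE_VERB = re.compile(r"^[a-z-]+:(Create|Add|Update|Delete|Export|Ignore|Attach|Detach)")


def build_policy(features, allow_create=False):
    """Return a RAM policy document (dict) covering the requested features.

    With allow_create=False only read-only actions are included, which is what
    the page recommends when the user selects existing VPCs, vSwitches,
    security groups and load balancers instead of creating them.
    """
    actions = set()
    for name in features:
        spec = FEATURE_ACTIONS[name]
        actions.update(spec["read"])
        if allow_create:
            actions.update(spec["create"])

    # One Allow statement per distinct Resource scope.
    by_resource = {}
    for action in sorted(actions):
        by_resource.setdefault(RESOURCE_SCOPE.get(action, "*"), []).append(action)

    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": acts, "Resource": res}
            for res, acts in sorted(by_resource.items())
        ],
    }


def write_actions(policy):
    """Return the actions in a policy that create or modify resources.

    An empty result means the policy is read-only with respect to the
    dependent cloud services.
    """
    found = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        found.extend(a for a in acts if _WRITE_VERB.match(a))
    return sorted(found)


if __name__ == "__main__":
    read_only = build_policy(["create-cluster", "cluster-inspection"])
    print(json.dumps(read_only, indent=2))
    print("write actions:", write_actions(read_only))
    full = build_policy(["create-cluster"], allow_create=True)
    print("write actions with allow_create=True:", write_actions(full))
```

The read-only policy produced for `create-cluster` plus `cluster-inspection` is enough for a RAM user who picks existing network resources in the console; only the `ram:GetRole` statement is narrowed to the `aliyuncisdefaultrole` ARN listed in the table. If a feature in the table is missing from `FEATURE_ACTIONS`, add its actions from the table rather than widening an existing statement.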
| Feature | Dependent service | System policy | Action (custom policy) | Resource | Description or console path |
|---|---|---|---|---|---|
| Request Quota Increase | Quota Center | AliyunQuotasFullAccess | quotas:ListProductQuotas | * | Lists quotas for a cloud service. |
| | | | quotas:ListProductQuotaDimensions | * | Lists supported quota dimensions for a cloud service. |
| | | | quotas:ListProductDimensionGroups | * | Lists dimension groups of a cloud service. |
| | | | quotas:ListDependentQuotas | * | Lists dependencies of a target quota. |
| | | | quotas:CreateQuotaApplication | * | Submits an application to increase a quota. |
| Create a cluster | Billing Management | AliyunBSSFullAccess / AliyunBSSReadOnlyAccess | bssapi:GetPayAsYouGoPrice | * | Gets product pricing information. |
| | Virtual Private Cloud (VPC) | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVSwitches | * | Cluster Configurations > Network Settings > VPC > Existing |
| | | | vpc:DescribeVpcs | * | Cluster Configurations > Network Settings > vSwitch > Existing |
| | | AliyunVPCFullAccess | vpc:CreateVpc | * | Cluster Configurations > Network Settings > VPC > Create VPC |
| | | | vpc:CreateVSwitch | * | Cluster Configurations > Network Settings > vSwitch > Create VPC |
| | Server Load Balancer (SLB) | AliyunSLBFullAccess / AliyunSLBReadOnlyAccess | slb:DescribeLoadBalancers | * | Cluster Configurations > Network Settings > Access to API Server > SLB Source > Existing |
| | | | slb:DescribeLoadBalancerListeners | * | |
| | | AliyunSLBFullAccess | slb:CreateLoadBalancer | * | Cluster Configurations > Network Settings > Access to API Server > SLB Source > New |
| | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeSecurityGroups | * | Cluster Configurations > Network Settings > Security Group > Select Existing Security Group |
| | | | ecs:DescribePrice | * | Required to view pricing information when selecting an instance type under Node Pool Configurations > Instance and Image > Instance Type. |
| | | | ecs:DescribeImages | * | Required to select custom and Marketplace images under Node Pool Configurations > Instance and Image > Operating System. |
| | | | ecs:DescribeKeyPairs | * | Node Pool Configurations > Instance and Image > Logon Type > Key Pair |
| | | | ecs:DescribeDeploymentSets | * | Master Configurations > Deployment Set > Select a Deployment Set |
| | | AliyunECSFullAccess | ecs:CreateSecurityGroup | * | Required to automatically create a basic or advanced security group in the Cluster Configurations > Network Settings > Security Group section. |
| | Key Management Service (KMS) | AliyunKMSFullAccess / AliyunKMSReadOnlyAccess | kms:ListKeys | * | Cluster Configurations > Advanced (Optional) > Secret Encryption > Select Key |
| | Auto Scaling (ESS) | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribePatternTypes | * | Node Pool Configurations > Instance Configuration Mode > Specify Instance Attributes |
| | ApsaraDB RDS | AliyunRDSFullAccess / AliyunRDSReadOnlyAccess | rds:DescribeDBInstances | * | Node Pool Configurations > Advanced Options (Optional) > RDS Whitelist > Select RDS Instance |
| | Application Load Balancer (ALB) | AliyunALBFullAccess / AliyunALBReadOnlyAccess | alb:ListLoadBalancers | * | Component Configuration > Ingress > ALB Ingress > Existing |
| | | AliyunALBFullAccess | alb:CreateLoadBalancer | * | Component Configuration > Ingress > ALB Ingress > Create Tags |
| | Microservices Engine (MSE) | AliyunMSEFullAccess / AliyunMSEReadOnlyAccess | mse:ListGateway | * | Component Configurations > Ingress > MSE Ingress > Existing |
| | | AliyunMSEFullAccess | mse:AddGateway | * | Component Configurations > Ingress > MSE Ingress > New |
| | Simple Log Service (SLS) | AliyunLogFullAccess / AliyunLogReadOnlyAccess | log:ListProject | * | |
| | | AliyunLogFullAccess | log:CreateProject | * | |
| Cluster Information > Basic Information | Virtual Private Cloud (VPC) | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVSwitches | * | Lists available vSwitches that can be assigned to the control plane. |
| | | | vpc:DescribeEipAddresses | * | Lists EIPs that can replace the public endpoint of the API server. |
| | Key Management Service (KMS) | AliyunKMSFullAccess / AliyunKMSReadOnlyAccess | kms:ListKeys | * | Lists available keys to enable secret encryption. |
| Cluster Information > Cluster Monitoring | Application Real-Time Monitoring Service (ARMS) | AliyunARMSFullAccess / AliyunARMSReadOnlyAccess | arms:ListDashboards | * | Lists Grafana dashboards for a cluster. |
| Cluster Management in Cloud Shell | Cloud Shell | AliyunCloudShellFullAccess | cloudshell:CreateEnvironment | * | Creates a Cloud Shell instance. |
| | | | cloudshell:AttachStorage | * | |
| | | | cloudshell:DetachStorage | * | |
| | | | cloudshell:CreateSession | * | |
| | | | cloudshell:DownloadFile | * | Uploads and downloads files. |
| | | | cloudshell:UploadFile | * | |
| | Apsara File Storage NAS (NAS) | AliyunNASFullAccess | nas:DescribeFileSystems | * | Creates and binds an Apsara File Storage NAS file system. |
| | | | nas:CreateFileSystem | * | |
| | | | nas:DescribeAccessRules | * | |
| Node Pools > Create Node Pool | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeImages | * | Required to select custom and Marketplace images when choosing an operating system. |
| | | | ecs:DescribePrice | * | Gets the latest prices of ECS resources. |
| Node Pools > Create or Edit | Virtual Private Cloud (VPC) | AliyunVPCFullAccess / AliyunVPCReadOnlyAccess | vpc:DescribeVpcs | * | Lists VPCs. |
| Node Pools > Logon Mode | Elastic Compute Service (ECS) | AliyunECSFullAccess / AliyunECSReadOnlyAccess | ecs:DescribeKeyPairs | * | Lists key pairs. |
| Node Pools > Add Existing Node | | | ecs:DescribeInstances | * | Lists available instances to add. |
| | | | ecs:DescribeSecurityGroups | * | Lists security groups. |
| Node Pools > Details > Scaling Activities | Auto Scaling (ESS) | AliyunESSFullAccess / AliyunESSReadOnlyAccess | ess:DescribeScalingActivities | * | Describes scaling activities. |
| | | | ess:DescribeScalingActivityDetail | * | Describes the details of a scaling activity. |
| | | | ess:DescribeLifecycleActions | * | Describes the details of lifecycle actions for scaling activities. |
| | CloudOps Orchestration Service (OOS) | AliyunOOSFullAccess / AliyunOOSReadOnlyAccess | oos:ListExecutions | * | Lists execution information. |
| Workloads > Create from Image | Container Registry (ACR) | AliyunContainerRegistryFullAccess / AliyunContainerRegistryReadOnlyAccess | cr:ListInstance | * | Lists ACR instances. |
| | | | cr:ListInstanceDomain | * | Gets information about ACR instances. |
| | | | cr:ListRepository | * | Lists ACR image repositories. |
| | | | cr:ListArtifactTag | * | Lists ACR image tags. |
| Applications > Knative > Monitoring Dashboards | Application Real-Time Monitoring Service (ARMS) | AliyunARMSFullAccess / AliyunARMSReadOnlyAccess | arms:InstallAddon | * | Installs an add-on. |
| Inspections and Diagnostics > Cluster Inspections and Diagnostics | Resource Access Management (RAM) | AliyunRAMFullAccess / AliyunRAMReadOnlyAccess | ram:GetRole | `acs:ram:*:*:role/aliyuncisdefaultrole` | Gets the AliyunCISDefaultRole, which is required for fault diagnosis and cluster inspections. |
| Inspections and Diagnostics > Cluster Check > Logs | Simple Log Service (SLS) | AliyunLogFullAccess | log:GetDashboard | * | Gets and displays logs. |
| | | | log:ListDashboard | * | |
| | | | log:ListLogStores | * | |
| | | | log:ListSavedSearch | * | |
| | | | log:GetLogStoreLogs | * | |
| | | | log:GetSavedSearch | * | Gets information about log events. |
| | | | log:GetIndex | * | Required for query statements. |
| | | | log:UpdateIndex | * | |
| | | | log:GetLogStore | * | |
| | | | log:CreateDashboardSharing | * | Creates password-free shares. |
| Operations > Log Center > Control Plane Component Logs | | AliyunLogFullAccess / AliyunLogReadOnlyAccess | log:ListProject | * | Lists projects that contain logs. |
| Operations > Log Center > Network Component Logs | | AliyunLogFullAccess | log:GetProjectLogs | * | Required to manage ALB Ingress logs. |
| | | | log:GetResourceRecord | * | |
| | | | log:CreateResourceRecord | * | |
| | | | log:UpdateResourceRecord | * | |
| Security > Security Monitoring | Security Center | AliyunYundunSASFullAccess | yundun-sas:DescribeVersionConfig | * | Describes the purchased Security Center edition. |
| | | | yundun-sas:GetClusterSuspEventStatistics | * | Gets security alert statistics. |
| | | | yundun-sas:DescribeClusterVulStatistics | * | Gets statistics on vulnerability risks. |
| | | | yundun-sas:GetClusterCheckItemWarningStatistics | * | Gets statistics on baseline risks. |
| | | | yundun-sas:GetInterceptionSummary | * | Gets summary statistics for container firewall alerts. |
| | | | yundun-sas:ListGroups | * | Lists server groups. |
| | | | yundun-sas:ListAccountsInResourceDirectory | * | Required for security alert operations. |
| | | | yundun-sas:DescribeMonitorAccounts | * | |
| | | | yundun-sas:DescribeSuspEvents | * | |
| | | | yundun-sas:DescribeGroupedVul | * | Required for vulnerability risk management. |
| | | | yundun-sas:DescribeVulExportInfo | * | |
| | | | yundun-sas:ExportVul | * | |
| | | | yundun-aegis:DescribeVulNumStatistics | * | |
| | | | yundun-sas:DescribeGroupedInstances | * | |
| | | | yundun-sas:DescribeFixUsedCount | * | |
| | | | yundun-sas:DescribeServiceLinkedRoleStatus | * | |
| | | | yundun-sas:DescribeVulConfig | * | |
| | | | yundun-sas:DescribeVulList | * | |
| | | | yundun-sas:DescribeRiskType | * | Required for baseline risk management. |
| | | | yundun-sas:ListCheckItemWarningSummary | * | |
| | | | yundun-sas:ListInterceptionHistory | * | |
| | | | yundun-sas:ListClusterInterceptionConfig | * | |
| | | | yundun-sas:GetAssetDetailByUuid | * | |
| | | | yundun-sas:ListPluginForUuid | * | |
| | | | yundun-sas:ValidateHcWarnings | * | |
| | | | yundun-sas:DescribeCheckWarningMachines | * | |
| | | | yundun-sas:IgnoreCheckItems | * | |
| | | | yundun-sas:ListCheckItemWarningMachine | * | Required for container firewall alert operations. |
| Volumes > Create CNFS File System | Object Storage Service (OSS) | AliyunOSSFullAccess / AliyunOSSReadOnlyAccess | oss:ListBucketsByRegion | * | Required to select an OSS bucket when the file system type is set to OSS. |
| Application backup | | | oss:ListBucketsByRegion | * | Create a backup vault > Select an OSS Bucket |
| Authorizations > RAM Users | Resource Access Management (RAM) | AliyunRAMFullAccess / AliyunRAMReadOnlyAccess | ram:ListUserBasicInfos | * | Lists basic information for all RAM users. |
| Authorizations > RAM Role | | | ram:ListRoles | * | Lists all RAM roles. |