ACK roles

ACK requires RAM roles to access cloud services on your behalf for cluster management and logging.

ACK uses two categories of roles:

  • Quick authorization roles: 13 roles assigned via RAM Quick Authorization on first use, covering cluster management, networking, storage, monitoring and logging, and diagnostics.

  • Optional roles: 9 roles you assign for features such as auto scaling, backup, or edge computing.

Quick authorization roles

These roles are assigned to ACK through RAM Quick Authorization on first use.

Cluster management roles

  • AliyunCSDefaultRole (policy: AliyunCSDefaultRolePolicy): ACK assumes this role to access your resources in other services during cluster management. These include Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Resource Orchestration Service (ROS), and Auto Scaling.

  • AliyunCSManagedKubernetesRole (policy: AliyunCSManagedKubernetesRolePolicy): An ACK managed cluster or ACK Edge cluster assumes this role to access services such as ECS, VPC, SLB, and Container Registry.

  • AliyunCSServerlessKubernetesRole (policy: AliyunCSServerlessKubernetesRolePolicy): An ACK Edge cluster or ACK Serverless cluster assumes this role to access your resources in services such as ECS, VPC, SLB, and Private Zone.

Networking role

  • AliyunCSManagedNetworkRole (policy: AliyunCSManagedNetworkRolePolicy): The network add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in services such as ECS and VPC.

Storage roles

  • AliyunCSManagedCsiRole (policy: AliyunCSManagedCsiRolePolicy): The storage add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in services such as ECS, NAS, and OSS.

  • AliyunCSManagedCsiProvisionerRole (policy: AliyunCSManagedCsiProvisionerRolePolicy): The storage add-on (csi-provisioner) of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS, NAS, and OSS.

  • AliyunCSManagedCsiPluginRole (policy: AliyunCSManagedCsiPluginRolePolicy): The CSI storage add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ECS.

Monitoring and logging roles

  • AliyunCSKubernetesAuditRole (policy: AliyunCSKubernetesAuditRolePolicy): The audit feature of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Simple Log Service (SLS).

  • AliyunCSManagedCmsRole (policy: AliyunCSManagedCmsRolePolicy): The monitoring add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in services such as CloudMonitor and SLS.

  • AliyunCSManagedLogRole (policy: AliyunCSManagedLogRolePolicy): The log add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in SLS.

  • AliyunCSManagedArmsRole (policy: AliyunCSManagedArmsRolePolicy): The Application Real-Time Monitoring Service (ARMS) add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in ARMS.

Diagnostics role

  • AliyunCISDefaultRole (policy: AliyunCISDefaultRolePolicy): ACK Container Intelligence Service assumes this role to access your resources in services such as ECS, VPC, and SLB for diagnostics and inspection.

Optional roles

Important

To assign optional roles, you must use an Alibaba Cloud account or a RAM user with administrator permissions.

  • AliyunCSManagedAcrRole (policy: AliyunCSManagedAcrRolePolicy): The credential-free image pulling add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Container Registry.

  • AliyunCSManagedNlcRole (policy: AliyunCSManagedNlcRolePolicy): The node lifecycle controller of an ACK managed cluster or ACK Edge cluster assumes this role to access your node pool resources in ECS and ACK.

  • AliyunCSManagedAutoScalerRole (policy: AliyunCSManagedAutoScalerRolePolicy): The auto scaling add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS.

  • AliyunCSManagedSecurityRole (policy: AliyunCSManagedSecurityRolePolicy): The disk encryption add-on and the credential management add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assume this role to access your resources in Key Management Service (KMS).

  • AliyunCSManagedCostRole (policy: AliyunCSManagedCostRolePolicy): The cost analysis add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Billing Management API, ECS, and ECI.

  • AliyunCSManagedNimitzRole (policy: AliyunCSManagedNimitzRolePolicy): The network add-on of an ACK Lingjun cluster assumes this role to access your resources in Lingjun AI Computing Service.

  • AliyunCSManagedBackupRestoreRole (policy: AliyunCSManagedBackupRestoreRolePolicy): The backup center add-on of an ACK managed cluster, ACK Edge cluster, or ACK Serverless cluster assumes this role to access your resources in Cloud Backup Service and OSS.

  • AliyunCSManagedEdgeRole (policy: AliyunCSManagedEdgeRolePolicy): The control add-on of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).

  • AliyunOOSLifecycleHook4CSRole (policy: the inline policy shown below): CloudOps Orchestration Service (OOS) assumes this role to access your resources in ACK, ECS, and PolarDB.

AliyunOOSLifecycleHook4CSRole inline policy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cs:DeleteClusterNodes",
                "cs:DescribeClusterNodes",
                "cs:DescribeTaskInfo"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ess:CompleteLifecycleAction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:ModifyDBClusterAccessWhitelist"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
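The following is an added example (not part of the Alibaba Cloud documentation) that turns the role catalogue above and the inline policy into something a reviewer can check against an account. It assumes you have exported the names of the RAM roles in your account by whatever means you use (the sample list SAMPLE_ACCOUNT_ROLES is constructed here; AliyunCSExampleUnknownRole is a made-up name standing in for an unrecognized service role). classify_roles reports quick authorization roles that are absent, optional roles that are present (each one implies a feature with extra service permissions), and unknown roles that use the service-role prefixes. summarize_policy groups the actions of a policy document by service and lists the mutating actions that are allowed on Resource "*", which is the part of the inline policy above worth knowing before you grant it.

```python
import json
from collections import defaultdict

# Role names exactly as listed on this page.
QUICK_AUTH_ROLES = {
    "AliyunCSDefaultRole", "AliyunCSManagedKubernetesRole",
    "AliyunCSServerlessKubernetesRole", "AliyunCSManagedNetworkRole",
    "AliyunCSManagedCsiRole", "AliyunCSManagedCsiProvisionerRole",
    "AliyunCSManagedCsiPluginRole", "AliyunCSKubernetesAuditRole",
    "AliyunCSManagedCmsRole", "AliyunCSManagedLogRole",
    "AliyunCSManagedArmsRole", "AliyunCISDefaultRole",
}
OPTIONAL_ROLES = {
    "AliyunCSManagedAcrRole", "AliyunCSManagedNlcRole",
    "AliyunCSManagedAutoScalerRole", "AliyunCSManagedSecurityRole",
    "AliyunCSManagedCostRole", "AliyunCSManagedNimitzRole",
    "AliyunCSManagedBackupRestoreRole", "AliyunCSManagedEdgeRole",
    "AliyunOOSLifecycleHook4CSRole",
}

# Constructed sample: an account that is missing the ARMS role, has enabled
# auto scaling, and contains one role name this page does not list.
SAMPLE_ACCOUNT_ROLES = sorted(
    (QUICK_AUTH_ROLES - {"AliyunCSManagedArmsRole"})
    | {"AliyunCSManagedAutoScalerRole", "AliyunCSExampleUnknownRole"}
)

# The AliyunOOSLifecycleHook4CSRole inline policy exactly as shown on this page.
INLINE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["cs:DeleteClusterNodes", "cs:DescribeClusterNodes",
                    "cs:DescribeTaskInfo"], "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["ess:CompleteLifecycleAction"], "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["polardb:DescribeDBClusterAccessWhitelist",
                    "polardb:ModifyDBClusterAccessWhitelist"],
         "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["ecs:DescribeInstances"], "Resource": ["*"], "Effect": "Allow"},
    ],
})


def classify_roles(account_role_names):
    """Compare the role names present in an account with the catalogue on this page."""
    present = set(account_role_names)
    return {
        "missing_quick_auth": sorted(QUICK_AUTH_ROLES - present),
        "optional_present": sorted(OPTIONAL_ROLES & present),
        # Roles that look like ACK/CIS service roles but are not documented here.
        "unexpected_service_roles": sorted(
            n for n in present - QUICK_AUTH_ROLES - OPTIONAL_ROLES
            if n.startswith(("AliyunCS", "AliyunCIS"))
        ),
    }


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def summarize_policy(policy_json):
    """Group Allow actions by service and flag mutating actions on Resource '*'."""
    doc = json.loads(policy_json)
    actions_by_service = defaultdict(set)
    wildcard_resource_actions = []  # any action allowed on every resource
    mutating_on_any_resource = []   # wildcard actions that are not read-only
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            actions_by_service[service].add(action)
            if "*" in resources:
                wildcard_resource_actions.append(action)
                # Treat Describe* as read-only; everything else changes state.
                if not verb.startswith("Describe"):
                    mutating_on_any_resource.append(action)
    return {
        "actions_by_service": {s: sorted(a) for s, a in actions_by_service.items()},
        "wildcard_resource_actions": wildcard_resource_actions,
        "mutating_on_any_resource": mutating_on_any_resource,
    }


if __name__ == "__main__":
    print(json.dumps(classify_roles(SAMPLE_ACCOUNT_ROLES), indent=2))
    print(json.dumps(summarize_policy(INLINE_POLICY), indent=2))
```

For the inline policy on this page the summary shows that, besides read-only Describe calls, the role may delete cluster nodes, complete scaling lifecycle actions, and modify PolarDB access whitelists on any resource in the account; that is the scope you are accepting when you assign AliyunOOSLifecycleHook4CSRole.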