When you use Alibaba Cloud Container Compute Service (ACS) for the first time, you must activate the service and grant a specific role permission to access your cloud resources. Only after this role is properly authorized can ACS call related services—such as ECS, OSS, NAS, CPFS, and SLB—and perform operations like creating clusters and saving logs. This topic describes how to activate ACS, authorize the required roles, and activate related Alibaba Cloud services.
Step 1: Activate Container Compute Service (ACS)
Log on to the ACS console. On your first visit, you are redirected to the activation guide page.
Click Activate. On the new page, click Create service-linked role, then click Buy Now.
After completing the activation steps, click Next on the activation guide page to proceed to the Role Authorization step.
Step 2: Role Authorization
Before using ACS, you must grant a specific role permission to access your cloud resources.
Both Alibaba Cloud accounts (root accounts) and RAM users with administrative permissions can authorize the system default roles.
Click Authorize Now. At the bottom of the RAM Quick Authorization page, click Authorize.
To create clusters running Kubernetes version 1.33.3-aliyun.1 or later: Due to product optimization in ACS, use the new resource access authorization to authorize roles for Container Service for Kubernetes.
To create clusters running Kubernetes version 1.32 or earlier: Use the original resource access authorization to authorize roles.
After completing the authorization, click Close. If the authorization status shows Service role authorized, the authorization succeeded.
For best practices on RAM authorization for ACS, see Authorization best practices.
Click Next, then click Log on to Console to complete the activation guide.
Step 3: Activate related cloud services
ACS features depend on or integrate with other cloud resources. You must activate these related services.
Only Alibaba Cloud accounts (root accounts) can activate cloud services. RAM users cannot activate cloud services.
Use your Alibaba Cloud account (root account) to log on to the Alibaba Cloud website and activate the following services as needed.
Required: Services that ACS clusters strongly depend on. You must activate them.
Recommended: Common dependencies for cluster creation and application management. We recommend activating them.
Optional: Services you can activate based on your architecture and O&M requirements.
Product name | Activation link | Type | Description |
ACK container service | Required | Create and manage ACK Kubernetes clusters of the ACS type. | |
VPC | Required | Build cluster network environments and routing rules. | |
SLB (Server Load Balancer) | Required | Create load balancers for clusters. | |
NAT Gateway | Recommended | Enable public network access and pull public images for clusters. | |
ACR (Container Registry) | Recommended | Securely host cloud-native assets and manage their full lifecycle. | |
Simple Log Service (SLS) | Recommended | Collect and retrieve logs from ACS cluster components and applications. | |
CMS (Cloud Monitor) service | Recommendations | Monitor the status of cluster nodes and running applications. | |
ARMS Prometheus | Recommendations | Monitor and alert on ACS clusters using Prometheus. | |
NAS file storage | Optional | Provide file storage for cluster application data using NAS. | |
CPFS file storage | Optional | Provide file storage for cluster application data using CPFS. | |
PrivateZone | Optional | Enable domain name access for ACS applications using private DNS. |
Default roles for Container Compute Service
Role | Description |
AliyunServiceRoleForAcc | This service-linked role lets ACS access your resources in services such as ACK, ECS, VPC, SLB, and ARMS during cluster management operations. |
AliyunCCCSIPluginRole | ACS clusters use this role by default to access storage resources such as disks and NAS. |
AliyunCCCCMServiceRole | ACS clusters use this role by default to access load balancing resources such as SLB and ALB. |
AliyunCCNECRole | ACS clusters use this role by default to access network-related services such as VPC and ECS, and to create and use EIPs. |
AliyunCCKubernetesAuditRole | ACS clusters use this role by default to access SLS resources and collect and display Kubernetes audit logs. |
AliyunCCManagedLogRole | ACS clusters use this role by default to access SLS resources and collect and display container logs. |
AliyunCCManagedArmsRole | ACS clusters use this role by default to access ARMS monitoring resources and collect and display container resource metrics and application performance metrics. |
AliyunCCCISDefaultRole | ACS clusters use this role by default to access cloud services such as ECS, ACK, VPC, and SLB, and to periodically check the health of Kubernetes and its components. |
AliyunCCManagedAcrRole | ACS clusters use this role by default to access ACR and obtain temporary credentials to start pods. |
AliyunCCForResourceProviderRole | ACS clusters use this role by default to access cloud resources such as SLB, VPC, and vSwitch when creating container instances. |
AliyunCCManagedVirtualNodeRole | ACS clusters use this role by default to access cloud resources such as PrivateZone and VPC when creating virtual nodes. |
AliyunCCManagedACSBrokerRole | ACS clusters use this role by default to access cloud resources when reporting container instance status and other O&M information. |
AliyunCSDefaultRole | Grants Managed Kubernetes permission to access your cloud resources. |
AliyunCSManagedKubernetesRole | Grants Managed Kubernetes permission to access resources in other cloud services. |
References
For more information about ACS, see Product introduction.
You can quickly deploy and monitor applications in ACS clusters. For details, see Quickly build a generative conversational application using ACS computing power, Quickly use ACS with kubectl, and Deploy a stateless application using the Nginx image supported by ACS.