Updates the role-based access control (RBAC) permissions of a Resource Access Management (RAM) user or RAM role. By default, you do not have the RBAC permissions on a Container Service for Kubernetes (ACK) cluster if you are not the cluster owner or you are not using an Alibaba Cloud account. You can call this operation to specify the resources that can be accessed, permission scope, and predefined roles. This helps you better manage the access control on resources in ACK clusters.
Operation description
Precautions:
- You can update the permissions of a RAM user or RAM role on a cluster by using full update or incremental update. If you use full update, the existing permissions of the RAM user or RAM role on the cluster are overwritten. You must specify all the permissions that you want to grant to the RAM user or RAM role in the request parameters when you call the operation. If you use incremental update, you can grant permissions to or revoke permissions from the RAM user or RAM role on the cluster. In this case, only the permissions that you specify in the request parameters when you call the operation are granted or revoked, other permissions of the RAM user or RAM role on the cluster are not affected.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resourcesis used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|
| cs:UpdateUserPermissions | none |
|
| none |
Request syntax
POST /permissions/users/{uid}/update HTTP/1.1
Request parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| uid | string | No | The ID of the RAM user or RAM role whose permissions you want to update. | 2367**** |
| body | array<object> | No | The request body. | |
| object | No | |||
| cluster | string | No | The ID of the cluster on which you want to grant permissions to the RAM role or RAM role.
| c796c60*** |
| is_custom | boolean | No | Specifies whether to assign a custom role to the RAM user or RAM role. If you want to assign a custom role to the RAM user or RAM role, set | false |
| role_name | string | No | The predefined role. Valid values:
| ops |
| role_type | string | No | The authorization type. Valid values:
| cluster |
| namespace | string | No | The namespace that you want to authorize the RAM user or RAM role to manage. This parameter is required only if you set role_type to namespace. | test |
| is_ram_role | boolean | No | Specifies whether to use a RAM role to grant permissions. | false |
| mode | string | No | The authorization method. Valid values:
Default value: | apply |
Response parameters
Examples
Sample success responses
JSONformat
{}Error codes
For a list of error codes, visit the Service error codes.
Change history
| Change time | Summary of changes | Operation |
|---|