Updates the role-based access control (RBAC) permissions of a Resource Access Management (RAM) user or RAM role. By default, you do not have the RBAC permissions on a Container Service for Kubernetes (ACK) cluster if you are not the cluster owner or you are not using an Alibaba Cloud account. You can call this operation to specify the resources that can be accessed, permission scope, and predefined roles. This helps you better manage the access control on resources in ACK clusters.
Operation description
Precautions:
- If you use a Resource Access Management (RAM) user to call the operation, make sure that the RAM user has the permissions to modify the permissions of other RAM users or RAM roles. Otherwise, the
StatusForbidden
orForbiddenGrantPermissions
error code is returned after you call the operation. For more information, see Use a RAM user to grant RBAC permissions to other RAM users. - If you update full permissions, the existing permissions of the RAM user or RAM role on the cluster are overwritten. You must specify all the permissions that you want to grant to the RAM user or RAM role in the request parameters when you call the operation.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action
policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
cs:GrantPermission | update | *All Resources * |
| none |
Request syntax
POST /permissions/users/{uid} HTTP/1.1
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
uid | string | Yes | The ID of the RAM user or RAM role whose permissions you want to update. | 2367**** |
body | array<object> | No | The request parameters. | |
object | No | |||
cluster | string | Yes | The ID of the cluster on which you want to grant permissions to the RAM role or RAM role.
| c796c60*** |
is_custom | boolean | No | Specifies whether to assign a custom role to the RAM user or RAM role. If you want to assign a custom role to the RAM user or RAM role, set | false |
role_name | string | Yes | The predefined role. Valid values:
| ops |
role_type | string | Yes | The authorization type. Valid values:
| cluster |
namespace | string | No | The namespace that you want to authorize the RAM user or RAM role to manage. This parameter is required only if you set role_type to namespace. | test |
is_ram_role | boolean | No | Specifies whether to use a RAM role to grant permissions. | false |
Response parameters
Examples
Sample success responses
JSON
format
{}
Error codes
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-01-09 | The internal configuration of the API is changed, but the call is not affected | View Change Details |