Beginning August 18, 2021, Container Service for Kubernetes (ACK) implements enhanced authentication for API calls made by Resource Access Management (RAM) users and RAM roles. Every call is checked against the RAM action that the operation requires. To prevent calls from failing with authorization errors, check the RAM policies that are attached to the RAM users and roles in your Alibaba Cloud account and add the required actions, and only those, based on what each identity actually needs.

Impact

After enhanced authentication takes effect, if a RAM user or role attempts an operation that its policies do not allow, the ACK console or API returns an error message that contains either RAM policy Forbidden or STSToken policy Forbidden. The error message also names the RAM action that the operation requires, so you can map the failure directly to the policy statement that is missing.

The following error message contains a RAM action named cs:DescribeEvents:
RAM policy Forbidden for action cs:DescribeEvents
The following table lists API operations and the RAM actions that are required to call the API operations. If your RAM user or role is unauthorized to call the API operations in the following table, log on to the RAM console and grant the required permissions to the RAM user or role.
Operation | RAM action | Description
DescribeEvents | cs:DescribeEvents | Queries user events
StartAlert | cs:StartAlert | Enables an alert rule
StopAlert | cs:StopAlert | Disables an alert rule
DeleteAlertContact | cs:DeleteAlertContact | Deletes an alert contact
DeleteAlertContactGroup | cs:DeleteAlertContactGroup | Deletes an alert contact group
OpenAckService | cs:OpenAckService | Activates ACK
DescribeClusterResources | cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID
DescribeUserQuota | cs:DescribeUserQuota | Queries resource quotas
DescribeClustersV1 | cs:DescribeClustersV1 | Queries the details about all clusters
DescribeExternalAgent | cs:DescribeExternalAgent | Queries a cluster registration proxy by cluster ID
DescribeKubernetesVersionMetadata | cs:DescribeKubernetesVersionMetadata | Queries the supported Kubernetes versions
DescribeClusterAddonUpgradeStatus | cs:DescribeClusterAddonUpgradeStatus | Queries the upgrade progress of cluster add-ons
DescribeClusters | cs:DescribeClusters | Queries all clusters within the account, including Kubernetes clusters and Swarm clusters
DescribeClusterNamespaces | cs:DescribeClusterNamespaces | Queries the namespaces in a cluster
ModifyCluster | cs:ModifyCluster | Modifies the cluster configurations by cluster ID
MigrateCluster | cs:MigrateCluster | Migrates a cluster
UpdateK8sClusterUserConfigExpire | cs:UpdateK8sClusterUserConfigExpire | Updates the expiration time of custom configurations
DescribeClusterNodes | cs:DescribeClusterNodes | Queries the details about all nodes in a cluster by cluster ID
DescribeClusterAttachScripts | cs:DescribeClusterAttachScripts | Queries the script that is used to add instances to a cluster
GetUpgradeStatus | cs:GetUpgradeStatus | Queries the upgrade progress of a cluster by cluster ID
UpgradeCluster | cs:UpgradeCluster | Upgrades a cluster by cluster ID
PauseClusterUpgrade | cs:PauseClusterUpgrade | Pauses the upgrade of a cluster
CancelClusterUpgrade | cs:CancelClusterUpgrade | Cancels the upgrade of a cluster
CreateTemplate | cs:CreateTemplate | Creates an orchestration template
DescribeTemplates | cs:DescribeTemplates | Queries the details about all orchestration templates
DescribeTemplateAttribute | cs:DescribeTemplateAttribute | Queries the details about an orchestration template by template ID
UpdateTemplate | cs:UpdateTemplate | Updates an orchestration template by template ID
DeleteTemplate | cs:DeleteTemplate | Deletes an orchestration template by template ID
CreateKubernetesTrigger | cs:CreateKubernetesTrigger | Creates a trigger for an application
GetKubernetesTrigger | cs:GetKubernetesTrigger | Queries the triggers of an application by application name
DeleteKubernetesTrigger | cs:DeleteKubernetesTrigger | Deletes a trigger by trigger ID
InstallClusterAddons | cs:InstallClusterAddons | Installs components in a cluster
DescribeAddons | cs:DescribeAddons | Queries the details about all supported components
DescribeClusterAddonsUpgradeStatus | cs:DescribeClusterAddonsUpgradeStatus | Queries the upgrade progress of a component by component name
DescribeClusterAddonsVersion | cs:DescribeClusterAddonsVersion | Queries the details about all components in a cluster by cluster ID
ModifyClusterConfiguration | cs:ModifyClusterConfiguration | Modifies the configuration of a cluster (applies only to managed clusters)
UpgradeClusterAddons | cs:UpgradeClusterAddons | Upgrades a component to a specified version by component name
PauseComponentUpgrade | cs:PauseComponentUpgrade | Pauses the upgrade of a component
ResumeComponentUpgrade | cs:ResumeComponentUpgrade | Resumes the upgrade of a component
CancelComponentUpgrade | cs:CancelComponentUpgrade | Cancels the upgrade of a component
UnInstallClusterAddons | cs:UnInstallClusterAddons | Uninstalls a component by component name
CreateAutoscalingConfig | cs:CreateAutoscalingConfig | Configures auto scaling

Modify a RAM policy

The following examples show how to modify the RAM policy that is attached to a RAM user or role. In each case the fix is to add the one missing action, not to widen the policy to cs:*. For more information about RAM authorization, see Create a custom RAM policy.

Scenario 1: A RAM user can perform only the cs:Get* action on a cluster and requires permissions on all read-only operations related to the cluster

The following RAM policy allows a RAM user to perform only cs:Get* actions, and only on the one cluster named in the Resource element:
{
    "Statement": [
        {
            "Action": "cs:Get*",
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
If the RAM user requires permissions on all read-only operations related to the cluster, modify the RAM policy as shown in the following code block:
{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
Note The wildcard cs:Get* matches only actions whose names start with Get, such as cs:GetUpgradeStatus. Most read-only ACK operations, including DescribeClusterNodes and DescribeClusterResources, have Describe or List prefixes and are not covered by it. To grant the RAM user all read-only operations on the cluster, you must also add the cs:List* and cs:Describe* actions to the RAM policy.

Scenario 2: Grant a RAM user the permissions on an individual operation related to a cluster

To grant a RAM user permissions on an individual cluster-level operation, you need only add the RAM action that corresponds to the operation to the existing statement. The Resource element still names the cluster, so the new action applies to that cluster only.

The following code block shows the current RAM policy:
{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
To grant permissions on the ModifyCluster operation, add the corresponding RAM action cs:ModifyCluster to the RAM policy, as shown in the following code block:
{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*",
                "cs:ModifyCluster"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}

Scenario 3: Grant a RAM user permissions on operations that are not specific to individual clusters

Some API operations are not specific to an individual cluster, such as CreateCluster, DescribeClusters, and DescribeEvents. These operations are not authorized against a cluster resource, so a statement whose Resource element lists cluster IDs does not grant them, even if the Action element matches. To grant a RAM user permissions on these operations, put them in a statement whose Resource element is "*".

The following code block shows the current RAM policy:
{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
To grant permissions on the DescribeEvents operation, add a separate statement for the RAM action cs:DescribeEvents with Resource set to "*", as shown in the following code block. Do not change the Resource of the existing statement to "*" instead: that would extend the cs:Get*, cs:List*, and cs:Describe* permissions to every cluster in the account.
{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
              "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
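The three scenarios above share one underlying question: does a given policy match the action and the resource that ACK checks for a call? The following script is an added example and is not Alibaba Cloud's evaluation engine or code from this page. It is a simplified RAM policy evaluator (Allow and Deny statements with "*" wildcards, an explicit Deny overriding any Allow, no Condition support) that replays the page's own policies, parses the "policy Forbidden for action ..." error message, and appends the minimal statement the error calls for. The cluster ARN region and account ID, the modelling of account-level calls as having request resource "*", and the short list of account-level actions are assumptions taken from this page and are marked as such in the code.

```python
import copy
import json
import re

# Constructed sample policies, copied from Scenario 1 of this page. The cluster ID
# keeps the page's masking ("****").
GET_ONLY_POLICY = json.loads("""
{"Statement": [{"Action": "cs:Get*", "Effect": "Allow",
                "Resource": ["acs:cs:*:*:cluster/c2e63856bcd714197****"]}],
 "Version": "1"}
""")
READONLY_POLICY = json.loads("""
{"Statement": [{"Action": ["cs:Get*", "cs:List*", "cs:Describe*"], "Effect": "Allow",
                "Resource": ["acs:cs:*:*:cluster/c2e63856bcd714197****"]}],
 "Version": "1"}
""")

# Assumptions for this example. A cluster-level call is checked against the cluster
# ARN (region and account ID below are placeholders). The page says account-level
# calls such as DescribeEvents need Resource "*", so their request resource is
# modelled as "*" here, which only a "*" pattern can match.
CLUSTER_ARN = "acs:cs:cn-hangzhou:123456789012****:cluster/c2e63856bcd714197****"
ACCOUNT_SCOPE = "*"
# Account-level actions named on this page (not an exhaustive list).
ACCOUNT_LEVEL_ACTIONS = {"cs:CreateCluster", "cs:DescribeClusters", "cs:DescribeEvents"}

FORBIDDEN_RE = re.compile(
    r"(?:RAM|STSToken) policy Forbidden for action (?P<action>[A-Za-z0-9]+:[A-Za-z0-9]+)")


def wildcard_match(pattern: str, value: str) -> bool:
    """RAM-style match: '*' matches any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'Forbidden' (no statement matched).

    Simplified model: an explicit Deny wins over any Allow; Condition blocks are rejected.
    """
    decision = "Forbidden"
    for stmt in policy.get("Statement", []):
        if "Condition" in stmt:
            raise NotImplementedError("Condition blocks are not modelled in this example")
        action_hit = any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def required_action(error_message: str):
    """Extract the RAM action from an ACK 'policy Forbidden' error message, or None."""
    match = FORBIDDEN_RE.search(error_message)
    return match.group("action") if match else None


def statement_for(action: str, cluster_arn_pattern: str) -> dict:
    """Statement to append for one action: account-level actions get Resource "*",
    cluster-level actions stay scoped to the given cluster pattern."""
    resource = "*" if action in ACCOUNT_LEVEL_ACTIONS else cluster_arn_pattern
    return {"Action": [action], "Effect": "Allow", "Resource": [resource]}


def with_statement(policy: dict, stmt: dict) -> dict:
    """Copy of the policy with one more statement; the original object is untouched."""
    updated = copy.deepcopy(policy)
    updated["Statement"].insert(0, stmt)
    return updated


def fix_from_error(policy: dict, error_message: str, cluster_arn_pattern: str) -> dict:
    """Turn a Forbidden error into the minimal policy change: one new statement for the
    missing action, so the existing cluster-scoped statement is never widened."""
    action = required_action(error_message)
    if action is None:
        raise ValueError("not an ACK authorization error: %r" % error_message)
    return with_statement(policy, statement_for(action, cluster_arn_pattern))


if __name__ == "__main__":
    pattern = "acs:cs:*:*:cluster/c2e63856bcd714197****"
    # Scenario 1: cs:Get* alone does not cover a Describe* call on the cluster.
    print(evaluate(GET_ONLY_POLICY, "cs:DescribeClusterNodes", CLUSTER_ARN))  # Forbidden
    print(evaluate(READONLY_POLICY, "cs:DescribeClusterNodes", CLUSTER_ARN))  # Allow
    # Scenario 3: a cluster-scoped statement never satisfies an account-level call.
    err = "RAM policy Forbidden for action cs:DescribeEvents"
    print(evaluate(READONLY_POLICY, "cs:DescribeEvents", ACCOUNT_SCOPE))      # Forbidden
    fixed = fix_from_error(READONLY_POLICY, err, pattern)
    print(evaluate(fixed, "cs:DescribeEvents", ACCOUNT_SCOPE))                # Allow
    print(json.dumps(fixed, indent=4))
```

Run it before editing a policy in the RAM console to confirm that the statement you are about to add is the one the error asks for and no broader. Because fix_from_error scopes cluster-level actions to the cluster pattern you pass in, the same script also shows that the Scenario 2 fix for cs:ModifyCluster does not leak to a second cluster, which is the least-privilege property you want to preserve when reacting to Forbidden errors one at a time.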