The Container Service for Kubernetes (ACK) console calls the CheckServiceRole API operation to check whether a Resource Access Management (RAM) user or RAM role is authorized to access the services that ACK clusters or components depend on. We recommend that you use an Alibaba Cloud account to grant the required permissions to the RAM user or RAM role at the earliest opportunity, so that no CheckServiceRole authentication failure occurs when you use the RAM user or RAM role to access the ACK console.
Impact
You are affected if you use a RAM user or RAM role to log on to the ACK console and the RAM policy attached to the RAM user or RAM role is scoped in either of the following ways:

A specific cluster is specified in the resource field of the RAM policy. This means that the RAM user or RAM role can call the API operations specified in the cs field of the policy only on that cluster.

The cs field of the RAM policy grants the RAM user or RAM role the permissions to call all ACK API operations, but only to manage the clusters in a specified resource group. A resource group manages only specific clusters that belong to the Alibaba Cloud account.
The CheckServiceRole API operation requires permissions on global cs resources, not on a single cluster or resource group. Therefore, when you use such a RAM user or RAM role to log on to the ACK console to create clusters or manage node pools, the status code StatusForbidden is still displayed, indicating that cs:CheckServiceRole authentication fails due to insufficient permissions.
Modify the RAM policy
If the preceding issue occurs, contact the permission administrator to add the following content to the RAM policy attached to the RAM user or RAM role. For more information, see Modify the document and description of a custom policy.
{
  "Statement": [
    {
      "Action": [
        "cs:CheckServiceRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "1"
}
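To make the scoping behaviour concrete, the following added Python example (not Alibaba Cloud's code) models RAM's allow/deny matching for a cluster-scoped policy, shows why cs:CheckServiceRole is rejected, and shows that appending the statement above fixes it. The cluster ARN format, the cluster ID and the treatment of a global-resource check as a request against the literal resource "*" are assumptions for illustration.

```python
"""Toy RAM policy evaluator (added example; it is not the real RAM engine)."""
import json
from fnmatch import fnmatchcase

# Constructed sample: a policy scoped to one cluster, as described on this page.
# The ARN form "acs:cs:*:*:cluster/<id>" and the cluster ID are assumptions.
CLUSTER_ID = "c-example-cluster-id"
CLUSTER_RESOURCE = f"acs:cs:*:*:cluster/{CLUSTER_ID}"
CLUSTER_SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["cs:*"], "Effect": "Allow", "Resource": [CLUSTER_RESOURCE]}
    ],
}

# The statement the page recommends adding to fix the failure.
FIX_STATEMENT = {
    "Action": ["cs:CheckServiceRole"], "Effect": "Allow", "Resource": ["*"]
}


def _matches(patterns, value):
    # Policy entries are wildcard patterns; the requested value is matched literally.
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def diagnose(policy):
    """Compare a cluster-scoped call with the global-resource CheckServiceRole call."""
    return {
        # A per-cluster API call against the cluster the policy names.
        "cs:DescribeClusterDetail": is_allowed(policy, "cs:DescribeClusterDetail", CLUSTER_RESOURCE),
        # CheckServiceRole needs global cs resources, modelled as resource "*".
        "cs:CheckServiceRole": is_allowed(policy, "cs:CheckServiceRole", "*"),
    }


def with_fix(policy):
    """Return a copy of the policy with the page's CheckServiceRole statement appended."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append(FIX_STATEMENT)
    return fixed
```

Running diagnose on CLUSTER_SCOPED_POLICY shows the cluster call allowed and CheckServiceRole denied; after with_fix, both are allowed while the cluster-only scope of the original statement is unchanged.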