
Container Compute Service:Grant RAM permissions to a RAM user or RAM role

Last Updated:Aug 21, 2024

By default, a Resource Access Management (RAM) user or RAM role does not have permissions to call the APIs of Alibaba Cloud services. You must authorize the RAM user or RAM role to use the APIs of Container Service for Kubernetes (ACK) and Alibaba Cloud Container Compute Service (ACS) and view clusters in the ACS console. This topic describes how to grant permissions to a RAM user or RAM role by using a system policy or custom policy.

Prerequisites

You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.

System policies

Attach system policies: You can use this method to grant a RAM user or RAM role read and write permissions on all clusters that belong to the current Alibaba Cloud account. We recommend that you use system policies to grant O&M permissions on all ACK clusters that belong to your Alibaba Cloud account.

Commonly used system policies for ACS

System policy: Description

AliyunCCFullAccess: This policy provides permissions to call all API operations of ACS.

AliyunCSFullAccess: This policy provides permissions to call all API operations of ACK.

  Note: This policy provides only permissions related to ACK. To manage and maintain applications deployed in ACK clusters, you need to grant Role-Based Access Control (RBAC) permissions. For more information, see Custom RBAC policies. Read and write permissions are granted on all ACK clusters, excluding ACS clusters. Proceed with caution.

AliyunVPCReadOnlyAccess: This policy provides permissions to specify a virtual private cloud (VPC) when creating a cluster.

AliyunECSReadOnlyAccess: This policy provides permissions to view the node details of a cluster.

AliyunContainerRegistryFullAccess: This policy provides permissions to manage the application images within an Alibaba Cloud account.

AliyunLogReadOnlyAccess: This policy provides permissions to select an existing Simple Log Service project to store audit logs when creating a cluster, or to view the configuration inspection setting of a cluster.

AliyunAHASReadOnlyAccess: This policy provides permissions to view the cluster topology.

AliyunRAMFullAccess: This policy provides permissions to globally manage authorizations within an Alibaba Cloud account.

AliyunYundunSASReadOnlyAccess: This policy provides permissions to monitor the runtime of a cluster.

AliyunARMSReadOnlyAccess: This policy provides permissions to view the status of the Managed Service for Prometheus plug-in.

AliyunKMSReadOnlyAccess: This policy provides permissions to view keys in Key Management Service (KMS) when creating an ACK Pro cluster.

AliyunESSReadOnlyAccess: This policy provides permissions to view node pools.

Attach a system policy to a RAM user or RAM role

Note

An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create an account administrator.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Select the system policy that you want to attach.

    4. Click Grant permissions.

  5. Click Close.

Custom policies

The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to control the operation permissions on a specified cluster, you must create a custom policy to meet this requirement for fine-grained management.

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab and enter the content of the policy.

    {
        "Statement": [{
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*",
                "cs:ScaleCluster",
                "cs:DeleteCluster"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/Cluster ID"
            ]
        }],
        "Version": "1"
    }

    Parameter: Description

    Action: The permissions that you want to grant. Wildcard characters are supported.

    Resource: Replace Cluster ID with the actual ID of the cluster.

    • Grant permissions on one cluster

      "Resource": [
          "acs:cs:*:*:cluster/Cluster ID"
      ]

    • Grant permissions on multiple clusters

      "Resource": [
          "acs:cs:*:*:cluster/Cluster ID",
          "acs:cs:*:*:cluster/Cluster ID"
      ]

    • Grant permissions on all clusters

      "Resource": [
          "*"
      ]
  5. Click Next to edit policy information, enter the name of the policy, and click OK.

  6. Return to the Policies page. To find the policy, enter its name or description in the search box.

Step 2: Attach the custom policy to a RAM user or RAM role

You can attach a custom policy in the same way you attach a system policy. For more information, see Attach a system policy to a RAM user or RAM role.

Examples

Authorize a RAM user or RAM role to call non-cluster-specific API operations

If you want to authorize a RAM user to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.

The following code block shows the current RAM policy:

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}

To grant the permissions to call the DescribeEvents operation, you must add the corresponding RAM action cs:DescribeEvents to the RAM policy, as shown in the following code block:

{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
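To make the Resource forms from Step 1 and the DescribeEvents example above concrete, the following added example (not code from Alibaba Cloud or this page) is a minimal, simplified evaluator for RAM-style policy documents. It assumes case-sensitive glob matching for Action and Resource, that an explicit Deny overrides Allow, and that a non-cluster-specific call carries no cluster ARN (modelled as resource=None, which only a Resource entry of "*" can match). The cluster IDs, region and account number are constructed placeholders. It also includes a small audit helper that flags Allow statements granting non-read actions on every resource, the grants the "Proceed with caution" note above is about.

```python
"""
Minimal evaluator for RAM-style policy documents.

Added example, not Alibaba Cloud's policy engine. Simplifying assumptions:
  * "Action" and "Resource" entries are case-sensitive glob patterns in which
    '*' matches any run of characters.
  * An explicit Deny statement overrides any Allow; a request that no
    statement matches is implicitly denied.
  * A non-cluster-specific call such as cs:DescribeEvents carries no cluster
    ARN. It is modelled as resource=None, and only a Resource entry of "*"
    can match it, which reproduces the behaviour described on the page.
"""
from fnmatch import fnmatchcase

# Constructed cluster IDs, region and account number (not real resources).
CLUSTER_ID_A = "c0123456789abcdef0123456789abcde"
CLUSTER_ID_B = "cfedcba9876543210fedcba987654321"
CLUSTER_A = f"acs:cs:cn-hangzhou:1234567890123456:cluster/{CLUSTER_ID_A}"
CLUSTER_B = f"acs:cs:cn-hangzhou:1234567890123456:cluster/{CLUSTER_ID_B}"

# Policy before the fix: read actions scoped to a single cluster.
POLICY_BEFORE = {
    "Statement": [{
        "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
        "Effect": "Allow",
        "Resource": [f"acs:cs:*:*:cluster/{CLUSTER_ID_A}"],
    }],
    "Version": "1",
}

# Policy after the fix: an extra statement grants cs:DescribeEvents on "*".
POLICY_AFTER = {
    "Statement": [
        {"Action": ["cs:DescribeEvents"], "Effect": "Allow", "Resource": ["*"]},
        POLICY_BEFORE["Statement"][0],
    ],
    "Version": "1",
}

READ_PREFIXES = ("cs:Get", "cs:List", "cs:Describe")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """True if any glob pattern matches value; a None value matches only "*"."""
    if value is None:
        return "*" in patterns
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource=None):
    """Evaluate one request (action on resource) against a policy document."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(_as_list(stmt["Action"]), action)
                and _matches(_as_list(stmt["Resource"]), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny wins regardless of statement order
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def broad_write_statements(policy):
    """Audit helper: indices of Allow statements that grant a non-read action
    on every resource ("*"), i.e. the grants to review before attaching."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        if any(not a.startswith(READ_PREFIXES) for a in _as_list(stmt["Action"])):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, "DescribeEvents:", is_allowed(policy, "cs:DescribeEvents"))
        print(label, "DescribeClusterDetail on A:",
              is_allowed(policy, "cs:DescribeClusterDetail", CLUSTER_A))
        print(label, "DescribeClusterDetail on B:",
              is_allowed(policy, "cs:DescribeClusterDetail", CLUSTER_B))
        print(label, "broad write statements:", broad_write_statements(policy))
```

Running the script shows why the first policy is insufficient: cs:DescribeEvents matches the cs:Describe* action pattern, but the request has no cluster ARN for the cluster-scoped Resource entry to match, so it is denied until the "*" statement is added. The audit helper returns an empty list for both page policies because the only "*" grant is a read action; a statement such as cs:* on "*" would be flagged.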

What to do next

  • After you complete the steps in this topic, you need to grant RBAC permissions on Kubernetes resources so that the RAM user or RAM role can manage internal resources in the cluster. For more information, see Grant RBAC permissions to a RAM user or RAM role.

  • Before you perform RBAC authorization for the RAM user or RAM role, make sure that the RAM user or RAM role has read-only permissions on the cluster that you want to manage.

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>"
          ]
        }
      ],
      "Version": "1"
    }