By default, a Resource Access Management (RAM) user or RAM role does not have permissions to call the APIs of Alibaba Cloud services. You must authorize the RAM user or RAM role to use the APIs of Container Service for Kubernetes (ACK) and Alibaba Cloud Container Compute Service (ACS) and view clusters in the ACS console. This topic describes how to grant permissions to a RAM user or RAM role by using a system policy or custom policy.
Prerequisites
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.
System policies
Attach system policies: You can use this method to grant a RAM user or RAM role the read and write permissions on all clusters that belong to the current Alibaba Cloud account. We recommend that you use system policies to grant O&M permissions on all ACK clusters that belong to your Alibaba Cloud.
Attach a system policy to a RAM user or RAM role
An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create an account administrator.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant permissions to the RAM user.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
ResourceGroup: The authorization takes effect on a specific resource group.
ImportantIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Configure the Principal parameter.
The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
Select the system policy that you want to attach.
Click Grant permissions.
Click Close.
Custom policies
The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to control the operation permissions on a specified cluster, you must create a custom policy to meet this requirement for fine-grained management.
Step 1: Create a custom policy
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab and enter the content of the policy.
{ "Statement": [{ "Action": [ "cs:Get*", "cs:List*", "cs:Describe*", "cs:ScaleCluster", "cs:DeleteCluster" ], "Effect": "Allow", "Resource": [ "acs:cs:*:*:cluster/Cluster ID" ] }], "Version": "1" }Parameter
Description
Action
The permissions that you want to grant. Wildcard characters are supported.
Resource
Replace
Cluster IDwith the actual ID of the cluster.Grant permissions on one cluster
"Resource": [ "acs:cs:*:*:cluster/Cluster ID" ]Grant permissions on multiple clusters
"Resource": [ "acs:cs:*:*:cluster/Cluster ID", "acs:cs:*:*:cluster/Cluster ID" ]Grant permissions on all clusters
"Resource": [ "*" ]
Click Next to edit policy information, enter the name of the policy, and click OK.
Return to the Policies page, you can enter the name or description of the policy into the search box to find the policy.
Step 2: Attach the custom policy to a RAM user or RAM role
You can attach a custom policy in the same way you attach a system policy. For more information, see Attach a system policy to a RAM user or RAM role.
Examples
Authorize a RAM user or RAM role to call non-cluster-specific API operations
If you want to authorize a RAM user to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.
The following code block shows the current RAM policy:
{
"Statement": [
{
"Action": [
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/c2e63856bcd714197****"
]
}
],
"Version": "1"
}To grant the permissions to call the DescribeEvents operation, you must add the corresponding RAM action cs:DescribeEvents to the RAM policy, as shown in the following code block:
{
"Statement": [
{
"Action": [
"cs:DescribeEvents"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/c2e63856bcd714197****"
]
}
],
"Version": "1"
}What to do next
After you complete the steps in this topic, you need to grant RBAC permissions on Kubernetes resources so that the RAM user or RAM role can manage internal resources in the cluster. For more information, see Grant RBAC permissions to a RAM user or RAM role.
Before you perform RBAC authorization for the RAM user or RAM role, make sure that the RAM user or RAM role has read-only permissions on the cluster that you want to manage.
{ "Statement": [ { "Action": [ "cs:Get*", "cs:List*", "cs:Describe*" ], "Effect": "Allow", "Resource": [ "acs:cs:*:*:cluster/<yourclusterID>" ] } ], "Version": "1" }