All Products
Search
Document Center

Container Compute Service:Use RRSA to authorize different pods to access different cloud services

Last Updated:Aug 21, 2024

You can use the RAM Roles for Service Accounts (RRSA) feature to enforce access control on different pods that are deployed in a cluster. This implements fine-grained API permission control on pods and reduces security risks. This topic describes how to use RRSA.

Background information

An application deployed in a Kubernetes cluster can use a Security Token Service (STS) token generated for the RAM role assumed the application pod to call the API operations of cloud services. Alibaba Cloud Container Compute Service (ACS) supports the RRSA feature. In multi-tenant scenarios, you can use the RRSA feature to authorize different pods to access different cloud services. You can use the RRSA feature in ACS clusters to control the validity period of STS tokens.

image

The following steps show how an application accesses a cloud resource when RRSA is used to enforce access control:

  1. The tenant deploys a pod that has the feature of service account token volume projection enabled.

    Note

    The ACS cluster has the feature of service account token volume projection enabled by default.

  2. The ACS cluster creates a service account OpenID Connect (OIDC) token file and mounts the token file to the pod.

  3. The application in the pod uses the OIDC token file to call the AssumeRoleWithOIDC API operation of STS and obtain the STS token that is used to assume a RAM role.

    Note

    To enable the application to perform these operations, you must first modify the configuration of the RAM role to authorize the service account used by the pod to assume the specified RAM role. For more information, see AssumeRoleWithOIDC.

  4. The application in the pod uses the STS token to assume the specified RAM role and then calls the API of the relevant cloud service.

Enable RRSA

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the ID of the cluster that you want to manage or click Details in the Actions column of the cluster.

  3. On the cluster details page, click the Basic Information tab. In the Cluster Information section, click Enable RRSA for RRSA OIDC.

  4. In the Enable RRSA message, click Confirm.

    In the Basic Information section, if the cluster status changes from Updating to Running, the RRSA feature is enabled for the cluster and the URL and Alibaba Cloud Resource Name (ARN) of the OIDC provider are displayed next to RRSA OIDC.

After RRSA is enabled, ACS performs the following operations in the background:

  • Automatically creates an OIDC issuer that is dedicated to the cluster. The OIDC issuer is managed by ACS. For more information, see OIDC Issuer.

  • Creates an OIDC provider within your account. The OIDC provider uses the OIDC issuer. The OIDC provider is named acs-rrsa-<cluster_id>. <cluster_id> indicates the ID of your cluster. For more information, see Manage an OIDC IdP.

Work with RRSA

After you enable RRSA for your cluster, perform the following steps to enable the applications in the cluster to obtain STS tokens through RRSA. The STS tokens are used to call the APIs of specific cloud services.

Examples

In this example, an application is created and RRSA is enabled for the cluster to allow the application to perform the following operations: assuming a specified RAM role and then calling an API operation to query clusters that belong to the current Alibaba Cloud account.

Sample configurations

  • Namespace: rrsa-demo

  • Service account: demo-sa

  • RAM role: demo-role-for-rrsa

Procedure

Note

If you want to use an existing RAM role, you must grant the required permissions to the RAM role. For more information, see Use an existing RAM role and grant the required permissions to the RAM role.

  1. Create a RAM role named demo-role-for-rrsa.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles. On the Roles page, click Create Role.

    3. In the Create Role panel, select IdP for Select Trusted Entity and click Next.

    4. On the Configure Role wizard page, set the following parameters and click OK.

      The following table describes the parameters that are configured in this example.

      Parameter

      Description

      RAM Role Name

      The name of the RAM role. In this example, demo-role-for-rrsa is used.

      Note

      Optional. The description of the RAM role.

      IdP Type

      The type of the identity provider (IdP). Select OIDC.

      Select IdP

      acs-rrsa-<cluster_id>. <cluster_id> indicates the ID of your cluster.

      Conditions

      • oidc:iss: Use the default value.

      • oidc:aud: Select sts.aliyuncs.com.

      • oidc:sub: Set the condition operator to StringEquals and enter a value in the system:serviceaccount:<namespace>:<serviceAccountName> format.

        • <namespace>: the namespace of the application.

        • <serviceAccountName>: Specify the name of the service account.

        In this example, enter system:serviceaccount:rrsa-demo:demo-sa.

  2. Attach the AliyunCSReadOnlyAccess policy to the RAM role created in Step 2 to grant the required permissions to the application. For more information, see Grant permissions to a RAM role.

  3. Deploy an application. For more information about the SDK demos, see Demos of Alibaba Cloud SDKs that support OIDC token authentication of RRSA.

    1. Create a file named demo.yaml based on the following requirements:

      View sample code

      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: rrsa-demo
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: demo-sa
        namespace: rrsa-demo
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        namespace: rrsa-demo
      spec:
        containers:
        - args:
          - rrsa
          - demo
          env:
          - name: ALIBABA_CLOUD_ROLE_ARN
            value: <role_arn>
          - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
            value: <oid_provider_arn>
          - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
            value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
          image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
          imagePullPolicy: Always
          name: demo
          volumeMounts:
          - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
            name: rrsa-oidc-token
            readOnly: true
        restartPolicy: OnFailure
        serviceAccount: demo-sa
        serviceAccountName: demo-sa
        volumes:
        - name: rrsa-oidc-token
          projected:
            defaultMode: 420
            sources:
            - serviceAccountToken:
                audience: sts.aliyuncs.com
                expirationSeconds: 3600
                path: token
      Important

      Modify the following fields in the preceding template:

      • Replace <oid_provider_arn> with the ARN of the OIDC provider used by the cluster. You can obtain the ARN on the Basic Information tab of the Cluster Information page in the ACS console.

      • Replace <role_arn> with the ARN of the RAM role that is used by the application. You can obtain the ARN on the Roles page in the RAM console.

      • The value of the audience parameter must be set to sts.aliyuncs.com.

      • Set expirationSeconds to a value from 600 to 43200. Unit: seconds. If you specify a value larger than 43200, the validity period of the OIDC token is still 43,200 seconds (12 hours).

      After you redeploy the application based on the modified template, the application can use the OIDC token file, the RAM role ARN, and the OIDC provider ARN that you specified in the template to call the AssumeRoleWithOIDC operation of STS and obtain the STS token that is used to assume a specific RAM role. This way, the application can call the APIs of different cloud services. The OIDC token file is specified in the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable, the RAM role ARN is specified in the ALIBABA_CLOUD_ROLE_ARN environment variable, and the OIDC provider ARN is specified in the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable. For more information about the RRSA SDK demos used by the application, see Alibaba Cloud SDKs that support the OIDC token authentication of RRSA. For more information, see AssumeRoleWithOIDC.

    2. Run the following command to deploy the application:

      kubectl apply -f demo.yaml
  4. Run the following command to print the log of the application:

    kubectl -n rrsa-demo logs demo

    A list of clusters are displayed in the output:

    cluster id: cf***, cluster name: foo*
    cluster id: c8***, cluster name: bar*
    cluster id: c4***, cluster name: foob*
  5. Optional: Detach the AliyunCSReadOnlyAccess system policy from the RAM role. For more information, see Remove permissions from a RAM role.

    Wait 30 seconds and run the following command to print the log of the application again:

    kubectl -n rrsa-demo logs demo

    The following error message indicates that the application does not have the required permissions:

       StatusCode: 403
       Code: StatusForbidden
       Message: code: 403, STSToken policy Forbidden for action cs:DescribeClusters request id: E78A2E2D-***
       Data: {"accessDeniedDetail":{"AuthAction":"cs:DescribeClusters","AuthPrincipalDisplayName":"demo-role-for-rrsa:ack-ram-tool","AuthPrincipalOwnerId":"11***","AuthPrincipalType":"AssumedRoleUser","NoPermissionType":"ImplicitDeny","PolicyType":"ResourceGroupLevelIdentityBasedPolicy"},"code":"StatusForbidden","message":"STSToken policy Forbidden for action cs:DescribeClusters","requestId":"E78A2E2D-***","status":403,"statusCode":403}

Use an existing RAM role and grant the required permissions to the RAM role

If you want the application to use an existing RAM role, you must modify the trust policy of the RAM role based on the following template. This way, the application can use the service account to assume the RAM role and obtain an STS token. For more information, see Edit the trust policy of a RAM role.

Example of the Statement configurations:

{
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "oidc:aud": "sts.aliyuncs.com",
      "oidc:iss": "<oidc_issuer_url>",
      "oidc:sub": "system:serviceaccount:<namespace>:<service_account>"
    }
  },
  "Effect": "Allow",
  "Principal": {
    "Federated": [
      "<oidc_provider_arn>"
    ]
  }
}
Important

Modify the following fields in the Statement configurations:

  • Replace <oidc_issuer_url> with the URL of the OIDC provider used by the cluster. You can obtain the URL on the Basic Information tab of the Cluster Information page in the ACS console.

  • Replace <oidc_provider_arn> with the ARN of the OIDC provider used by the cluster. You can obtain the ARN on the Basic Information tab of the Cluster Information page in the ACS console.

  • Replace <namespace> with the namespace of the application.

  • Replace <service_account> with the service account used by the application.

Demos of Alibaba Cloud SDKs that support OIDC token authentication of RRSA

Some Alibaba Cloud SDKs allow applications to call the APIs of specific cloud services by using the OIDC tokens of RRSA. The following table describes the supported SDK versions and demos.

Programming language

Supported SDK version

Demo

Go

Alibaba Cloud Credentials for Go 1.2.6 and later

SDK demos for Go

Java

Alibaba Cloud Credentials for Java 0.2.10 and later

SDK demos for Java

Python 3

Alibaba Cloud Credentials for Python 0.3.1 and later

SDK demos for Python 3

Node.js and TypeScript

Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later

SDK demos for Node.js and TypeScript

References