By default, RAM users and RAM roles do not have permission to call the API operations of cloud services. Grant permission to a RAM user or RAM role by using a system or custom policy before calling ACK API operations. This topic describes how to grant RAM users and RAM roles access to clusters and cloud resources.
Grant permissions with a system policy
A system policy controls read and write access to global resources. If a RAM user or RAM role needs to manage all clusters in your Alibaba Cloud account, use a system policy for quick authorization. The following table lists common system policies for ACK.
System policies that grant full access contain high-risk permissions. To avoid security risks, grant these policies with caution.
An Alibaba Cloud account has full administrative permissions on all resources within the account. Alternatively, create a RAM user and grant the AdministratorAccess permission to make the user an account administrator. This administrator can manage all cloud resources in the account. For more information, see Create a RAM user as an account administrator.
- Log on to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Users page, find the target RAM user, and click Add Permissions in the Actions column.
  Alternatively, select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to multiple RAM users at once.
- In the Grant Permissions panel, grant permissions to the RAM user.
  - Configure the Resource Scope parameter.
    - Account: The authorization takes effect on the current Alibaba Cloud account.
    - Resource Group: The authorization takes effect on a specific resource group.
      Important: If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Control access to ECS instances with resource groups.
  - Configure the Principal parameter.
    The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.
  - Select the system policies to attach.
  - Click OK.
- Click Close.
Grant permissions with a custom policy
A custom policy provides fine-grained access control over cloud resources. For example, a custom policy can restrict a user's permissions on a specific cluster. Custom policies can also control permissions at the API level, which is useful for SDK-based custom development. For more information about the authorization items supported by RAM, see Authorization information.
Before creating a custom policy, familiarize yourself with the basic structure and syntax of the policy language. For more information, see Basic elements of a policy.
Step 1: Create a custom policy
- Sign in to the RAM console as a RAM administrator.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON Editor tab and enter the policy document. Replace YOUR_CLUSTER_ID with the ID of your target cluster.
  {
    "Statement": [
      {
        "Action": [
          "cs:Get*",
          "cs:List*",
          "cs:Describe*",
          "cs:ScaleCluster",
          "cs:DeleteCluster"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:cs:*:*:cluster/YOUR_CLUSTER_ID"
        ]
      }
    ],
    "Version": "1"
  }
  Parameter | Description |
  Action | The permissions to grant. Wildcard characters (*) are supported. |
  Resource | Grant permissions on a single cluster: "Resource": [ "acs:cs:*:*:cluster/YOUR_CLUSTER_ID" ] |
  | Grant permissions on multiple clusters: "Resource": [ "acs:cs:*:*:cluster/YOUR_CLUSTER_ID_1", "acs:cs:*:*:cluster/YOUR_CLUSTER_ID_2" ] |
  | Grant permissions on all clusters: "Resource": [ "*" ] |
- On the Create Policy page, click OK.
- In the Create Policy dialog box, enter a Policy Name and a Comment, and then click OK.
Step 2: Grant the custom policy
The steps for attaching a custom policy are the same as those for a system policy. When prompted to select a policy, choose the custom policy you created. For more information, see Grant permissions with a system policy.
Custom policy examples
Example 1: Grant read-only permission on a cluster
{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/YOUR_CLUSTER_ID"
      ]
    }
  ],
  "Version": "1"
}
Example 2: Grant OSS bucket read permission
Replace YOUR_OSS_BUCKET_NAME with the name of your target OSS bucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:YOUR_OSS_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:YOUR_OSS_BUCKET_NAME/*"
    }
  ]
}
Example 3: Grant permissions for non-cluster-scoped APIs
Some OpenAPI operations, such as DescribeEvents, do not support cluster-specific authorization. To grant a RAM user or RAM role permissions for these operations, omit the cluster ID from the Resource field. The following table compares the original and modified RAM policies:
Before | After |
| |
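The cluster-scoped Resource patterns from Step 1 (single cluster, several clusters, all clusters) and the unscoped form that operations such as DescribeEvents require (Example 3) can be checked before a policy is attached. The Python script below is an added example written for this page; it is not an Alibaba Cloud tool and it implements only a simplified model of RAM evaluation (a request is allowed when an Allow statement matches both its action and its resource, an explicit Deny always wins, and "*" in a pattern matches any run of characters), not the service's exact logic. The cluster IDs CLUSTER_A and CLUSTER_B, the region and the account ID in it are constructed placeholders; build_cluster_policy, is_allowed and risky_statements are names chosen here. It shows that the cluster-scoped policy grants nothing on another cluster, that dropping the cluster ID widens the grant to every resource, and flags the wildcard-action-on-"*" combination that the system-policy note warns about.

```python
"""Simplified evaluator and risk check for Alibaba Cloud RAM policy documents.

Added example for this page; not an Alibaba Cloud tool. It assumes the
evaluation model the documentation describes: default deny, a request is
allowed only if an Allow statement matches both action and resource, and an
explicit Deny always wins. '*' in Action and Resource patterns matches any
run of characters. Real RAM evaluation has more rules than modelled here.
"""
import json
import re


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern):
    """Compile a RAM-style pattern ('cs:Get*', 'acs:cs:*:*:cluster/abc') to a regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    return (any(_glob(a).match(action) for a in actions)
            and any(_glob(r).match(resource) for r in resources))


def is_allowed(policy, action, resource):
    """Return True if the policy allows `action` on `resource` (default deny, Deny wins)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def build_cluster_policy(actions, cluster_ids=None):
    """Build the page's cluster-scoped policy template.

    cluster_ids: one or more cluster IDs -> one ARN per cluster (single or
    multiple clusters); empty/None -> Resource ["*"], the form used for all
    clusters and for APIs that are not cluster-scoped (Example 3).
    """
    if cluster_ids:
        resources = [f"acs:cs:*:*:cluster/{cid}" for cid in cluster_ids]
    else:
        resources = ["*"]
    return {
        "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": resources}],
        "Version": "1",
    }


def risky_statements(policy):
    """Flag Allow statements that grant a wildcard action on every resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_resource = "*" in _as_list(stmt["Resource"])
        wide_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        if wide_resource and wide_action:
            findings.append(f"Statement {i}: wildcard action {stmt['Action']} on Resource '*'")
    return findings


# Constructed sample values: CLUSTER_A / CLUSTER_B, the region and the
# account ID stand in for real identifiers.
READ_ACTIONS = ["cs:Get*", "cs:List*", "cs:Describe*"]
CLUSTER_A = "acs:cs:cn-hangzhou:123456789012:cluster/CLUSTER_A"
CLUSTER_B = "acs:cs:cn-hangzhou:123456789012:cluster/CLUSTER_B"

if __name__ == "__main__":
    scoped = build_cluster_policy(READ_ACTIONS + ["cs:ScaleCluster", "cs:DeleteCluster"],
                                  ["CLUSTER_A"])
    print(json.dumps(scoped, indent=2))
    print(is_allowed(scoped, "cs:GetClusters", CLUSTER_A))     # True
    print(is_allowed(scoped, "cs:DeleteCluster", CLUSTER_B))   # False: other cluster
    print(is_allowed(build_cluster_policy(READ_ACTIONS), "cs:DescribeEvents",
                     "acs:cs:cn-hangzhou:123456789012:*"))     # True: unscoped
    print(risky_statements(build_cluster_policy(["cs:*"])))    # one finding
```

Run it as a script to print the generated policy and the evaluation results; the functions can also be imported and pointed at a policy document loaded with json.load before it is pasted into the JSON Editor. The Deny handling matters for reviews of existing policies: a later Deny statement removes an action even when an earlier Allow with a broad pattern covers it.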
Next steps
After granting RAM permissions, also configure RBAC authorization to manage Kubernetes resources within the cluster. For more information, see Use RBAC to authorize operations on resources in a cluster.
To improve security for ACK applications that access other cloud services, use RRSA to configure RAM permissions for a ServiceAccount, thereby isolating pod permissions. For more information, see Use RRSA to configure RAM permissions for a ServiceAccount and isolate pod permissions.
To implement fine-grained RAM authorization, see Implement fine-grained access control by using tags and Manually narrow down the permissions of the worker RAM role for an ACK managed cluster.
For information about how to troubleshoot authorization issues, see Authorization management FAQ.