Create and authorize users in ACK One GitOps-Container Service for Kubernetes(ACK)-阿里云帮助中心

Create local or RAM users and configure Argo CD RBAC for application-level access control.

User types

ACK One GitOps supports multi-user team collaboration. Administrators can create or delete users and configure Argo CD RBAC permissions and Argo CD Application permissions per user. The following two user types are supported:

User type	Description	Best for
Local user	Created in Argo CD. Supports UI login and API key generation.	Small teams or automated CI/CD pipelines that don't need SSO, login history, or group-based access
RAM user or RAM role	Alibaba Cloud identity. RAM users log in through SSO—no separate credentials required.	Teams using RAM for identity management, or requiring group-based access, login history, or fine-grained permissions

Create a local user

Prerequisites

Ensure the following:

kubectl is connected to the Fleet instance with the kubeconfig from the ACK One console.
GitOps is enabled for the Fleet instance.
The Argo CD administrator password. See Access Argo CD using the Argo CD CLI.

Add a local user

Edit the argocd-cm ConfigMap.
```
kubectl edit cm argocd-cm -n argocd
```
Add the local user under the data field. This example adds a user named localuser1.
```
data:
  accounts.localuser1: login,apiKey    # Grants UI login and API key generation
  accounts.localuser1.enabled: "true"  # Enables the user
```
Each account supports two capabilities:
- login — log in to the Argo CD UI and CLI
- apiKey — generate authentication tokens for API access

Verify that the user was created.

argocd account list

Expected output:

NAME        ENABLED  CAPABILITIES
admin       true     login
localuser1  true     login,apiKey

Set a password and generate a token.

# Set a password
argocd account update-password \
  --account localuser1 \
  --current-password <admin-password> \
  --new-password <localuser1-password>

# Generate an API key token
argocd account generate-token --account localuser1
eyJhb......

Configure Argo CD RBAC permissions

Argo CD RBAC controls user and group access to resources. Policies are defined in the argocd-rbac-cm ConfigMap.

Predefined roles

To grant permissions, first assign permissions to a role, then map an SSO group or local user to the role. Custom roles are supported, and the following built-in roles are available:

Role	Permissions
`role:readonly`	Read-only (`get`) access to all Argo CD resources
`role:admin`	Full access to all Argo CD resources

Custom roles with fine-grained permissions are supported.

Policy syntax

All policies are defined in the .data.policy.csv field of argocd-rbac-cm.

Assign a permission (`p` rule):

p, <role/user/group>, <resource>, <action>, <object>

For resources within a project:

p, <role/user/group>, <resource>, <action>, <appproject>/<object>

Where:

<role/user/group> — a role name, local username, or SSO group/UID
<resource> — the Argo CD resource type
<action> — the operation to allow
<object> — the specific resource instance, or * for all

Map a user or group to a role (`g` rule):

g, <user/group>, <role>

Supported resources and actions

Argo CD supports the following resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, and extensions.

The following actions are supported: get, create, update, delete, sync, override, and action/<api-group>/<Kind>/<action-name>.

sync, override, and action/<api-group>/<Kind>/<action-name> are valid only for the applications resource.

Grant permissions to a local user

Edit the argocd-rbac-cm ConfigMap.

kubectl edit cm argocd-rbac-cm -n argocd

Add a g rule to map the local user to a role. This example maps localuser1 to role:admin.

Map localuser1 to role:admin for full access to all Argo CD resources.
Map localuser1 to the custom role project-admin (commented out) for project-scoped access.

Important

Do not modify other existing configurations in the ConfigMap.

data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow

      g, "14***01", role:admin          # Keep the current setting.
      g, localuser1, role:admin         # Map localuser1 to role:admin.
##    g, localuser1, role:project-admin # Alternative: map to a custom role.
    scopes: '[uid]'                     # Keep the current setting.

This example supports two scenarios:

Grant permissions to RAM users or RAM roles

ACK One GitOps integrates Argo CD UI and Argo CD CLI with Alibaba Cloud RAM SSO authentication by default. After you log in to the Alibaba Cloud console, you can access Argo CD UI or Argo CD CLI through SSO without re-entering credentials. Fleet instance administrators automatically receive Argo CD admin permissions. Regular RAM users require the fleet administrator to grant permissions.

For a regular RAM user, grant both:

Argo CD RBAC permissions in argocd-rbac-cm
Application-level permissions through Argo CD projects

Grant Argo CD RBAC permissions

Edit the argocd-rbac-cm ConfigMap.

kubectl edit cm argocd-rbac-cm -n argocd

Add a g rule to map the RAM user UID to a role. This example grants 27***02 the role:admin role.

data:
  policy.csv: |
##  p, role:project-admin, applications, *, */*, allow
##  p, role:project-admin, projects, *, *, allow

      g, "14***01", role:admin          # Keep the current setting.
      g, "27***02", role:admin          # Grant role:admin to RAM user 27***02.
##    g, "27***02", role:project-admin  # Alternative: map to a custom role.
    scopes: '[uid]'                     # Keep the current setting.

Grant Argo CD application permissions

Each application belongs to a project. Use projects to assign application permissions to different RAM users or roles.

Projects support these access controls:

Git repository limit — restricts allowed Git repositories for deployment
Cluster and namespace limit — restricts target clusters and namespaces for deployment
Object type limit — restricts deployable Kubernetes resource types (for example, RBAC, CRDs, DaemonSets, and NetworkPolicies)
Application-level RBAC — grants per-application permissions to RAM users or roles by binding project roles to OpenID Connect (OIDC) groups and JSON Web Tokens (JWTs)

To grant application permissions to a RAM user:

Use the RAM root account or a permission administrator account to log in to the RAM console. Click Users or Roles, open the target user or role, and copy the UID or Role ID.
Log in to the ACK One console. Choose Fleet > Multi-cluster GitOps, then click GitOps Console.
Go to Settings > Projects. Click + NEW PROJECT or open an existing project.
Click + ADD ROLE, configure the following, and click CREATE.
- GENERAL — basic role settings
- POLICY RULES — configure the application permissions
- GROUPS — enter the UID or Role ID copied in step 1, then click ADD GROUP

This example creates a role roletest that grants 27***02 read-only (get) access to all applications in the test project. After creating the role, click LOG IN VIA ALIYUN SSO to log in and verify the permissions.