Grant RAM permissions to a RAM user or RAM role

By default, RAM users and RAM roles cannot call cloud service APIs. To use APIs for Container Service for Kubernetes (ACK) and Container Compute Service (ACS) or view clusters in the ACS console, you must grant the necessary permissions.

Prerequisites

Before creating a custom policy, familiarize yourself with the basic structure and syntax of the policy language. For more information, see Policy elements.

System policies

Use system policies for quick authorization when a RAM user or RAM role needs O&M permissions on all clusters in your Alibaba Cloud account.

Common system policies for ACS

Policy name | Description
AliyunAccFullAccess | Grants full access to all Container Compute Service (ACS) APIs.
AliyunCSFullAccess | Grants full access to all Container Service for Kubernetes (ACK) APIs. See the note below this table.
AliyunVPCReadOnlyAccess | Allows selecting a Virtual Private Cloud (VPC) when you create a cluster.
AliyunECSReadOnlyAccess | Allows viewing cluster node details.
AliyunContainerRegistryFullAccess | Grants permissions to manage container images in your Alibaba Cloud account.
AliyunLogReadOnlyAccess | Allows selecting an existing Log Service project to store audit logs or view the configuration inspection of a cluster.
AliyunAHASReadOnlyAccess | Allows viewing the cluster topology by using Application High Availability Service (AHAS).
AliyunRAMFullAccess | Grants permissions to manage authorizations across your Alibaba Cloud account.
AliyunYundunSASReadOnlyAccess | Allows viewing runtime security monitoring for a cluster by using Security Center.
AliyunARMSReadOnlyAccess | Allows viewing the monitoring status of the Prometheus plug-in for a cluster by using Application Real-Time Monitoring Service (ARMS).
AliyunKMSReadOnlyAccess | Allows viewing keys in Key Management Service (KMS) when you create an ACK Pro cluster.
AliyunESSReadOnlyAccess | Allows viewing node pool operations by using Auto Scaling.

Note

The AliyunCSFullAccess system policy includes only RAM permissions for ACK. If you need to manage applications in an ACK cluster, you must also grant RBAC permissions. For more information, see Custom RBAC policies. This policy grants read and write permissions on all ACK clusters, excluding ACS-type clusters. Grant these permissions with caution.

Attach a system policy

Note

An Alibaba Cloud account has full management permissions on all its resources. You can also create a RAM user and attach the AdministratorAccess policy to allow the RAM user to function as an account administrator. This administrator can manage all cloud resources in the account. For more information, see Create a RAM user as an account administrator.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users in one operation.

  4. In the Grant Permission panel, select a policy and complete the authorization.

    1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • Resource Group: The authorization takes effect on a specific resource group.

        Important

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use resource groups to manage ECS access.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The RAM user you selected on the Users page is automatically filled in.

    3. Select the system policy to attach.

    4. Click OK, then click Close to complete the authorization.

Custom policies

ACK provides coarse-grained system policies. If these do not meet your security requirements, create a custom policy. For example, custom policies are required for fine-grained access control, such as managing permissions for a specific cluster.

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab and paste the following policy document.

    {
        "Statement": [{
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*",
                "cs:ScaleCluster",
                "cs:DeleteCluster"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/<cluster_id>"
            ]
        }],
        "Version": "1"
    }

    Parameter | Description

    Action
      The permissions to grant. All actions support wildcards.

    Resource
      You can configure this parameter in one of the following ways. Replace <cluster_id> with your cluster ID, for example, cae93341766c843479ae986b3305xxxxx.

      • Grant permissions on a single cluster

        "Resource": [
            "acs:cs:*:*:cluster/<cluster_id>"
        ]

      • Grant permissions on multiple clusters

        "Resource": [
            "acs:cs:*:*:cluster/<cluster_id_1>",
            "acs:cs:*:*:cluster/<cluster_id_2>"
        ]

      • Grant permissions on all clusters

        "Resource": [
            "*"
        ]

  5. After you paste the policy content, click OK. In the dialog box that appears, enter a policy name and click OK.

  6. Return to the Policies page and search by the policy name or description to verify its creation.

Step 2: Attach the custom policy

The procedure to attach a custom policy is the same as for a system policy. During the selection step, choose the custom policy you created. For more information, see Attach a system policy.

Example

Grant permissions for API operations that do not support cluster-level authorization

Some API operations, such as DescribeEvents, do not support cluster-level authorization. To grant a RAM user or RAM role permissions for these API operations, do not specify a cluster ID in the Resource element.

For example, consider the following RAM policy:

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/<cluster_id>"
            ]
        }
    ],
    "Version": "1"
}

To grant permissions for the DescribeEvents API operation, which does not support cluster-level authorization, add a new statement. This statement must contain the cs:DescribeEvents action and specify a wildcard resource (*). The modified policy is as follows:

{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/<cluster_id>"
            ]
        }
    ],
    "Version": "1"
}
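To make the effect of the cluster-scoped Resource element and the separate wildcard statement for cs:DescribeEvents concrete, the following Python is an added example (not code from this page or from Alibaba Cloud). It models RAM policy matching in a simplified way, assuming shell-style glob semantics for wildcards and no Condition elements, and adds a small least-privilege check that flags non read-only actions granted on a wildcard resource. The policy document and the request values are constructed; <cluster_id> stays a placeholder.

```python
import fnmatch
import json

# Constructed sample: the page's cluster-scoped read-only policy plus the
# wildcard statement that cs:DescribeEvents needs (it ignores cluster IDs).
POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["cs:DescribeEvents"], "Effect": "Allow", "Resource": ["*"]},
    {"Action": ["cs:Get*", "cs:List*", "cs:Describe*"], "Effect": "Allow",
     "Resource": ["acs:cs:*:*:cluster/<cluster_id>"]}
  ],
  "Version": "1"
}
""")

# Read-only action patterns, taken from the page's read-only policy example.
READ_ONLY_PATTERNS = ("cs:Get*", "cs:List*", "cs:Describe*")


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # Assumption: RAM wildcards behave like shell globs ("*" matches any run of characters).
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
        any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins; otherwise at least one
    Allow statement must match both the action and the requested resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def wildcard_write_grants(policy):
    """Return (action, resource) pairs where an Allow statement grants a
    non read-only action on the wildcard resource "*"; review these first."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for act in _as_list(stmt["Action"]):
            if not any(fnmatch.fnmatchcase(act, p) for p in READ_ONLY_PATTERNS):
                findings.append((act, "*"))
    return findings
```

A DescribeEvents request carries no cluster ID, so it only succeeds through the wildcard statement; the cluster-scoped statement alone does not match it.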

Next steps

  • After granting RAM permissions, you must also configure Role-Based Access Control (RBAC) permissions to manage Kubernetes resources within the cluster. For more information, see Grant RBAC permissions to a RAM user or RAM role.

  • Before granting RBAC permissions, ensure the RAM user or RAM role has read-only RAM permissions for the target cluster. The following policy is an example:

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<cluster_id>"
          ]
        }
      ],
      "Version": "1"
    }