CCM role authorization


The SOFAStack cluster network plugin, Cloud Controller Manager (CCM), requires authorization to access cloud resources to provide services such as load balancing and unified ingress traffic management. During the precheck for creating a cluster, the system checks if the AliyunSofaCafeCCMRole role is available to the current user. If the role is not found, follow the steps below to grant the required permissions.

Procedure

  1. Go to the AliyunSofaCafeCCMRole role management page.

  2. On the Trust Policy tab, click Edit Trust Policy.

  3. In the Statement section, add the following content.

     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
             "RAM": [
                 "acs:ram::user_account_ID:root"
             ]
         }
     },
    Note

    The user_account_ID can be found in the ARN of the AliyunSofaCafeCCMRole role. For example, for the role acs:ram::1688168816881688:role/aliyunsofacafeccmrole, replace user_account_ID with 1688168816881688.

  4. When finished, click Save Trust Policy.

The following figure shows a modified trust policy. The added content is highlighted in red.

[Figure: modified trust policy with the added statement highlighted]
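The edit from steps 3 and 4 can be checked offline before saving. The following is an added example, not code from the original page or from SOFAStack: it derives the account ID from the role ARN, adds the statement once, and lists any RAM principal that is outside the role's own account or is still the unreplaced user_account_ID placeholder. The function names, the existing policy, and its service principal are constructed for illustration.

```python
import copy
import json
import re

# ARN shape taken from the page's note: acs:ram::<account_id>:role/<role_name>
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/[\w.\-/]+$")

def account_id_from_role_arn(role_arn):
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not a RAM role ARN: {role_arn!r}")
    return match.group(1)

def add_ccm_trust(policy, role_arn):
    """Return a copy of the trust policy with the page's statement added once."""
    account_id = account_id_from_role_arn(role_arn)
    statement = {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": [f"acs:ram::{account_id}:root"]},
    }
    merged = copy.deepcopy(policy)
    statements = merged.setdefault("Statement", [])
    if statement not in statements:      # idempotent: re-running adds nothing
        statements.insert(0, statement)
    return merged

def foreign_ram_principals(policy, role_arn):
    """RAM principals not in the role's own account (or an unreplaced placeholder)."""
    prefix = f"acs:ram::{account_id_from_role_arn(role_arn)}:"
    found = []
    for statement in policy.get("Statement", []):
        rams = statement.get("Principal", {}).get("RAM", [])
        rams = [rams] if isinstance(rams, str) else rams
        found += [p for p in rams if not p.startswith(prefix)]
    return found

# Constructed sample: the role ARN from the page's note and a made-up existing policy.
ROLE_ARN = "acs:ram::1688168816881688:role/aliyunsofacafeccmrole"
EXISTING = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": ["service.example.com"]},  # placeholder principal
}]}

if __name__ == "__main__":
    print(json.dumps(add_ccm_trust(EXISTING, ROLE_ARN), indent=4))
```

A non-empty result from `foreign_ram_principals` on the policy you are about to save means the statement trusts something other than the account that owns the role.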