All Products
Search
Document Center

Container Service for Kubernetes:RAM authorization

Last Updated:Feb 29, 2024
Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.
This topic describes the elements, such as Action, Resource, and Condition, which are defined by ACK. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate ACK is cs. You can grant permissions on ACK at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}
The following list describes the fields in the policy:
  • Effect: specifies the authorization effect. Valid values: Allow, Deny.
  • Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
  • Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
  • Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
    • Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
    • Condition_key: specifies the condition keys.
    • Condition_value: specifies the condition values.

Action

ACK defines the values that you can use in the Action element of a policy statement. The following table describes the values.
  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • API operation: the API operation that you can call to perform the operation.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
ActionsAPI operationAccess levelResource typeCondition keyAssociated operation
cs:AttachInstancesToNodePoolAttachInstancesToNodePoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:CancelClusterUpgradeCancelClusterUpgradeWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:CancelTaskCancelTaskWrite
All Resources
*
NoneNone
cs:CreateAutoscalingConfigCreateAutoscalingConfigWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:CreateClusterCreateClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/*
cs:ClusterType
cs:ClusterSpec
cs:ClusterProfile
cs:EnableSecretEncryption
cs:EnableApiServerEip
cs:EnableAddonLogtailDs
cs:EnableCoreControlPlaneComponentsLog
None
cs:CreateClusterNodePoolCreateClusterNodePoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:CreateTemplateCreateTemplateWrite
All Resources
*
NoneNone
cs:CreateTriggerCreateTriggerRead
All Resources
*
NoneNone
cs:DeleteClusterDeleteClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DeleteClusterNodepoolDeleteClusterNodepoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DeleteClusterNodesDeleteClusterNodesWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DeletePolicyInstanceDeletePolicyInstanceRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DeleteTemplateDeleteTemplateWrite
All Resources
*
NoneNone
cs:DeleteTriggerDeleteTriggerRead
All Resources
*
NoneNone
cs:DeployPolicyInstanceDeployPolicyInstanceRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeAddonsDescribeAddonsRead
All Resources
*
NoneNone
cs:DescribeClusterAddonInstanceDescribeClusterAddonInstanceRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterAddonMetadataDescribeClusterAddonMetadataRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterAddonsUpgradeStatusDescribeClusterAddonsUpgradeStatusRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterAttachScriptsDescribeClusterAttachScriptsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterDetailDescribeClusterDetailRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterEventsDescribeClusterEventsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterLogsDescribeClusterLogsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterNodePoolDetailDescribeClusterNodePoolDetailRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterNodePoolsDescribeClusterNodePoolsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterNodesDescribeClusterNodesRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterResourcesDescribeClusterResourcesRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeClusterTasksDescribeClusterTasksRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#cluster_id}
NoneNone
cs:DescribeClusterUserKubeconfigDescribeClusterUserKubeconfigRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
cs:KubeConfigDurationMinutes
None
cs:DescribeClusterVulsDescribeClusterVulsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeEventsDescribeEventsRead
All Resources
*
NoneNone
cs:DescribeKubernetesVersionMetadataDescribeKubernetesVersionMetadataRead
All Resources
*
NoneNone
cs:DescribeNodePoolVulsDescribeNodePoolVulsRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#cluster_id}
NoneNone
cs:DescribePoliciesDescribePoliciesRead
All Resources
*
NoneNone
cs:DescribePolicyDetailsDescribePolicyDetailsRead
All Resources
*
NoneNone
cs:DescribePolicyGovernanceInClusterDescribePolicyGovernanceInClusterRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribePolicyInstancesDescribePolicyInstancesRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribePolicyInstancesStatusDescribePolicyInstancesStatusRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:DescribeTaskInfoDescribeTaskInfoRead
All Resources
*
NoneNone
cs:DescribeTemplateAttributeDescribeTemplateAttributeRead
All Resources
*
NoneNone
cs:DescribeTemplatesDescribeTemplatesRead
All Resources
*
NoneNone
cs:DescribeTriggerDescribeTriggerRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:FixNodePoolVulsFixNodePoolVulsWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#cluster_id}
NoneNone
cs:GetUpgradeStatusGetUpgradeStatusRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:GetUserPermissionsDescribeUserPermissionRead
All Resources
*
NoneNone
cs:GrantPermissionGrantPermissionsWrite
All Resources
*
NoneNone
cs:InstallClusterAddonsInstallClusterAddonsWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ListTagResourcesListTagResourcesRead
All Resources
*
NoneNone
cs:MigrateClusterMigrateClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ModifyClusterModifyClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
cs:EnableApiServerEip
cs:ApiServerEipId
None
cs:ModifyClusterAddonModifyClusterAddonRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
cs:AddonName
None
cs:ModifyClusterNodePoolModifyClusterNodePoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ModifyClusterTagsModifyClusterTagsWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ModifyNodePoolNodeConfigModifyNodePoolNodeConfigWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ModifyPolicyInstanceModifyPolicyInstanceRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:OpenAckServiceOpenAckServiceWrite
All Resources
*
NoneNone
cs:PauseClusterUpgradePauseClusterUpgradeWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:PauseTaskPauseTaskWrite
All Resources
*
NoneNone
cs:Queryk8sComponentsUpdateVersionDescribeClusterAddonsVersionRead
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:RemoveNodePoolNodesRemoveNodePoolNodesWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:RepairClusterNodePoolRepairClusterNodePoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#cluster_id}
NoneNone
cs:ResumeTaskResumeTaskWrite
All Resources
*
NoneNone
cs:ResumeUpgradeClusterResumeUpgradeClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ScaleClusterNodePoolScaleClusterNodePoolWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:ScanClusterVulsScanClusterVulsWrite
All Resources
*
NoneNone
cs:TagResourcesTagResourcesWrite
All Resources
*
NoneNone
cs:UnInstallClusterAddonsUnInstallClusterAddonsWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
cs:EnableAddonLogtailDs
None
cs:UntagResourcesUntagResourcesWrite
All Resources
*
NoneNone
cs:UpdateK8sClusterUserConfigExpireUpdateK8sClusterUserConfigExpireWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:UpdateTemplateUpdateTemplateWrite
All Resources
*
NoneNone
cs:UpgradeClusterUpgradeClusterWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone
cs:UpgradeK8sComponentsUpgradeClusterAddonsWrite
Cluster
acs:cs:{#regionId}:{#accountId}:cluster/{#ClusterId}
NoneNone

Resource

ACK defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:
  • {#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
  • An asterisk (*) is used as a wildcard. Examples:
    • {#resourceType} is set to *, all resources are specified.
    • {#regionId} is set to *, all regions are specified.
    • {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource typeARN
Clusteracs:{#ramcode}:{#regionId}:{#accountId}:cluster/{#ClusterId}

Condition

ACK defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to ACK. For more information about the common condition keys, see Generic Condition Keyword.
The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.
Condition keyDescriptionData type
cs:ClusterTypeString
cs:ClusterSpecString
cs:ClusterProfileString
cs:EnableSecretEncryptionBoolean
cs:EnableApiServerEipBoolean
cs:ApiServerEipIdString
cs:KubeConfigDurationMinutesNumeric
cs:AddonNameString
cs:EnableAddonLogtailDsBoolean
cs:EnableCoreControlPlaneComponentsLogBoolean

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: