Alibaba Cloud Service Mesh (ASM) supports both Alibaba Cloud Resource Access Management (RAM) and Role-based Access Control (RBAC) authorization systems. This topic introduces the two authorization systems and describes how to use them in ASM.
In ASM, you can use RAM authorization to manage the access control of RAM users on ASM instances. For example, you can grant RAM users the permissions to create, modify, and delete ASM instances and to add clusters to ASM instances. For more information, see Customize RAM policies.
The following table describes the preset RBAC roles that you can assign to RAM users within your Alibaba Cloud account in the ASM console.
| Role | RBAC permissions on cluster resources |
| --- | --- |
| Mesh administrator | Has the read and write permissions on all resources in all namespaces. |
| Restricted user | Has the read-only permissions on resources visible in the ASM console in all or specific namespaces. |
| Unauthorized | Has no read or write permission on resources in all namespaces. |
The authorization procedure consists of RAM authorization followed by RBAC authorization:
- Create RAM users in the RAM console. For more information, see Create a RAM user.
- Customize RAM policies. For more information, see Customize RAM policies.
- Attach RAM policies to RAM users as required. For more information, see Grant permissions to a RAM user.
- Use your Alibaba Cloud account to assign the required RBAC roles to RAM users so that you can authorize the RAM users to use ASM instances that are created by the Alibaba Cloud account. In ASM, you can use Kubernetes RBAC authorization to manage the access control on resources in Kubernetes clusters. For more information, see Assign RBAC roles to RAM users.
- Grant mesh audit permissions to RAM users. For more information, see Grant mesh audit permissions to RAM users.
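The following manifest is an added illustration, not ASM's own preset role definitions, of how the "Mesh administrator" and "Restricted user" roles from the table above map onto the Kubernetes RBAC objects that step 4 relies on. The role names (`asm-mesh-admin`, `asm-restricted-reader`), the namespace `payments`, the API groups listed and the subject name placeholder are assumptions; the "Unauthorized" role corresponds to having no binding at all.

```yaml
# Added example (not from ASM): Kubernetes RBAC objects expressing the two
# non-empty preset roles. Names, namespace and subject are assumptions.
---
# Mesh administrator: read and write on all resources in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: asm-mesh-admin            # assumed name
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# A ClusterRoleBinding grants the role in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: asm-mesh-admin-binding    # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: asm-mesh-admin
subjects:
  - kind: User
    name: "<RAM-USER-SUBJECT>"    # placeholder: the RAM user's Kubernetes subject name
    apiGroup: rbac.authorization.k8s.io
---
# Restricted user: read-only verbs only. Defined once as a ClusterRole so the
# same rule set can be bound cluster-wide or per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: asm-restricted-reader     # assumed name
rules:
  - apiGroups: ["", "apps", "networking.istio.io", "security.istio.io"]  # assumed set of groups
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
# "Specific namespaces": a RoleBinding that references the ClusterRole limits
# the read-only grant to the namespace the binding lives in ("payments").
# To grant read-only access in all namespaces instead, bind the same
# ClusterRole with a ClusterRoleBinding, as done for the administrator above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: asm-restricted-reader-payments   # assumed name
  namespace: payments                    # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: asm-restricted-reader
subjects:
  - kind: User
    name: "<RAM-USER-SUBJECT>"    # placeholder: the RAM user's Kubernetes subject name
    apiGroup: rbac.authorization.k8s.io
```

After applying the manifest with `kubectl apply -f`, verify the effective scope before handing the account over: `kubectl auth can-i list pods -n payments --as <RAM-USER-SUBJECT>` should answer `yes` for the restricted reader, while the same check in another namespace, or with a write verb such as `delete`, should answer `no`. Keeping read-only rules in a ClusterRole and choosing the scope at binding time is what lets one role definition serve both the "all namespaces" and "specific namespaces" cases without duplicating rules.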