Alibaba Cloud Service Mesh (ASM) supports both Alibaba Cloud Resource Access Management (RAM) and Role-based Access Control (RBAC) authorization systems. This topic introduces the two authorization systems and describes how to use them in ASM.

RAM authorization

In ASM, you can use RAM authorization to manage the access control of RAM users on ASM instances. For example, you can grant RAM users the permissions to create, modify, and delete ASM instances and to add clusters to ASM instances. For more information, see Customize RAM policies.

RBAC authorization

To authorize a RAM user to use ASM instances that are created by an Alibaba Cloud account, you must use the Alibaba Cloud account to grant the required permissions to the RAM user and to assign the required Role-based Access Control (RBAC) roles to the RAM user. In ASM, you can use Kubernetes RBAC authorization to manage access control on resources in Kubernetes clusters. For more information, see Authorization overview.
Note: Only Alibaba Cloud accounts can assign Role-based Access Control (RBAC) roles to RAM users.

The following table describes the preset RBAC roles that you can assign to RAM users within your Alibaba Cloud account in the ASM console.

Role                | RBAC permissions on cluster resources
Mesh administrator  | Read and write permissions on all resources in all namespaces.
Restricted user     | Read-only permissions on the resources visible in the ASM console, in all or in specific namespaces.
Unauthorized        | No read or write permissions on resources in any namespace.
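As an added example (not from the ASM documentation and not the ASM console's own role definitions), the Kubernetes RBAC objects below express the "Restricted user" tier scoped to a single namespace: read-only access to the Istio networking and security resources that the console displays, bound to one RAM user. The namespace `default`, the placeholder RAM user ID `123456789012345678`, and the convention of naming the Kubernetes User subject by RAM user ID are assumptions.

```yaml
# Added example: namespace-scoped read-only access equivalent to the
# "Restricted user" preset, written as plain Kubernetes RBAC.
# Assumptions: namespace "default"; the subject name is the RAM user ID
# (placeholder 123456789012345678); the API groups are the standard Istio
# CRD groups whose objects the ASM console shows.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: asm-restricted-user
  namespace: default
rules:
  # Istio traffic-management objects: read only, no create/update/delete.
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices", "destinationrules", "gateways", "serviceentries"]
    verbs: ["get", "list", "watch"]
  # Istio security policies: read only, so the user can audit but not relax them.
  - apiGroups: ["security.istio.io"]
    resources: ["authorizationpolicies", "peerauthentications", "requestauthentications"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: asm-restricted-user-binding
  namespace: default
subjects:
  # Kubernetes "User" subject identified by the RAM user ID (assumed convention).
  - kind: User
    name: "123456789012345678"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: asm-restricted-user
  apiGroup: rbac.authorization.k8s.io
```

Because this is a Role rather than a ClusterRole, the binding grants nothing outside `default`; the all-namespace form of the preset corresponds to the same rules in a ClusterRole bound by a ClusterRoleBinding. After applying, `kubectl auth can-i create virtualservices -n default --as 123456789012345678` should answer `no` while the same query with `get` answers `yes`.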

Authorization procedure

The authorization procedure includes RAM authorization and RBAC authorization.

  1. Create RAM users in the RAM console. For more information, see Create a RAM user.
  2. Customize RAM policies. For more information, see Customize RAM policies.
  3. Attach RAM policies to RAM users as required. For more information, see Grant permissions to a RAM user.
  4. Use your Alibaba Cloud account to assign required RBAC roles to RAM users so that you can authorize the RAM users to use ASM instances that are created by the Alibaba Cloud account.
    In ASM, you can use RBAC authorization of Kubernetes to manage the access control on resources in Kubernetes clusters. For more information, see Assign RBAC roles to RAM users.
  5. Grant mesh audit permissions to RAM users. For more information, see Grant mesh audit permissions to RAM users.