You can use Alibaba Cloud Service Mesh (ASM) as a RAM user. This topic describes how to use ASM as a RAM user.

Step 1: Create a RAM user

  1. Log on to the Resource Access Management (RAM) console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. On the Create User page, set the Logon Name and Display Name parameters.
  5. In the Access Mode section, select Console Access.
  6. Click OK.

Step 2: Grant permissions to a RAM user

Note In ASM, you can use RAM roles and the service-linked role of ASM to authorize ASM to access other cloud services. For example, ASM must be authorized to create Server Load Balancer (SLB) instances that expose Istio Pilot. Before you use ASM instances, you must create a RAM role or the service-linked role for ASM. For more information, see the documentation of ASM. If you want to authorize a RAM user to create the service-linked role for ASM, you must grant the required permissions to the RAM user. For more information, see the "Precautions" section of the Manage the service-linked role for ASM topic.
  • To enable a RAM user to create ASM instances, you must use your Alibaba Cloud account to grant required permissions to the RAM user.
    1. Customize RAM policies. For more information, see Customize RAM policies.
    2. Attach the RAM policies to the RAM user.
      1. Log on to the RAM console by using your Alibaba Cloud account.
      2. In the left-side navigation pane, choose Identities > Users.
      3. On the Users page, find the RAM user that you want to authorize in the User Logon Name/Display Name column.
      4. Click Add Permissions. In the Add Permissions panel, the Principal field is automatically filled in.
      5. In the Authorization Policy Name column, click the RAM policies that you want to attach to the RAM user.
        Note In the box on the right, you can click the cross sign (×) next to a RAM policy to remove the selected RAM policy.
      6. Click OK. Then, click Complete.
        Note For more information about RAM authorization methods, see Grant permissions to a RAM user.
  • To authorize a RAM user to use ASM instances that are created by an Alibaba Cloud account, you must use the Alibaba Cloud account to grant the required permissions to the RAM user and to assign the required Role-Based Access Control (RBAC) role to the RAM user. For more information, see Authorization procedure.
    Notice To add Container Service for Kubernetes (ACK) clusters to ASM instances, a RAM user must have the access permissions on all namespaces of the ACK clusters to be added. In addition, the RAM user must have been assigned the predefined RBAC administrator role or the custom cluster-admin role. If the RAM user does not have the access permissions or is not assigned the required roles, you can use your Alibaba Cloud account to perform authorization. For more information, see Assign RBAC roles to RAM users.
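The custom RAM policies attached in Step 2 decide how much a RAM user can do with ASM, so it is worth checking them for grants wider than the steps above need. The following is an added example, not code from the ASM documentation: it lints a RAM policy document for all-action wildcards and for an unconditioned ram:CreateServiceLinkedRole grant. The "servicemesh:" action names and the service name in the Condition are assumed placeholders.

```python
import json

# Constructed sample policies in Alibaba Cloud RAM's JSON policy format
# ("Version": "1" plus a Statement list). The "servicemesh:" action names and
# the service name inside the Condition are assumed placeholders, not values
# from the ASM documentation.
BROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "servicemesh:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]})

SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["servicemesh:DescribeServiceMeshes", "servicemesh:CreateServiceMesh"]},
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "<asm-service-name-placeholder>"}}},
]})


def _as_list(value):
    """RAM accepts Action and Resource as a single string or as a list."""
    return value if isinstance(value, list) else [value]


def lint_ram_policy(document: str) -> list[str]:
    """Return one finding per Allow grant broader than the ASM steps require."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "1":
        findings.append('policy Version is not "1"')
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "*:*"):
                findings.append(f"statement {idx}: allows every action of every service")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard over all {action[:-2]} actions")
            elif action == "ram:CreateServiceLinkedRole" and "Condition" not in stmt:
                findings.append(f"statement {idx}: service-linked role creation is not "
                                "limited to one service by a Condition")
    return findings
```

Running lint_ram_policy over BROAD_POLICY reports three findings, while SCOPED_POLICY, which names the actions and ties the service-linked role grant to one service, reports none.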

Step 3: Log on to the ASM console as a RAM user

  • If the service-linked role feature is enabled for your Alibaba Cloud account, ASM prompts you to create the service-linked role for ASM after you log on to the ASM console by using a RAM user that belongs to the Alibaba Cloud account. For more information, see Manage the service-linked role for ASM.
  • If the service-linked role feature is disabled for your Alibaba Cloud account and the AliyunServiceMeshDefaultRole RAM role is not attached to your Alibaba Cloud account, you must log on to the ASM console by using your Alibaba Cloud account to complete authorization.
    1. Log on to the ASM console by using your Alibaba Cloud account.
    2. On the page that displays the message The service is unauthorized, click Authorize in RAM.
    3. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.