Grant the sub-accounts the corresponding permissions before using the sub-accounts to log on to the Container Service console and perform the operations.
Log on to the RAM console.
Click Users in the left-side navigation pane.
Click Create User in the upper-right corner.
Enter the username of the sub-account and then click OK.
On the User Management page, click Manage at the right of the created sub-account.
Click Enable Console Logon in the Web Console Logon Management section.
Enter the logon password in the appeared dialog box and click OK.
On the User Management page, click Authorize at the right of the created sub-account.
Select the authorization policy and click to add the policy to the Selected Authorization Policy Name.
You can use the following system default authorization policies:
- AliyunCSFullAccess: Provides full access to Container Service.
- AliyunCSReadOnlyAccess: Provides read-only access to Container Service.
You can also create custom authorization policies as per your needs and grant the policies to the sub-accounts. For more information, see Create custom authorization policies.
Log on to the Container Service console with a sub-account.
If you have granted the AliyunCSDefaultRole and AliyunCSClusterRole roles to the main account, you can use the sub-account directly to log on to the Container Service console and perform the operations.
If you have not granted the AliyunCSDefaultRole or AliyunCSClusterRole roles to the main account before, click Confirm Authorization Policy in the appeared Cloud Resource Access Authorization page.
Then, refresh the Container Service console to perform the operations.