All Products
Search
Document Center

Container Service for Kubernetes:GrantPermissions

Last Updated:Apr 04, 2026

By default, a RAM user or RAM role has no RBAC permissions in a cluster they did not create, unless granted permissions at the all-clusters scope. Call the GrantPermissions operation to update the RBAC permissions for a RAM user or RAM role. This operation lets you configure accessible resources, permission scopes, and predefined roles to manage cluster access control.

Operation description

  • If you call this operation as a RAM user, you must have permission to modify the cluster permissions of other RAM users or RAM roles. Otherwise, the API call fails and returns the StatusForbidden or ForbiddenGrantPermissions error code. For more information, see Authorize a RAM user to manage the RBAC permissions of other RAM users.

  • This operation overwrites all existing cluster permissions for the specified RAM user or RAM role. Your request must include the complete set of permissions you want to grant.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

cs:GrantPermission

update

*All Resource

*

None None

Request syntax

POST /permissions/users/{uid} HTTP/1.1

Path Parameters

Parameter

Type

Required

Description

Example

uid

string

Yes

The ID of the RAM user or RAM role.

2367****

Request parameters

Parameter

Type

Required

Description

Example

body

array<object>

No

The request body parameters.

object

No

The authorization details.

cluster

string

Yes

The ID of the target cluster.

  • If you set the role_type parameter to all-clusters, set this parameter to an empty string.

c796c60***

is_custom

boolean

No

Set to true if role_name specifies a custom ClusterRole.

false

role_name

string

Yes

The name of the role to grant. Valid values:

  • admin: The administrator role.

  • admin-view: The read-only administrator role.

  • ops: The operations role.

  • dev: The developer role.

  • restricted: The restricted role.

  • The name of a custom ClusterRole.

Important
  • The admin, admin-view, and ops roles cannot be granted at the namespace scope.

  • The admin-view role is not currently supported for the all-clusters scope.

Valid values:

  • ops :

    ops

  • dev :

    dev

  • restricted :

    restricted

  • admin-view :

    admin-view

  • admin :

    admin

ops

role_type

string

Yes

The authorization scope. Valid values:

  • cluster: Grants permissions at the cluster scope.

  • namespace: Grants permissions at the namespace scope.

  • all-clusters: Grants permissions at the all-clusters scope.

cluster

namespace

string

No

The name of the namespace. This parameter is required only when role_type is set to namespace.

test

is_ram_role

boolean

No

Set to true if you are granting permissions to a RAM role.

false

Response elements

Element

Type

Description

Example

None defined.

Examples

Success response

JSON format

{}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.