All Products
Search

This Product

    Container Service for Kubernetes:Use resource groups for fine-grained access control

    Document Center

    Container Service for Kubernetes:Use resource groups for fine-grained access control

    Last Updated:Jan 27, 2026

    You can use Resource Group to manage Container Service for Kubernetes (ACK) resources as a collection and apply Resource Access Management (RAM) policies that authorize actions only on resources within a specific group. This lets you enforce the principle of least privilege (PoLP) in your Alibaba Cloud account.

    Note

    You can scope permissions to a resource group only for supported resource types and actions. For unsupported actions, any resource group scope in a policy is ignored, and permissions must be granted at the account level instead.

    How it works

    Resource groups organize your resources by project or environment. Once resources are grouped, you can attach a RAM policy to an identity (such as a RAM user, user group, or role) that scopes its permissions exclusively to that group. For more information, see Resource grouping and authorization.

    This approach provides two key benefits:

    • Fine-grained access control: Instead of granting account-wide permissions, you can limit an identity's access to only the resources within a specific group. This helps isolate project-specific workloads and reduce the risk of unintended access.

    • Simplified management: When new resources are added to a resource group, RAM identities with permissions scoped to that group automatically gain access. You do not need to update RAM policies each time a new resource is created.

    Grant resource group-level permissions to a RAM user

    This section demonstrates how to grant a RAM user permission to access only the resources of Container Service for Kubernetes (ACK) within a specific resource group.

    1. Prerequisites

    2. Grant permissions

    You can grant resource group-level permissions from either the Resource Management console or the RAM console.

    Resource Management console

    • Log on to the Resource Management console.

    • On the Resource Group page, find the target resource group and click Manage Permission in the Actions column.

    • On the Permissions tab, click Grant Permission.

    • In the Grant Permission panel, configure the principal and access policy.

    • Click Grant permissions.

    For more information, see Grant permissions on resource groups to a RAM identity.

    RAM console

    • Log on to the RAM console using an Alibaba Cloud account or a RAM administrator account.

    • In the navigation pane on the left, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

    • In the Grant Permission panel, add permissions for the RAM user.

      • Resource Scope: Select Resource Group.

      • Principal: Select an existing RAM user or the RAM user created in the previous step.

      • Policy: Select a System Policy or a Custom Policy. For more information, see Create a custom permission policy.

    • Click OK.

    For more information, see Grant permissions to a RAM user.

    Supported resources

    The following resources from Container Service for Kubernetes (ACK) support resource group-level authorization:

    Alibaba Cloud service

    Service code

    Resource type

    Container Service for Kubernetes (ACK)

    cs

    cluster : cluster
    Note

    To request support for resource types not listed here, submit feedback via Resource Management console.

    image

    Unsupported actions

    The following actions of Container Service for Kubernetes (ACK) do not support resource group-level authorization:

    Action

    Description

    cs:CreateClusterOverviewReport

    -

    cs:CreateClusterReport

    -

    cs:CreateDiagnose

    -

    cs:CreateEdgeMachine

    -

    cs:CreateKubernetesTrigger

    You can call the CreateKubernetesTrigger operation to create a trigger for an application.

    cs:CreateQuickDiagnose

    -

    cs:CreateReportTaskRule

    -

    cs:CreateResourcesSystemTags

    -

    cs:CreateSessionMessage

    -

    cs:CreateTriggerHook

    -

    cs:DeleteEdgeMachine

    -

    cs:DeleteKubeConfigRecycleItem

    -

    cs:DeleteKubernetesTrigger

    You can call the DeleteKubernetesTrigger operation to delete an application trigger by trigger ID

    cs:DeleteReportTaskRule

    -

    cs:DeployApplication

    -

    cs:DescribeClusterAddonVersions

    -

    cs:DescribeClusters

    -

    cs:DescribeClustersV1

    -

    cs:DescribeEdgeMachineActiveProcess

    -

    cs:DescribeEdgeMachineModels

    -

    cs:DescribeEdgeMachineTunnelConfigDetail

    -

    cs:DescribeEdgeMachines

    -

    cs:DescribeEventsForRegion

    Queries all events in a specified region.

    cs:DescribeImages

    -

    cs:DescribeKubernetesTemplates

    -

    cs:DescribeMetaClusterInnerKubeconfig

    -

    cs:DescribeNodePoolNodePools

    -

    cs:DescribeRegionImages

    -

    cs:DescribeUserCapability

    -

    cs:EdgeClusterAddEdgeMachine

    -

    cs:GetAIDiagnosisResult

    -

    cs:GetAddonTemplateDifference

    -

    cs:GetClusterBasicInfo

    -

    cs:GetClusterCheckResult

    -

    cs:GetClusterComponent

    -

    cs:GetClusterReportSummary

    -

    cs:GetClusterServices

    -

    cs:GetDiagnosisCheckItem

    -

    cs:GetServiceQuota

    -

    cs:GetUserClusterResource

    -

    cs:GetUserInstanceResource

    -

    cs:ListClusterComponent

    -

    cs:ListClusterImage

    -

    cs:ListClusterReportSummary

    -

    cs:ListDeprecatedAPI

    -

    cs:ListDiagnosisResult

    -

    cs:ListReportTaskRule

    -

    cs:ListServiceQuotas

    -

    cs:ListUsers

    -

    cs:ModifyServiceQuota

    -

    cs:OpenAckService

    When using Container Service for Kubernetes (ACK) for the first time, you must call the OpenAckService operation to activate the service.

    cs:QueryUserClusterResource

    -

    cs:RegisterUser

    -

    cs:RestoreMultiKubeConfigRecycleItems

    -

    cs:RevokeMetaClusterInnerKubeconfig

    -

    cs:RevokeTriggerHook

    -

    cs:TagResources

    You can add labels in key-value pairs to clusters. This allows cluster developers or O\\\&M engineers to classify and manage clusters in a more flexible manner. This also meets the requirements for monitoring, cost analysis, and tenant isolation. You can call the TagResources operation to add labels to a cluster.

    cs:UnTagResources

    -

    cs:UntagResources

    If you no longer need the labels (key-value pairs) of a cluster, you can call the UntagResources operation to delete the labels.

    cs:UpdateCrossRegionCertForOps

    -

    cs:UpdateCrossRegionCerts

    -

    cs:UpdateCrossRegionPermissions

    -

    cs:UpdateUserPermissions

    In a Container Service for Kubernetes (ACK) cluster, non-cluster creators, Resource Access Management (RAM) users, and RAM roles do not have any Role-Based Access Control (RBAC) permissions in the cluster by default. You can call this operation to specify the resources that can be accessed, permission scope, and predefined roles. This helps you better manage the access control on resources in ACK clusters.

    For these actions, you must create a custom policy with the scope set to Account.

    image.pngCustomize the following policy examples to suit your needs:

    • Allow read-only access

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeClusterAddonVersions",
        "cs:DescribeClusters",
        "cs:DescribeClustersV1",
        "cs:DescribeEdgeMachineActiveProcess",
        "cs:DescribeEdgeMachineModels",
        "cs:DescribeEdgeMachineTunnelConfigDetail",
        "cs:DescribeEdgeMachines",
        "cs:DescribeEventsForRegion",
        "cs:DescribeImages",
        "cs:DescribeKubernetesTemplates",
        "cs:DescribeMetaClusterInnerKubeconfig",
        "cs:DescribeNodePoolNodePools",
        "cs:DescribeRegionImages",
        "cs:DescribeUserCapability",
        "cs:GetAIDiagnosisResult",
        "cs:GetAddonTemplateDifference",
        "cs:GetClusterBasicInfo",
        "cs:GetClusterCheckResult",
        "cs:GetClusterComponent",
        "cs:GetClusterReportSummary",
        "cs:GetClusterServices",
        "cs:GetDiagnosisCheckItem",
        "cs:GetServiceQuota",
        "cs:GetUserClusterResource",
        "cs:GetUserInstanceResource",
        "cs:ListClusterComponent",
        "cs:ListClusterImage",
        "cs:ListClusterReportSummary",
        "cs:ListDeprecatedAPI",
        "cs:ListDiagnosisResult",
        "cs:ListReportTaskRule",
        "cs:ListServiceQuotas",
        "cs:ListUsers",
        "cs:QueryUserClusterResource"
      ],
      "Resource": "*"
    }
  ]
}

    • Allow full access

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:CreateClusterOverviewReport",
        "cs:CreateClusterReport",
        "cs:CreateDiagnose",
        "cs:CreateEdgeMachine",
        "cs:CreateKubernetesTrigger",
        "cs:CreateQuickDiagnose",
        "cs:CreateReportTaskRule",
        "cs:CreateResourcesSystemTags",
        "cs:CreateSessionMessage",
        "cs:CreateTriggerHook",
        "cs:DeleteEdgeMachine",
        "cs:DeleteKubeConfigRecycleItem",
        "cs:DeleteKubernetesTrigger",
        "cs:DeleteReportTaskRule",
        "cs:DeployApplication",
        "cs:DescribeClusterAddonVersions",
        "cs:DescribeClusters",
        "cs:DescribeClustersV1",
        "cs:DescribeEdgeMachineActiveProcess",
        "cs:DescribeEdgeMachineModels",
        "cs:DescribeEdgeMachineTunnelConfigDetail",
        "cs:DescribeEdgeMachines",
        "cs:DescribeEventsForRegion",
        "cs:DescribeImages",
        "cs:DescribeKubernetesTemplates",
        "cs:DescribeMetaClusterInnerKubeconfig",
        "cs:DescribeNodePoolNodePools",
        "cs:DescribeRegionImages",
        "cs:DescribeUserCapability",
        "cs:EdgeClusterAddEdgeMachine",
        "cs:GetAIDiagnosisResult",
        "cs:GetAddonTemplateDifference",
        "cs:GetClusterBasicInfo",
        "cs:GetClusterCheckResult",
        "cs:GetClusterComponent",
        "cs:GetClusterReportSummary",
        "cs:GetClusterServices",
        "cs:GetDiagnosisCheckItem",
        "cs:GetServiceQuota",
        "cs:GetUserClusterResource",
        "cs:GetUserInstanceResource",
        "cs:ListClusterComponent",
        "cs:ListClusterImage",
        "cs:ListClusterReportSummary",
        "cs:ListDeprecatedAPI",
        "cs:ListDiagnosisResult",
        "cs:ListReportTaskRule",
        "cs:ListServiceQuotas",
        "cs:ListUsers",
        "cs:ModifyServiceQuota",
        "cs:OpenAckService",
        "cs:QueryUserClusterResource",
        "cs:RegisterUser",
        "cs:RestoreMultiKubeConfigRecycleItems",
        "cs:RevokeMetaClusterInnerKubeconfig",
        "cs:RevokeTriggerHook",
        "cs:TagResources",
        "cs:UnTagResources",
        "cs:UntagResources",
        "cs:UpdateCrossRegionCertForOps",
        "cs:UpdateCrossRegionCerts",
        "cs:UpdateCrossRegionPermissions",
        "cs:UpdateUserPermissions"
      ],
      "Resource": "*"
    }
  ]
}
    Important

    Granting account-level permissions allows access to all relevant resources in the account. Always follow PoLP.

    FAQ

    How do I find which resource group a resource belongs to?

    • Method 1: From the service console

      • Navigate to the service console where the resource was created. On the resource's details page, you can typically find the resource group listed in the basic information section.

    • Method 2: From the Resource Management console

      • Log on to the Resource Management console.

      • Choose Resource Center > Resource Search.

      • In the left pane, select the account that owns the target resource (the default is Current Account).

      • Use filter conditions to find your resource.

      • The Resource Group column shows which group the resource belongs to.

    How do I view all resources in a specific resource group?

    • Method 1:

      • Log on to the Resource Management console.

      • Choose Resource Center > Resource Search.

      • In the left pane, under the account that owns the resources (the default is Current Account), click the name of the desired resource group.

      • In the right pane, select the cloud service from the Select resource types drop-down list.

      • All resources in that group will be displayed.

    • Method 2:

      • Log on to the Resource Management console.

      • Choose Resource Group > Resource Group.

      • Find the desired resource group and click Manage Resource in the Actions column.

      • On the resource management page, select the cloud service from the Service drop-down list.

      • All resources in that group will be displayed.

    How do I move multiple resources to a different resource group in batch?

    1. Log on to the Resource Management console.

    2. Choose Resource Group > Resource Group.

    3. Find the desired resource group and click Manage Resource in the Actions column.

    4. On the resource management page, use filter conditions to find the resources you want to move.

    5. Select the checkbox for each resource.

    6. At the bottom of the page, click Transfer.

    7. In the dialog box, select the destination resource group and click Confirm.