Container Service for Kubernetes:Clean up user permissions with ack-ram-tool

Last Updated:Mar 26, 2026

ack-ram-tool is a command-line tool provided by Container Service for Kubernetes (ACK) that helps you manage RAM and Role-Based Access Control (RBAC) permissions across your ACK clusters. When a user leaves your organization or no longer needs cluster access, use ack-ram-tool to scan for their RBAC bindings and clean them up — including revoking their kubeconfig — before stale permissions become a security liability.

Prerequisites

Before you begin, ensure that you have:

  • An ACK cluster

  • Administrator access to the ACK console

  • The Alibaba Cloud CLI installed and configured (for CloudSSO users)

Step 1: Install ack-ram-tool

  1. Download the ack-ram-tool client for your OS and architecture.

  2. Grant execute permissions to the binary:

    chmod +x ./ack-ram-tool
  3. Move the binary to a directory in your PATH:

    mkdir -p $HOME/bin && cp ./ack-ram-tool $HOME/bin/ack-ram-tool && export PATH=$HOME/bin:$PATH
  4. (Optional) Make the PATH change persistent:

    echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
  5. Verify the installation. The command returns the client version.

    ack-ram-tool version

Step 2: Configure Alibaba Cloud credentials

RAM users and CloudSSO users can configure credentials using one of the following methods.

If credential-related environment variables are present, ack-ram-tool uses them by default. To ignore them, add the --ignore-env-credentials flag to any ack-ram-tool command. For a full list of supported environment variables, see Credentials.

RAM user

ack-ram-tool uses locally configured Alibaba Cloud credentials to authenticate with RAM. For setup instructions, see Alibaba Cloud CLI.

CloudSSO user

Use acs-sso, the CLI tool provided by CloudSSO, to log in and obtain credentials. For more information, see Use the CLI to log on to CloudSSO and access Alibaba Cloud resources.

The Alibaba Cloud CLI supports an external credential mode that calls an external command to retrieve credentials dynamically. Run the following command to configure automated CloudSSO login on your local machine:

aliyun configure --mode External --profile sso

The interactive prompts look like this:

Configuring profile 'sso' in 'External' authenticate mode...
Process Command [acs-sso login --profile sso]:
Default Region Id [cn-shanghai]:
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.

Configure Done!!!

Step 3: Configure permissions for credentials

ack-ram-tool requires both RAM permissions and cluster RBAC permissions.

  1. Grant the following RAM policy to the RAM user. For instructions, see Manage RAM user permissions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListUsers",
            "ram:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Grant RBAC administrator permission to the RAM user for the cluster:

    1. Log on to the ACK console. In the left navigation pane, click Authorizations.

    2. On the Authorizations page, click the RAM User tab, find the target RAM user, and then click Modify Permissions in the Actions column.

    3. On the Permission Management page, click Add Permissions, select the target Cluster and Namespace, set Permission Management to Administrator, and then click Submit.

Step 4: Scan RBAC bindings

Use ack-ram-tool rbac scan-user-permissions to identify which RAM users and RAM roles still have RBAC bindings in your cluster. The scan output includes a UID column — copy the UID of the user whose permissions you want to remove, then use it in Step 5.

The output columns are: UID, UserType, UserName, and Binding.

UserType  Description
RamRole   RAM role
RamUser   RAM user
Root      Alibaba Cloud account

Scan deleted users (default)

By default, the scan returns only deleted RAM users and RAM roles.

ack-ram-tool rbac scan-user-permissions -c <cluster ID>

Expected output:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

Scan all users and roles

Add --all-users to include active RAM users and RAM roles in the results.

ack-ram-tool rbac scan-user-permissions --all-users -c <cluster ID>

Expected output:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding

Scan all clusters

Replace the cluster ID with all to scan every cluster in your Alibaba Cloud account.

ack-ram-tool rbac scan-user-permissions -c all

Expected output:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

Step 5: Clean up permissions

Use ack-ram-tool rbac cleanup-user-permissions to remove RBAC bindings for a specific RAM user or RAM role and revoke their kubeconfig. Provide the <UID> from the Step 4 scan output.

Important
  • If the log contains "this user has been active in the past 7 days", the target user accessed the cluster within the last seven days. Proceed with caution and review the audit log details that the tool prints with the warning before confirming.

  • Before deleting a binding, ack-ram-tool backs up the original binding as a JSON file in a folder in the current directory named after the cluster ID.

Clean up permissions in a single cluster

ack-ram-tool rbac cleanup-user-permissions -c <cluster ID> -u <UID>

Expected output:

2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

Clean up permissions in all clusters

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

Expected output:

2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6****
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****
sls logstore: audit-c401890df511a4362bf24bece4da6****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce****
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
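
As an added helper that is not part of ack-ram-tool or this guide, the script below parses the Step 4 scan output, keeps only deleted RAM users and RAM roles, and produces the Step 5 cleanup commands for review before you run them. The sample output and the names parse_scan and plan_cleanup are constructed here; the script assumes the column layout shown in the scan output above.

```python
"""Turn `ack-ram-tool rbac scan-user-permissions` output into a cleanup plan."""
import re
from collections import defaultdict

# Constructed sample modelled on the `-c all` output in Step 4 (masked, not real IDs).
SAMPLE_SCAN = """\
2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
27203272572548****            RamUser   scan      ClusterRoleBinding/-/27203272572548****-clusterrolebinding
113802571552****              Root                ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding
"""
# One table row: UID, optional "(deleted)" marker, UserType, optional UserName, Binding.
# Log lines and the header row never match because they carry no UserType value.
ROW = re.compile(r"^(?P<uid>\S+)\s+(?:(?P<deleted>\(deleted\))\s+)?"
                 r"(?P<utype>RamRole|RamUser|Root)\s+(?:(?P<uname>\S+)\s+)?"
                 r"(?P<binding>(?:Cluster)?RoleBinding/\S+)$")

def parse_scan(text, default_cluster="<cluster ID>"):
    """Return {cluster_id: [row dicts]}; single-cluster output has no ClusterId line."""
    clusters, cluster = defaultdict(list), default_cluster
    for line in text.splitlines():
        if line.startswith("ClusterId:"):
            cluster = line.split(":", 1)[1].strip()
        elif (m := ROW.match(line.strip())):
            row = m.groupdict()
            row["deleted"] = row["deleted"] is not None
            clusters[cluster].append(row)
    return dict(clusters)

def plan_cleanup(clusters, include_active=False):
    """List cleanup-user-permissions commands: deleted RAM users/roles always,
    live ones only on request, the Root account never (it is the owner, not stale).
    A UID bound in several clusters gets one `-c all` run instead of one per cluster."""
    bound_in = defaultdict(set)
    for cluster, rows in clusters.items():
        for r in rows:
            if r["utype"] != "Root" and (r["deleted"] or include_active):
                bound_in[r["uid"]].add(cluster)
    return [f"ack-ram-tool rbac cleanup-user-permissions -c "
            f"{'all' if len(cs) > 1 else next(iter(cs))} -u {uid}"
            for uid, cs in sorted(bound_in.items())]
```

plan_cleanup(parse_scan(SAMPLE_SCAN)) returns the commands to run; ack-ram-tool still prompts for confirmation and checks the audit log on each run.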

What's next

To manage kubeconfig files directly, see Delete kubeconfig files.