By default, Resource Access Management (RAM) users have no access to cloud service APIs. To operate ACK One resources—such as Fleet instances, registered clusters, and workflow clusters—RAM users or RAM roles must be granted the appropriate permissions. ACK One provides built-in system policies that cover read and write access at different levels.
This topic describes how to attach system permission policies to RAM users or RAM roles using the RAM console.
Prerequisites
Before you begin, ensure that you have:
- An Alibaba Cloud account or a RAM administrator account

Only an Alibaba Cloud account or a RAM administrator account can grant permissions to RAM users or RAM roles. A RAM user cannot grant permissions.
System permission policies for ACK One
The following table lists the built-in system policies supported by ACK One and the cluster types each policy applies to.
| Policy name | Description | Registered clusters | Fleet instances | Workflow clusters |
|---|---|---|---|---|
| AliyunAdcpFullAccess | Full read and write access to all ACK One resources | Yes | Yes | Yes |
| AliyunAdcpReadOnlyAccess | Read-only access to all ACK One resources | Yes | Yes | Yes |
| AliyunCSFullAccess | Full read and write access to all Container Service for Kubernetes (ACK) resources. Does not apply to workflow clusters. | Yes | Yes | No |
| AliyunCSReadOnlyAccess | Read-only access to all ACK resources. Does not apply to workflow clusters. | Yes | Yes | No |
| AliyunVPCReadOnlyAccess | Allows specifying a virtual private cloud (VPC) when creating an ACK cluster | Yes | Yes | Yes |
| AliyunECIReadOnlyAccess | Allows scheduling pods to elastic container instances (ECI) | Yes | Yes | Yes |
| AliyunLogReadOnlyAccess | Allows selecting an existing log project for cluster logs or viewing configuration inspection results | Yes | Yes | Yes |
| AliyunARMSReadOnlyAccess | Allows viewing monitoring data from the Managed Service for Prometheus plug-in | Yes | Yes | Yes |
| AliyunRAMReadOnlyAccess | Allows viewing existing RAM policies | Yes | Yes | Yes |
| AliyunECSReadOnlyAccess | Allows adding existing nodes in the cloud to a cluster or viewing node details. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
| AliyunContainerRegistryReadOnlyAccess | Allows viewing application images in the Alibaba Cloud account. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
| AliyunAHASReadOnlyAccess | Allows using the cluster topology feature. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
| AliyunYundunSASReadOnlyAccess | Allows viewing runtime monitoring data for a cluster. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
| AliyunKMSReadOnlyAccess | Allows enabling Secret encryption when creating a cluster. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
| AliyunESSReadOnlyAccess | Allows node pool operations, including viewing, modifying, and scaling node pools. Does not apply to Fleet instances or workflow clusters. | Yes | No | No |
To grant full read and write access across all ACK One resource types, attach AliyunAdcpFullAccess. For read-only access across all resource types, use AliyunAdcpReadOnlyAccess. The AliyunCSFullAccess and AliyunCSReadOnlyAccess policies cover registered clusters and Fleet instances but do not grant access to workflow clusters.
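As an added example (not part of this documentation), the following Python function audits the system policies already attached to a RAM user against the table above: it reports which attached policy satisfies a given cluster type and access level, flags FullAccess policies attached where read-only would do, and flags the high-risk policies the RAM console warns about. The input list mirrors the shape of the Policies list returned by the RAM ListPoliciesForUser API; the sample data is constructed for the example.

```python
from typing import Dict, List, Set

# Resource types each ACK One policy covers, transcribed from the table above.
ACK_ONE_POLICIES: Dict[str, Set[str]] = {
    "AliyunAdcpFullAccess": {"registered", "fleet", "workflow"},
    "AliyunAdcpReadOnlyAccess": {"registered", "fleet", "workflow"},
    "AliyunCSFullAccess": {"registered", "fleet"},
    "AliyunCSReadOnlyAccess": {"registered", "fleet"},
}

# Policies the RAM console flags as high-risk.
HIGH_RISK: Set[str] = {"AdministratorAccess", "AliyunRAMFullAccess"}


def audit_user_policies(attached: List[dict], cluster_type: str, read_only: bool) -> dict:
    """Compare attached system policies with the ACK One need.

    attached: list of {"PolicyName": ..., "PolicyType": "System"|"Custom"} entries,
              the shape of the Policies list from ListPoliciesForUser (assumption).
    cluster_type: "registered", "fleet" or "workflow".
    read_only: True if the user only needs to view ACK One resources.
    """
    names = {p["PolicyName"] for p in attached if p.get("PolicyType") == "System"}

    def grants(policy: str) -> bool:
        # A FullAccess policy satisfies any need; a ReadOnly one only a read-only need.
        covers = ACK_ONE_POLICIES.get(policy, set())
        return cluster_type in covers and (policy.endswith("FullAccess") or read_only)

    satisfied_by = sorted(n for n in names if grants(n))
    return {
        "satisfied_by": satisfied_by,
        # FullAccess attached although read-only access is all that is needed.
        "over_broad": [n for n in satisfied_by if read_only and n.endswith("FullAccess")],
        "high_risk": sorted(names & HIGH_RISK),
        "missing": not satisfied_by,
    }


# Constructed sample, not real account data.
SAMPLE_ATTACHED = [
    {"PolicyName": "AliyunCSReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunRAMFullAccess", "PolicyType": "System"},
    {"PolicyName": "my-custom-policy", "PolicyType": "Custom"},
]

if __name__ == "__main__":
    print(audit_user_policies(SAMPLE_ATTACHED, "workflow", read_only=True))
```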
Grant permissions to a RAM user or RAM role
1. Log on to the RAM console as a RAM administrator.
2. In the left-side navigation pane, choose Identities > Users.
3. On the Users page, find the target RAM user and click Add Permissions in the Actions column. To grant permissions to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.
4. In the Grant Permission panel, configure the following parameters:
   - Resource Scope: Choose where the policy takes effect.
     - Account: The policy applies to all resources under the current Alibaba Cloud account.
     - ResourceGroup: The policy applies to a specific resource group. Use this option only if ACK One supports resource groups in your scenario. For a list of services that support resource groups, see Services that work with Resource Group. For instructions on granting resource group-scoped permissions, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
   - Principal: The RAM user to grant permissions to. The current RAM user is selected by default.
   - Policy: Select one or more policies to attach. Policies fall into two types:
     - System policies: Predefined by Alibaba Cloud. These policies cannot be modified, and Alibaba Cloud manages version updates. For a full list, see Services that work with RAM.
       Note: The RAM console automatically flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these policies unless explicitly required.
     - Custom policies: Policies that you create and manage. For instructions, see Create a custom policy.
5. Click Grant permissions.
What's next
System permission policies control access to ACK One resources. To manage Kubernetes resources within a specific cluster—such as creating GitOps applications or workflows—grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the Fleet instance, workflow cluster, and their namespaces. For instructions, see Grant RBAC permissions to a RAM user or RAM role.