By default, a Resource Access Management (RAM) user does not have permissions to call the APIs of Alibaba Cloud services. To use Distributed Cloud Container Platform for Kubernetes (ACK One) as a RAM user or by assuming a RAM role, you need to grant the RAM user or RAM role permissions to manage ACK One resources. For example, you need to grant permissions to create Fleet instances, associate clusters, and create workflow clusters. ACK One provides default system permission policies to control global read and write permissions. This topic describes how to attach a system permission policy to a RAM user or RAM role.
Usage notes
You need to grant permissions to a RAM user or RAM role by using an Alibaba Cloud account or RAM administrator account. You cannot grant permissions by using a RAM user.
System permission policies supported by ACK One
RAM system policy | Permission | Cluster involved: Registered clusters | Cluster involved: Fleet instances | Cluster involved: Workflow clusters |
AliyunAdcpFullAccess | Provides read and write permissions on all ACK One resources. | Yes | Yes | Yes |
AliyunAdcpReadOnlyAccess | Provides read-only permissions on all ACK One resources. | Yes | Yes | Yes |
AliyunCSFullAccess | Provides read and write permissions on all Container Service for Kubernetes (ACK) resources. | Yes | Yes | No |
AliyunCSReadOnlyAccess | Provides read-only permissions on all ACK resources. | Yes | Yes | No |
AliyunVPCReadOnlyAccess | Provides permissions to specify a virtual private cloud (VPC) for an ACK cluster to be created. | Yes | Yes | Yes |
AliyunECIReadOnlyAccess | Provides permissions to schedule pods to elastic container instances. | Yes | Yes | Yes |
AliyunLogReadOnlyAccess | Provides permissions to select an existing log project to store logs for an ACK cluster to be created or view the configuration inspection information of an ACK cluster. | Yes | Yes | Yes |
AliyunARMSReadOnlyAccess | Provides permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster. | Yes | Yes | Yes |
AliyunRAMReadOnlyAccess | Provides permissions to view existing RAM policies. | Yes | Yes | Yes |
AliyunECSReadOnlyAccess | Provides permissions to add existing nodes in the cloud to an ACK cluster or view node details. | Yes | No | No |
AliyunContainerRegistryReadOnlyAccess | Provides permissions to view application images within an Alibaba Cloud account. | Yes | No | No |
AliyunAHASReadOnlyAccess | Provides permissions to use the cluster topology feature. | Yes | No | No |
AliyunYundunSASReadOnlyAccess | Provides permissions to view the runtime monitoring data of an ACK cluster. | Yes | No | No |
AliyunKMSReadOnlyAccess | Provides permissions to enable the Secret encryption feature when you create an ACK cluster. | Yes | No | No |
AliyunESSReadOnlyAccess | Provides permissions to perform node pool-related operations in the cloud, such as the permissions to view, modify, and scale node pools. | Yes | No | No |
Grant permissions to a RAM user or RAM role
Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, grant permissions to the RAM user.
Select the authorization scope.
Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
Specific Resource Group: The authorization takes effect on a specific resource group.
Note: If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Specify the principal.
The principal is the RAM user to which you want to grant permissions.
In the Select Policy section, click System Policy, enter the name of the system permission policy that you want to attach into the search box, and then click the policy name.
Note: You can attach at most five policies to a RAM user or RAM role at a time. If you want to attach more than five policies, repeat the operation.
Click OK.
Click Complete.
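Before attaching more policies, it helps to review what an identity already holds against the table above. The following is an added example, not part of the original documentation or of any Alibaba Cloud tool: the `audit` and `batches` helpers and the sample policy list are hypothetical, and the applicability data is copied from the table in this topic.

```python
# Added example: least-privilege review of attached system policies.
# Columns per policy, copied from the table in this topic:
# (registered clusters, Fleet instances, workflow clusters); 1 = Yes, 0 = No.
SCOPES = ("registered", "fleet", "workflow")
TABLE = {
    "AliyunAdcpFullAccess": (1, 1, 1),
    "AliyunAdcpReadOnlyAccess": (1, 1, 1),
    "AliyunCSFullAccess": (1, 1, 0),
    "AliyunCSReadOnlyAccess": (1, 1, 0),
    "AliyunVPCReadOnlyAccess": (1, 1, 1),
    "AliyunECIReadOnlyAccess": (1, 1, 1),
    "AliyunLogReadOnlyAccess": (1, 1, 1),
    "AliyunARMSReadOnlyAccess": (1, 1, 1),
    "AliyunRAMReadOnlyAccess": (1, 1, 1),
    "AliyunECSReadOnlyAccess": (1, 0, 0),
    "AliyunContainerRegistryReadOnlyAccess": (1, 0, 0),
    "AliyunAHASReadOnlyAccess": (1, 0, 0),
    "AliyunYundunSASReadOnlyAccess": (1, 0, 0),
    "AliyunKMSReadOnlyAccess": (1, 0, 0),
    "AliyunESSReadOnlyAccess": (1, 0, 0),
}
# Constructed sample: policies attached to a hypothetical Fleet-only operator.
SAMPLE = ["AliyunAdcpFullAccess", "AliyunCSReadOnlyAccess", "AliyunECSReadOnlyAccess",
          "AliyunKMSReadOnlyAccess", "AdministratorAccess", "AliyunVPCReadOnlyAccess"]

def audit(attached, scopes):
    """Classify attached policies for an identity that works only with `scopes`."""
    cols = [SCOPES.index(s) for s in scopes]
    report = {"read_write": [], "not_involved": [], "not_in_table": [], "ok": []}
    for name in sorted(set(attached)):
        if name not in TABLE:
            report["not_in_table"].append(name)   # review separately
        elif not any(TABLE[name][c] for c in cols):
            report["not_involved"].append(name)   # table says No for these scopes
        elif name.endswith("FullAccess"):
            report["read_write"].append(name)     # confirm write access is needed
        else:
            report["ok"].append(name)
    return report

def batches(policies, size=5):
    """Split policies into groups of five, the per-operation limit noted above."""
    ordered = sorted(policies)
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]

if __name__ == "__main__":
    print(audit(SAMPLE, ["fleet"]))
    print(batches(TABLE))
```
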
References
RAM system permission policies can be used to control permissions only on ACK One resources. If a RAM user or RAM role needs to manage Kubernetes resources in the specified cluster, such as creating pods and obtaining node information, you need to grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the cluster and its namespace. For more information, see Grant RBAC permissions to a RAM user or RAM role.