Alibaba Cloud Service Mesh (ASM) supports both Resource Access Management (RAM) and Role-based Access Control (RBAC) authorization systems. This topic introduces the two authorization systems and describes how to use them in ASM.
Authorize ASM to access other cloud services
If you want to use all ASM features, you must authorize ASM to access other cloud services. For example, if you want to use ASM to collect the access logs of the data plane, you must authorize ASM to access Log Service. Log Service is used to create projects and Logstores for storing audit logs. ASM uses a service-linked role to obtain permissions on cloud services. You must create the service-linked role for ASM and use the role to grant required permissions to ASM. For more information, see Manage the service-linked role for ASM.
RAM user authorization
If you use ASM as a RAM user, you must grant required permissions to your account by using the RAM and RBAC authorization systems.
In scenarios where RAM is integrated with enterprise account systems, O&M engineers often manage cloud resources as RAM users. By default, a RAM user is not authorized to call the APIs of Alibaba Cloud services. To allow a RAM user to call an API, you must grant the required permissions to the RAM user.
You can grant specific permissions to a RAM user to restrict the operations that can be performed by the RAM user in the ASM console and the APIs that can be called by the RAM user. This implements fine-grained access control on cloud resources. For more information, see Grant permissions to RAM users and RAM roles.
RBAC authorization is used to implement permission control on ASM instances and restrict the operations on custom ASM resources (such as virtual services and destination rules) by RAM users. A RAM user can have different RBAC permissions on different ASM instances.
ASM provides four preset roles that correspond to different RBAC permissions. The following table describes the preset roles that you can assign to RAM users in the ASM console.
RBAC permissions on cluster resources
Has read and write permissions on all custom ASM resources in all namespaces.
Istio resource administrator
Has read and write permissions on all resources except for the ASM gateways (IstioGateway) in all namespaces.
Has read-only permissions on custom ASM resources visible in the ASM console in all namespaces or specified namespaces.
Has no read or write permissions on all custom ASM resources in all namespaces.
Grant permissions to a RAM user
Create a RAM user in the RAM console. For more information, see Create a RAM user.
Grant RBAC permissions to the RAM user as required. For more information, see Grant RBAC permissions to RAM users and RAM roles.
Attach RAM policies to the RAM user as required. For more information, see Grant permissions to RAM users and RAM roles.