Alibaba Cloud Service Mesh (ASM) supports both Resource Access Management (RAM) and Role-based Access Control (RBAC) authorization systems. This topic introduces the two authorization systems and describes how to use them in ASM.

Authorize ASM to access other cloud services

If you want to use all ASM features, you must authorize ASM to access other cloud services. For example, if you want to use ASM to collect the access logs of the data plane, you must authorize ASM to access Log Service. Log Service is used to create projects and Logstores for storing audit logs. ASM uses a service-linked role to obtain permissions on cloud services. You must create the service-linked role for ASM and use the role to grant required permissions to ASM. For more information, see Manage the service-linked role for ASM.

RAM user authorization

If you use ASM as a RAM user, you must grant required permissions to your account by using the RAM and RBAC authorization systems as needed.

RAM authorization

In scenarios where RAM is integrated with enterprise account systems, O&M engineers often manage cloud resources as RAM users. By default, a RAM user is not authorized to call the APIs of cloud services. To allow a RAM user to call the APIs, you must grant required permissions to the RAM user.

You can grant specific permissions to a RAM user to restrict the operations that can be performed by the RAM user in the ASM console and the APIs that can be called by the RAM user. This implements fine-grained access control on cloud resources. For more information, see Grant RAM permissions to a RAM user.
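The following check is an added example, not part of the original ASM documentation: it audits a RAM policy document for Allow statements that are too broad to count as fine-grained access control. The `servicemesh:` action prefix, the resource ARN layout, and the sample policy are assumptions constructed for illustration.

```python
import json

# Constructed sample policy in RAM policy JSON syntax. The "servicemesh:" action
# prefix, the ARN layout and the <ServicemeshId> placeholder are assumptions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["servicemesh:Describe*", "servicemesh:List*"],
     "Resource": "acs:servicemesh:*:*:servicemesh/<ServicemeshId>"},
    {"Effect": "Allow", "Action": "servicemesh:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "servicemesh:Delete*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # RAM policies accept either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy, service="servicemesh"):
    """Return (statement_index, finding) pairs for overly broad Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in ("*", f"{service}:*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "resource '*' covers every instance"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {finding}")
```
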

RBAC authorization

RBAC authorization controls permissions on ASM instances and restricts the operations that RAM users can perform on custom ASM resources, such as virtual services and destination rules. A RAM user can have different RBAC permissions on different ASM instances.

ASM provides three preset roles that correspond to different RBAC permissions. The following table describes the preset roles that you can assign to RAM users in the ASM console.

| Role | RBAC permissions on cluster resources |
| --- | --- |
| Administrator | Has read and write permissions on all custom ASM resources in all namespaces. |
| Restricted user | Has read-only permissions on custom ASM resources visible in the ASM console in all namespaces or specified namespaces. |
| Unauthorized user | Has no read or write permissions on any custom ASM resources in any namespace. |

Grant permissions to a RAM user

  1. Create a RAM user in the RAM console. For more information, see Create a RAM user.
  2. Grant RBAC permissions to the RAM user as needed. For more information, see Assign RBAC roles to a RAM user.
  3. Attach RAM policies to the RAM user as needed. For more information, see Grant RAM permissions to a RAM user.