Alibaba Cloud Service Mesh: Authorization overview

Last Updated:Mar 11, 2026

Alibaba Cloud Service Mesh (ASM) uses two authorization systems: Resource Access Management (RAM) for API-level permissions, and Role-based Access Control (RBAC) for instance-level resource permissions. A RAM user needs both: RAM policies determine which ASM API operations and console pages the user can reach, and RBAC determines what the user can read or change inside each ASM instance. A RAM policy alone does not expose an instance's resources, and an RBAC role alone cannot be exercised without the RAM permissions needed to call the API.

Authorize ASM to access other cloud services

ASM requires a service-linked role to access other Alibaba Cloud services on your behalf. For example, collecting data plane access logs requires access to Log Service, where ASM creates the projects and Logstores that store the logs.

Create the service-linked role before you use features that depend on other services. For details, see Manage the service-linked role for ASM.

RAM authorization

In enterprise environments where RAM is integrated with account systems, O&M engineers typically manage cloud resources as RAM users. By default, RAM users cannot call Alibaba Cloud service APIs.

Attach RAM policies to grant API-level permissions. Policies control which operations a RAM user can perform in the ASM console and which APIs the user can call. For details, see Grant permissions to RAM users and RAM roles.

RBAC authorization

RBAC controls what a RAM user can do within specific ASM instances. It restricts operations on custom ASM resources such as virtual services and destination rules. RBAC is granted per instance: a single RAM user can hold different roles on different ASM instances, and has no access to an instance on which no role has been granted.

ASM provides four preset roles. Assign these roles to RAM users in the ASM console.

Role                          Permissions
Administrator                 Read and write access to all custom ASM resources in all namespaces
Istio resource administrator  Read and write access to all custom ASM resources except ASM gateways (IstioGateway), in a specified namespace or in all namespaces
Restricted user               Read-only access to the custom ASM resources visible in the ASM console, in a specified namespace or in all namespaces
No permission                 No access to any custom ASM resources in any namespace

Grant permissions to a RAM user

To grant a RAM user access to ASM, complete the following steps:

  1. Create a RAM user in the RAM console. For details, see Create a RAM user.

  2. Grant RBAC permissions to the RAM user as required. For details, see Grant RBAC permissions to RAM users and RAM roles.

  3. Attach RAM policies to the RAM user as required. For details, see Grant permissions to RAM users and RAM roles.
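To make the two-layer model concrete, the following is an added example (not code from Alibaba Cloud or the ASM product) that models how a request must pass both the RAM check and the per-instance RBAC check described in the RBAC section and in the steps above. The RAM action names (`servicemesh:Describe*`, `servicemesh:UpdateIstioResource`), instance IDs and resource kinds are illustrative assumptions, not values from the ASM API reference; the role semantics follow the preset-role table on this page.

```python
"""Model of ASM's two authorization layers (added example, not Alibaba Cloud code).

RAM gates which API operations a RAM user may call; RBAC gates which custom
resources the user may touch inside a given ASM instance. A request must pass
both. Action names, instance IDs and resource kinds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# The four preset RBAC roles listed on the page.
ADMINISTRATOR = "Administrator"
ISTIO_RESOURCE_ADMIN = "Istio resource administrator"
RESTRICTED_USER = "Restricted user"
NO_PERMISSION = "No permission"

ALL_NAMESPACES = "*"
READ_VERBS = {"get", "list", "watch"}


@dataclass
class RbacBinding:
    """A preset role assigned to a user on one ASM instance, optionally scoped to a namespace."""
    role: str
    namespace: str = ALL_NAMESPACES


@dataclass
class RamUser:
    name: str
    # RAM policy actions attached to the user, as wildcard patterns (assumed action names).
    ram_actions: list
    # instance id -> RbacBinding; an instance with no binding is inaccessible.
    rbac: dict = field(default_factory=dict)


def ram_allows(user: RamUser, api_action: str) -> bool:
    """RAM layer: the API call must be covered by an attached policy action."""
    return any(fnmatchcase(api_action, pattern) for pattern in user.ram_actions)


def rbac_allows(binding, verb: str, kind: str, namespace: str) -> bool:
    """RBAC layer: the preset role must permit this verb on this kind in this namespace."""
    if binding is None or binding.role == NO_PERMISSION:
        return False
    if binding.role == ADMINISTRATOR:
        return True  # read/write on every custom resource in every namespace
    # The remaining roles can be scoped to one namespace or to all namespaces.
    if binding.namespace != ALL_NAMESPACES and binding.namespace != namespace:
        return False
    if binding.role == ISTIO_RESOURCE_ADMIN:
        return kind != "IstioGateway"  # everything except ASM gateways
    if binding.role == RESTRICTED_USER:
        return verb in READ_VERBS
    raise ValueError(f"unknown preset role: {binding.role}")


def authorize(user, api_action, instance_id, verb, kind, namespace):
    """Evaluate both layers; return (allowed, denying_layer_or_None)."""
    if not ram_allows(user, api_action):
        return False, "RAM"
    if not rbac_allows(user.rbac.get(instance_id), verb, kind, namespace):
        return False, "RBAC"
    return True, None


# Constructed scenario: one O&M engineer with different rights on two instances.
OPS_USER = RamUser(
    name="ops-engineer",
    ram_actions=["servicemesh:Describe*", "servicemesh:UpdateIstioResource"],  # assumed names
    rbac={
        "mesh-prod": RbacBinding(ISTIO_RESOURCE_ADMIN, namespace="default"),
        "mesh-staging": RbacBinding(RESTRICTED_USER),
    },
)

# RAM policy attached but no RBAC binding anywhere: API calls pass RAM, resources stay inaccessible.
RAM_ONLY_USER = RamUser(name="auditor", ram_actions=["servicemesh:*"])


if __name__ == "__main__":
    for args in [
        ("servicemesh:UpdateIstioResource", "mesh-prod", "update", "VirtualService", "default"),
        ("servicemesh:UpdateIstioResource", "mesh-prod", "update", "IstioGateway", "default"),
        ("servicemesh:UpdateIstioResource", "mesh-prod", "update", "VirtualService", "payments"),
        ("servicemesh:DescribeIstioResource", "mesh-staging", "get", "DestinationRule", "payments"),
        ("servicemesh:UpdateIstioResource", "mesh-staging", "update", "DestinationRule", "payments"),
    ]:
        print(args[1:], authorize(OPS_USER, *args))
    print("auditor:", authorize(RAM_ONLY_USER, "servicemesh:DescribeIstioResource",
                                "mesh-prod", "get", "VirtualService", "default"))
```

The `authorize` function reports which layer denied the request, which is the first thing to check when a RAM user can open the ASM console but sees no resources (RAM granted, RBAC missing) or cannot reach the instance at all (RAM missing). The namespace scope applies only to the Istio resource administrator and Restricted user roles; Administrator is always mesh-wide.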