Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use the Alibaba Cloud account to create a RAM policy with the required permissions and attach the policy to the RAM user or RAM role.

Authorize a RAM user or RAM role to access cloud resources

By default, a RAM user or RAM role does not have the permissions to create or modify cloud resources by calling Alibaba Cloud APIs. Before you call an API as a RAM user or RAM role, you must authorize the RAM user or RAM role to call the API. This requires you to create and attach a RAM policy to the RAM user or RAM role.

When you create the RAM policy, you identify the resource that the RAM user or RAM role needs to access by its Alibaba Resource Name (ARN). An ARN is a globally unique name that identifies a cloud resource in Alibaba Cloud.

An ARN uses the following format:

acs:service-name:region:account-id:resource-relative-id

Where:

  • acs: the acronym of Alibaba Cloud Service.
  • service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Server Load Balancer (SLB).
  • region: the region where the cloud resource is deployed. If this parameter is not supported by the cloud resource, set the value to an asterisk (*).
  • account-id: the ID of the account that owns the cloud resource, for example, 1234567890123456.
  • resource-relative-id: the description of the cloud resource. The description varies based on the Alibaba Cloud service. For more information, see the documentation of Alibaba Cloud services.

    For example, acs:oss::1234567890123456:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS. 1234567890123456 is the ID of the account that owns the cloud resource.

Authorize a RAM user or RAM role to manage ACK

Resource type: Grant permissions on one Container Service for Kubernetes (ACK) cluster
ARN format:
    "Resource": [
        "acs:cs:*:*:cluster/Cluster ID"
    ]

Resource type: Grant permissions on multiple ACK clusters
ARN format:
    "Resource": [
        "acs:cs:*:*:cluster/Cluster ID",
        "acs:cs:*:*:cluster/Cluster ID"
    ]

Resource type: Grant permissions on all ACK clusters
ARN format:
    "Resource": [
        "*"
    ]

Mappings between API operations and RAM actions

The following table describes the mappings between the ACK API operations and the RAM actions. The Cluster-specific column indicates whether an operation acts on a single cluster, so that the corresponding RAM action can be restricted to the ARN of that cluster in the Resource element of the policy.

Operation | RAM action | Description | Cluster-specific
DescribeEvents | cs:DescribeEvents | Queries user events. | No
StartAlert | cs:StartAlert | Enables an alert rule. | No
StopAlert | cs:StopAlert | Disables an alert rule. | No
UpdateContactGroupForAlert | cs:UpdateContactGroupForAlert | Updates an alert contact group. | No
DeleteAlertContact | cs:DeleteAlertContact | Deletes an alert contact. | No
DeleteAlertContactGroup | cs:DeleteAlertContactGroup | Deletes an alert contact group. | No
DescribeUserPermission | cs:DescribeUserPermission | Queries the permissions that are granted to a RAM user or RAM role to manage clusters. | No
OpenAckService | cs:OpenAckService | Activates ACK. | No
GrantPermissions | cs:GrantPermissions | Updates the permissions that are granted to a RAM user or RAM role to manage clusters. | No
CreateCluster | cs:CreateCluster | Creates an ACK cluster. The supported cluster types include dedicated Kubernetes cluster, managed Kubernetes cluster, serverless Kubernetes (ASK) cluster, and managed edge Kubernetes cluster. You can also create a cluster registration proxy to register an external Kubernetes cluster. | No
DescribeClusterResources | cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID. | Yes
DescribeClusterDetail | cs:DescribeClusterDetail | Queries the details about a cluster by cluster ID. | Yes
DescribeUserQuota | cs:DescribeUserQuota | Queries resource quotas. | No
DescribeClustersV1 | cs:DescribeClustersV1 and cs:GetClusters | Queries the details about all clusters. | No
DescribeExternalAgent | cs:DescribeExternalAgent | Queries a cluster registration proxy by cluster ID. | Yes
DescribeClusterLogs | cs:DescribeClusterLogs | Queries cluster logs by cluster ID. | Yes
DescribeTaskInfo | cs:DescribeTaskInfo | Queries the execution details about a task by task ID. | No
DescribeKubernetesVersionMetadata | cs:DescribeKubernetesVersionMetadata | Queries the Kubernetes versions supported by ACK. | No
DescribeClusterUserKubeconfig | cs:DescribeClusterUserKubeconfig | Queries the kubeconfig file of a cluster by cluster ID. | Yes
DescribeClusterAddonUpgradeStatus | cs:DescribeClusterAddonUpgradeStatus | Queries the upgrade progress of a cluster component. | Yes
DescribeClusters | cs:DescribeClusters and cs:GetClusters | Queries all clusters within the account, including Kubernetes clusters and Swarm clusters. | No
DescribeClusterNamespaces | cs:DescribeClusterNamespaces | Queries the namespaces in a cluster. | Yes
ScaleOutCluster | cs:ScaleOutCluster | Scales out a cluster by cluster ID. | Yes
ModifyCluster | cs:ModifyCluster | Modifies the cluster configurations by cluster ID. | Yes
MigrateCluster | cs:MigrateCluster | Migrates a cluster. | Yes
ScaleCluster | cs:ScaleCluster | Adds nodes to a cluster. | Yes
UpdateK8sClusterUserConfigExpire | cs:UpdateK8sClusterUserConfigExpire | Updates the expiration time of a user-defined configuration. | Yes
DeleteCluster | cs:DeleteCluster | Deletes a cluster by cluster ID and releases all nodes in the cluster. | Yes
DescribeClusterNodes | cs:DescribeClusterNodes | Queries the details about all nodes in a cluster by cluster ID. | Yes
AttachInstances | cs:AttachInstances | Adds existing ECS instances to a cluster. | Yes
DescribeClusterAttachScripts | cs:DescribeClusterAttachScripts | Queries the script that is used to add instances to a cluster. | Yes
DeleteClusterNodes | cs:DeleteClusterNodes | Removes specified nodes from a cluster by node names. | Yes
RemoveClusterNodes | cs:RemoveClusterNodes | Removes specified extra nodes from a cluster by node names. | Yes
CreateClusterNodePool | cs:CreateClusterNodePool | Creates a node pool for a cluster. | Yes
DescribeClusterNodePools | cs:DescribeClusterNodePools | Queries the details about all nodes in a cluster by cluster ID. | Yes
DescribeClusterNodePoolDetail | cs:DescribeClusterNodePoolDetail | Queries the details about a node pool in a cluster by node pool ID. | Yes
ScaleClusterNodePool | cs:ScaleClusterNodePool | Scales out a node pool by node pool ID. | Yes
ModifyClusterNodePool | cs:ModifyClusterNodePool | Modifies the node pool configurations by node pool ID. | Yes
DeleteClusterNodepool | cs:DeleteClusterNodepool | Deletes a node pool by node pool ID. | Yes
GetUpgradeStatus | cs:GetUpgradeStatus | Queries the upgrade progress of a cluster by cluster ID. | Yes
ResumeUpgradeCluster | cs:ResumeUpgradeCluster | Resumes the upgrade of a cluster by cluster ID. | Yes
UpgradeCluster | cs:UpgradeCluster | Upgrades a cluster by cluster ID. | Yes
PauseClusterUpgrade | cs:PauseClusterUpgrade | Suspends the upgrade of a cluster. | Yes
CancelClusterUpgrade | cs:CancelClusterUpgrade | Cancels the upgrade of a cluster. | Yes
CreateTemplate | cs:CreateTemplate | Creates an orchestration template. | No
DescribeTemplates | cs:DescribeTemplates | Queries the details about all orchestration templates. | No
DescribeTemplateAttribute | cs:DescribeTemplateAttribute | Queries the details about an orchestration template by template ID. | No
UpdateTemplate | cs:UpdateTemplate | Updates an orchestration template by template ID. | No
DeleteTemplate | cs:DeleteTemplate | Deletes an orchestration template by template ID. | No
InstallClusterAddons | cs:InstallClusterAddons | Installs a component. | Yes
DescribeAddons | cs:DescribeAddons | Queries the details about all components that are supported by ACK. | No
DescribeClusterAddonsUpgradeStatus | cs:DescribeClusterAddonsUpgradeStatus | Queries the upgrade progress of a component by component name. | Yes
DescribeClusterAddonsVersion | cs:DescribeClusterAddonsVersion | Queries the details about all components that are installed in a cluster by cluster ID. | Yes
ModifyClusterConfiguration | cs:ModifyClusterConfiguration | Modifies the configurations of a managed Kubernetes cluster. | Yes
UpgradeClusterAddons | cs:UpgradeClusterAddons | Upgrades a component to a specified version by component name. | Yes
PauseComponentUpgrade | cs:PauseComponentUpgrade | Suspends the upgrade of a component. | Yes
ResumeComponentUpgrade | cs:ResumeComponentUpgrade | Resumes the upgrade of a component. | Yes
CancelComponentUpgrade | cs:CancelComponentUpgrade | Cancels the upgrade of a cluster component. | Yes
UnInstallClusterAddons | cs:UnInstallClusterAddons | Uninstalls a component by component name. | Yes
ListTagResources | cs:ListTagResources | Queries the labels of a cluster by cluster ID. | No
TagResources | cs:TagResources | Adds labels to resources. | No
ModifyClusterTags | cs:ModifyClusterTags | Modifies the labels of a cluster by cluster ID. | Yes
UntagResources | cs:UntagResources | Removes labels from resources. | No
CreateTrigger | cs:CreateTrigger | Creates an application trigger. | Yes
DescribeTrigger | cs:DescribeTrigger | Queries application triggers. | Yes
DeleteTrigger | cs:DeleteTrigger | Deletes an application trigger. | Yes
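The following script is an added example, not part of the Alibaba Cloud documentation or an Alibaba Cloud tool. It applies the ARN format described above together with the Cluster-specific column of the mapping table: it parses an ARN into its five fields and generates a least-privilege RAM policy in which cluster-specific actions are restricted to the ARNs of named clusters while account-wide actions keep Resource "*". The operation subset, the cluster ID c-EXAMPLE-ID and the function names are constructed for the example.

```python
import json
import re

# Constructed subset of the operation -> RAM action table above.
# The boolean is the table's "Cluster-specific" column.
OPERATION_ACTIONS = {
    "DescribeClusterDetail": (["cs:DescribeClusterDetail"], True),
    "DescribeClusterUserKubeconfig": (["cs:DescribeClusterUserKubeconfig"], True),
    "ScaleOutCluster": (["cs:ScaleOutCluster"], True),
    "DescribeClustersV1": (["cs:DescribeClustersV1", "cs:GetClusters"], False),
    "DescribeUserQuota": (["cs:DescribeUserQuota"], False),
}

def parse_arn(arn):
    """Split acs:service-name:region:account-id:resource-relative-id.
    region may be empty (acs:oss::<account>:...) and the relative ID may
    contain colons, so split into at most five fields."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or not parts[1]:
        raise ValueError(f"malformed ARN: {arn!r}")
    keys = ("partition", "service", "region", "account_id", "resource")
    return dict(zip(keys, parts))

def cluster_arn(cluster_id):
    """ARN of one ACK cluster in the page's acs:cs:*:*:cluster/<ID> form."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", cluster_id):
        raise ValueError("cluster ID must be a concrete ID, not a wildcard")
    return f"acs:cs:*:*:cluster/{cluster_id}"

def build_policy(operations, cluster_ids):
    """Least-privilege RAM policy: cluster-specific actions are limited to
    the given cluster ARNs, account-wide actions get Resource "*"."""
    scoped, account_wide = set(), set()
    for op in operations:
        actions, per_cluster = OPERATION_ACTIONS[op]  # unknown op -> KeyError
        (scoped if per_cluster else account_wide).update(actions)
    if scoped and not cluster_ids:
        raise ValueError("cluster-specific actions need at least one cluster ID")
    statements = []
    if scoped:
        statements.append({"Effect": "Allow", "Action": sorted(scoped),
                           "Resource": [cluster_arn(c) for c in cluster_ids]})
    if account_wide:
        statements.append({"Effect": "Allow", "Action": sorted(account_wide),
                           "Resource": ["*"]})
    return {"Version": "1", "Statement": statements}

if __name__ == "__main__":  # "c-EXAMPLE-ID" is a placeholder cluster ID
    print(json.dumps(build_policy(["DescribeClusterDetail", "DescribeClustersV1"],
                                  ["c-EXAMPLE-ID"]), indent=2))
```

Attach the generated document as a custom RAM policy to the RAM user or RAM role; extend OPERATION_ACTIONS from the table as further operations are needed.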