Before you call an Alibaba Cloud API as a Resource Access Management (RAM) user, you must use the Alibaba Cloud account to create a RAM policy with the required permissions and attach the policy to the RAM user or RAM role.
Authorize a RAM user or RAM role to access cloud resources
By default, a RAM user or RAM role does not have the permissions to create or modify cloud resources by calling Alibaba Cloud APIs. Before you call an API as a RAM user or RAM role, you must authorize the RAM user or RAM role to call the API. This requires you to create and attach a RAM policy to the RAM user or RAM role.
When you create the RAM policy, you can specify the resource that the RAM user or RAM role wants to access by the Alibaba Resource Name (ARN) of the resource. An ARN is a globally unique name that is used to identify a cloud resource in Alibaba Cloud.
An ARN uses the following format:
acs:service-name:region:account-id:resource-relative-id
Where:
- acs: the acronym of Alibaba Cloud Service.
- service-name: the name of an Alibaba Cloud service, such as Elastic Compute Service (ECS), Object Storage Service (OSS), and Server Load Balancer (SLB).
- region: the region where the cloud resource is deployed. If this parameter is not supported by the cloud resource, set the value to an asterisk (*).
- account-id: the ID of the account that owns the cloud resource, for example, 1234567890123456.
- resource-relative-id: the description of the cloud resource. The description varies based on the Alibaba Cloud service. For more information, see the documentation of Alibaba Cloud services.
For example, acs:oss::1234567890123456:sample_bucket/file1.txt indicates a resource named sample_bucket/file1.txt in OSS. 1234567890123456 is the ID of the account that owns the cloud resource.
Authorize a RAM user or RAM role to manage ACK
Resource type | ARN format |
---|---|
Grant permissions on one Container Service for Kubernetes (ACK) cluster | |
Grant permissions on multiple ACK clusters | |
Grant permissions on all ACK clusters | |
Mappings between API operations and RAM actions
The following table describes the mappings between the ACK API operations and the RAM actions.
Operation | RAM Action | Description | Cluster-specific |
---|---|---|---|
DescribeEvents | cs:DescribeEvents | Queries user events. | No |
StartAlert | cs:StartAlert | Enables an alert rule. | No |
StopAlert | cs:StopAlert | Disables an alert rule. | No |
UpdateContactGroupForAlert | cs:UpdateContactGroupForAlert | Updates an alert contact group. | No |
DeleteAlertContact | cs:DeleteAlertContact | Deletes an alert contact. | No |
| cs:DeleteAlertContactGroup | Deletes an alert contact group. | No |
DescribeUserPermission | cs:DescribeUserPermission | Queries the permissions that are granted to a RAM user or RAM role to manage clusters. | No |
OpenAckService | cs:OpenAckService | Activates ACK. | No |
GrantPermissions | cs:GrantPermissions | Updates the permissions that are granted to a RAM user or RAM role to manage clusters. | No |
CreateCluster | cs:CreateCluster | Creates an ACK cluster. The supported cluster types include dedicated Kubernetes cluster, managed Kubernetes cluster, serverless Kubernetes (ASK) cluster, and managed edge Kubernetes cluster. You can also create a cluster registration proxy to register an external Kubernetes cluster. | No |
DescribeClusterResources | cs:DescribeClusterResources | Queries all resources in a cluster by cluster ID. | Yes |
DescribeClusterDetail | cs:DescribeClusterDetail | Queries the details about a cluster by cluster ID. | Yes |
DescribeUserQuota | cs:DescribeUserQuota | Queries resource quotas. | No |
DescribeClustersV1 | cs:DescribeClustersV1 and cs:GetClusters | Queries the details about all clusters. | No |
DescribeExternalAgent | cs:DescribeExternalAgent | Queries a cluster registration proxy by cluster ID. | Yes |
DescribeClusterLogs | cs:DescribeClusterLogs | Queries cluster logs by cluster ID. | Yes |
DescribeTaskInfo | cs:DescribeTaskInfo | Queries the execution details about a task by task ID. | No |
DescribeKubernetesVersionMetadata | cs:DescribeKubernetesVersionMetadata | Queries the Kubernetes versions supported by ACK. | No |
DescribeClusterUserKubeconfig | cs:DescribeClusterUserKubeconfig | Queries the kubeconfig file of a cluster by cluster ID. | Yes |
DescribeClusterAddonUpgradeStatus | cs:DescribeClusterAddonUpgradeStatus | Queries the upgrade progress of a cluster component. | Yes |
DescribeClusters | cs:DescribeClusters and cs:GetClusters | Queries all clusters within the account, including Kubernetes clusters and Swarm clusters. | No |
DescribeClusterNamespaces | cs:DescribeClusterNamespaces | Queries the namespaces in a cluster. | Yes |
ScaleOutCluster | cs:ScaleOutCluster | Scales out a cluster by cluster ID. | Yes |
ModifyCluster | cs:ModifyCluster | Modifies the cluster configurations by cluster ID. | Yes |
MigrateCluster | cs:MigrateCluster | Migrates a cluster. | Yes |
ScaleCluster | cs:ScaleCluster | Adds nodes to a cluster. | Yes |
UpdateK8sClusterUserConfigExpire | cs:UpdateK8sClusterUserConfigExpire | Updates the expiration time of a user-defined configuration. | Yes |
DeleteCluster | cs:DeleteCluster | Deletes a cluster by cluster ID and releases all nodes in the cluster. | Yes |
DescribeClusterNodes | cs:DescribeClusterNodes | Queries the details about all nodes in a cluster by cluster ID. | Yes |
AttachInstances | cs:AttachInstances | Adds existing ECS instances to a cluster. | Yes |
DescribeClusterAttachScripts | cs:DescribeClusterAttachScripts | Queries the script that is used to add instances to a cluster. | Yes |
DeleteClusterNodes | cs:DeleteClusterNodes | Removes specified nodes from a cluster by node names. | Yes |
RemoveClusterNodes | cs:RemoveClusterNodes | Removes specified extra nodes from a cluster by node names. | Yes |
CreateClusterNodePool | cs:CreateClusterNodePool | Creates a node pool for a cluster. | Yes |
DescribeClusterNodePools | cs:DescribeClusterNodePools | Queries the details about all nodes in a cluster by cluster ID. | Yes |
DescribeClusterNodePoolDetail | cs:DescribeClusterNodePoolDetail | Queries the details about a node pool in a cluster by node pool ID. | Yes |
ScaleClusterNodePool | cs:ScaleClusterNodePool | Scales out a node pool by node pool ID. | Yes |
ModifyClusterNodePool | cs:ModifyClusterNodePool | Modifies the node pool configurations by node pool ID. | Yes |
DeleteClusterNodepool | cs:DeleteClusterNodepool | Deletes a node pool by node pool ID. | Yes |
GetUpgradeStatus | cs:GetUpgradeStatus | Queries the upgrade progress of a cluster by cluster ID. | Yes |
ResumeUpgradeCluster | cs:ResumeUpgradeCluster | Resumes the upgrade of a cluster by cluster ID. | Yes |
UpgradeCluster | cs:UpgradeCluster | Upgrades a cluster by cluster ID. | Yes |
PauseClusterUpgrade | cs:PauseClusterUpgrade | Suspends the upgrade of a cluster. | Yes |
CancelClusterUpgrade | cs:CancelClusterUpgrade | Cancels the upgrade of a cluster. | Yes |
CreateTemplate | cs:CreateTemplate | Creates an orchestration template. | No |
DescribeTemplates | cs:DescribeTemplates | Queries the details about all orchestration templates. | No |
DescribeTemplateAttribute | cs:DescribeTemplateAttribute | Queries the details about an orchestration template by template ID. | No |
UpdateTemplate | cs:UpdateTemplate | Updates an orchestration template by template ID. | No |
DeleteTemplate | cs:DeleteTemplate | Deletes an orchestration template by template ID. | No |
InstallClusterAddons | cs:InstallClusterAddons | Installs a component. | Yes |
DescribeAddons | cs:DescribeAddons | Queries the details about all components that are supported by ACK. | No |
DescribeClusterAddonsUpgradeStatus | cs:DescribeClusterAddonsUpgradeStatus | Queries the upgrade progress of a component by component name. | Yes |
DescribeClusterAddonsVersion | cs:DescribeClusterAddonsVersion | Queries the details about all components that are installed in a cluster by cluster ID. | Yes |
ModifyClusterConfiguration | cs:ModifyClusterConfiguration | Modifies the configurations of a managed Kubernetes cluster. | Yes |
UpgradeClusterAddons | cs:UpgradeClusterAddons | Upgrades a component to a specified version by component name. | Yes |
PauseComponentUpgrade | cs:PauseComponentUpgrade | Suspends the upgrade of a component. | Yes |
ResumeComponentUpgrade | cs:ResumeComponentUpgrade | Resumes the upgrade of a component. | Yes |
CancelComponentUpgrade | cs:CancelComponentUpgrade | Cancels the upgrade of a cluster component. | Yes |
UnInstallClusterAddons | cs:UnInstallClusterAddons | Uninstalls a component by component name. | Yes |
ListTagResources | cs:ListTagResources | Queries the labels of a cluster by cluster ID. | No |
TagResources | cs:TagResources | Adds labels to resources. | No |
ModifyClusterTags | cs:ModifyClusterTags | Modifies the labels of a cluster by cluster ID. | Yes |
UntagResources | cs:UntagResources | Removes labels from resources. | No |
CreateTrigger | cs:CreateTrigger | Creates an application trigger. | Yes |
DescribeTrigger | cs:DescribeTrigger | Queries application triggers. | Yes |
DeleteTrigger | cs:DeleteTrigger | Deletes an application trigger. | Yes |