You can use the RAM Roles for Service Accounts (RRSA) feature to enforce per-pod access control on pods that are deployed in a Container Service for Kubernetes (ACK) cluster. With RRSA, you authorize individual pods to call the APIs of specific cloud resources, instead of every pod on a node sharing the permissions of that node. This topic describes how to use RRSA.
Prerequisites
Only ACK clusters that run Kubernetes 1.22 or later versions support RRSA. The ACK clusters include ACK standard clusters, ACK Pro clusters, Serverless Kubernetes (ASK) standard clusters, and ASK Pro clusters.
Background information
The nodes of an ACK cluster are Elastic Compute Service (ECS) instances. ECS instance metadata contains information about an ECS instance on Alibaba Cloud. You can log on to a running ECS instance, view its metadata, and configure or manage the instance based on it. Applications deployed in an ACK cluster can use ECS instance metadata to obtain Security Token Service (STS) tokens for the Resource Access Management (RAM) role that is attached to the node, and use those tokens to call the APIs of cloud services. For more information, see Overview of ECS instance metadata.

With instance metadata, the RAM role belongs to the node rather than to the workload: every process on an ECS instance that can reach the metadata endpoint obtains the same STS token, so in multi-tenant scenarios the pods of different applications on one node cannot be given different cloud permissions. In scenarios where ASK clusters or elastic container instances are used, instance metadata cannot provide STS tokens at all, because RAM roles cannot be assigned to elastic container instances. To address both issues, ACK provides the RRSA feature, which is built on RAM and OIDC. It lets you grant the pods of different applications access to different cloud services, and it supplies STS tokens as temporary credentials in ASK clusters and on elastic container instances.
With RRSA, an application in an ACK cluster presents its service account token to STS and receives an STS token for a specific RAM role; it then calls cloud services with that STS token. Because each service account can be mapped to its own RAM role, you can apply the principle of least privilege and fine-grained access control to the pods of different applications in multi-tenant scenarios. For more information about how RRSA is implemented, see Enable service account token volume projection and Overview of OIDC-based SSO.

- The tenant deploys a pod that uses service account token volume projection.
- The cluster issues a signed OIDC token (a JWT) for the pod's service account and mounts it into the pod as a file.
- The application in the pod passes the token to the AssumeRoleWithOIDC operation of STS. STS verifies the token against the cluster's OIDC identity provider, checks the trust policy of the requested RAM role, and returns an STS token for that role. For this to succeed, an OIDC identity provider must exist for the cluster, and the trust policy of the RAM role must allow the service account used by the pod to assume the role. A trust policy that does not restrict the subject to a specific service account lets every service account in the cluster assume the role. For more information, see AssumeRoleWithOIDC.
- The application calls the API of the cloud service with the STS token. The token is temporary and carries only the permissions of the assumed RAM role.
Enable RRSA
Method 1: Enable RRSA in the ACK console
Method 2: Enable RRSA by using ack-ram-tool
You can enable RRSA by using the ack-ram-tool CLI. For more information, see ack-ram-tool.
When you enable RRSA for an ACK cluster, ACK performs the following steps in the background:
- Creates an OIDC issuer that is dedicated to the cluster and managed by ACK. The issuer publishes the OIDC discovery document and the public keys that relying parties such as STS use to verify the cluster's service account tokens. For more information, see OIDC Issuer.
- Enables service account token volume projection for the cluster. If the feature is already enabled, ACK overwrites the API server's service-account-issuer value with the URL of the issuer created in the preceding step, so tokens issued from then on carry that issuer in their iss claim; any relying party that was configured with the previous issuer URL must be updated. For more information, see Enable service account token volume projection.
- Creates a RAM OIDC identity provider (IdP) in your account that trusts the cluster's issuer for single sign-on. The IdP is named ack-rrsa-<cluster_id>, where <cluster_id> is the ID of your cluster. For more information, see Manage an OIDC IdP.
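The following Go program is an added example; it is not part of this topic, of ACK, or of the Alibaba Cloud SDKs. It ties the flow described under Background information to the identity provider that enabling RRSA creates: it mints a constructed, unsigned token with the claims a projected service account token carries, builds the RAM trust policy that lets exactly one service account assume a role through the ack-rrsa-<cluster_id> identity provider, and evaluates a token against that policy the way the AssumeRoleWithOIDC check can be reasoned about offline. The condition keys oidc:iss, oidc:sub and oidc:aud, the audience value sts.aliyuncs.com, the subject format system:serviceaccount:<namespace>:<service-account>, and the IdP ARN prefix acs:ram::<account_id>:oidc-provider/ are assumptions to verify against your own role's trust policy; the account ID, cluster ID and issuer URL in the code are constructed placeholders. Signature verification against the issuer's published keys, which STS performs, is deliberately left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims are the projected service account token claims a RAM trust policy matches on.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"` // system:serviceaccount:<namespace>:<service-account> (assumed format)
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"` // expiry, seconds since the Unix epoch
}

// ParseClaims decodes a JWT payload; signature verification is STS's job, not this model's.
func ParseClaims(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c)
	}
	return c, err
}

// MintToken builds an unsigned, JWT-shaped token (header {"alg":"none"}) for offline use only.
func MintToken(c Claims) string {
	body, _ := json.Marshal(c)
	return "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString(body) + ".unsigned"
}

// Statement and TrustPolicy mirror the shape of a RAM role trust policy document.
type Statement struct {
	Action    string                       `json:"Action"`
	Effect    string                       `json:"Effect"`
	Principal map[string][]string          `json:"Principal"`
	Condition map[string]map[string]string `json:"Condition"`
}
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// NewTrustPolicy lets exactly one service account of one cluster assume the role. ack-rrsa-<cluster_id>
// is the IdP name ACK creates; the ARN prefix and the sts.aliyuncs.com audience are assumptions.
func NewTrustPolicy(accountID, clusterID, issuer, namespace, serviceAccount string) TrustPolicy {
	idpARN := fmt.Sprintf("acs:ram::%s:oidc-provider/ack-rrsa-%s", accountID, clusterID)
	return TrustPolicy{Version: "1", Statement: []Statement{{
		Action:    "sts:AssumeRole",
		Effect:    "Allow",
		Principal: map[string][]string{"Federated": {idpARN}},
		Condition: map[string]map[string]string{"StringEquals": {
			"oidc:iss": issuer,
			"oidc:aud": "sts.aliyuncs.com",
			"oidc:sub": "system:serviceaccount:" + namespace + ":" + serviceAccount,
		}},
	}}}
}

// Evaluate models the trust-policy check behind AssumeRoleWithOIDC: the token must be unexpired
// at time now (Unix seconds), and every StringEquals condition of some Allow statement must match.
func Evaluate(policy TrustPolicy, token string, now int64) error {
	claims, err := ParseClaims(token)
	if err != nil {
		return err
	}
	if now >= claims.Exp {
		return fmt.Errorf("token expired")
	}
	for _, st := range policy.Statement {
		if st.Effect == "Allow" && st.Action == "sts:AssumeRole" && matches(st.Condition["StringEquals"], claims) {
			return nil
		}
	}
	return fmt.Errorf("no statement allows subject %q", claims.Sub)
}

// matches fails closed: an unknown condition key, or a value the token lacks, denies the statement.
func matches(cond map[string]string, c Claims) bool {
	have := map[string]map[string]bool{"oidc:iss": {c.Iss: true}, "oidc:sub": {c.Sub: true}, "oidc:aud": {}}
	for _, a := range c.Aud {
		have["oidc:aud"][a] = true
	}
	for key, want := range cond {
		if !have[key][want] {
			return false
		}
	}
	return true
}

func main() {
	policy := NewTrustPolicy("123456789012", "c1234", "https://oidc-issuer.example/c1234", "app-a", "app-a-sa") // constructed IDs
	doc, _ := json.MarshalIndent(policy, "", "  ")
	fmt.Println(string(doc)) // the trust policy to attach to the RAM role
}
```

Evaluate returns nil only for a token whose iss, aud and sub all match the statement; a token from another service account, from another cluster's issuer or for another audience, and an expired token, are all denied. The oidc:sub condition is what makes RRSA per-application: if it is dropped from StringEquals, every service account in the cluster that can present a token from the same issuer can assume the role, so treat a trust policy without oidc:sub as a finding when you review roles used with RRSA.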
Work with RRSA
After you enable RRSA for your cluster, perform the following steps to enable the applications in the cluster to obtain STS tokens through RRSA. The STS tokens are used to call the APIs of specific cloud services.
Alibaba Cloud SDKs that support the OIDC token authentication of RRSA
Some Alibaba Cloud SDKs allow applications to call the APIs of specific cloud resources by using the OIDC tokens of RRSA. The following table describes the supported SDK versions.
| Programming language | Supported SDK version | Example |
|---|---|---|
| Go | Alibaba Cloud Credentials for Go 1.2.2 and later | Example for SDK for Go |
| Java | Alibaba Cloud Credentials for Java 0.2.8 and later | Example for SDK for Java |
| Node.js and TypeScript | Alibaba Cloud Credentials for TypeScript/Node.js 2.2.1 and later | Examples for SDK for Node.js and SDK for TypeScript |