Container Compute Service:Grant RBAC permissions to RAM users or RAM roles

Last Updated: Mar 26, 2026

Role-based access control (RBAC) regulates access to Kubernetes resources based on user roles. By default, only the Alibaba Cloud account owner and the cluster creator have administrator permissions on Kubernetes resources in ACS clusters. Use RBAC to grant RAM users or RAM roles the minimum permissions they need.

You can use the following authorization methods:

  • Method 1: Assign predefined RBAC roles (Administrator, O&M Engineer, Developer, Restricted User, or Custom) to a RAM user or RAM role.

  • Method 2: Assign a predefined role to manage all clusters, including newly created clusters.

  • Method 3: Set a RAM user or RAM role as a permission administrator to grant RBAC roles to other RAM users or RAM roles.

You can grant permissions to one or more RAM users or RAM roles at a time.

How it works

ACS provides five predefined RBAC roles. Assign one predefined role and, optionally, one or more custom roles to a RAM user or RAM role for a specific cluster or namespace.

Role: Administrator
  Scope: All namespaces (cluster-wide)
  Permissions: Full read and write access to all Kubernetes resources.
  When to use: Cluster-wide admin access. Do not use Developer or Restricted User if cluster-wide access is needed.

Role: O&M Engineer
  Scope: All namespaces (cluster-wide)
  Permissions: Read and write access to the Kubernetes resources visible in the ACS console in all namespaces; read-only access to persistent volumes (PVs), namespaces, and quotas.
  When to use: Operations staff who need broad visibility but should not manage PVs or namespaces directly.

Role: Developer
  Scope: All or specified namespaces
  Permissions: Read and write access to the Kubernetes resources visible in the ACS console.
  When to use: Limiting access to one or more namespaces rather than the entire cluster. If cluster-wide access is needed, use Administrator instead.

Role: Restricted User
  Scope: All or specified namespaces
  Permissions: Read-only access to the Kubernetes resources visible in the ACS console.
  When to use: Users who need visibility without the ability to make changes. Scope can be limited to specific namespaces.

Role: Custom
  Scope: Defined by the selected cluster role
  Permissions: Determined by the cluster role you select.
  When to use: When the predefined roles do not match your requirements. Before assigning, review the role's permissions with kubectl get clusterrole <role-name> -o yaml.
Important

The cluster-admin cluster role grants the same permissions as the Alibaba Cloud account owner — full control over all resources in the cluster. Assign this role only when absolutely necessary.

Note

To modify RAM policies attached to RAM users or RAM roles, use the RAM console. You cannot modify RAM policies in the ACS console.

Prerequisites

Before you begin, ensure that you have:

Grant RBAC permissions to RAM users or RAM roles

Important

ACS clusters are a type of ACK Serverless cluster. If a RAM user or RAM role has already been granted permissions to manage all clusters in the ACK console, those permissions also cover ACS clusters. In that case, you cannot grant ACS-specific permissions in the ACS console.

  1. Log on to the ACS console. In the left-side navigation pane, click Permission Management.

  2. On the Authorizations page, select the RAM user or RAM role to authorize.

    Note

    Use RAM roles with short-term credentials instead of RAM users with long-term credentials where possible. RAM roles reduce the risk of long-lived credential exposure.

    • RAM users: Click the RAM Users tab, find the target user, and click Modify Permissions.

    • RAM roles: Click the RAM Roles tab, enter the RAM role name, and click Modify Permissions.

  3. In the Permission Management panel, click +Add Permissions. Set the Clusters, Namespace, and role parameters, then click Submit.

    • To grant permissions on all clusters, including clusters created in the future, select All Clusters in the Clusters field.

    • To assign a predefined role, select one of the five roles described in How it works.

    • To assign a custom role, select Custom and click View YAML to review the role's permissions before assigning it.

  4. Log on to the ACS console as the RAM user or RAM role to verify access to the target cluster.

View custom cluster role permissions

To review the permissions of a custom role before assigning it:

  1. List all cluster roles:

    kubectl get clusterrole

    Sample output:

    NAME                                                                   CREATED AT
    acs:view                                                               2024-12-31T06:18:06Z
    admin                                                                  2024-12-31T06:17:53Z
    alibaba-log-controller                                                 2024-12-31T06:25:03Z
    alicloud-csi-provisioner                                               2024-12-31T06:19:23Z
    aliyun-eci-pod-clusterrole                                             2024-12-31T06:18:52Z
    arms-aliyunserviceroleforarms-clusterrole                              2024-12-31T06:25:03Z
    cluster-admin                                                          2024-12-31T06:17:53Z
    ebs-token-controller                                                   2024-12-31T06:19:00Z
    edit                                                                   2024-12-31T06:17:53Z
    o11y:addon-controller:role                                             2024-12-31T06:24:32Z
    system:aggregate-to-admin                                              2024-12-31T06:17:53Z
    system:aggregate-to-edit                                               2024-12-31T06:17:53Z
    ...
    system:volume-scheduler                                                2024-12-31T06:17:53Z
    tenant-webhook-clusterrole                                             2024-12-31T06:19:45Z
    view                                                                   2024-12-31T06:17:53Z
  2. Inspect a specific role. For example, to review cluster-admin:

    Important

    A RAM user or RAM role assigned the cluster-admin role has the same permissions as the Alibaba Cloud account owner — full control over all resources in the cluster. Assign this role with caution.

    kubectl get clusterrole cluster-admin -o yaml

    Sample output:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      creationTimestamp: "2024-12-31T06:17:53Z"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: cluster-admin
      resourceVersion: "70"
      uid: 759xxxxx-5ad2-42ce-872d-fbce117xxxxx
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'

Set a RAM user or RAM role as a permission administrator

A permission administrator is a RAM user or RAM role that can grant RBAC permissions to other RAM users or RAM roles. By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. Only the Alibaba Cloud account owner and RAM users with Administrator access on all clusters can do this.

To set a RAM user or RAM role as a permission administrator, complete both of the following steps.

Step 1: Attach RAM policies

  1. Log on to the RAM console.

    • For a RAM user: Go to Identities > Users, find the target user, and click Add Permissions.

    • For a RAM role: Go to Identities > Roles, find the target role, and click Add Permissions.

  2. In the Add Permissions panel, set Authorized Scope, search for AliyunRAMFullAccess and AliyunACCFullAccess (System Policy), and add both policies to the Selected section. Click OK, then click Complete.

  3. Create a custom RAM policy with the following content and attach it to the RAM user or RAM role. For instructions, see Attach a RAM policy to a RAM user or RAM role.

    Important

    Using * in the Resource field grants permissions to perform actions on all resources under the account UID. The cs:* action covers all ACK clusters, but does not include ACS clusters. Scope this policy carefully to follow the principle of least privilege.

    {
        "Statement": [
            {
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "cs:DescribeClustersV1",
                    "cs:GrantPermission"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:AttachPolicyToUser",
                    "ram:AttachPolicy"
                ],
                "Effect": "Allow",
                "Resource": [
                    "acs:ram:*:*:policy/xxxxxx",
                    "acs:*:*:*:user/*"
                ]
            }
        ],
        "Version": "1"
    }

    Replace xxxxxx with the name of the RAM policy that the permission administrator is allowed to attach to other users or roles. To allow attaching any RAM policy, use *.
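The difference between naming the policy and using policy/* is the difference between a delegated grantor and a second account administrator, so it is worth checking before the policy is attached. The script below is an added example, not part of this page or of RAM: it lints a parsed RAM policy document for the weak form of the attach statement (a wildcard policy ARN or a bare Resource "*"), for an all-actions/all-resources statement, and it reports the all-clusters scope that the Important note above describes for cs:GrantPermission. Action patterns are matched with shell-style wildcards, which is how RAM treats "ram:Attach*". The two embedded policies are constructed: SCOPED_POLICY is the policy above with xxxxxx replaced by the hypothetical name acs-developer-grant, and WIDE_POLICY is the same document with the policy ARN opened to policy/*.

```python
import copy
import fnmatch

# RAM actions that attach a policy to a principal. Granting them against a
# wildcard policy ARN lets the holder hand out any policy in the account.
ATTACH_ACTIONS = ("ram:AttachPolicyToUser", "ram:AttachPolicyToRole",
                  "ram:AttachPolicyToGroup", "ram:AttachPolicy")
SEVERITY = ["info", "medium", "high", "critical"]


def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _covers(patterns, action):
    """True if any Action pattern in the statement (e.g. 'ram:Attach*') matches action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def lint_ram_policy(policy):
    """Return (severity, message) findings for a RAM policy document (parsed JSON)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        any_resource = "*" in resources
        if "*" in actions and any_resource:
            findings.append(("critical", f"Statement[{i}]: every action on every resource"))
        if any(_covers(actions, a) for a in ATTACH_ACTIONS):
            names = [r.rsplit("policy/", 1)[1] for r in resources if "policy/" in r]
            if any_resource or "*" in names:
                findings.append(("high", f"Statement[{i}]: can attach any RAM policy, "
                                         "including administrative system policies; "
                                         "name the allowed policy ARN instead"))
            else:
                findings.append(("info", f"Statement[{i}]: can attach only {names}"))
        if _covers(actions, "cs:GrantPermission") and any_resource:
            findings.append(("info", f"Statement[{i}]: cs:GrantPermission with Resource '*' "
                                     "applies to every cluster in the account"))
    return findings


def worst(findings):
    """Highest severity among the findings, or None when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY.index, default=None)


# Constructed sample: the policy from step 3 with xxxxxx replaced by a
# placeholder policy name (acs-developer-grant is hypothetical).
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ram:Get*", "ram:List*", "cs:DescribeClustersV1", "cs:GrantPermission"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicy"],
         "Resource": ["acs:ram:*:*:policy/acs-developer-grant", "acs:*:*:*:user/*"]},
    ],
}
# Constructed sample: the same policy with the attach statement opened to policy/*.
WIDE_POLICY = copy.deepcopy(SCOPED_POLICY)
WIDE_POLICY["Statement"][1]["Resource"][0] = "acs:ram:*:*:policy/*"

if __name__ == "__main__":
    for label, policy in (("scoped", SCOPED_POLICY), ("wide", WIDE_POLICY)):
        findings = lint_ram_policy(policy)
        print(f"{label}: {worst(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The scoped variant produces only informational findings; the wide variant is flagged high because, combined with the ram:AttachPolicyToUser action, it lets the permission administrator attach any policy in the account to any user.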

Step 2: Assign an RBAC role in the ACS console

Assign the Administrator or cluster-admin role to the RAM user or RAM role in the ACS console. This grants the permission administrator access to the clusters and namespaces it will manage on behalf of others. See Grant RBAC permissions to RAM users or RAM roles.

For more information about delegation scenarios, see Best practices of authorization.

Troubleshooting

If an operation fails with a permission error in the ACS console or API, the error code indicates which RBAC role the caller needs.

Error code                        Required RBAC role
ForbiddenCheckControlPlaneLog     Administrator or O&M Engineer
ForbiddenHelmUsage                Administrator
ForbiddenRotateCert               Administrator
ForbiddenQueryClusterNamespace    Administrator, O&M Engineer, Developer, or Restricted User

What's next