
Container Compute Service:Grant RAM permissions to a RAM user or RAM role

Last Updated: Mar 26, 2026

By default, RAM users and RAM roles have no permissions to call Alibaba Cloud service APIs. To grant a RAM user or RAM role access to Container Service for Kubernetes (ACK) or Container Compute Service (ACS) clusters, attach the appropriate RAM policies.

ACK uses a two-layer access model:

  • RAM permissions — control access to Alibaba Cloud platform APIs, such as creating, listing, or deleting clusters.

  • RBAC permissions — control access to Kubernetes resources inside a cluster, such as deployments, pods, and services.

RAM permissions are required first; RBAC permissions are configured separately after RAM authorization is complete. This topic covers only the RAM layer. For the second layer, see Grant RBAC permissions to a RAM user or RAM role.

Prerequisites

Before you begin, make sure that you have:

  • A RAM administrator account with permission to create and attach policies

  • Basic knowledge of policy elements, structure, and syntax. See Policy elements.

System policies

System policies are predefined by Alibaba Cloud and grant broad permissions. Attach system policies when you need to grant operations and maintenance (O&M) permissions on all ACK clusters in your Alibaba Cloud account.

The following table lists the system policies commonly used with ACK and ACS.

  • AliyunAccFullAccess: Full access to all ACS API operations.

  • AliyunCSFullAccess: Full access to all ACK API operations. Grants read and write permissions on all ACK clusters, excluding ACS clusters. Proceed with caution. To manage applications deployed in ACK clusters, also grant role-based access control (RBAC) permissions. See Custom RBAC policies.

  • AliyunVPCReadOnlyAccess: Read-only access to virtual private cloud (VPC) resources — required to specify a VPC when creating a cluster.

  • AliyunECSReadOnlyAccess: Read-only access to ECS resources — required to view node details.

  • AliyunContainerRegistryFullAccess: Full access to container images within your Alibaba Cloud account.

  • AliyunLogReadOnlyAccess: Read-only access to Simple Log Service — required to select an existing project for audit logs or to view cluster configuration inspection settings.

  • AliyunAHASReadOnlyAccess: Read-only access to cluster topology.

  • AliyunRAMFullAccess: Full access to RAM — required to manage authorizations across your Alibaba Cloud account.

  • AliyunYundunSASReadOnlyAccess: Read-only access to Security Center — required to monitor cluster runtime.

  • AliyunARMSReadOnlyAccess: Read-only access to ARMS — required to view the status of the Managed Service for Prometheus plug-in.

  • AliyunKMSReadOnlyAccess: Read-only access to Key Management Service (KMS) — required to view keys when creating an ACK Pro cluster.

  • AliyunESSReadOnlyAccess: Read-only access to Auto Scaling — required to view node pools.

To use a RAM user as an account administrator with full access to all cloud resources, attach the AdministratorAccess policy. See Create a RAM user as an account administrator.

Attach a system policy to a RAM user or RAM role

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column. To grant permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.


  4. In the Grant Permission panel, configure the following parameters:

    1. Resource Scope: Select the scope for the authorization.

    2. Principal: The RAM user is automatically selected.

    3. Select the system policy to attach.

  5. Click Grant permissions, then click Close.

Custom policies

System policies grant access to all clusters. To restrict permissions to specific clusters or specific operations, create a custom policy.

Best practices

Follow the principle of least privilege when creating custom policies:

  • Grant only the permissions needed for the task.

  • Scope permissions to specific clusters using the cluster ID in the Resource field.

  • Start with system policies during onboarding, then refine with custom policies as access requirements become clear.

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.


  4. On the Create Policy page, click the JSON tab and enter the policy content. The following example grants read, list, describe, scale, and delete permissions on a specific cluster:

    {
      "Statement": [{
        "Action": [
          "cs:Get*",
          "cs:List*",
          "cs:Describe*",
          "cs:ScaleCluster",
          "cs:DeleteCluster"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:cs:*:*:cluster/<cluster-id>"
        ]
      }],
      "Version": "1"
    }

    Replace <cluster-id> with the actual cluster ID, such as cae93341766c843479ae986b3305xxxxx. The Resource field controls which clusters the policy applies to:

      • One cluster: "acs:cs:*:*:cluster/<cluster-id>"

      • Multiple clusters: one entry per cluster ID

      • All clusters: "*"

    The Action field specifies which operations to allow. Wildcards are supported.

  5. Click OK. In the dialog that appears, enter a policy name and click OK.

  6. On the Policies page, search by name or description to confirm the policy was created.

Step 2: Attach the custom policy to a RAM user or RAM role

Attach the custom policy the same way you attach a system policy. See Attach a system policy to a RAM user or RAM role.

Policy examples

Read-only access to a specific cluster

Minimum permissions for a RAM user to view cluster details:

{
  "Statement": [{
    "Action": [
      "cs:Get*",
      "cs:List*",
      "cs:Describe*"
    ],
    "Effect": "Allow",
    "Resource": [
      "acs:cs:*:*:cluster/<cluster-id>"
    ]
  }],
  "Version": "1"
}

Non-cluster-specific API operations

Some API operations, such as DescribeEvents, are not scoped to a specific cluster. For these operations, set Resource to "*" in a separate Statement block. Do not add cluster IDs to the Resource field for non-cluster-specific operations.

The following example grants permission to call DescribeEvents alongside read access on a specific cluster:

{
  "Statement": [
    {
      "Action": [
        "cs:DescribeEvents"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<cluster-id>"
      ]
    }
  ],
  "Version": "1"
}
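The following Python script is an added example, not part of this page or of any Alibaba Cloud tool. It encodes the two rules stated in Step 1 (cluster-scoped actions go in a Statement whose Resource lists one cluster ARN per cluster ID, or "*" for all clusters) and in the section above (non-cluster-specific operations such as DescribeEvents need their own Statement with Resource "*"). It builds such a policy from a list of cluster IDs, renders the JSON you would paste into the JSON tab, and runs a minimal wildcard evaluator over it to show why DescribeEvents is not granted by a cluster-scoped statement. The cluster IDs and the evaluator are illustrative constructions; the evaluator is not the RAM service's authorization engine.

```python
"""Build and sanity-check least-privilege RAM policies for ACK/ACS clusters.

Added example for this page (not Alibaba Cloud's own tooling).
Cluster IDs below are constructed placeholders. The evaluator is a
simplified model written here for illustration only.
"""
import fnmatch
import json

# ARN template from the page: region and account are wildcarded, cluster ID fixed.
CLUSTER_ARN = "acs:cs:*:*:cluster/{cluster_id}"

# Action prefixes the page treats as read-only.
READ_PREFIXES = ("cs:Get", "cs:List", "cs:Describe")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(cluster_ids, cluster_actions, global_actions=()):
    """Return a RAM policy dict (Version "1").

    cluster_ids: cluster IDs to scope to; an empty list means all clusters ("*").
    cluster_actions: actions that apply to a cluster resource.
    global_actions: non-cluster-specific actions; they get a separate
    Statement with Resource "*", as the page requires.
    """
    resources = [CLUSTER_ARN.format(cluster_id=c) for c in cluster_ids] or ["*"]
    statements = []
    if global_actions:
        statements.append({"Action": list(global_actions),
                           "Effect": "Allow", "Resource": ["*"]})
    statements.append({"Action": list(cluster_actions),
                       "Effect": "Allow", "Resource": resources})
    return {"Statement": statements, "Version": "1"}


def render_policy(policy):
    """JSON text suitable for the JSON tab on the Create Policy page."""
    return json.dumps(policy, indent=2)


def is_allowed(policy, action, resource):
    """Minimal model: any matching Allow grants, any matching Deny overrides.
    '*' and '?' in Action/Resource are matched as RAM-style wildcards."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if action_hit and resource_hit:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit_wildcard_writes(policy):
    """Least-privilege check: return non-read actions that an Allow statement
    grants on Resource "*" (the page recommends scoping writes by cluster ID)."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "*" not in _as_list(st["Resource"]):
            continue
        findings.extend(a for a in _as_list(st["Action"])
                        if not a.startswith(READ_PREFIXES))
    return findings


if __name__ == "__main__":
    # Constructed cluster IDs, not real ones.
    scoped = build_policy(
        ["c0000000000000000000000000000001", "c0000000000000000000000000000002"],
        ["cs:Get*", "cs:List*", "cs:Describe*", "cs:ScaleCluster", "cs:DeleteCluster"],
        global_actions=["cs:DescribeEvents"],
    )
    print(render_policy(scoped))
    print("wildcard write findings:", audit_wildcard_writes(scoped))
```

Running the script prints the two-statement policy and an empty findings list; building with an empty cluster list and a delete action instead reports cs:DeleteCluster as granted on "*", which is the case the best-practices section tells you to avoid.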

What's next

RAM permissions grant access to cluster management APIs. To manage Kubernetes resources inside a cluster — such as deployments, pods, and services — also grant RBAC permissions.

Before configuring RBAC, make sure the RAM user or RAM role has at least read-only permissions on the target cluster:

{
  "Statement": [{
    "Action": [
      "cs:Get*",
      "cs:List*",
      "cs:Describe*"
    ],
    "Effect": "Allow",
    "Resource": [
      "acs:cs:*:*:cluster/<cluster-id>"
    ]
  }],
  "Version": "1"
}

Then configure RBAC authorization. See Grant RBAC permissions to a RAM user or RAM role.