Container Compute Service: Revoke the kubeconfig file of a cluster

Last Updated: Mar 26, 2026

In multi-tenant environments, Alibaba Cloud Container Compute Service (ACS) issues kubeconfig files containing user identity information to grant cluster access. When a kubeconfig file is compromised or an employee leaves your organization, revoke it immediately to prevent unauthorized cluster access. After revocation, ACS automatically issues a new kubeconfig file for the cluster.

Important

Deleting a Resource Access Management (RAM) user or RAM role alone does not revoke the Role-Based Access Control (RBAC) permissions embedded in the kubeconfig file. If you distribute a kubeconfig file and then delete the identity without revoking the credential, the file remains valid and can still be used to access the cluster. Always revoke the kubeconfig first, then delete the RAM user or RAM role.

Who can revoke what

| Role | Scope |
| --- | --- |
| Alibaba Cloud account | Revoke kubeconfig files for any RAM user or RAM role managed by the account |
| RAM user | Revoke only their own kubeconfig file |

Revoke kubeconfig files as an Alibaba Cloud account

Use this method to revoke kubeconfig files for RAM users or RAM roles — for example, when handling a departing employee or a suspected credential leak.

  1. Log on to the ACS console with your Alibaba Cloud account.

  2. In the left-side navigation pane, click Permission Management.

  3. On the RAM Users tab, find the target RAM user and click KubeConfig Management.

  4. In the list of clusters created by the RAM user, follow the on-screen instructions to revoke the kubeconfig files.

Revoke your own kubeconfig file as a RAM user

Important

After revocation, you can no longer use the kubeconfig file to access the cluster. Proceed with caution.

  1. Log on to the ACS console with your RAM user credentials.

  2. In the left-side navigation pane, click Clusters.

  3. On the Clusters page, click the name of the cluster you want to manage.

  4. In the left-side navigation pane of the cluster details page, click Cluster Information.

  5. Click the Connection Information tab, click Revoke KubeConfig, and then click OK.

Handle a departing employee or untrusted user

Revoking the kubeconfig file is a required step before deleting a RAM user or RAM role. Deleting the identity alone leaves RBAC permissions in the kubeconfig intact, which poses a security risk if the credential has already been distributed.

Follow this sequence:

  1. Confirm that no application in the cluster depends on the permissions in the kubeconfig file.

  2. Use your Alibaba Cloud account to revoke the kubeconfig file. See Revoke kubeconfig files as an Alibaba Cloud account.

  3. Delete the RAM user or RAM role.
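
One way to carry out step 1 of this sequence, shown as an added example that is not part of the Alibaba Cloud documentation: summarize which clients have been using the kubeconfig's identity before you revoke it. It assumes the API server audit log is available as JSON lines in the standard Kubernetes `audit.k8s.io/v1` event format and that the kubeconfig's identity appears in `user.username`; the username, IP addresses and log lines below are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit events, one JSON object per line (the last line is truncated on purpose).
# "200000000000000001" is a made-up placeholder for the identity embedded in the kubeconfig.
SAMPLE_AUDIT_LOG = """\
{"stage":"RequestReceived","user":{"username":"200000000000000001"},"userAgent":"kubectl/v1.30.1 (linux/amd64)","sourceIPs":["203.0.113.10"],"verb":"get","objectRef":{"resource":"pods"},"requestReceivedTimestamp":"2026-03-01T08:00:00.000000Z"}
{"stage":"ResponseComplete","user":{"username":"200000000000000001"},"userAgent":"kubectl/v1.30.1 (linux/amd64)","sourceIPs":["203.0.113.10"],"verb":"get","objectRef":{"resource":"pods"},"requestReceivedTimestamp":"2026-03-01T08:00:00.000000Z"}
{"stage":"ResponseComplete","user":{"username":"200000000000000001"},"userAgent":"Go-http-client/2.0","sourceIPs":["198.51.100.7"],"verb":"patch","objectRef":{"resource":"deployments"},"requestReceivedTimestamp":"2026-03-20T02:15:00.000000Z"}
{"stage":"ResponseComplete","user":{"username":"200000000000000001"},"userAgent":"Go-http-client/2.0","sourceIPs":["198.51.100.7"],"verb":"patch","objectRef":{"resource":"deployments"},"requestReceivedTimestamp":"2026-03-21T02:15:00.000000Z"}
{"stage":"ResponseComplete","user":{"username":"200000000000000002"},"userAgent":"kubectl/v1.30.1 (linux/amd64)","sourceIPs":["203.0.113.11"],"verb":"list","objectRef":{"resource":"nodes"},"requestReceivedTimestamp":"2026-03-21T09:00:00.000000Z"}
{"stage":"ResponseComplete","user":{"usern
"""

def kubeconfig_usage(lines, username):
    """Group completed requests made as `username` by (userAgent, source IP)."""
    usage = defaultdict(lambda: {"count": 0, "last_seen": "", "actions": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if event.get("user", {}).get("username") != username:
            continue
        if event.get("stage") != "ResponseComplete":
            continue  # other stages repeat the same request; count it once
        ref = event.get("objectRef") or {}
        action = f'{event.get("verb", "?")} {ref.get("resource", "?")}'
        ts = event.get("requestReceivedTimestamp", "")
        for ip in event.get("sourceIPs") or ["unknown"]:
            entry = usage[(event.get("userAgent", "unknown"), ip)]
            entry["count"] += 1
            # Fixed-width UTC timestamps sort correctly as strings.
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["actions"].add(action)
    return dict(usage)

if __name__ == "__main__":
    report = kubeconfig_usage(SAMPLE_AUDIT_LOG.splitlines(), "200000000000000001")
    for (agent, ip), info in sorted(report.items()):
        print(f'{agent} from {ip}: {info["count"]} requests, '
              f'last {info["last_seen"]}, {sorted(info["actions"])}')
```

A recent entry from a non-interactive client (here the constructed `Go-http-client/2.0` patching deployments) indicates an application still depends on the kubeconfig and needs a replacement credential before revocation.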