{"id":28740973,"url":"https://github.com/aliyuncontainerservice/ack-ram-tool","last_synced_at":"2025-06-16T07:09:45.156Z","repository":{"id":37963223,"uuid":"433336259","full_name":"AliyunContainerService/ack-ram-tool","owner":"AliyunContainerService","description":null,"archived":false,"fork":false,"pushed_at":"2025-06-09T07:02:28.000Z","size":18008,"stargazers_count":8,"open_issues_count":14,"forks_count":12,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-06-09T08:21:03.366Z","etag":null,"topics":["alibaba","alibaba-cloud","alibabacloud","ram","rrsa"],"latest_commit_sha":null,"homepage":"https://aliyuncontainerservice.github.io/ack-ram-tool/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AliyunContainerService.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-11-30T07:34:52.000Z","updated_at":"2025-06-09T07:02:25.000Z","dependencies_parsed_at":"2023-11-06T09:48:54.971Z","dependency_job_id":"14d4e984-4dc1-4628-95af-68613c7030df","html_url":"https://github.com/AliyunContainerService/ack-ram-tool","commit_stats":{"total_commits":555,"total_committers":4,"mean_commits":138.75,"dds":0.3207207207207208,"last_synced_commit":"a8f537a77e88dfcddbce6567f072cff404426eae"},"previous_names":[],"tags_count":80,"template":false,"template_full_name":null,"purl":"pkg:github/AliyunContainerService/ack-ram-tool","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliyunContainerService%2Fack-ram-tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliyunContainerService%2Fack-ram-tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliyunContainerService%2Fack-ram-tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliyunContainerService%2Fack-ram-tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AliyunContainerService","download_url":"https://codeload.github.com/AliyunContainerService/ack-ram-tool/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliyunContainerService%2Fack-ram-tool/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260116644,"owners_count":22961065,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alibaba","alibaba-cloud","alibabacloud","ram","rrsa"],"created_at":"2025-06-16T07:09:44.345Z","updated_at":"2025-06-16T07:09:45.137Z","avatar_url":"https://github.com/AliyunContainerService.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"ack-ram-tool\n=============\n\nA command line utility and library for using RAM、Credential and permission related features in Alibaba Cloud Container Service For Kubernetes (ACK).\n`中文文档 \u003cREADME.zh-cn.rst\u003e`__\n\n.. contents::\n\n\nInstallation\n--------------\n\nYou can download the latest release from `Releases \u003chttps://github.com/AliyunContainerService/ack-ram-tool/releases\u003e`__ page.\n\n\nCredential\n-------------\n\nhttps://aliyuncontainerservice.github.io/ack-ram-tool/#credentials\n\n\nUsage\n--------\n\n\nkubectl/client-go credential plugin\n+++++++++++++++++++++++++++++++++++++\n\nA `kubectl/client-go credential plugin \u003chttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins\u003e`__ for ACK。\n\nGet a kubeconfig with exec credential plugin format：\n\n.. code-block:: shell\n\n    ack-ram-tool credential-plugin get-kubeconfig --cluster-id \u003cclusterId\u003e \u003e kubeconfig\n\n\nUse this kubeconfig to access cluster:\n\n.. code-block:: shell\n\n    kubectl --kubeconfig=kubeconfig get ns\n\n\nRemove cached credentials:\n\n.. code-block:: shell\n\n    rm ~/.kube/cache/ack-ram-tool/credential-plugin/*.json\n\n\n\nRAM Roles for Service Accounts (RRSA)\n++++++++++++++++++++++++++++++++++++++++\n\nEnable `RRSA feature \u003chttps://www.alibabacloud.com/help/doc-detail/356611.html\u003e`__ :\n\n.. code-block:: shell\n\n    $ ack-ram-tool rrsa enable --cluster-id \u003cclusterId\u003e\n\n    ? Are you sure you want to enable RRSA feature? Yes\n    Enable RRSA feature for cluster c86fdd*** successfully\n\n\nAssociate an RAM Role to a service account (use the ``--create-role-if-not-exist`` flag to\nauto create an RAM Role when it doesn't exist):\n\n.. code-block:: shell\n\n    $ ack-ram-tool rrsa associate-role --cluster-id \u003cclusterId\u003e \\\n        --namespace \u003cnamespce\u003e --service-account \u003cserviceAccountName\u003e \\\n        --role-name \u003croleName\u003e\n\n    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes\n    Will change the assumeRolePolicyDocument of RAM Role test-rrsa with blow content:\n    {\n      \"Statement\": [\n       {\n        \"Action\": \"sts:AssumeRole\",\n        \"Effect\": \"Allow\",\n        \"Principal\": {\n         \"RAM\": [\n          \"acs:ram::18***:root\"\n         ]\n        }\n       },\n       {\n        \"Action\": \"sts:AssumeRole\",\n        \"Condition\": {\n         \"StringEquals\": {\n          \"oidc:aud\": \"sts.aliyuncs.com\",\n          \"oidc:iss\": \"https://oidc-ack-**/c86fdd***\",\n          \"oidc:sub\": \"system:serviceaccount:test-namespace:test-serviceaccount\"\n         }\n        },\n        \"Effect\": \"Allow\",\n        \"Principal\": {\n         \"Federated\": [\n          \"acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***\"\n         ]\n        }\n       }\n      ],\n      \"Version\": \"1\"\n     }\n    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes\n    Associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace) successfully\n\nDocumentation\n---------------\n\nFor more information, refer to the `document \u003chttps://aliyuncontainerservice.github.io/ack-ram-tool/\u003e`__.\n\nSecurity\n-------------\nPlease report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our `SECURITY.md \u003c./SECURITY.md\u003e`__ file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliyuncontainerservice%2Fack-ram-tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faliyuncontainerservice%2Fack-ram-tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faliyuncontainerservice%2Fack-ram-tool/lists"}