https://github.com/aliyuncontainerservice/ack-ram-tool



ack-ram-tool
=============

A command line utility and library for using RAM, credential, and permission related features in Alibaba Cloud Container Service for Kubernetes (ACK).

`Chinese documentation `__

.. contents::

Installation
--------------

You can download the latest release from the `Releases `__ page.

Credential
-------------

https://aliyuncontainerservice.github.io/ack-ram-tool/#credentials

Usage
--------

kubectl/client-go credential plugin
+++++++++++++++++++++++++++++++++++++

A `kubectl/client-go credential plugin `__ for ACK.

Get a kubeconfig in exec credential plugin format:

.. code-block:: shell

    ack-ram-tool credential-plugin get-kubeconfig --cluster-id <cluster-id> > kubeconfig

Use this kubeconfig to access the cluster:

.. code-block:: shell

    kubectl --kubeconfig=kubeconfig get ns

Remove cached credentials:

.. code-block:: shell

    rm ~/.kube/cache/ack-ram-tool/credential-plugin/*.json

RAM Roles for Service Accounts (RRSA)
++++++++++++++++++++++++++++++++++++++++

Enable the `RRSA feature `__:

.. code-block:: shell

    $ ack-ram-tool rrsa enable --cluster-id <cluster-id>

    ? Are you sure you want to enable RRSA feature? Yes
    Enable RRSA feature for cluster c86fdd*** successfully

Associate a RAM role with a service account (use the ``--create-role-if-not-exist`` flag to
automatically create the RAM role when it doesn't exist):

.. code-block:: shell

    $ ack-ram-tool rrsa associate-role --cluster-id <cluster-id> \
        --namespace <namespace> --service-account <service-account> \
        --role-name <role-name>

    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
    Will change the assumeRolePolicyDocument of RAM Role test-rrsa with blow content:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::18***:root"
            ]
          }
        },
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "oidc:aud": "sts.aliyuncs.com",
              "oidc:iss": "https://oidc-ack-**/c86fdd***",
              "oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"
            ]
          }
        }
      ],
      "Version": "1"
    }
    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
    Associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace) successfully
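
The federated statement in the policy above only admits tokens whose ``oidc:aud``, ``oidc:iss`` and ``oidc:sub`` match exactly. The following Python check is an added example (not part of ack-ram-tool or this README) that audits a role's trust policy for federated statements not pinned to one service account; ``audit_rrsa_trust`` and ``SAMPLE_POLICY`` are hypothetical names, and the sample is constructed from the output above.

```python
import json

# Constructed sample: the federated statement from the output above, with the
# page's masked values (18***, c86fdd***) kept as printed.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {"Federated": ["acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"]},
  "Condition": {"StringEquals": {
    "oidc:aud": "sts.aliyuncs.com",
    "oidc:iss": "https://oidc-ack-**/c86fdd***",
    "oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"}}
}]}
""")


def audit_rrsa_trust(policy, namespace, service_account, audience="sts.aliyuncs.com"):
    """Return findings for federated Allow statements that are not pinned to
    one issuer, one audience and one service account with StringEquals."""
    expected = {
        "oidc:aud": audience,
        "oidc:iss": None,  # None: require a single pinned issuer, value is cluster-specific
        "oidc:sub": f"system:serviceaccount:{namespace}:{service_account}",
    }
    findings = []
    federated = [s for s in policy.get("Statement", [])
                 if s.get("Effect") == "Allow" and "Federated" in s.get("Principal", {})]
    if not federated:
        findings.append("no Allow statement with a Federated principal")
    for n, stmt in enumerate(federated):
        # Only exact-match conditions count; any other operator is treated as unpinned.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        for key, want in expected.items():
            got = exact.get(key)
            values = got if isinstance(got, list) else [got]
            if got is None:
                findings.append(f"statement {n}: {key} is not pinned with StringEquals")
            elif len(values) != 1 or (want is not None and values[0] != want):
                findings.append(f"statement {n}: {key} allows {got!r}")
    return findings


if __name__ == "__main__":
    result = audit_rrsa_trust(SAMPLE_POLICY, "test-namespace", "test-serviceaccount")
    print("\n".join(result) or "ok")
```

Statement numbers in the findings count only the federated statements, so the account-root statement shown in the tool output is not evaluated.
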

Documentation
---------------

For more information, refer to the `documentation `__.

Security
-------------
Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our `SECURITY.md <./SECURITY.md>`__ file for details.