Deploy CloudPilot AI with an Existing RAM User
This guide explains how to deploy CloudPilot AI on Alibaba Cloud using an existing RAM user instead of relying on the default method, which uses local Access Key (AK) and Secret Key (SK) credentials. This approach allows you to follow the principle of least privilege by assigning only the necessary permissions.
Note: This guide currently supports only Alibaba Cloud.
Prerequisites
- An Alibaba Cloud account with RAM access.
- Admin privileges to create and manage RAM users and policies.
- Aliyun CLI installed and configured on your local machine.
- The name of your target ACK cluster.
Step 1: Create a RAM User Manually
Navigate to the RAM User Console and create a new RAM user.
- Username Format: cloudpilot-<your cluster name> (e.g., cloudpilot-test-cluster)
- Access Type: Enable “Programmatic Access” with a permanent AccessKey.
Save the generated Access Key ID and Secret Key securely.
Step 2: Attach Required Permissions
Navigate to the Policy Management Console and create two policies:
a. Deployment Policy
Create a policy named cloudpilot-<your cluster name>-deploy with the following JSON:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeClusters",
        "cs:GetClusters",
        "ecs:TagResources",
        "ecs:UntagResources",
        "vpc:TagResources",
        "vpc:UntagResources",
        "tag:TagResources",
        "tag:UntagResources",
        "ess:ModifyScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}
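Added example (not part of the CloudPilot AI documentation): a Python check that compares a policy document against the deployment actions listed above and reports unexpected, missing, or wildcard actions before the policy is attached to the RAM user. The function names and the drifted sample policy are constructed for illustration.

```python
import json

# Actions copied from the Deployment Policy on this page.
EXPECTED = {
    "cs:DescribeClusters", "cs:GetClusters",
    "ecs:TagResources", "ecs:UntagResources",
    "vpc:TagResources", "vpc:UntagResources",
    "tag:TagResources", "tag:UntagResources",
    "ess:ModifyScalingGroup",
}

def as_list(value):
    """Accept either a single value or a list (handled defensively)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, expected=EXPECTED):
    """Compare the Allow statements of a policy document with `expected`."""
    doc = json.loads(policy_json)
    granted, wildcards = set(), set()
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            # Any "*" widens the grant beyond a single named API action.
            (wildcards if "*" in action else granted).add(action)
    return {
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "wildcards": sorted(wildcards),
    }

def matches_page(findings):
    """True only when the policy grants exactly the page's action list."""
    return not any(findings.values())

# Constructed sample: a drifted copy with one extra action, one wildcard,
# and ess:ModifyScalingGroup missing. The Deny statement is ignored.
DRIFTED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": sorted(EXPECTED - {"ess:ModifyScalingGroup"})
                   + ["ecs:DeleteInstance", "ram:*"]},
        {"Effect": "Deny", "Action": "ecs:StopInstance", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(audit_policy(DRIFTED_POLICY))
```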
b. Runtime Policy
Refer to the permissions reference and create a policy named cloudpilot-<your cluster name>.
Granting Permissions
Go to the Permissions Console and assign both policies to the newly created RAM user.
To retrieve your INTERNAL_CLUSTER_ID, use:
export CLUSTER_NAME=<your cluster name>
INTERNAL_CLUSTER_ID=$(aliyun cs GET /clusters | jq -r --arg CLUSTER_NAME "$CLUSTER_NAME" '.[] | select(.name == $CLUSTER_NAME) | .cluster_id')
echo "INTERNAL_CLUSTER_ID: ${INTERNAL_CLUSTER_ID}"
After the policies are created, visit this page to grant them to the new RAM user.
Step 3: Configure Aliyun CLI
Use the Access Key ID and Secret Key from the new RAM user:
aliyun configure
Input the Access Key ID, Secret Key, and default region when prompted.
Step 4: Deploy CloudPilot AI
Set environment variables to indicate that you’re managing credentials manually:
export SELF_MANAGE_USER=true
export ACCESS_KEY_ID=<your access key>
export ACCESS_KEY_SECRET=<your secret key>
Proceed with Phase 2 installation as directed by the CloudPilot AI Console.
More
Note: If you uninstall CloudPilot AI later, make sure to set the SELF_MANAGE_USER flag again to avoid permission issues:
export SELF_MANAGE_USER=true