Skip to Content
GuideGetting StartedDeploy CloudPilot AI with Existing RAM User

Deploy CloudPilot AI with an Existing RAM User

This guide explains how to deploy CloudPilot AI on Alibaba Cloud using an existing RAM user instead of relying on the default method, which uses local Access Key (AK) and Secret Key (SK) credentials. This approach allows you to follow the principle of least privilege by assigning only the necessary permissions.

Note: This guide currently supports only Alibaba Cloud.

Prerequisites

  • An Alibaba Cloud account with RAM access.
  • Admin privileges to create and manage RAM users and policies.
  • Aliyun CLI installed and configured on your local machine.
  • Access to your target ACK cluster name.

Step 1: Create a RAM User Manually

Navigate to the RAM User Console and create a new RAM user.

  • Username Format: cloudpilot-<your cluster name> (e.g., cloudpilot-test-cluster)
  • Access Type: Enable “Programmatic Access” with a permanent AccessKey.

Save the generated Access Key ID and Secret Key securely.

Step 2: Attach Required Permissions

Navigate to the Policy Management Console and create two policies:

a. Deployment Policy

Create a policy named cloudpilot-<your cluster name>-deploy with the following JSON:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cs:DescribeClusters",
                "cs:GetClusters",
                "ecs:TagResources",
                "ecs:UntagResources",
                "vpc:TagResources",
                "vpc:UntagResources",
                "tag:TagResources",
                "tag:UntagResources",
                "ess:ModifyScalingGroup"
            ],
            "Resource": "*"
        }
    ]
}

b. Runtime Policy

Refer to the permissions reference and create a policy named cloudpilot-<your cluster name>.

Granting Permissions

Go to the Permissions Console and assign both policies to the newly created RAM user.

To retrieve your INTERNAL_CLUSTER_ID, use:

export CLUSTER_NAME=<your cluster name>
 
INTERNAL_CLUSTER_ID=$(aliyun cs GET /clusters | jq -r --arg CLUSTER_NAME "$CLUSTER_NAME" '.[] | select(.name == $CLUSTER_NAME) | .cluster_id')
echo INTERNAL_CLUSTER_ID: ${INTERNAL_CLUSTER_ID}

After creation, visit this page to grant the newly created Policies to the new user you just created.

grant-alibabacloud-ram-policies

Step 3: Configure Aliyun CLI

Use the Access Key ID and Secret Key from the new RAM user:

aliyun configure

Input the Access Key ID, Secret Key, and default region when prompted.

Step 4: Deploy CloudPilot AI

Set environment variables to indicate that you’re managing credentials manually:

export SELF_MANAGE_USER=true
export ACCESS_KEY_ID=<your access key>
export ACCESS_KEY_SECRET=<your secret key>

Proceed with Phase 2 installation as directed by the CloudPilot AI Console.

More

Note: If you uninstall CloudPilot AI later, make sure to set the SELF_MANAGE_USER flag again to avoid permission issues:

export SELF_MANAGE_USER=true
Last updated on
Prepare the terminal environmentWorkload Configuration Guide