Skip to Content
GuideGetting StartedDeploy CloudPilot AI with Existing RAM User

Deploy CloudPilot AI with Existing RAM User

By default, CloudPilot AI will use the Alibaba Cloud user’s Access Key (AK) and Secret Key (SK) from the local environment to tag Security Groups and vSwitches. It will also retrieve the necessary ACK cluster information and create RAM users for CloudPilot AI components to perform ECS operations.

However, in some cases, you may prefer not to use the default behavior and instead deploy CloudPilot AI with an existing RAM user that has the correct permissions.

In such situations, you can follow this tutorial to deploy CloudPilot AI using your existing RAM user.

Currently, the tutorial only supports AlibabaCloud.

Step 1. Manually Create a AlibabaCloud RAM User

If you want to deploy CloudPilot AI with minimal permissions, you need to manually create the required user and grant the necessary permissions.

Visit this link to create a new RAM User.

create-alibabacloud-ram-user-1

Then, create a new RAM User, and your username must follow this format: cloudpilot-<your cluster name> (e.g., cloudpilot-test-cluster), and you need to check Using permanent AccessKey to access.

create-alibabacloud-ram-user-2

You must click the following three buttons in order and properly save the copied Access Key and Secret Key.

create-alibabacloud-ram-user-3

Step 2. Add the Required Permissions for the New User

Visit this page to create Policies.

create-alibabacloud-ram-policies-1

create-alibabacloud-ram-policies-2

Please replace the JSON content with the following permission settings:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cs:DescribeClusters",
                "cs:GetClusters",
                "ecs:TagResources",
                "ecs:UntagResources",
                "vpc:TagResources",
                "vpc:UntagResources",
                "tag:TagResources",
                "tag:UntagResources",
                "ess:ModifyScalingGroup"
            ],
            "Resource": "*"
        }
    ]
}

create-alibabacloud-ram-policies-3

The name of the Policies should follow this format: cloudpilot-<your cluster name>-deploy.

Next, you need to create the required permissions for CloudPilot AI runtime. You can refer to this article for the JSON content, and the name of this Policy should follow this format: cloudpilot-<your cluster name>.

You can use the following command to query your cluster INTERNAL_CLUSTER_ID:

export CLUSTER_NAME=<your cluster name>
 
INTERNAL_CLUSTER_ID=$(aliyun cs GET /clusters | jq -r --arg CLUSTER_NAME "$CLUSTER_NAME" '.[] | select(.name == $CLUSTER_NAME) | .cluster_id')
echo INTERNAL_CLUSTER_ID: ${INTERNAL_CLUSTER_ID}

After creation, visit this page to grant the newly created Policies to the new user you just created.

grant-alibabacloud-ram-policies

3. Configure Aliyun CLI using the minimal permission user.

Use the Access Key and Secret Key you just saved to log in to Aliyun CLI, and use this user to deploy CloudPilot AI to your cluster.

aliyun configure

4. Deploy CloudPilot AI

Before deploying Phase 2, you must enter the following content to avoid permission issues.

export SELF_MANAGE_USER=true
export ACCESS_KEY_ID=<your access key>
export ACCESS_KEY_SECRET=<your secret key>

Then, follow the steps provided by the Console to install Phase 2.

Note: When uninstalling CloudPilot AI, if you deployed it using this method, you need to enter the following command before uninstallation.

export SELF_MANAGE_USER=true
Last updated on
Prepare the terminal environmentKeep Some Existing Nodes and Exclude Them from Optimization