Updated on 2025-12-08 GMT+08:00

Permissions Management

If you do not have the ASM permissions, a dialog box will be displayed when you log in to the ASM console. Click OK to complete the authorization. The authorization takes effect permanently.

System Agencies

ASM works closely with multiple cloud services to support compute, storage, network, and monitoring functions. When you log in to the ASM console for the first time, ASM automatically requests permissions to access these cloud services in the region where you run your applications. Specifically:
  • Cloud Container Engine (CCE)

    Service meshes are enabled for CCE clusters and provide traffic management capabilities.

  • Network services

    ASM allows an ingress gateway to be published as a Service that can be accessed by external systems. This requires ASM to have permissions to access services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).

  • Container and monitoring services

    Service meshes support application metric reporting. This requires ASM to have permissions to access Application Operations Management (AOM).

After you agree to the authorization, ASM automatically creates an agency in Identity and Access Management (IAM) that delegates to ASM the permissions to operate other resources in your account. For details, see Account Delegation.

ASM automatically creates the asm_admin_trust agency.

The asm_admin_trust agency is authorized to operate only the cloud services that ASM depends on to generate temporary access credentials used by components in a service mesh.

asm_admin_trust Description

The asm_admin_trust agency is authorized to operate the cloud services required by components in a service mesh. This agency will be used when cloud service resources that ASM depends on are automatically created in a service mesh, for example, when a gateway is created.

To use ASM in multiple regions, you need to request cloud resource permissions in each region. You can go to the IAM console, choose > Agencies and click asm_admin_trust to view the permissions of each region.

When the asm_admin_trust agency is created, a custom policy named asm admin trust policy is automatically created. Do not delete this policy.