Feature Request
Resolution: Unresolved
Blocker
1. Proposed title of this feature request
Currently, IPI on Alibaba Cloud only supports RAM permissions granted at the whole Alibaba Cloud account level as the authorized scope.
We have a requirement from a customer who needs to grant the permissions at a specific resource group level instead of at the whole Alibaba Cloud account level.
By testing this scenario, we currently face many issues that block the IPI installation from completing, including:
- When creating the install-config, we got the error 'failed to generate asset "Base Domain"...User not authorized'. But in fact, specifying the resource group id when calling the Alibaba Cloud API does retrieve the base domain.
- Using an existing install-config.yaml instead, we got an error when trying to create RAM users, with error code 'NoPermission'.
- After temporarily granting the user the AliyunRAMFullAccess permission at Alibaba Cloud account scope, creating RAM users succeeded.
  Then, trying to create the cluster, we got the error 'Datasource alicloud_pvtz_service CreateInstance Failed...NotAuthorized'.
We believe that the scenario of granting permissions to a specific Rg has never been tested and is unsupported.
2. What is the nature and description of the request?
When the permissions are granted at resource group scope (even full permissions), since there are no permissions at the cloud account level, the installer cannot retrieve the required resources from the resource group even if the resource already exists in the Rg. For example, at the beginning, when we try to retrieve a DNS domain from the specific Rg, it might fail as below:
[root@bastion opt]# ./openshift-install create install-config --dir install-dir/
? SSH Public Key /root/.ssh/id_rsa.pub
? Platform alibabacloud
? Region cn-zhangjiakou
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to generate asset "Base Domain": SDK.ServerError
FATAL ErrorCode: Forbidden.RAM
FATAL Recommend: https://next.api.aliyun.com/troubleshoot?q=Forbidden.RAM&product=Alidns
FATAL RequestId: 01CF78D1-C8A1-5BA7-B544-61CCB08AE9E0
FATAL Message: User not authorized to operate on the specified resource, or this API doesn't support RAM.
The reason it fails is that the RAM user does not have account-level permission to call DescribeDNS (even though it does have that permission at the specific Rg level). Since the installer tries to fetch the DNS domain at the whole cloud account level, without passing a resource group id, the call is rejected with Forbidden.RAM.
The above is only the first example. There are other subsequent errors if we tweak this part and try to move forward.
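The following preflight script is an added example and is not part of the installer or of this report. It uses the aliyun CLI, configured for the candidate RAM user, to issue the read-only counterparts of the calls that fail above (Alidns DescribeDomains for the base domain lookup, RAM ListUsers, and PrivateZone DescribeZones) first at account scope and then with the resource group id, and classifies each result from the "ErrorCode:" line the CLI prints. It assumes the CLI is installed and configured, that RG_ID is replaced with the real resource group id (the value below is a placeholder), and that DescribeDomains is the CLI equivalent of the domain lookup behind the "Base Domain" asset.

```shell
#!/usr/bin/env bash
# Added example (not installer code): preflight the account-scope API calls an
# IPI install needs, using the `aliyun` CLI configured for the candidate RAM user.
# ALIYUN may be pointed at a stub command for offline testing.
ALIYUN="${ALIYUN:-aliyun}"
RG_ID="${RG_ID:-rg-placeholder}"   # hypothetical resource group id, replace with yours

# run_call NAME CLI-ARGS...: execute one API call and classify the outcome.
# Prints "ok NAME", "denied NAME ERRORCODE" or "error NAME ERRORCODE".
# Exit status: 0 allowed, 2 denied by RAM, 1 any other failure.
run_call() {
  local name out status code
  name=$1; shift
  status=0
  out=$("$ALIYUN" "$@" 2>&1) || status=$?
  if [ "$status" -eq 0 ]; then
    printf 'ok %s\n' "$name"
    return 0
  fi
  # On failure the CLI prints an "ErrorCode: <code>" line, like the installer's FATAL lines.
  code=$(printf '%s\n' "$out" | sed -n 's/^ErrorCode: *//p' | head -n 1)
  case "$code" in
    Forbidden.RAM|NoPermission|NotAuthorized)
      printf 'denied %s %s\n' "$name" "$code"
      return 2 ;;
    *)
      printf 'error %s %s\n' "$name" "${code:-unknown}"
      return 1 ;;
  esac
}

# preflight: run the read-only counterparts of the calls that failed in the report.
# Returns 0 only if every call succeeds. With a grant scoped to one resource group
# the first three (account-scope) calls are expected to be denied while the last,
# which carries the ResourceGroupId, is expected to succeed.
preflight() {
  local rc=0
  run_call alidns.DescribeDomains.account alidns DescribeDomains --PageSize 1 || rc=1
  run_call ram.ListUsers ram ListUsers --MaxItems 1 || rc=1
  run_call pvtz.DescribeZones pvtz DescribeZones --PageSize 1 || rc=1
  run_call alidns.DescribeDomains.rg alidns DescribeDomains --PageSize 1 --ResourceGroupId "$RG_ID" || rc=1
  return "$rc"
}
```

Run `RG_ID=<your-rg-id> ./preflight.sh` after `aliyun configure` for the RAM user; a "denied" line for an account-scope call and an "ok" line for the ResourceGroupId call reproduces the situation described above before any openshift-install run is attempted.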
3. Why does the customer need this? (List the business requirements here)
For a large enterprise account using Aliyun Cloud, there is a dedicated Security Compliance department that restricts the permissions provided to each Business Unit (each BU represents one dedicated Resource Group). The Security department will not allow an Rg to have cloud-account-level permissions; all permissions must be restricted to that specific Rg. In this case, our IPI currently cannot support the scenario and the IPI installation fails.
4. List any affected packages or components.
Installer