阿里云首页 弹性高性能计算E-HPC

管理服务关联角色

本文介绍如何通过E-HPC服务关联角色(AliyunServiceRoleForEHPC)授予E-HPC服务访问关联云资源的权限。

背景信息

弹性高性能计算服务关联角色(AliyunServiceRoleForEHPC)是访问控制提供的一种服务关联角色,用于授权E-HPC访问关联云资源。通过AliyunServiceRoleForEHPC,E-HPC可以获得云服务器ECS、专有网络VPC、文件存储NAS的访问权限。更多服务关联角色的说明,请参见服务关联角色

AliyunServiceRoleForEHPC的权限策略

角色名称:AliyunServiceRoleForEHPC

角色权限策略:AliyunServiceRolePolicyForEHPC

权限说明如下:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribePrice",
        "ecs:DescribeZones",
        "ecs:DescribeAvailableResource",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeImages",
        "ecs:AttachKeyPair",
        "ecs:ModifyInstanceAttribute",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:DeleteInstance",
        "ecs:CreateInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:RebootInstance",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:CreateHpcCluster",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:DeleteHpcCluster",
        "ecs:DescribeHpcClusters",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeDisks",
        "ecs:ReInitDisk",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:ModifyCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:AttachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeResourceAllocation",
        "ecs:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:AllocateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:AssociateEipAddress",
        "vpc:DescribeVSwitches",
        "vpc:ReleaseEipAddress",
        "vpc:CreateVpc",
        "vpc:CreateVSwitch"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:DescribeMountTargets",
        "nas:CreateFileSystem",
        "nas:CreateMountTarget",
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule",
        "nas:DeleteAccessGroup",
        "nas:DeleteAccessRule",
        "nas:DescribeAccessGroups",
        "nas:DescribeAccessRules",
        "nas:ModifyFileSystem",
        "nas:UpdateFileSystemInfo",
        "nas:CPFSCreateFileSystem",
        "nas:CPFSDescribeFileSystems",
        "nas:CPFSModifyFileSystem",
        "nas:CreateLDAPConfig",
        "nas:DeleteLDAPConfig",
        "nas:DescribeLDAPConfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },

   {
      "Action": [
        "ess:CreateScalingGroup",
        "ess:ModifyScalingGroup",
        "ess:EnableScalingGroup",
        "ess:DisableScalingGroup",
        "ess:DeleteScalingGroup",
        "ess:SetGroupDeletionProtection",
        "ess:DescribeScalingGroups",
        "ess:DescribeScalingInstances",
        "ess:DescribeScalingActivities",
        "ess:DescribeScalingConfiguration",
        "ess:DescribeScalingRules",
        "ess:CreateScalingConfiguration",
        "ess:ModifyScalingConfiguration",
        "ess:DeleteScalingConfiguration",
        "ess:CreateScalingRule",
        "ess:ModifyScalingRule",
        "ess:DeleteScalingRule",
        "ess:ExecuteScalingRule",
        "ess:AttachInstances",
        "ess:DetachInstances",
        "ess:RemoveInstances",
        "ess:CreateScheduledTask",
        "ess:DeleteScheduledtask",
        "ess:ModifyScheduledTask",
        "ess:DescribeLimitation",
        "ess:CreateLifecycleHook",
        "ess:CompleteLifecycleAction",
        "ess:DeleteLifecycleHook",
        "ess:TagResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram.ServiceName": [
            "ess.aliyuncs.com",
            "ecd.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ehpc.aliyuncs.com"
        }
      }
    }
  ]
}

创建AliyunServiceRoleForEHPC

在您使用E-HPC时,系统会检查当前账号是否已有AliyunServiceRoleForEHPC,如果不存在则自动创建。

AliyunServiceRoleForEHPC包含系统权限策略AliyunServiceRolePolicyForEHPC。服务关联角色包含的权限策略由对应的云服务定义和使用,您不能为服务关联角色添加、修改或删除权限。

删除AliyunServiceRoleForEHPC

如果您暂时不需要使用AliyunServiceRoleForEHPC,例如不需要创建集群和管理其他云资源,确定不使用该角色的影响等,可以删除AliyunServiceRoleForEHPC。具体操作,请参见删除RAM角色

说明

删除AliyunServiceRoleForEHPC前,需要先删除依赖这个服务关联角色的E-HPC集群。具体操作,请参见释放集群