管理服务关联角色
本文介绍如何通过E-HPC服务关联角色(AliyunServiceRoleForEHPC)授予E-HPC服务访问关联云资源的权限。
背景信息
弹性高性能计算服务关联角色(AliyunServiceRoleForEHPC)是访问控制提供的一种服务关联角色,用于授权E-HPC访问关联云资源。通过AliyunServiceRoleForEHPC,E-HPC可以获得云服务器ECS、专有网络VPC、文件存储NAS等云服务的访问权限,具体权限范围以下文列出的权限策略为准。更多服务关联角色的说明,请参见服务关联角色。
AliyunServiceRoleForEHPC的权限策略
角色名称:AliyunServiceRoleForEHPC
角色权限策略:AliyunServiceRolePolicyForEHPC
权限内容如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeKeyPairs",
"ecs:DescribeSecurityGroups",
"ecs:DescribePrice",
"ecs:DescribeZones",
"ecs:DescribeAvailableResource",
"ecs:CreateSecurityGroup",
"ecs:DescribeImages",
"ecs:AttachKeyPair",
"ecs:ModifyInstanceAttribute",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DeleteInstance",
"ecs:CreateInstance",
"ecs:ReplaceSystemDisk",
"ecs:RebootInstance",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:CreateHpcCluster",
"ecs:ModifyHpcClusterAttribute",
"ecs:DeleteHpcCluster",
"ecs:DescribeHpcClusters",
"ecs:DeleteSecurityGroup",
"ecs:DescribeDisks",
"ecs:ReInitDisk",
"ecs:CreateCommand",
"ecs:InvokeCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:DescribeCommands",
"ecs:ModifyCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:CreateNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:AttachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeResourceAllocation",
"ecs:TagResources",
"ecs:DescribeManagedInstances",
"eci:BatchCreateContainerGroups",
"eci:CreateContainerGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:AllocateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:DescribeVSwitches",
"vpc:ReleaseEipAddress",
"vpc:CreateVpc",
"vpc:CreateVSwitch"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeFileSystems",
"nas:DescribeMountTargets",
"nas:CreateFileSystem",
"nas:CreateMountTarget",
"nas:CreateAccessGroup",
"nas:CreateAccessRule",
"nas:DeleteAccessGroup",
"nas:DeleteAccessRule",
"nas:DescribeAccessGroups",
"nas:DescribeAccessRules",
"nas:ModifyFileSystem",
"nas:UpdateFileSystemInfo",
"nas:CPFSCreateFileSystem",
"nas:CPFSDescribeFileSystems",
"nas:CPFSModifyFileSystem",
"nas:CreateLDAPConfig",
"nas:DeleteLDAPConfig",
"nas:DescribeLDAPConfig"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:CreateRAMDirectory",
"ecd:CreateADConnectorDirectory",
"ecd:DescribeDirectories",
"ecd:DeleteDirectories",
"ecd:CreateBundle",
"ecd:DescribeBundles",
"ecd:DeleteBundles",
"ecd:ListDirectoryUsers",
"ecd:ModifyEntitlement",
"ecd:CreatePolicyGroup",
"ecd:DescribePolicyGroups",
"ecd:ModifyPolicyGroup",
"ecd:DeletePolicyGroups",
"ecd:CreateDesktops",
"ecd:DescribeDesktops",
"ecd:RebootDesktops",
"ecd:DeleteDesktops",
"ecd:DescribeDesktopTypes",
"ecd:StartDesktops",
"ecd:StopDesktops",
"ecd:CreateImage",
"ecd:DescribeImages",
"ecd:DeleteImages",
"ecd:DescribeRegions",
"ecd:DescribeZones",
"ecd:GetConnectionTicket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:CreateScalingGroup",
"ess:ModifyScalingGroup",
"ess:EnableScalingGroup",
"ess:DisableScalingGroup",
"ess:DeleteScalingGroup",
"ess:SetGroupDeletionProtection",
"ess:DescribeScalingGroups",
"ess:DescribeScalingInstances",
"ess:DescribeScalingActivities",
"ess:DescribeScalingConfiguration",
"ess:DescribeScalingRules",
"ess:CreateScalingConfiguration",
"ess:ModifyScalingConfiguration",
"ess:DeleteScalingConfiguration",
"ess:CreateScalingRule",
"ess:ModifyScalingRule",
"ess:DeleteScalingRule",
"ess:ExecuteScalingRule",
"ess:AttachInstances",
"ess:DetachInstances",
"ess:RemoveInstances",
"ess:CreateScheduledTask",
"ess:DeleteScheduledtask",
"ess:ModifyScheduledTask",
"ess:DescribeLimitation",
"ess:CreateLifecycleHook",
"ess:CompleteLifecycleAction",
"ess:DeleteLifecycleHook",
"ess:TagResources",
"ess:ScaleWithAdjustment"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:CreateDynamicTagGroup",
"cms:DescribeMonitorGroups",
"cms:DeleteDynamicTagGroup",
"cms:DeleteMonitorGroup",
"cms:DescribeContactGroupList",
"cms:DescribeDynamicTagRuleList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "acm:DescribePrice",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "ecs.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"ess.aliyuncs.com",
"gws.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "ehpc.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"eci:DescribeContainerGroups",
"eci:DescribeContainerGroupStatus",
"eci:DescribeContainerGroupEvents",
"eci:RestartContainerGroup",
"eci:DeleteContainerGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"eci:tag/product": [
"E-HPC"
]
}
}
}
]
}
创建AliyunServiceRoleForEHPC
在您使用E-HPC时,E-HPC会检查当前账号下是否已存在AliyunServiceRoleForEHPC,如果不存在,则自动创建该角色。
AliyunServiceRoleForEHPC包含系统权限策略AliyunServiceRolePolicyForEHPC。服务关联角色包含的权限策略由对应的云服务定义和使用,您不能为服务关联角色添加、修改或删除权限。
删除AliyunServiceRoleForEHPC
如果您不再需要使用AliyunServiceRoleForEHPC(例如不再需要创建集群以及管理集群相关的云资源),在确认删除该角色不会影响现有业务后,可以删除AliyunServiceRoleForEHPC。具体操作,请参见删除RAM角色。
说明
删除AliyunServiceRoleForEHPC前,需要先删除依赖这个服务关联角色的E-HPC集群。具体操作,请参见释放集群。