跨云部署MyBase 2.0时,实例资源需要部署在其他云上,因此,您需要在其他云的账号中进行委托授权操作。
在其他云上创建委托
华为云
-
创建委托账号。具体操作,请参见创建委托。
创建委托时,委托类型请选择普通账号,持续时间建议选择永久(委托到期后,MyBase 将无法继续管理已部署的资源)。请注意,该委托会长期持有下文所列资源的管理权限,创建前请核对被委托账号无误,创建后建议定期审计该委托的使用情况。
-
配置授权。
您需要创建自定义策略并授权给委托账号,创建自定义策略的方法,请参见创建自定义策略。
需要授予委托账号的策略如下:
-
作用范围:项目级服务(只操作项目内资源)
产品
权限
用途
VPC
所有权限
管理VPC、以及网络相关资源。
NAT
DNAT除外,其他所有权限
管理NAT网关及SNAT规则(用于集群节点出网打通);不授予DNAT权限,即不允许通过NAT网关对外暴露入网端口。
EIP
所有权限
管理EIP,用于EIP与各种资源的绑定。
CCE
所有权限
管理CCE集群。
说明:您需要先使用该账号登录一次CCE控制台,完成CCE首次使用所需的授权,否则无法使用CCE。
ECS
除镜像相关所有权限
管理CCE集群中的ECS机器。
EVS
除镜像相关所有权限
管理ECS机器上的磁盘。
IMS
get list
创建ECS和EVS必需。说明:下方权限清单的IMS部分除 get、list 外还包含 ims:images:create/delete/update/upload 等写权限,超出了此处所述范围,请按最小权限原则核对后再决定是否授予。
RDS
所有权限
管理metadb。
ELB
所有权限
管理ELB。
DNS
所有权限
管理DNS。
CES
ces:remoteChecks:list
ces:siteMonitorHealthCheck:get
ces:siteMonitorHealthCheck:create
ces:siteMonitorRule:delete
ces:siteMonitorRule:put
DNS需要该权限。
BSS
bss:unsubscribe:update
bss:order:view
bss:order:pay
仅在使用包年包月计费的资源时需要该权限。注意 bss:order:pay 允许被委托方以您的账号支付订单,若仅使用按需计费资源,可不授予这组权限。
-
作用范围:全局级服务
产品
权限
用途
组织
organizations:delegatedAdministrators:list
organizations:delegatedServices:list
获取委托相关信息。
IAM
-
所有只读、列表权限
-
iam:permissions:listRolesForAgency
-
获取IAM信息。说明:下方权限清单的IAM部分除只读、列表权限外,还包含 iam:tokens:assume 以及 iam:credentials:getcredential、iam:credentials:listcredentials;其中 iam:tokens:assume 并非只读权限(推测用于获取委托token,请核实),授予前请确认确有需要。
-
查询委托授权列表。
-
权限清单。以下为与上述两张表对应的策略JSON,共两段:第一段为全局级策略(IAM、组织),第二段为项目级策略,请分别创建为两个自定义策略(两段JSON拼接在一起不是一个合法的JSON文档)。注意清单与表格并不完全一致:清单中还包含表中未列出的 bms、cbr 权限,并将EVS放开为 evs:*:*,授予前请按最小权限原则逐项核对。
{ "Version": "1.1", "Statement": [ { "Action": [ "iam:agencies:getagency", "iam:agencies:listagencies", "iam:credentials:getcredential", "iam:credentials:listcredentials", "iam:groups:getgroup", "iam:groups:listgroups", "iam:groups:listgroupsforuser", "iam:identityproviders:getidentityprovider", "iam:identityproviders:getidpmetadata", "iam:identityproviders:getmapping", "iam:identityproviders:getopenidconnectconfig", "iam:identityproviders:getprotocol", "iam:identityproviders:listidentityproviders", "iam:identityproviders:listmappings", "iam:identityproviders:listprotocols", "iam:mfa:listvirtualmfadevices", "iam:permissions:listrolesforagency", "iam:projects:listprojectsforuser", "iam:quotas:listquotas", "iam:quotas:listquotasforproject", "iam:roles:getrole", "iam:roles:listroles", "iam:tokens:assume", "iam:users:getuser", "iam:users:listusers", "iam:users:listusersforgroup", "organizations:delegatedadministrators:list", "organizations:delegatedservices:list" ], "Effect": "Allow" } ] }{ "Version": "1.1", "Statement": [ { "Action": [ "bms:serverflavors:get", "bms:servers:attachvolume", "bms:servers:detachvolume", "bms:servers:get", "cbr:policies:list", "cbr:vaults:list", "cce:*:*", "ces:remotechecks:list", "ces:sitemonitorhealthcheck:create", "ces:sitemonitorhealthcheck:get", "ces:sitemonitorrule:delete", "ces:sitemonitorrule:put", "dns:*:*", "ecs:*:get", "ecs:*:list", "ecs:availabilityzones:list", "ecs:cloudserverflavors:get", "ecs:cloudserverfpgaimages:getrelations", "ecs:cloudservernics:delete", "ecs:cloudservernics:update", "ecs:cloudserverpasswords:reset", "ecs:cloudserverquotas:get", "ecs:cloudservers:addnics", "ecs:cloudservers:addservergroupmember", "ecs:cloudservers:attach", "ecs:cloudservers:attachsharedvolume", "ecs:cloudservers:batchsetservertags", "ecs:cloudservers:batchupdateserversname", "ecs:cloudservers:changechargemode", "ecs:cloudservers:changeos", "ecs:cloudservers:changevpc", "ecs:cloudservers:create", "ecs:cloudservers:createservergroup", 
"ecs:cloudservers:createservers", "ecs:cloudservers:delete", "ecs:cloudservers:deletemetadata", "ecs:cloudservers:deletepassword", "ecs:cloudservers:deleteservergroupmember", "ecs:cloudservers:deleteservers", "ecs:cloudservers:detachvolume", "ecs:cloudservers:executescheduleresize", "ecs:cloudservers:get", "ecs:cloudservers:getautorecovery", "ecs:cloudservers:list", "ecs:cloudservers:listserverblockdevices", "ecs:cloudservers:listserverinterfaces", "ecs:cloudservers:listservervolumeattachments", "ecs:cloudservers:migrate", "ecs:cloudservers:put", "ecs:cloudservers:reboot", "ecs:cloudservers:rebuild", "ecs:cloudservers:redeploy", "ecs:cloudservers:resetserverpwd", "ecs:cloudservers:resize", "ecs:cloudservers:setautorecovery", "ecs:cloudservers:setautoterminatetime", "ecs:cloudservers:showresetpasswordflag", "ecs:cloudservers:showserver", "ecs:cloudservers:showserverblockdevice", "ecs:cloudservers:showserverpassword", "ecs:cloudservers:showservertags", "ecs:cloudservers:start", "ecs:cloudservers:stop", "ecs:cloudservers:updatemetadata", "ecs:cloudservers:updateserver", "ecs:cloudservers:vnc", "ecs:diskconfigs:use", "ecs:flavors:get", "ecs:instancescheduledevents:accept", "ecs:instancescheduledevents:list", "ecs:instancescheduledevents:update", "ecs:networks:list", "ecs:quotas:get", "ecs:recyclebin:deleteserver", "ecs:recyclebin:get", "ecs:recyclebin:listservers", "ecs:recyclebin:revertserver", "ecs:recyclebin:update", "ecs:recyclebin:updatepolicy", "ecs:securitygroups:use", "ecs:serverfloatingips:use", "ecs:servergroups:manage", "ecs:serverinterfaces:get", "ecs:serverinterfaces:use", "ecs:serverkeypairs:create", "ecs:serverkeypairs:delete", "ecs:serverkeypairs:get", "ecs:serverkeypairs:list", "ecs:serverpasswords:manage", "ecs:servers:create", "ecs:servers:createconsole", "ecs:servers:delete", "ecs:servers:get", "ecs:servers:getmetadata", "ecs:servers:gettags", "ecs:servers:list", "ecs:servers:listmetadata", "ecs:servers:lock", "ecs:servers:reboot", 
"ecs:servers:rebuild", "ecs:servers:resize", "ecs:servers:setmetadata", "ecs:servers:settags", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:unlock", "ecs:servers:update", "ecs:servervolumeattachments:create", "ecs:servervolumeattachments:delete", "ecs:servervolumeattachments:get", "ecs:servervolumeattachments:list", "ecs:servervolumes:use", "eip:*:*", "elb:*:*", "evs:*:*", "ims:images:create", "ims:images:delete", "ims:images:get", "ims:images:list", "ims:images:update", "ims:images:upload", "nat:natgateways:create", "nat:natgateways:delete", "nat:natgateways:get", "nat:natgateways:list", "nat:natgateways:update", "nat:natgatewaytags:create", "nat:natgatewaytags:delete", "nat:natgatewaytags:get", "nat:natgatewaytags:list", "nat:snatrules:create", "nat:snatrules:delete", "nat:snatrules:get", "nat:snatrules:list", "nat:snatrules:update", "rds:*:*", "vpc:*:*", "bss:unsubscribe:update", "bss:order:view", "bss:order:pay" ], "Effect": "Allow" } ] } -
-
完成委托账号和策略的授权后,您需要在华为云控制台获取以下信息。
参数
用途
获取方法
示例
委托ID(agency_id)
用于查询委托具备的权限。
在华为云IAM控制台的委托页面获取。其中,委托名称对应参数 agency_name,委托ID对应参数 agency_id。
ac5168c03719469685a10609********
委托名称(agency_name)
用于在用户侧IAM鉴权。
ceshi
账号名称(domain_name)
指定由哪个华为云账号管理资源。
在华为云控制台的我的凭证页面获取。单击API凭证页签,其中账号名对应参数 domain_name,账号ID对应参数 domain_id。
huawei_ceshi
账号ID(domain_id)
与账号名称对应的账号ID,用于唯一标识管理资源的华为云账号。
bf1ff3962cc94ac886b4cb3e********
企业项目ID(enterprise_project_id)
仅授权管理华为云指定企业项目下的资源,用于资源隔离。
在华为云控制台的企业项目管理页面获取。在项目列表中,目标项目的ID即为参数 enterprise_project_id。
c0ca7f80-ad63-4043-b2c0-************
在阿里云上添加委托信息
登录专属集群MyBase 2.0云控制台。
-
在左侧导航栏选择。
-
单击新增委托。
-
在新增委托页面,填写从其他云获取到的委托信息。选择厂商类型为华为云,依次填写委托ID(agency_id)、委托名称(agency_name)、账号名称(domain_name)、账号ID(domain_id)和企业项目ID(enterprise_project_id)。
-
单击确定。