E-HPC service-linked role
When you use E-HPC, the service-linked role AliyunServiceRoleForEHPC must be created and granted the AliyunServiceRolePolicyForEHPC policy. This topic describes how to create, view, and delete AliyunServiceRoleForEHPC.
Overview
A service-linked role (SLR) is a RAM role whose trusted entity is an Alibaba Cloud service. It exists to authorize access across cloud services. For more information, see Service-linked roles.
When you use E-HPC, the system provides the following service-linked role and the system policy attached to it:
Service-linked role: AliyunServiceRoleForEHPC
System policy: AliyunServiceRolePolicyForEHPC
Scenarios
AliyunServiceRoleForEHPC authorizes E-HPC to access the cloud resources it depends on. Through AliyunServiceRoleForEHPC, E-HPC obtains access to Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and Apsara File Storage NAS.
Permissions a RAM user needs to use the service-linked role
If a RAM user is to create or delete the service-linked role, the Alibaba Cloud account must first grant that RAM user the required permissions.
Method 1: Attach the AliyunEHPCFullAccess policy. It includes the permissions to create and delete AliyunServiceRoleForEHPC.
Method 2: In the Action element of a custom policy, grant the RAM user the following permissions:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For details on how to grant these permissions, see Permissions required to create and delete service-linked roles.
Create the service-linked role
When you use E-HPC, the system checks whether AliyunServiceRoleForEHPC already exists in the current account. If it does not, a prompt appears; after you confirm the prompt, the system creates AliyunServiceRoleForEHPC automatically.
After AliyunServiceRoleForEHPC is created, E-HPC assumes the role to access the corresponding cloud resources across services. Note that resources created this way, such as ECS instances and NAS file systems, incur fees.
AliyunServiceRoleForEHPC contains the system policy AliyunServiceRolePolicyForEHPC. You cannot add, modify, or delete permissions in it. The policy document is shown below:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribePrice",
        "ecs:DescribeZones",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeImages",
        "ecs:AttachKeyPair",
        "ecs:ModifyInstanceAttribute",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:DeleteInstance",
        "ecs:CreateInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:RebootInstance",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:CreateHpcCluster",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:DeleteHpcCluster",
        "ecs:DescribeHpcClusters",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeDisks",
        "ecs:ReInitDisk",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:ModifyCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:AttachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeResourceAllocation",
        "ecs:TagResources",
        "ecs:DescribeManagedInstances",
        "eci:BatchCreateContainerGroups",
        "eci:CreateContainerGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:AllocateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:AssociateEipAddress",
        "vpc:DescribeVSwitches",
        "vpc:ReleaseEipAddress",
        "vpc:CreateVpc",
        "vpc:CreateVSwitch"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:DescribeMountTargets",
        "nas:CreateFileSystem",
        "nas:CreateMountTarget",
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule",
        "nas:DeleteAccessGroup",
        "nas:DeleteAccessRule",
        "nas:DescribeAccessGroups",
        "nas:DescribeAccessRules",
        "nas:ModifyFileSystem",
        "nas:UpdateFileSystemInfo",
        "nas:CPFSCreateFileSystem",
        "nas:CPFSDescribeFileSystems",
        "nas:CPFSModifyFileSystem",
        "nas:CreateLDAPConfig",
        "nas:DeleteLDAPConfig",
        "nas:DescribeLDAPConfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecd:CreateRAMDirectory",
        "ecd:CreateADConnectorDirectory",
        "ecd:DescribeDirectories",
        "ecd:DeleteDirectories",
        "ecd:CreateBundle",
        "ecd:DescribeBundles",
        "ecd:DeleteBundles",
        "ecd:ListDirectoryUsers",
        "ecd:ModifyEntitlement",
        "ecd:CreatePolicyGroup",
        "ecd:DescribePolicyGroups",
        "ecd:ModifyPolicyGroup",
        "ecd:DeletePolicyGroups",
        "ecd:CreateDesktops",
        "ecd:DescribeDesktops",
        "ecd:RebootDesktops",
        "ecd:DeleteDesktops",
        "ecd:DescribeDesktopTypes",
        "ecd:StartDesktops",
        "ecd:StopDesktops",
        "ecd:CreateImage",
        "ecd:DescribeImages",
        "ecd:DeleteImages",
        "ecd:DescribeRegions",
        "ecd:DescribeZones",
        "ecd:GetConnectionTicket"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:CreateScalingGroup",
        "ess:ModifyScalingGroup",
        "ess:EnableScalingGroup",
        "ess:DisableScalingGroup",
        "ess:DeleteScalingGroup",
        "ess:SetGroupDeletionProtection",
        "ess:DescribeScalingGroups",
        "ess:DescribeScalingInstances",
        "ess:DescribeScalingActivities",
        "ess:DescribeScalingConfiguration",
        "ess:DescribeScalingRules",
        "ess:CreateScalingConfiguration",
        "ess:ModifyScalingConfiguration",
        "ess:DeleteScalingConfiguration",
        "ess:CreateScalingRule",
        "ess:ModifyScalingRule",
        "ess:DeleteScalingRule",
        "ess:ExecuteScalingRule",
        "ess:AttachInstances",
        "ess:DetachInstances",
        "ess:RemoveInstances",
        "ess:CreateScheduledTask",
        "ess:DeleteScheduledtask",
        "ess:ModifyScheduledTask",
        "ess:DescribeLimitation",
        "ess:CreateLifecycleHook",
        "ess:CompleteLifecycleAction",
        "ess:DeleteLifecycleHook",
        "ess:TagResources",
        "ess:ScaleWithAdjustment"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:CreateDynamicTagGroup",
        "cms:DescribeMonitorGroups",
        "cms:DeleteDynamicTagGroup",
        "cms:DeleteMonitorGroup",
        "cms:DescribeContactGroupList",
        "cms:DescribeDynamicTagRuleList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "acm:DescribePrice",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "ecs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "ess.aliyuncs.com",
            "gws.aliyuncs.com",
            "eci.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ehpc.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "eci:RestartContainerGroup",
        "eci:DeleteContainerGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "eci:tag/product": [
            "E-HPC"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "pvtz:AddZone",
        "pvtz:DescribeZoneInfo",
        "pvtz:BindZoneVpc",
        "pvtz:DescribeZoneVpcTree",
        "pvtz:DescribeZones",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord",
        "pvtz:CheckZoneName",
        "pvtz:DeleteZone",
        "eci:DescribeContainerGroupEvents",
        "eci:DescribeContainerGroupMetric",
        "eci:DescribeContainerGroupStatus",
        "eci:DescribeContainerGroups",
        "eci:DescribeContainerLog",
        "eci:DescribeInstanceOpsRecords",
        "eci:DescribeMultiContainerGroupMetric",
        "eci:DescribeVirtualNodes",
        "eci:ExportContainerGroupTemplate",
        "eci:ListUsage"
      ],
      "Resource": "*"
    }
  ]
}
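The following Python script is an added review aid, not part of this page or of the E-HPC product. It serves two passages: it writes out Method 2 above as a custom RAM user policy, scoping ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole with the same ram:ServiceName condition the system policy uses (the scoping to ehpc.aliyuncs.com is an assumption, not something the page prescribes), and it summarizes a RAM policy document so a reviewer can see at a glance which Allow actions are granted on "*" without any Condition and which are Condition-gated. The embedded policy excerpt is constructed from three of the statements above; the full policy can be pasted in its place.

```python
import json
from typing import Any

# Constructed excerpt in the shape of AliyunServiceRolePolicyForEHPC above
# (three of its statements, not the full policy).
SLR_POLICY_EXCERPT = json.dumps({"Version": "1", "Statement": [
    {"Action": ["ecs:RunInstances", "ecs:DeleteInstance", "vpc:CreateVpc"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"acs:Service": "ecs.aliyuncs.com"}}},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["ess.aliyuncs.com", "eci.aliyuncs.com"]}}},
]})

def ram_user_slr_policy() -> str:
    """Method 2 as a custom policy for the RAM user. The ram:ServiceName condition
    limits it to the E-HPC role; that scoping is an assumption, not from the page."""
    return json.dumps({"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ram:ServiceName": "ehpc.aliyuncs.com"}}}]})

def _as_list(v):
    # RAM allows Action/Resource/condition values as a string or a list.
    return v if isinstance(v, list) else [v]

def summarize_policy(doc: str) -> dict[str, Any]:
    """Per service prefix, the Allow actions granted on Resource "*" with no
    Condition; separately, each Condition-gated action with its condition keys."""
    unconditioned: dict = {}
    conditioned: dict = {}
    for st in json.loads(doc)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(st.get("Resource", []))
        cond = st.get("Condition")
        for action in _as_list(st["Action"]):
            if cond:
                conditioned[action] = {k: sorted(_as_list(v))
                                       for op in cond.values() for k, v in op.items()}
            elif wildcard:
                unconditioned.setdefault(action.split(":")[0], set()).add(action)
    return {"unconditioned_wildcard": {k: sorted(v) for k, v in unconditioned.items()},
            "conditioned": conditioned}

def unscoped_ram_actions(summary: dict[str, Any]) -> list[str]:
    """RAM actions granted on "*" with no Condition: the first thing to flag in review."""
    return summary["unconditioned_wildcard"].get("ram", [])

if __name__ == "__main__":
    for name, doc in (("SLR excerpt", SLR_POLICY_EXCERPT), ("RAM user policy", ram_user_slr_policy())):
        print(name, json.dumps(summarize_policy(doc), indent=2))
```

Running it shows that every ram: action in the excerpt is Condition-gated, while the ecs: and vpc: grants are unconditioned on "*", which is the part of the policy worth reading most carefully.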
View the service-linked role
After the service-linked role is created, you can search for AliyunServiceRoleForEHPC on the Roles page of the RAM console to view its details.
Basic information
In the Basic Information section of the role details page, view the basic information of the role, including the role name, creation time, role ARN, and description.
Permission policies
On the Permissions tab of the role details page, click the policy name to view the policy content and which cloud resources the role is authorized to access.
Trust policy
On the Trust Policy tab of the role details page, view the trust policy. A trust policy describes the trusted entities of a RAM role; a trusted entity is an identity that is allowed to assume the role. The trusted entity of a service-linked role is a cloud service, which you can see in the Service field of the trust policy.
For details on how to view a service-linked role, see View a RAM role.
Delete the service-linked role
After the service-linked role is deleted, the features that depend on it no longer work. Delete it with caution.
If you will not use E-HPC for a long time, you can manually delete the service-linked role in the RAM console. For details, see Delete a RAM role.
Before you delete AliyunServiceRoleForEHPC, make sure that the following conditions are met:
You no longer need the service-linked role, for example because you no longer need to create clusters or manage cluster-related cloud resources.
You have deleted the E-HPC clusters that depend on the service-linked role. For details, see Release a cluster.