本文介绍如何通过E-HPC服务关联角色(AliyunServiceRoleForEHPC)授予E-HPC服务访问关联云资源的权限。
背景信息
弹性高性能计算服务关联角色(AliyunServiceRoleForEHPC)是访问控制提供的一种服务关联角色,用于授权E-HPC访问关联云资源。通过AliyunServiceRoleForEHPC,E-HPC可以获得云服务器ECS、专有网络VPC、文件存储NAS以及弹性伸缩ESS等关联云资源的访问权限。更多服务关联角色的说明,请参见服务关联角色。
AliyunServiceRoleForEHPC的权限策略
角色名称:AliyunServiceRoleForEHPC
角色权限策略:AliyunServiceRolePolicyForEHPC
权限说明如下:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeKeyPairs",
"ecs:DescribeSecurityGroups",
"ecs:DescribePrice",
"ecs:DescribeZones",
"ecs:DescribeAvailableResource",
"ecs:CreateSecurityGroup",
"ecs:DescribeImages",
"ecs:AttachKeyPair",
"ecs:ModifyInstanceAttribute",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DeleteInstance",
"ecs:CreateInstance",
"ecs:ReplaceSystemDisk",
"ecs:RebootInstance",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:CreateHpcCluster",
"ecs:ModifyHpcClusterAttribute",
"ecs:DeleteHpcCluster",
"ecs:DescribeHpcClusters",
"ecs:DeleteSecurityGroup",
"ecs:DescribeDisks",
"ecs:ReInitDisk",
"ecs:CreateCommand",
"ecs:InvokeCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:DescribeCommands",
"ecs:ModifyCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:CreateNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:AttachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeResourceAllocation",
"ecs:TagResources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:AllocateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:DescribeVSwitches",
"vpc:ReleaseEipAddress",
"vpc:CreateVpc",
"vpc:CreateVSwitch"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeFileSystems",
"nas:DescribeMountTargets",
"nas:CreateFileSystem",
"nas:CreateMountTarget",
"nas:CreateAccessGroup",
"nas:CreateAccessRule",
"nas:DeleteAccessGroup",
"nas:DeleteAccessRule",
"nas:DescribeAccessGroups",
"nas:DescribeAccessRules",
"nas:ModifyFileSystem",
"nas:UpdateFileSystemInfo",
"nas:CPFSCreateFileSystem",
"nas:CPFSDescribeFileSystems",
"nas:CPFSModifyFileSystem",
"nas:CreateLDAPConfig",
"nas:DeleteLDAPConfig",
"nas:DescribeLDAPConfig"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:CreateScalingGroup",
"ess:ModifyScalingGroup",
"ess:EnableScalingGroup",
"ess:DisableScalingGroup",
"ess:DeleteScalingGroup",
"ess:SetGroupDeletionProtection",
"ess:DescribeScalingGroups",
"ess:DescribeScalingInstances",
"ess:DescribeScalingActivities",
"ess:DescribeScalingConfiguration",
"ess:DescribeScalingRules",
"ess:CreateScalingConfiguration",
"ess:ModifyScalingConfiguration",
"ess:DeleteScalingConfiguration",
"ess:CreateScalingRule",
"ess:ModifyScalingRule",
"ess:DeleteScalingRule",
"ess:ExecuteScalingRule",
"ess:AttachInstances",
"ess:DetachInstances",
"ess:RemoveInstances",
"ess:CreateScheduledTask",
"ess:DeleteScheduledtask",
"ess:ModifyScheduledTask",
"ess:DescribeLimitation",
"ess:CreateLifecycleHook",
"ess:CompleteLifecycleAction",
"ess:DeleteLifecycleHook",
"ess:TagResources"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram.ServiceName": [
"ess.aliyuncs.com",
"ecd.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "ehpc.aliyuncs.com"
}
}
}
]
}
创建AliyunServiceRoleForEHPC
在您使用E-HPC时,系统会检查当前账号是否已有AliyunServiceRoleForEHPC,如果不存在则自动创建。
AliyunServiceRoleForEHPC包含系统权限策略AliyunServiceRolePolicyForEHPC。服务关联角色包含的权限策略由对应的云服务定义和使用,您不能为服务关联角色添加、修改或删除权限。
删除AliyunServiceRoleForEHPC
如果您暂时不需要使用AliyunServiceRoleForEHPC(例如不再需要创建集群和管理其他云资源),并且已确认删除该角色带来的影响,可以删除AliyunServiceRoleForEHPC。具体操作,请参见删除RAM角色。
删除AliyunServiceRoleForEHPC前,需要先释放所有依赖该服务关联角色的E-HPC集群。具体操作,请参见释放集群。