When you use Elastic High Performance Computing (E-HPC), you must create a service-linked role AliyunServiceRoleForEHPC and grant the policy AliyunServiceRolePolicyForEHPC to the role. This topic describes how to create, view, and delete AliyunServiceRoleForEHPC.
Overview
A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. A service-linked role is used to authorize access across Alibaba Cloud services. For more information, see Service-linked roles.
The following service-linked role and system policy are provided for E-HPC:
Service-linked role: AliyunServiceRoleForEHPC
System policy: AliyunServiceRolePolicyForEHPC
Scenarios
The AliyunServiceRoleForEHPC role is used to authorize E-HPC to access associated cloud resources. E-HPC can assume the AliyunServiceRoleForEHPC role to access Elastic Compute Service (ECS), Virtual Private Cloud (VPC), and File Storage NAS.
Required permissions for a RAM user to use a service-linked role
If you use a RAM user to create or delete a service-linked role, you must use an Alibaba Cloud account to grant permissions to the RAM user.
Method 1: Grant the AliyunEHPCFullAccess policy that contains the permissions required to create and delete AliyunServiceRoleForEHPC.
Method 2: Add the following permissions to the RAM user in the Action statement of the custom policy:
Create a service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role: ram:DeleteServiceLinkedRole
For more information, see the "Permissions required to create and delete a service-linked role" section in this topic.
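The following added example (not part of the original topic or of Alibaba Cloud's own tooling) audits a custom policy of the kind described in Method 2: it reports every Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole, including through wildcards, and whether the statement carries a ram:ServiceName condition that limits it to one service. The function names, the sample policies, and the placeholder service name are assumptions constructed for illustration.

```python
import fnmatch
import json

# The two RAM actions this page lists under Method 2.
SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

def _as_list(value):
    """Action, Statement and condition values may be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_slr_grants(policy_json):
    """Return one finding per Allow statement that grants a service-linked-role action."""
    findings = []
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        # Compare case-insensitively so wildcards such as "ram:*" or "*" are caught.
        granted = [a for a in SLR_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)]
        if not granted:
            continue
        # "scoped" only means a ram:ServiceName condition is present in the statement.
        services = []
        for operator_block in stmt.get("Condition", {}).values():
            for key, value in operator_block.items():
                if key.lower() == "ram:servicename":
                    services.extend(_as_list(value))
        findings.append({"statement": index, "granted": granted,
                         "scoped": bool(services), "services": services})
    return findings

# Constructed sample policies. The service name is a placeholder, not E-HPC's real value.
BROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": list(SLR_ACTIONS), "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "service-name.example"}}},
    {"Effect": "Allow", "Action": "ecs:DescribeInstances", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        for finding in audit_slr_grants(doc):
            print(name, finding)
```

A finding with scoped set to False means the RAM user can create or delete service-linked roles for any service, which is broader than this topic requires.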
Create the service-linked role
When you use E-HPC, the system checks whether the AliyunServiceRoleForEHPC role has been created for the current account. If the role does not exist, the system displays a prompt. After you confirm the information, the system automatically creates the AliyunServiceRoleForEHPC role.
After the system creates the AliyunServiceRoleForEHPC role, E-HPC can assume the role to access associated cloud resources. You may be billed for the resources that you create, such as ECS instances and NAS file systems.
AliyunServiceRoleForEHPC has the permissions included in the system policy AliyunServiceRolePolicyForEHPC. You cannot add, modify, or delete permissions.
View the service-linked role
After the system creates the service-linked role, you can view the details of the role by searching for AliyunServiceRoleForEHPC on the Roles page in the RAM console.
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permissions
On the Permissions tab, click the policy name to view the policy content and the cloud resources that the role can access.
Trust Policy Management
On the Trust Policy tab, you can view the content of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy of the service-linked role to obtain the trusted entity.
For more information about how to view service-linked roles, see View the information about a RAM role.
Delete the service-linked role
After the service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use E-HPC for a long period of time, you can delete the service-linked role in the RAM console. For more information, see Delete a RAM role.
Before you delete AliyunServiceRoleForEHPC, make sure that the following requirements are met:
You no longer need to use the service-linked role to perform operations such as creating a cluster or managing cloud resources that are associated with the cluster.
The E-HPC cluster that depends on the service-linked role is deleted. For more information, see Release a cluster.