全部產品
Search
文件中心

Elastic High Performance Computing:E-HPC服務關聯角色

更新時間:Jul 06, 2024

使用E-HPC時,必須建立服務關聯角色AliyunServiceRoleForEHPC並授權AliyunServiceRolePolicyForEHPC。本文介紹如何建立、查看和刪除AliyunServiceRoleForEHPC。

功能概述

服務關聯角色SLR(Service-linked role)是一種可信實體為阿里雲服務的RAM角色,旨在解決跨雲端服務的授權訪問問題。更多資訊,請參見服務關聯角色

使用E-HPC時,系統提供的服務關聯角色及其包含的系統權限原則如下:

  • 服務關聯角色:AliyunServiceRoleForEHPC

  • 系統權限原則:AliyunServiceRolePolicyForEHPC

應用情境

AliyunServiceRoleForEHPC用於授權E-HPC訪問關聯雲資源。通過AliyunServiceRoleForEHPC,E-HPC可以獲得Elastic Compute Service、Virtual Private Cloud、Apsara File Storage NAS的存取權限。

RAM使用者使用服務關聯角色需要的許可權

如果使用RAM使用者建立或刪除服務關聯角色,必須使用阿里雲帳號為該RAM使用者授權。

  • 方式一:授予AliyunEHPCFullAccess權限原則,該權限原則包含了建立和刪除AliyunServiceRoleForEHPC的許可權。

  • 方式二:在自訂權限原則的Action語句中為RAM使用者添加以下許可權:

    • 建立服務關聯角色:ram:CreateServiceLinkedRole

    • 刪除服務關聯角色:ram:DeleteServiceLinkedRole

關於授權的詳細操作,請參見建立和刪除服務關聯角色所需的許可權

建立服務關聯角色

在您使用E-HPC時,系統會檢查當前帳號是否已有AliyunServiceRoleForEHPC,如果不存在則會彈出提示,在您確認提示資訊後系統會自動建立AliyunServiceRoleForEHPC。

重要

AliyunServiceRoleForEHPC建立成功後,E-HPC可以通過角色扮演的方式跨服務訪問對應雲資源,可能會因建立ECS執行個體、NAS檔案系統等資源而產生資費,請您知悉。

AliyunServiceRoleForEHPC包含系統權限原則AliyunServiceRolePolicyForEHPC,您無法添加、修改或刪除許可權。

展開查看AliyunServiceRolePolicyForEHPC許可權內容

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:RunInstances",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribePrice",
        "ecs:DescribeZones",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:CreateSecurityGroup",
        "ecs:DescribeImages",
        "ecs:AttachKeyPair",
        "ecs:ModifyInstanceAttribute",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:DeleteInstance",
        "ecs:CreateInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:RebootInstance",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:CreateHpcCluster",
        "ecs:ModifyHpcClusterAttribute",
        "ecs:DeleteHpcCluster",
        "ecs:DescribeHpcClusters",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeDisks",
        "ecs:ReInitDisk",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:ModifyCommand",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:AttachNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeResourceAllocation",
        "ecs:TagResources",
        "ecs:DescribeManagedInstances",
        "eci:BatchCreateContainerGroups",
        "eci:CreateContainerGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "vpc:AllocateEipAddress",
        "vpc:DescribeEipAddresses",
        "vpc:AssociateEipAddress",
        "vpc:DescribeVSwitches",
        "vpc:ReleaseEipAddress",
        "vpc:CreateVpc",
        "vpc:CreateVSwitch"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:DescribeMountTargets",
        "nas:CreateFileSystem",
        "nas:CreateMountTarget",
        "nas:CreateAccessGroup",
        "nas:CreateAccessRule",
        "nas:DeleteAccessGroup",
        "nas:DeleteAccessRule",
        "nas:DescribeAccessGroups",
        "nas:DescribeAccessRules",
        "nas:ModifyFileSystem",
        "nas:UpdateFileSystemInfo",
        "nas:CPFSCreateFileSystem",
        "nas:CPFSDescribeFileSystems",
        "nas:CPFSModifyFileSystem",
        "nas:CreateLDAPConfig",
        "nas:DeleteLDAPConfig",
        "nas:DescribeLDAPConfig"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecd:CreateRAMDirectory",
        "ecd:CreateADConnectorDirectory",
        "ecd:DescribeDirectories",
        "ecd:DeleteDirectories",
        "ecd:CreateBundle",
        "ecd:DescribeBundles",
        "ecd:DeleteBundles",
        "ecd:ListDirectoryUsers",
        "ecd:ModifyEntitlement",
        "ecd:CreatePolicyGroup",
        "ecd:DescribePolicyGroups",
        "ecd:ModifyPolicyGroup",
        "ecd:DeletePolicyGroups",
        "ecd:CreateDesktops",
        "ecd:DescribeDesktops",
        "ecd:RebootDesktops",
        "ecd:DeleteDesktops",
        "ecd:DescribeDesktopTypes",
        "ecd:StartDesktops",
        "ecd:StopDesktops",
        "ecd:CreateImage",
        "ecd:DescribeImages",
        "ecd:DeleteImages",
        "ecd:DescribeRegions",
        "ecd:DescribeZones",
        "ecd:GetConnectionTicket"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ess:CreateScalingGroup",
        "ess:ModifyScalingGroup",
        "ess:EnableScalingGroup",
        "ess:DisableScalingGroup",
        "ess:DeleteScalingGroup",
        "ess:SetGroupDeletionProtection",
        "ess:DescribeScalingGroups",
        "ess:DescribeScalingInstances",
        "ess:DescribeScalingActivities",
        "ess:DescribeScalingConfiguration",
        "ess:DescribeScalingRules",
        "ess:CreateScalingConfiguration",
        "ess:ModifyScalingConfiguration",
        "ess:DeleteScalingConfiguration",
        "ess:CreateScalingRule",
        "ess:ModifyScalingRule",
        "ess:DeleteScalingRule",
        "ess:ExecuteScalingRule",
        "ess:AttachInstances",
        "ess:DetachInstances",
        "ess:RemoveInstances",
        "ess:CreateScheduledTask",
        "ess:DeleteScheduledtask",
        "ess:ModifyScheduledTask",
        "ess:DescribeLimitation",
        "ess:CreateLifecycleHook",
        "ess:CompleteLifecycleAction",
        "ess:DeleteLifecycleHook",
        "ess:TagResources",
        "ess:ScaleWithAdjustment"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:CreateDynamicTagGroup",
        "cms:DescribeMonitorGroups",
        "cms:DeleteDynamicTagGroup",
        "cms:DeleteMonitorGroup",
        "cms:DescribeContactGroupList",
        "cms:DescribeDynamicTagRuleList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "acm:DescribePrice",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "ecs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "ess.aliyuncs.com",
            "gws.aliyuncs.com",
            "eci.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ehpc.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "eci:RestartContainerGroup",
        "eci:DeleteContainerGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "eci:tag/product": [
            "E-HPC"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "pvtz:AddZone",
        "pvtz:DescribeZoneInfo",
        "pvtz:BindZoneVpc",
        "pvtz:DescribeZoneVpcTree",
        "pvtz:DescribeZones",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord",
        "pvtz:CheckZoneName",
        "pvtz:DeleteZone",
        "eci:DescribeContainerGroupEvents",
        "eci:DescribeContainerGroupMetric",
        "eci:DescribeContainerGroupStatus",
        "eci:DescribeContainerGroups",
        "eci:DescribeContainerLog",
        "eci:DescribeInstanceOpsRecords",
        "eci:DescribeMultiContainerGroupMetric",
        "eci:DescribeVirtualNodes",
        "eci:ExportContainerGroupTemplate",
        "eci:ListUsage"
      ],
      "Resource": "*"
    }
  ]
}

查看服務關聯角色

當服務關聯角色建立成功後,您可以在RAM控制台的角色頁面,通過搜尋AliyunServiceRoleForEHPC查看角色詳情。

  • 基本資料

    在角色詳情頁面的基本資料地區,查看角色基本資料,包括角色名稱、建立時間、角色ARN和備忘等。

  • 權限原則

    在角色詳情頁面的許可權管理頁簽,單擊權限原則名稱,查看權限原則內容以及該角色可授權訪問哪些雲資源。

  • 信任策略

    在角色詳情頁的信任策略頁簽,查看信任策略內容。信任策略是描述RAM角色可信實體的策略,可信實體是指可以扮演RAM角色的實體使用者身份。服務關聯角色的可信實體為雲端服務,您可以通過信任策略中的Service欄位查看。

關於如何查看服務關聯角色的詳細操作,請參見查看RAM角色

刪除服務關聯角色

重要

刪除服務關聯角色後,依賴該角色的對應功能將無法正常使用,請謹慎刪除。

當您長時間不使用E-HPC時,您可以在RAM控制台手動刪除服務關聯角色。具體操作,請參見刪除RAM角色

刪除AliyunServiceRoleForEHPC前,您需要滿足以下條件:

  • 確定不再需要使用該服務關聯角色,例如不需要建立叢集和管理叢集相關的雲資源。

  • 已刪除依賴該服務關聯角色的E-HPC叢集。具體操作,請參見釋放叢集