When you create a hosted O&M service, specify the RAM policies that your operators need to perform O&M tasks. After a customer deploys a service instance, Compute Nest automatically creates those policies and attaches them to a service-linked role — giving your operators scoped access to the customer's resources.
The permissions your operators receive are the intersection of the AliyunComputeNestPolicyForSupplierRole system policy and the policies you select when configuring the service. Even if you select a broad policy (such as All Permissions), the effective permissions are capped by the system policy boundary.
Resource scope
The resources that service providers can access depend on the service type:
Private services with hosted O&M enabled: Service providers can access only the resources in the customer's specific private service instance.
Pure hosted O&M services: Service providers can access only the ECS instances or service instance resources you explicitly specify. To see which resources are covered, open the service instance details page.
Permission model
AliyunComputeNestPolicyForSupplierRole system policy
This system policy defines the maximum permission boundary for all hosted O&M operations. No matter which policies you select, the effective permissions cannot exceed the actions listed here.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Available hosted O&M policies
Select one or more of the following policies when configuring your service. These are Resource Access Management (RAM) policies. For details on policy structure, see Policy elements.
| Permission | Policy | What it covers |
|---|---|---|
| All Permissions | AliyunComputeNestPolicyForFullAccess | Full access to the specified ECS instances or Alibaba Cloud resources in the specified service instances. |
| Read-only Permissions | AliyunComputeNestPolicyForReadOnly | Read-only access to the specified ECS instances or Alibaba Cloud resources in the specified service instances, including ActionTrail audit logs. |
| Terminal Logon Permissions | AliyunComputeNestPolicyForTerminalLogin | Remote logon to the specified ECS instances or ECS instances in the specified service instances. |
| Operation Audit Permissions | AliyunComputeNestPolicyForTrails | Access to ActionTrail audit logs for the specified ECS instances or Alibaba Cloud resources in the specified service instances. |
| Monitoring Permissions | AliyunComputeNestPolicyForAlarm | Management of threshold-triggered and event-triggered alert rules for the specified ECS instances or Alibaba Cloud resources in the specified service instances. |
| Upgrade Permissions | AliyunComputeNestPolicyForUpgrade | Upgrade and rollback of applications and service configurations for the specified service instances. |
| O&M Permissions | AliyunComputeNestPolicyForOperation | General O&M operations on the specified service instances. |
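
The intersection described above can be reproduced for the All Permissions and Read-only selections. This is an added example, not Compute Nest's own code; the boundary actions are copied from the AliyunComputeNestPolicyForSupplierRole policy on this page. It assumes `*` is a plain glob wildcard with case-sensitive matching, and the helper names are hypothetical.

```python
from fnmatch import fnmatchcase

# Actions copied from the AliyunComputeNestPolicyForSupplierRole policy on this page.
BOUNDARY = {
    "ecs": "StartInstance DescribeInstances RebootInstance StopInstance RunCommand "
           "DescribeInvocations DescribeInvocationResults StartTerminalSession "
           "DescribeTerminalSessions CloseTerminalSession DescribeInstanceHistoryEvents "
           "DescribeDiagnosticReports CreateDiagnosticReport DescribeSecurityGroups "
           "DescribeDisks DescribeImages",
    "cms": "DescribeMetricData DescribeMetricList QueryMetricList DescribeMetricRuleList "
           "DescribeAlertHistoryList DescribeAlertLogList DescribeLogHistogram "
           "DescribeLogCount DescribeDynamicTagRuleList DescribeMonitorGroups",
    "tag": "ListTagResources",
    "vpc": "DescribeVpcs DescribeVSwitches DescribeVSwitchAttributes DescribeVpcAttribute "
           "DescribeRouteEntryList DescribeRouteTableList DescribeRouteTables "
           "DescribeRouterInterfaces DescribeRouterInterfaceAttribute",
    "slb": "DescribeLoadBalancers DescribeLoadBalancerListeners "
           "DescribeLoadBalancerAttribute DescribeVServerGroups",
    "rds": "DescribeDBInstances DescribeDBInstanceAttribute RestartDBInstance",
    "actiontrail": "LookupEvents",
}
BOUNDARY_ACTIONS = [f"{svc}:{name}"
                    for svc, names in BOUNDARY.items() for name in names.split()]

# Action patterns of two selectable policies, as listed on this page.
FULL_ACCESS = ["*"]
READ_ONLY = ["*:Describe*", "*:List*", "*:Get*", "*:BatchGet*", "*:Query*",
             "*:BatchQuery*", "actiontrail:LookupEvents"]

def effective_actions(selected_patterns):
    """Boundary actions matched by at least one selected Action pattern.
    Assumption: '*' is a glob wildcard and matching is case-sensitive."""
    return [a for a in BOUNDARY_ACTIONS
            if any(fnmatchcase(a, p) for p in selected_patterns)]

def state_changing(actions):
    """Actions not covered by the read-only patterns: review these first."""
    return [a for a in actions
            if not any(fnmatchcase(a, p) for p in READ_ONLY)]

if __name__ == "__main__":
    full = effective_actions(FULL_ACCESS)
    print(len(full), "actions under All Permissions")
    print(len(effective_actions(READ_ONLY)), "actions under Read-only Permissions")
    print("State-changing:", ", ".join(state_changing(full)))
```

The example models only the `Action` element; the resource scope described earlier is enforced separately and is not represented here.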
AliyunComputeNestPolicyForFullAccess
All Permissions
Policy content
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
Actual effects
Because the wildcard "*" is intersected with AliyunComputeNestPolicyForSupplierRole, the effective permissions match the system policy exactly:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunComputeNestPolicyForReadOnly
Read-only Permissions
Policy content
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
Actual effects
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunComputeNestPolicyForTerminalLogin
Terminal Logon Permissions
Policy content
{
"Action": [
"ecs:*TerminalSession*",
"tag:List*",
"tag:DescribeRegions",
"ecs:Describe*Instance*",
"cs:Describe*Cluster*",
"cs:GetClusters",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
Actual effects
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"tag:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
AliyunComputeNestPolicyForTrails
Operation Audit Permissions
Policy content
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
Actual effects
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
AliyunComputeNestPolicyForAlarm
Monitoring Permissions
Policy content
{
"Action": [
"cms:Describe*",
"cms:CheckRamRoleForCloudMonitor",
"cms:QueryMetricList",
"cms:*MetricRule*",
"cms:*EventRule*",
"cms:*HostAvailability",
"tag:List*",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
Actual effects
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DescribeMonitorGroupInstances",
"cms:DescribeMonitorGroupCategories",
"cms:DescribeMonitorGroupDynamicRules",
"cms:DescribeMetricRuleTemplateList",
"cms:DescribeAlertingMetricRuleResources",
"cms:DescribeContactGroupList",
"cms:DescribeMonitorGroupInstanceAttribute",
"cms:DescribeMetricListFromProxy",
"cms:DescribeMetricLastFromProxy",
"cms:DescribeMonitoringAgentHosts",
"cms:DescribeMetricTopFromProxy",
"cms:DescribeRegions",
"cms:DescribeDashboardGroupList",
"cms:DescribeHostAvailabilityList",
"cms:DescribeUnhealthyHostAvailability",
"cms:DescribeGroupMonitoringAgentProcess",
"cms:DescribeSystemEventMetaList",
"cms:CheckRamRoleForCloudMonitor",
"cms:DescribeSystemEventHistogram",
"cms:DescribeSystemEventAttribute",
"cms:DescribeEventRuleList",
"cms:DescribeEventRuleTargetList",
"cms:DescribeCustomEventAttribute",
"cms:DescribeCustomEventHistogram",
"cms:DescribeContactListByContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeCustomMetricList",
"cms:DescribeAlertLogCount",
"cms:DescribeMetricMetaList",
"cms:DescribeConsoleViews",
"cms:DescribeProjectMeta",
"cms:DescribeAlertLogHistogram",
"cms:CreateHostAvailability",
"cms:ModifyHostAvailability",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
AliyunComputeNestPolicyForUpgrade
Upgrade Permissions
Policy content
{
"Effect": "Allow",
"Action": [
"ros:*Stack",
"ros:ListStack*",
"tag:List*Resource*",
"tag:DescribeRegions",
"vpc:Describe*",
"slb:Describe*",
"slb:ListTagResources",
"slb:*AccessControlListEntry",
"slb:ModifyLoadBalancer*",
"ecs:*Instance*",
"ecs:Describe*",
"ecs:RunCommand",
"ecs:*SecurityGroup*",
"ecs:*Disk*",
"ess:ListTagResources",
"ess:DescribeScaling*",
"ess:*ScalingRule",
"ess:*Instances",
"cs:GetUserPermissions",
"cs:Describe*Cluster*",
"cs:GetClusters",
"cs:CreateEdasClusterRole*"
],
"Resource": [
"*"
]
}
Actual effects
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeEipAddresses",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"slb:ListTagResources",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceSpec",
"ecs:ModifyInstanceAttribute",
"ecs:ReplaceSystemDisk",
"ecs:RunInstances",
"ecs:ModifySecurityGroupAttribute",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks",
"ecs:ResizeDisk",
"ecs:ModifyDiskSpec",
"ecs:DescribeImages",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:CreateSnapshot",
"ecs:CreateAutoSnapshotPolicy",
"ecs:ApplyAutoSnapshotPolicy",
"ecs:StopInstances",
"ecs:ResetDisk",
"ecs:DescribeSnapshots",
"ess:ListTagResources",
"ess:DescribeScalingGroups",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:DescribeScalingActivityDetail",
"ess:DescribeScalingActivities",
"ess:ExecuteScalingRule",
"ess:RemoveInstances",
"ess:DetachInstances",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"cs:GetUserPermissions",
"cs:CreateEdasClusterRole",
"cs:CreateEdasClusterRoleBinding"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
AliyunComputeNestPolicyForOperation
O&M Permissions
Policy content
{
"Action": [
"ros:*Stack",
"ros:ListStack*",
"cs:Get*",
"cs:Describe*Cluster*",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:*Instance*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
Actual effects
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"cs:GetClusters",
"cs:GetUserPermissions",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:StopInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}