When service providers create hosted O&M services, they must specify the policies required to perform O&M operations. After customers create hosted O&M service instances, Compute Nest creates the specified policies and a service-link role of Compute Nest is created. Compute Nest attaches the created policies to service providers to allow them to perform specific O&M operations on the resources included in service instances.
Limits on resources
For private services for which the hosted O&M feature is enabled, service providers are granted permissions only on the resources in the private service instances that customers create.
For pure hosted O&M services, service providers are granted permissions only on the specified Elastic Compute Service (ECS) instances or the resources in the specified service instances. Service providers can view the resources on which they are granted O&M permissions on the details page of a service instance.
Limits on permissions
The hosted O&M permissions that can be granted to service providers are within the scope of the AliyunComputeNestPolicyForSupplierRole system policy. The permissions that are actually granted to service providers are the intersection of the AliyunComputeNestPolicyForSupplierRole policy and the policies that they specify when they configure services.
Content of the AliyunComputeNestPolicyForSupplierRole policy
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}Hosted O&M policies
The following table describes the policies that service providers can select when they configure services.
Permission | Policy | Description |
All Permissions | AliyunComputeNestPolicyForFullAccess | The full permissions on the specified ECS instances or the Alibaba Cloud resources in the specified service instances. |
Read-only Permissions | AliyunComputeNestPolicyForReadOnly | The read-only permissions on the specified ECS instances or the Alibaba Cloud resources in the specified service instances and on the audit logs of these resources recorded by ActionTrail. |
Terminal Logon Permissions | AliyunComputeNestPolicyForTerminalLogin | The permissions to remotely log on to the specified ECS instances or the ECS instances in the specified service instances. |
Operation Audit Permissions | AliyunComputeNestPolicyForTrails | The permissions to view the audit logs that ActionTrail records for the specified ECS instances or the Alibaba Cloud resources in the specified service instances. |
Monitoring Permissions | AliyunComputeNestPolicyForAlarm | The permissions to manage threshold-triggered and event-triggered alert rules for the specified ECS instances or the Alibaba Cloud resources in the specified service instances. |
Upgrade Permissions | AliyunComputeNestPolicyForUpgrade | The permissions to upgrade and roll back the applications and service configurations of the specified service instances. |
O&M Permissions | AliyunComputeNestPolicyForOperation | The permissions to perform O&M operations on the specified service instances. |
The preceding policies are Resource Access Management (RAM) policies. For more information, see Policy elements.
AliyunComputeNestPolicyForFullAccess
All Permissions
Policy content
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}Actual effects
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:RestartDBInstance",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForReadOnly
Read-only Permissions
Policy content
{
"Action": [
"*:Describe*",
"*:List*",
"*:Get*",
"*:BatchGet*",
"*:Query*",
"*:BatchQuery*",
"actiontrail:LookupEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Actual effects
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:DescribeTerminalSessions",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:DescribeSecurityGroups",
"ecs:DescribeDisks",
"ecs:DescribeImages",
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"actiontrail:LookupEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunComputeNestPolicyForTerminalLogin
Terminal Logon Permissions
Policy content
{
"Action": [
"ecs:*TerminalSession*",
"tag:List*",
"tag:DescribeRegions",
"ecs:Describe*Instance*",
"cs:Describe*Cluster*",
"cs:GetClusters",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Actual effects
{
"Action": [
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"tag:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"eci:DescribeContainerGroups",
"eci:ExecContainerCommand"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForTrails
Operation Audit Permissions
Policy content
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Actual effects
{
"Action": [
"actiontrail:LookupEvents",
"tag:ListTagResources",
"tag:ListSupportResourceTypes",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForAlarm
Monitoring Permissions
Policy content
{
"Action": [
"cms:Describe*",
"cms:CheckRamRoleForCloudMonitor",
"cms:QueryMetricList",
"cms:*MetricRule*",
"cms:*EventRule*",
"cms:*HostAvailability",
"tag:List*",
"tag:DescribeRegions"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Actual effects
{
"Action": [
"cms:DescribeMetricData",
"cms:DescribeMetricList",
"cms:QueryMetricList",
"cms:DescribeMetricRuleList",
"cms:DescribeAlertHistoryList",
"cms:DescribeAlertLogList",
"cms:DescribeLogHistogram",
"cms:DescribeLogCount",
"cms:DescribeDynamicTagRuleList",
"cms:DescribeMonitorGroups",
"cms:DescribeMonitorGroupInstances",
"cms:DescribeMonitorGroupCategories",
"cms:DescribeMonitorGroupDynamicRules",
"cms:DescribeMetricRuleTemplateList",
"cms:DescribeAlertingMetricRuleResources",
"cms:DescribeContactGroupList",
"cms:DescribeMonitorGroupInstanceAttribute",
"cms:DescribeMetricListFromProxy",
"cms:DescribeMetricLastFromProxy",
"cms:DescribeMonitoringAgentHosts",
"cms:DescribeMetricTopFromProxy",
"cms:DescribeRegions",
"cms:DescribeDashboardGroupList",
"cms:DescribeHostAvailabilityList",
"cms:DescribeUnhealthyHostAvailability",
"cms:DescribeGroupMonitoringAgentProcess",
"cms:DescribeSystemEventMetaList",
"cms:CheckRamRoleForCloudMonitor",
"cms:DescribeSystemEventHistogram",
"cms:DescribeSystemEventAttribute",
"cms:DescribeEventRuleList",
"cms:DescribeEventRuleTargetList",
"cms:DescribeCustomEventAttribute",
"cms:DescribeCustomEventHistogram",
"cms:DescribeContactListByContactGroup",
"cms:DescribeAlertLogList",
"cms:DescribeCustomMetricList",
"cms:DescribeAlertLogCount",
"cms:DescribeMetricMetaList",
"cms:DescribeConsoleViews",
"cms:DescribeProjectMeta",
"cms:DescribeAlertLogHistogram",
"cms:CreateHostAvailability",
"cms:ModifyHostAvailability",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForUpgrade
Upgrade Permissions
Policy content
{
"Effect": "Allow",
"Action": [
"ros:*Stack",
"ros:ListStack*",
"tag:List*Resource*",
"tag:DescribeRegions",
"vpc:Describe*",
"slb:Describe*",
"slb:ListTagResources",
"slb:*AccessControlListEntry",
"slb:ModifyLoadBalancer*",
"ecs:*Instance*",
"ecs:Describe*",
"ecs:RunCommand",
"ecs:*SecurityGroup*",
"ecs:*Disk*",
"ess:ListTagResources",
"ess:DescribeScaling*",
"ess:*ScalingRule",
"ess:*Instances",
"cs:GetUserPermissions",
"cs:Describe*Cluster*",
"cs:GetClusters",
"cs:CreateEdasClusterRole*"
],
"Resource": [
"*"
]
}Actual effects
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"tag:DescribeRegions",
"tag:ListSupportResourceTypes",
"tag:ListTagResources",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVpcAttribute",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeEipAddresses",
"slb:DescribeLoadBalancers",
"slb:DescribeLoadBalancerListeners",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeVServerGroups",
"slb:ListTagResources",
"slb:DescribeAccessControlLists",
"slb:DescribeAccessControlListAttribute",
"slb:AddAccessControlListEntry",
"slb:RemoveAccessControlListEntry",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceSpec",
"ecs:ModifyInstanceAttribute",
"ecs:ReplaceSystemDisk",
"ecs:RunInstances",
"ecs:ModifySecurityGroupAttribute",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:RunCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:StartTerminalSession",
"ecs:DescribeTerminalSessions",
"ecs:CloseTerminalSession",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeDiagnosticReports",
"ecs:CreateDiagnosticReport",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeDisks",
"ecs:ResizeDisk",
"ecs:ModifyDiskSpec",
"ecs:DescribeImages",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:CreateSnapshot",
"ecs:CreateAutoSnapshotPolicy",
"ecs:ApplyAutoSnapshotPolicy",
"ecs:StopInstances",
"ecs:ResetDisk",
"ecs:DescribeSnapshots",
"ess:ListTagResources",
"ess:DescribeScalingGroups",
"ess:CreateScalingRule",
"ess:DeleteScalingRule",
"ess:DescribeScalingActivityDetail",
"ess:DescribeScalingActivities",
"ess:ExecuteScalingRule",
"ess:RemoveInstances",
"ess:DetachInstances",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:GetClusters",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"cs:GetUserPermissions",
"cs:CreateEdasClusterRole",
"cs:CreateEdasClusterRoleBinding"
],
"Resource": [
"*"
],
"Effect": "Allow"
}AliyunComputeNestPolicyForOperation
O&M Permissions
Policy content
{
"Action": [
"ros:*Stack",
"ros:ListStack*",
"cs:Get*",
"cs:Describe*Cluster*",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:*Instance*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}Actual effects
{
"Action": [
"ros:UpdateStack",
"ros:GetStack",
"ros:ListStackEvents",
"ros:ListStackResources",
"cs:GetClusters",
"cs:GetUserPermissions",
"cs:DescribeClusterUserKubeconfig",
"cs:DescribeClusterDetail",
"cs:DescribeClusterEndpoints",
"cs:DescribeEdasClusterToken",
"oos:StartExecution",
"oos:ListExecutions",
"ecs:StartInstance",
"ecs:DescribeInstances",
"ecs:RebootInstance",
"ecs:StopInstance",
"ecs:ModifyInstanceSpec",
"ecs:DescribeInstanceTypes",
"ecs:ModifyPrepayInstanceSpec",
"ecs:ModifyInstanceNetworkSpec",
"ecs:DescribeInstanceHistoryEvents",
"ecs:DescribeInstanceVncUrl",
"ecs:DescribeManagedInstances",
"ecs:StopInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
}