When you use Elastic High Performance Computing (E-HPC), you must create the normal service role AliyunECSInstanceForEHPCRole and grant the policy AliyunECSInstanceForEHPCRolePolicy to the role.
Overview
A normal service role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. A normal service role is used to authorize access across Alibaba Cloud services. For more information, see Overview.
The following normal service role and system policy are provided for E-HPC:
Normal service role: AliyunECSInstanceForEHPCRole
System policy: AliyunECSInstanceForEHPCRolePolicy
Scenarios
The AliyunECSInstanceForEHPCRole role is used to authorize Elastic Compute Service (ECS) instances in the E-HPC cluster to access associated cloud resources. E-HPC can assume the AliyunECSInstanceForEHPCRole role to access ECS, Virtual Private Cloud (VPC), and File Storage NAS.
Required permissions for a RAM user to use a normal service role
If you use a RAM user to create or delete a normal service role, you must use an Alibaba Cloud account to grant permissions to the RAM user.
Method 1: Grant the AliyunEHPCFullAccess policy that contains the permissions required to create and delete AliyunECSInstanceForEHPCRole.
Method 2: Add the following permissions to the RAM user in the Action statement of the custom policy:
Create normal service role: ram:CreateRole
Delete normal service role: ram:DeleteRole
Create a normal service role
When you use E-HPC, the system checks whether the role AliyunECSInstanceForEHPCRole is created for the current account. If the role does not exist, the system displays a notification. After you confirm the information, the system automatically creates AliyunECSInstanceForEHPCRole and grants the AliyunECSInstanceForEHPCRolePolicy permissions to the role.
AliyunECSInstanceForEHPCRole has the permissions included in the system policy AliyunECSInstanceForEHPCRolePolicy. You cannot modify the system policy, but you can add other policies to the role.
View the normal service role
After the system creates the normal service role, you can view the details of the role by searching for AliyunECSInstanceForEHPCRole on the Roles page in the RAM console.
Basic information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permissions
On the Permissions tab, click the policy name to view the policy content and the cloud resources that the role can access.
Trust Policy Management
On the Trust Policy tab, you can view the content of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity refers to an entity that can assume the RAM role. The trusted entity of a normal service role is a cloud service. You can view the value of the Service field in the trust policy of the normal service role to obtain the trusted entity.
For more information about how to view a normal service role, see View the information about a RAM role.
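The following Python check is an added example, not part of the original documentation: it reads a trust policy document copied from the Trust Policy tab, lists its trusted entities, and flags any that are not an expected cloud service. The sample policy and its Service value are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample showing the shape of a RAM trust policy. The Service
# value is a placeholder, not the real value for AliyunECSInstanceForEHPCRole.
SAMPLE_TRUST_POLICY = """
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"Service": ["placeholder-service.aliyuncs.com"]}
  }]
}
"""


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trusted_entities(policy_text):
    """Return sorted (principal_type, value) pairs that may assume the role."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not add trusted entities
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"Unknown": principal}
        for ptype, values in principal.items():
            for value in _as_list(values):
                found.add((ptype, value))
    return sorted(found)


def unexpected_entities(policy_text, expected_services):
    """Flag every trusted entity that is not an expected cloud service."""
    expected = {s.lower() for s in expected_services}
    return [(t, v) for t, v in trusted_entities(policy_text)
            if t != "Service" or v.lower() not in expected]
```

Pass the Service value shown in the RAM console as `expected_services`; an empty result means only that service can assume the role.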
Delete the normal service role
After the normal service role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use E-HPC for a long period of time, you can delete the normal service role in the RAM console. For more information, see Delete a RAM role.
Before you delete AliyunECSInstanceForEHPCRole, make sure that the following requirements are met:
You no longer need to use the normal service role to perform operations such as creating a cluster or managing nodes in the cluster.
The E-HPC cluster that depends on the normal service role is deleted. For more information, see Release a cluster.