If system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to manage permissions in a fine-grained manner and improve resource access security. This topic describes the scenarios in which custom policies are used in Elastic High Performance Computing (E-HPC) and provides sample policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a custom policy only if it is not attached to any principal. If the policy is still attached to a RAM user, user group, or role, detach it from that principal first and then delete it.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Authorization information
Before you write a custom policy, make sure that you understand the permission requirements of E-HPC and the services it depends on. For more information, see RAM authorization.
Authorize a RAM user to create an E-HPC cluster by using existing cloud resources
The following sample policy allows a RAM user to create a cluster from existing resources, such as a virtual private cloud (VPC) and a File Storage NAS file system. The policy grants only read (Describe, List, Get, Query, and Check) permissions on those dependent services, plus full E-HPC permissions and the ECS permissions E-HPC needs to manage cluster nodes. Note that every statement uses Resource "*", so the state-changing ECS actions (ecs:RunCommand, ecs:RebootInstance, ecs:RebootInstances, and ecs:ModifyUserBusinessBehavior) apply to every ECS instance in the account, not only to cluster nodes. If that is broader than you need, restrict the Resource element of those statements to the instances that belong to the cluster.
If you want to allow the RAM user to create new resources, you must grant the user the corresponding permissions. For more information about how to authorize a RAM user, see Grant permissions to a RAM user.
VPC resources: If you want to allow the RAM user to create VPCs, attach the AliyunVPCFullAccess system policy to the user. This policy provides full access to VPC, including the permissions to create, configure, and manage VPCs.
File Storage NAS: If you want to allow the RAM user to create and manage File Storage NAS file systems, attach the AliyunNASFullAccess system policy to the user. This policy provides full access to File Storage NAS, including the permissions to create file systems and mount targets.
Workbench: If you want the RAM user to use Workbench to connect to an Elastic Compute Service (ECS) instance, make sure that the AliyunECSWorkbenchFullAccess system policy is attached to the user.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:GetRole",
        "ram:CheckServiceLinkedRoleExistence",
        "ram:ListResourceGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "vpc:DescribeEipAddresses",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:QueryMetricList",
        "cms:QueryMetricLast"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeEipPrice",
        "ecs:DescribePrice",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeInstances",
        "ecs:RebootInstance",
        "ecs:RebootInstances",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeUserBusinessBehavior",
        "ecs:ModifyUserBusinessBehavior",
        "ecs:DescribeCloudAssistantSettings",
        "ecs:RunCommand",
        "ecs:DescribeInvocations",
        "ecs:ListServiceSettings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nas:DescribeProtocolMountTarget",
        "nas:DescribeFilesets",
        "nas:DescribeFileSystems"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:DescribeInstanceBill",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ehpc:*",
      "Resource": "*"
    }
  ]
}
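The following script is an added example (it is not part of the E-HPC documentation or of any Alibaba Cloud tool) that applies the least-privilege check described above to the sample policy. It embeds the sample policy in compact form, reports every Allow statement that grants a state-changing action on Resource "*", and shows how to move selected actions into a separate statement that is scoped to specific ECS instances. The read-only prefix heuristic (Describe, List, Get, Query, Check) and the instance ID i-examplenode are assumptions of this example; the ARN form acs:ecs:<region>:<account>:instance/<id> is the ECS instance ARN format, with wildcards left in place for region and account.

```python
"""Least-privilege lint for a RAM policy document (added example, not E-HPC code).

Assumption of this example: an action is read-only when its operation name starts
with one of READ_PREFIXES; anything else (RunCommand, Reboot*, Modify*, a trailing
"*") is treated as able to change state.
"""
import copy
import json

READ_PREFIXES = ("Describe", "List", "Get", "Query", "Check")

# The sample policy from this page, in compact form (same actions, same resources).
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ram:GetRole", "ram:CheckServiceLinkedRoleExistence", "ram:ListResourceGroups"]},
        {"Effect": "Allow", "Resource": "*", "Action": "vpc:DescribeEipAddresses"},
        {"Effect": "Allow", "Resource": "*", "Action": ["cms:QueryMetricList", "cms:QueryMetricLast"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:DescribeEipPrice", "ecs:DescribePrice", "ecs:DescribeKeyPairs",
            "ecs:DescribeSecurityGroups", "ecs:DescribeInstances", "ecs:RebootInstance",
            "ecs:RebootInstances", "ecs:DescribeCloudAssistantStatus",
            "ecs:DescribeUserBusinessBehavior", "ecs:ModifyUserBusinessBehavior",
            "ecs:DescribeCloudAssistantSettings", "ecs:RunCommand",
            "ecs:DescribeInvocations", "ecs:ListServiceSettings"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "nas:DescribeProtocolMountTarget", "nas:DescribeFilesets", "nas:DescribeFileSystems"]},
        {"Effect": "Allow", "Resource": "*", "Action": "bssapi:DescribeInstanceBill"},
        {"Effect": "Allow", "Resource": "*", "Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ehpc:*"},
    ],
}


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """'service:Operation' is read-only when Operation has a read prefix; wildcards never are."""
    _, _, op = action.partition(":")
    return op.startswith(READ_PREFIXES) and not op.endswith("*")


def lint_policy(policy):
    """Return one finding per state-changing action that an Allow statement grants on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if not is_read_only(action):
                kind = "wildcard" if action.endswith("*") else "write"
                findings.append({"statement": idx, "action": action, "kind": kind})
    return findings


def scope_actions(policy, actions, resources):
    """Move `actions` out of their Allow statements into a new statement limited to `resources`.

    Returns a new policy document; the input is left unchanged. Statements that end up
    with no actions are dropped.
    """
    new = copy.deepcopy(policy)
    moved = []
    for stmt in new["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        current = _as_list(stmt["Action"])
        moved += [a for a in current if a in actions]
        stmt["Action"] = [a for a in current if a not in actions]
    new["Statement"] = [s for s in new["Statement"] if s.get("Action")]
    if moved:
        new["Statement"].append(
            {"Effect": "Allow", "Action": sorted(set(moved)), "Resource": list(resources)})
    return new


if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
    # Hypothetical cluster node; replace with the real node instance IDs.
    tightened = scope_actions(
        SAMPLE_POLICY,
        {"ecs:RunCommand", "ecs:RebootInstance", "ecs:RebootInstances"},
        ["acs:ecs:*:*:instance/i-examplenode"])
    print(json.dumps(tightened, indent=2))
```

Running the script lists five findings for the sample policy: the four state-changing ECS actions and the ehpc:* wildcard, all on Resource "*". After scope_actions moves RunCommand and the two Reboot actions into an instance-scoped statement, only ehpc:* and ecs:ModifyUserBusinessBehavior remain, which is the residual you then decide on deliberately rather than by default.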