This topic describes how to grant Elastic High Performance Computing (E-HPC) the permissions to access associated cloud resources by using the AliyunServiceRoleForEHPC service-linked role.
Background information
The AliyunServiceRoleForEHPC role is a service-linked role provided by Resource Access Management (RAM). This role is used to authorize E-HPC to access associated cloud resources. E-HPC can assume the AliyunServiceRoleForEHPC role to access ECS, Virtual Private Cloud (VPC), and Apsara File Storage NAS. For more information, see Service-linked roles.
Permission policy of the AliyunServiceRoleForEHPC role
Role name: AliyunServiceRoleForEHPC
Policy name: AliyunServiceRolePolicyForEHPC
The following code shows the permission policy:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:RunInstances",
"ecs:DescribeInstances",
"ecs:DescribeInstanceTypes",
"ecs:DescribeKeyPairs",
"ecs:DescribeSecurityGroups",
"ecs:DescribePrice",
"ecs:DescribeZones",
"ecs:DescribeAvailableResource",
"ecs:CreateSecurityGroup",
"ecs:DescribeImages",
"ecs:AttachKeyPair",
"ecs:ModifyInstanceAttribute",
"ecs:StartInstance",
"ecs:StopInstance",
"ecs:DeleteInstance",
"ecs:CreateInstance",
"ecs:ReplaceSystemDisk",
"ecs:RebootInstance",
"ecs:AuthorizeSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:CreateHpcCluster",
"ecs:ModifyHpcClusterAttribute",
"ecs:DeleteHpcCluster",
"ecs:DescribeHpcClusters",
"ecs:DeleteSecurityGroup",
"ecs:DescribeDisks",
"ecs:ReInitDisk",
"ecs:CreateCommand",
"ecs:InvokeCommand",
"ecs:StopInvocation",
"ecs:DeleteCommand",
"ecs:DescribeCommands",
"ecs:ModifyCommand",
"ecs:DescribeInvocations",
"ecs:DescribeInvocationResults",
"ecs:CreateNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:AttachNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeResourceAllocation",
"ecs:TagResources",
"ecs:DescribeManagedInstances",
"eci:BatchCreateContainerGroups",
"eci:CreateContainerGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches",
"vpc:AllocateEipAddress",
"vpc:DescribeEipAddresses",
"vpc:AssociateEipAddress",
"vpc:DescribeVSwitches",
"vpc:ReleaseEipAddress",
"vpc:CreateVpc",
"vpc:CreateVSwitch"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"nas:DescribeFileSystems",
"nas:DescribeMountTargets",
"nas:CreateFileSystem",
"nas:CreateMountTarget",
"nas:CreateAccessGroup",
"nas:CreateAccessRule",
"nas:DeleteAccessGroup",
"nas:DeleteAccessRule",
"nas:DescribeAccessGroups",
"nas:DescribeAccessRules",
"nas:ModifyFileSystem",
"nas:UpdateFileSystemInfo",
"nas:CPFSCreateFileSystem",
"nas:CPFSDescribeFileSystems",
"nas:CPFSModifyFileSystem",
"nas:CreateLDAPConfig",
"nas:DeleteLDAPConfig",
"nas:DescribeLDAPConfig"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecd:CreateRAMDirectory",
"ecd:CreateADConnectorDirectory",
"ecd:DescribeDirectories",
"ecd:DeleteDirectories",
"ecd:CreateBundle",
"ecd:DescribeBundles",
"ecd:DeleteBundles",
"ecd:ListDirectoryUsers",
"ecd:ModifyEntitlement",
"ecd:CreatePolicyGroup",
"ecd:DescribePolicyGroups",
"ecd:ModifyPolicyGroup",
"ecd:DeletePolicyGroups",
"ecd:CreateDesktops",
"ecd:DescribeDesktops",
"ecd:RebootDesktops",
"ecd:DeleteDesktops",
"ecd:DescribeDesktopTypes",
"ecd:StartDesktops",
"ecd:StopDesktops",
"ecd:CreateImage",
"ecd:DescribeImages",
"ecd:DeleteImages",
"ecd:DescribeRegions",
"ecd:DescribeZones",
"ecd:GetConnectionTicket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ess:CreateScalingGroup",
"ess:ModifyScalingGroup",
"ess:EnableScalingGroup",
"ess:DisableScalingGroup",
"ess:DeleteScalingGroup",
"ess:SetGroupDeletionProtection",
"ess:DescribeScalingGroups",
"ess:DescribeScalingInstances",
"ess:DescribeScalingActivities",
"ess:DescribeScalingConfiguration",
"ess:DescribeScalingRules",
"ess:CreateScalingConfiguration",
"ess:ModifyScalingConfiguration",
"ess:DeleteScalingConfiguration",
"ess:CreateScalingRule",
"ess:ModifyScalingRule",
"ess:DeleteScalingRule",
"ess:ExecuteScalingRule",
"ess:AttachInstances",
"ess:DetachInstances",
"ess:RemoveInstances",
"ess:CreateScheduledTask",
"ess:DeleteScheduledtask",
"ess:ModifyScheduledTask",
"ess:DescribeLimitation",
"ess:CreateLifecycleHook",
"ess:CompleteLifecycleAction",
"ess:DeleteLifecycleHook",
"ess:TagResources",
"ess:ScaleWithAdjustment"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:CreateDynamicTagGroup",
"cms:DescribeMonitorGroups",
"cms:DeleteDynamicTagGroup",
"cms:DeleteMonitorGroup",
"cms:DescribeContactGroupList",
"cms:DescribeDynamicTagRuleList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "acm:DescribePrice",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "ecs.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"ess.aliyuncs.com",
"gws.aliyuncs.com"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "ehpc.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"eci:DescribeContainerGroups",
"eci:DescribeContainerGroupStatus",
"eci:DescribeContainerGroupEvents",
"eci:RestartContainerGroup",
"eci:DeleteContainerGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"eci:tag/product": [
"E-HPC"
]
}
}
}
]
}
Create the AliyunServiceRoleForEHPC role
When you use E-HPC, the system checks whether the AliyunServiceRoleForEHPC role exists in your account. If the role does not exist, the system automatically creates it for your account.
The AliyunServiceRolePolicyForEHPC policy is attached to the AliyunServiceRoleForEHPC role. System policies attached to service-linked roles are defined and used by Alibaba Cloud services. You cannot add, modify, or delete the permissions of service-linked roles.
Delete the AliyunServiceRoleForEHPC role
If you no longer need to use the AliyunServiceRoleForEHPC role, you can delete it. After you delete the role, E-HPC can no longer create clusters or manage the associated cloud resources on your behalf. For more information, see Delete a RAM role.
Before you delete the AliyunServiceRoleForEHPC role, you must delete the E-HPC clusters that depend on the role. For more information, see Release a cluster.